Logfile of HijackThis v1.97.7
Scan saved at 17:47:49, on 07/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\services\wmplayer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\msapp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\vbrun.exe
C:\WINDOWS\winh.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AOL8~1.0\aoltray.exe
C:\PROGRA~1\AOLCOM~1\COMPAN~1.EXE
C:\PROGRA~1\KODAK\KODAKE~1\bin\EASYSH~1.EXE
C:\PROGRA~1\KODAK\KODAKS~1\7288971\Program\BACKWE~1.EXE
C:\PROGRA~1\BRODER~1\MAVISB~1\MINIMA~1.EXE
C:\PROGRA~1\CASIO\PHOTOL~1\Plauto.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Save\Save.exe
C:\WINDOWS\System32\shellexp.exe
C:\PROGRA~1\CLOCKS~1\Sync.exe
C:\Documents and Settings\S Archibald\Application Data\awab.exe
C:\WINDOWS\System32\wnscpsu.exe
C:\WINDOWS\OUEUPVWBJ.exe
C:\Program Files\AOL 8.0\waol.exe
C:\Program Files\AOL 8.0\shellmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://tooncomics.com/main/sp.htmR1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL =
http://brutal-video.net/R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gmki.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gmki.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://in.webcounter.cc/-/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://drusearch.com/search.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gmki.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
http://in.webcounter.cc/--/?bzbjr (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL =
http://brutal-video.net/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\gmki.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\gmki.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\homepage.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://drusearch.com/search.htmlR0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
http://in.webcounter.cc/--/?bzbjr (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\gmki.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://teenhqpics.com/r/scr.phpR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = C:\WINDOWS\homepage.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer,Search =
http://in.webcounter.cc/--/?bzbjr (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search =
http://in.webcounter.cc/--/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant =
http://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant =
http://1-se.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant =
http://www.sharempeg.com/find/R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch =
http://www.sharempeg.com/find/R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) =
http://1-se.com/srchasst.html (obfuscated)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\msxslab.dll
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFA2} - (no file)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\System32\services\2.01.00.dll
O2 - BHO: (no name) - {5DAFD089-24B1-4c5e-BD42-8CA72550717B} - C:\Program Files\SurfAssistant.com\saiemod.dll
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem217.dll
O2 - BHO: (no name) - {98DBBF16-CA43-4c33-BE80-99E6694468A4} - C:\WINDOWS\System32\msole.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll
O2 - BHO: (no name) - {E94D5FDD-C46D-4F5A-8761-C81CD5AE3BE8} - C:\WINDOWS\System32\gmki.dll
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem214.dll
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [WinApp32] msapp.exe
O4 - HKLM\..\Run: [Internat Conf] \bootconf.exe
O4 - HKLM\..\Run: [host] C:\WINDOWS\system32\hosts.vbs
O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VB_run] C:\WINDOWS\vbrun.exe
O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
O4 - HKLM\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Run: [AOL 8.0 Tray Icon.lnk] C:\PROGRA~1\AOL8~1.0\aoltray.exe -check
O4 - HKLM\..\Run: [AOL Companion.lnk] C:\PROGRA~1\AOLCOM~1\COMPAN~1.EXE /s
O4 - HKLM\..\Run: [Kodak EasyShare software.lnk] C:\PROGRA~1\KODAK\KODAKE~1\bin\EASYSH~1.EXE -h
O4 - HKLM\..\Run: [KODAK Software Updater.lnk] C:\PROGRA~1\KODAK\KODAKS~1\7288971\Program\BACKWE~1.EXE
O4 - HKLM\..\Run: [Microsoft Office.lnk] C:\PROGRA~1\MICROS~3\Office\OSA9.EXE -b -l
O4 - HKLM\..\Run: [Personal Coach.lnk] C:\PROGRA~1\BRODER~1\MAVISB~1\MINIMA~1.EXE
O4 - HKLM\..\Run: [Photo Loader supervisory.lnk] C:\PROGRA~1\CASIO\PHOTOL~1\Plauto.exe
O4 - HKLM\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe
O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\RunServices: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
O4 - HKCU\..\Run: [Explorer] C:\WINDOWS\System32\shellexp.exe en
O4 - HKCU\..\Run: [iedll] c:\WINDOWS\iedll.exe
O4 - HKCU\..\Run: [loader] c:\WINDOWS\loader.exe
O4 - HKCU\..\Run: [olehelp] C:\WINDOWS\System32\olehelp.exe
O4 - HKCU\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
O4 - HKCU\..\Run: [RealUpdater] C:\WINDOWS\System32\realupd.exe
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\wmplayer.exe
O4 - HKCU\..\Run: [Surs] C:\Documents and Settings\S Archibald\Application Data\awab.exe
O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpsu.exe
O4 - HKCU\..\Run: [VWMTFRFGQXWJJ] C:\WINDOWS\POOAUAYRKPVV.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Photo Loader supervisory.lnk = ?
O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix:
http://prolivation.com/cgi-bin/r.cgi?
O13 - WWW Prefix:
http://searching-the-net.com/notfound/?
O14 - IERESET.INF: START_PAGE_URL=http://www.dixons.co.uk/
O16 - DPF: YExplorer1_8US.CAB -
http://photos.groups...plorer1_8us.cabO16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) -
http://63.219.181.7/cax.cabO16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!
http://d.dialer2004.....chm::/load.exeO16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!
http://213.159.117.2...uka.chm::/x.exeO16 - DPF: {11111111-1111-1111-1111-111111111111} - file://c:\info6_s.cab
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!
http://super-gals.co.../x.chm::/ad.exeO16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) -
http://www.xxxtoolba...006_regular.cabO16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) -
http://download.micr...b?1083867327799O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} (CAX Object) -
http://c.coolshader....aler/eu_cax.cabO16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
http://download.micr...922/wmv9VCM.CABO16 - DPF: {5053A978-5972-4D8E-BEC7-3E8D4BC6B830} (AXLoader Class) -
http://dvdmoviescorp.com/dp5000.dllO16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) -
http://www2.flingsto...TInc/bridge.cabO16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) -
http://www.mt-downlo...tsInstaller.cabO16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) -
http://www.microsoft...ols/SassCln.CABO16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} (EPlugin Control) -
http://66.230.146.53/EPlugin_GB.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{7BFD6B9D-E642-4394-B450-CB6272755EBB}: NameServer = 195.93.34.134
O19 - User stylesheet: C:\WINDOWS\color.css
O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)