Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Brower Hijacked (resolved)

Started by EmilyPam , May 13 2005 01:57 PM

This topic is locked

#1
EmilyPam

Posted 13 May 2005 - 01:57 PM

Member

Member
75 posts

I have followed all the instructions given and still browser did not go back to orginal settings.

Thanks for all your help!

Here's my log
Logfile of HijackThis v1.99.1
Scan saved at 2:45:56 PM, on 5/13/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O1 - Hosts: 1159680172 auto.search.msn.com
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {5141982A-A40A-4CA7-B056-0D5D97119C00} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {5141982A-A40A-4CA7-B056-0D5D97119C00} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115315404449
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.com/...id/MSSurVid.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://carpoint.com/...ior/Outside.cab
O16 - DPF: {D81CA86B-EF63-42AF-BEE3-4502D9A03C2D} (MMRadioHostX Class) - http://wwws.musicmat...MMLRadio_Nt.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hsserver.HSTART
O17 - HKLM\Software\..\Telephony: DomainName = hsserver.HSTART
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F69BEAE-6AD7-491C-B6FC-208502694D73}: NameServer = 199.166.31.3,199.5.157.128
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hsserver.HSTART
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hsserver.HSTART
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
O19 - User stylesheet: C:\WINNT\stsheets.dat
O21 - SSODL: ubHPKkltgC - {9C1A3319-36B0-99B3-538A-1C8297A31C5E} - C:\WINNT\System32\skxvl.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

#2
Guest_usetobe_*

Posted 18 May 2005 - 03:06 AM

Guest

Hi Emilypam,

Welcome to Geeks 2 Go. Sorry about the delay in getting to your post, we have been very busy.

Do you still require help or are your problems resolved.

Please let me know and if you still require assistance, please post a fresh HJT log.

Regards,

Usetobe

#3
EmilyPam

Posted 18 May 2005 - 12:13 PM

Member

Topic Starter
Member
75 posts

Yes I still need help.......!!!! :tazz:

Here's my latest log

Logfile of HijackThis v1.99.1
Scan saved at 1:08:07 PM, on 5/18/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O1 - Hosts: 1159680172 auto.search.msn.com
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115315404449
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hsserver.HSTART
O17 - HKLM\Software\..\Telephony: DomainName = hsserver.HSTART
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F69BEAE-6AD7-491C-B6FC-208502694D73}: NameServer = 199.166.31.3,199.5.157.128
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hsserver.HSTART
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hsserver.HSTART
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
O19 - User stylesheet: C:\WINNT\stsheets.dat
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe

thanks so much for you help!

#4
Guest_usetobe_*

Posted 19 May 2005 - 03:31 AM

Guest

Hi Emily,

Please click on the link below to download this program:
Find.zip

*Right-click on your desktop and go to New > Folder - name it HJT.
*Download "Find.zip" to the HJT folder that you made. Make sure to Extract All Files!
*Double Click "Find.bat" and let it scan the PC, takes only seconds!
*Look back in the Folder you downloaded to (HJT) and locate "Report.txt"
*Double Click "Report.txt" and Copy the entire contents of the log and paste it here. It's going to be a very short log.

#5
EmilyPam

Posted 19 May 2005 - 08:05 AM

Member

Topic Starter
Member
75 posts

Hi Usetobe,

I clicked on the link that you wanted me to download but a search page came up. I also wanted to let you know that I downloaded a program called Adware Away at adwareaway.com and I also download a registry cleaner from tweaknow.com. I ran both programs and now it looks like this computer is back to normal! No more hijacked browser! I ran all my scans over again after running these programs and now my scans are saying that they are not finding anything wrong with this computer. I also installed an antispyware program in case of future problems and made sure that all updates have been installed. So I am going to cross my fingers and hope that everything is okay!

Em :tazz:

Here's my latest log.....

Logfile of HijackThis v1.99.1
Scan saved at 9:08:22 AM, on 5/19/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\PurgeIE\PurgPro_Service.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis.exe

O1 - Hosts: 1159680172 auto.search.msn.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115315404449
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hsserver.HSTART
O17 - HKLM\Software\..\Telephony: DomainName = hsserver.HSTART
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F69BEAE-6AD7-491C-B6FC-208502694D73}: NameServer = 199.166.31.3,199.5.157.128
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hsserver.HSTART
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hsserver.HSTART
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: PurgPro XP Service (PurgProService) - Assistance & Resources for Computing, Inc. - C:\Program Files\PurgeIE\PurgPro_Service.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe

Edited by EmilyPam, 19 May 2005 - 08:10 AM.

#6
Guest_usetobe_*

Posted 20 May 2005 - 05:09 AM

Guest

Hi Em,

There are still some areas of conern in your HJT log.

Firstly there is no evidence of any anti-virus in your last two HJT logs, please activate your anti-virus immediately.

Please download the following free 14 day trial of Ewido. Install it, follow instructions to update it then close it down.

Ewido

Download the following program.

Cleanup. But do not run it yet.

Carry out a free online virus scan at the following link. Enter name, for company type anything you like and add email in relevent boxes. Allow to fix any problems it may find.

Kaspersky

Now reboot PC into SAFE MODE by tapping the F8 key whilst PC restarts.
Select SAFE MODE.

Now run HJT and check the following entries.

O1 - Hosts: 1159680172 auto.search.msn.com
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hsserver.HSTART
O17 - HKLM\Software\..\Telephony: DomainName = hsserver.HSTART
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hsserver.HSTART
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hsserver.HSTART
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31

Ensure no windows open except HJT and click fix checked.

Now using windows explorer locate and delete the following file

C:\WINNT\web\related.htm

Now Run cleanup to clear out temp files junk etc.

Now run ewido, click on the Scanner button, Select C drive if you have more than one and then start.

grab a cup of coffee, sandwiches, book as may will take some time. Once the first problem is detected ensure you tick the box for all (bottom left) and allow it to continue.

At the end of the scan, it may ask if you would like to delete anything found in archive or zipped files, OK that request, then click on save report. SAVE to the default location, it will then generate a text file. Copy that to post in this thread.

Carry out another HJT scan and post the log back here, so we can sort out any remnants

Edited by usetobe, 20 May 2005 - 05:11 AM.

#7
EmilyPam

Posted 20 May 2005 - 12:50 PM

Member

Topic Starter
Member
75 posts

Hi Usetobe!

Wanted to update you so you dont think i bailed on you. I already have ewido on my computer. I downloaded the cleaner. I am running the scan now. Our office is closing early today so i cant run the cleaner and the hijack today

So I will come back monday morning and finish up and I will then post the new log! Thanks again for all your help. :tazz:

#8
EmilyPam

Posted 23 May 2005 - 12:49 PM

Member

Topic Starter
Member
75 posts

Okay Usedtobe ~~~ Here we go...
I ran that first scan that you asked me too! Wow...my winnt folder was infected! I followed your instructions to the T. Here is the Ewido report.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:34:00 PM, 5/23/2005
+ Report-Checksum: 4B18560F

+ Date of database: 5/23/2005
+ Version of scan engine: v3.0

+ Duration: 21 min
+ Scanned Files: 28035
+ Speed: 21.40 Files/Second
+ Infected files: 0
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: No

+ Scanned items:
C:\

+ Scan result:
No infected files found!

::Report End

And here is my latest log that you asked for:

Logfile of HijackThis v1.99.1
Scan saved at 1:46:32 PM, on 5/23/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - HKCU\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115315404449
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F69BEAE-6AD7-491C-B6FC-208502694D73}: NameServer = 199.166.31.3,199.5.157.128
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: PurgPro XP Service (PurgProService) - Assistance & Resources for Computing, Inc. - C:\Program Files\PurgeIE\PurgPro_Service.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe

Please know how it looks! Thanks :tazz:

#9
Guest_usetobe_*

Posted 23 May 2005 - 01:03 PM

Guest

Hi Emily Pam,

There is one area of concern....Please update Windows to SP2 as you have no service packs and are wide open to vulnerabilities.

SP2

From your log, I see nothing in the ways of trojans, nor any evil entities attempting to possess your computer, except for Windows but it's too late for that one. :tazz:

Congratulations your log now appears to be clean.

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Detect and Remove Programs:

How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

Prevention Programs:

Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar <= Get the free google toolbar to help stop pop up windows.

Other necessary Programs:

AntiVirus Program<= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kapersky, this is a must have.
Firewall<= A firewall is definatley a must have. Two good free versions are Sygate and ZoneLabs.
More Secure Browser<= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowsers are good as well.

And also see TonyKlein's good advice
So how did I get infected in the first place? and AntiSpyware Net's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.

#10
EmilyPam

Posted 23 May 2005 - 03:12 PM

Member

Topic Starter
Member
75 posts

Okay...this is turning out to be a good day!

I installed SpyBlaster, installed Service Pack 2, and got an antivirus program.

Everything seems to be running better than ever. Thank you for taking your time to help me. I really appreciate it. :tazz:

I love this place....

Em

Hopefull this is my last log...lol

Logfile of HijackThis v1.99.1
Scan saved at 4:11:37 PM, on 5/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HijackThis.exe

O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115315404449
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hsserver.HSTART
O17 - HKLM\Software\..\Telephony: DomainName = hsserver.HSTART
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F69BEAE-6AD7-491C-B6FC-208502694D73}: NameServer = 199.166.31.3,199.5.157.128
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hsserver.HSTART
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe