Web User Forums > Security > HijackThis logs help and analysis

  #1  
16-12-04, 16:31
blazenko
ad-w-a-r-e

Hi

I'm suffering from "ad-w-a-r-e.com" pop-ups...

When i run HJT, all seems fine, apart from changes to hosts file:
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

I've read about this malware, and tried all solutions i found, but none works. I've installed the VX2-remover add-on for AdAware, but when i run it, it keeps saying that the system is clean. After long hesitation, I've also run look2me's Uninstaller... hesitation because if i understood well, look2me are the very authors of the [ah em!], but people seem to have had success by running the uninstaller... not me, however. Says "no version found to be removed"
I've also emptied ...../LocalSettings/Temp dir while in safe mode, and it removed most of the [ah em!] i had, but not these pop-ups... please help!!! i'm supposed to be working on a tight deadline but this [ah em!] has eaten up almost whole of my day...

Here's the HJT log. Apart from the Running Processes part (which is not visible when running/fixing HJT), all other items are ok and legal on my comp, except those hosts changes, as i said... but maybe someone sees something i don't...

Thnx!!

Logfile of HijackThis v1.98.2
Scan saved at 17:32:36, on 16/12/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\Tablet.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINNT\System32\internat.exe
C:\WINNT\system32\Wtablet\TabUserW.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Install\HiJackThis etc\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.monitor.hr/index2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_0/home.html"); (C:\Documents and Settings\Fractalizer.exe\Application Data\Mozilla\Profiles\default\7lvly8qc.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C:\Program Files\Netscape\Netscape\searchplugins\SBWeb_01.src"); (C:\Documents and Settings\Fractalizer.exe\Application Data\Mozilla\Profiles\default\7lvly8qc.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.113-big.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: Launch Microsoft Outlook (2).lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm



  #2  
16-12-04, 21:37
Joe_London (Global Moderator)
Re: ad-w-a-r-e

Download the program Hoster, which gives you the ability to restore the default hosts file back onto your machine. To do so, download the Hoster program and run it. When it opens, click on the Restore Original Hosts button and then exit Hoster.

Please select the following with HijackThis. With all windows (including this one!) closed, please select "fix".

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.monitor.hr/index2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

Download and run AD-AWARE SE & Spybot Search & Destroy. Delete anything they find.

Tutorials
Ad-Aware Second Edition Tutorial

Spybot Search & Destroy Tutorial


Click the reply button above, right, and post another log.

Joe.

Joe London's WebSite
Man is the only animal that blushes -- or needs to.
-- Mark Twain
__________________
If I've helped you and saved you money please consider a donation to support my work.

Member of UNITE and ASAP.
  #3  
17-12-04, 11:47
blazenko
Re: ad-w-a-r-e

Thnx Joe

I did everything you said, including removing (HJT fixing) two items which i knew were ok, just in case (Links folder and start page)

Btw, Hoster fixes the hosts file, but it gets overwritten again within 5 seconds (i measured), even though i set it to read-only (in Hoster)

The dreaded pop-ups still keep popping up...

Please help, someone! It says everywhere that the VX2 plugin for AdAware should remove this, but it doesn't! i'm going nuts!

Here's the log after all the recommended steps:

Logfile of HijackThis v1.98.2
Scan saved at 02:22:33, on 17/12/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\Tablet.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINNT\System32\internat.exe
C:\WINNT\system32\Wtablet\TabUserW.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\WINNT\explorer.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\TextPad 4\TextPad.exe
D:\Install\HiJackThis etc\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_0/home.html"); (C:\Documents and Settings\Fractalizer.exe\Application Data\Mozilla\Profiles\default\7lvly8qc.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C:\Program Files\Netscape\Netscape\searchplugins\SBWeb_01.src"); (C:\Documents and Settings\Fractalizer.exe\Application Data\Mozilla\Profiles\default\7lvly8qc.slt\prefs.js)
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.113-big.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: Launch Microsoft Outlook (2).lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm



  #4  
17-12-04, 12:09
blazenko
Re: ad-w-a-r-e

i should mention there's one more thing... whenever i boot, upon entering windows, i get a RUNDLL error, which says it's missing a dll for running UMonitor... name of the dll is each time different. Hopefully this might be a clue...

Thnx in advance for all help regarding this and ad-w-a-r-e popups!!

  #5  
17-12-04, 12:22
Joe_London (Global Moderator)
Re: ad-w-a-r-e

I think you may well have the new, very hard to shift variant of the Look2Me infection. I'll have to take advice on this and get back to you later.

Joe.

  #6  
17-12-04, 12:34
blazenko
Re: ad-w-a-r-e

Thanx man!!

I think so too, look2me was much mentioned in what i've been able to find out about this, and i've read that the recommended solutions (which i have already tried) remove most but not all versions... seems i've been unlucky enough to get one of those others...


  #7  
17-12-04, 12:45
Joe_London (Global Moderator)
Re: ad-w-a-r-e

The good news is we have already had an occurrence of this here and we believe we have a fix. Bear with me while I consult my colleagues about it. If our suspicions are right we should be able to sort it.

In the meantime, can you try to remember when this occurred? This date is very important, I understand, to identify the bad files.

Joe.

  #8  
17-12-04, 12:54
blazenko
Re: ad-w-a-r-e

Yup, i contracted the ******* yesterday, 16. Dec...


  #9  
17-12-04, 14:12
Joe_London (Global Moderator)
Re: ad-w-a-r-e

OK, let's try this:

Download FindIt.zip and unzip it to your desktop.

Open the FindIt folder and run the Find.bat file.

A text file called Output.txt will be created.
Save this file and post its contents in your next reply along with the new HijackThis log.

Joe

  #10  
17-12-04, 15:28
blazenko
Re: ad-w-a-r-e

Thnx Joe

I ran Find.bat, and while the DOS window was open, i got the following notification:
16-bit MS-DOS-subsystem (<---title)
C:\WINNT\System32\cmd.exe
C:\WINNT\SYSTEM32\AUTOEXEC.NT. System file is not suitable for MS-DOS and MS Windows use. Click Close to close the application.

(perhaps it's usually a bit differently worded, i was translating from Dutch)

I had to click [Close] on it for about 5 - 6 times (it would pop up again immediately)

In the end, this is the Output.txt i got from it:

================================
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

De volumenaam van station C is LOLEK
Het volumenummer is B490-F09F

Map van C:\WINNT\System32

17/12/2004 02:40 224,396 q2pslc771f.dll
17/12/2004 02:40 <DIR> dllcache
17/12/2004 02:38 224,124 kt0ql7d51.dll
16/12/2004 16:45 224,830 vat3216.dll
19/11/2004 16:42 389,120 ??rvices.exe
08/09/2003 19:49 32 {7D0AEB06-FD45-4295-A180-74DB2263BF4E}.dat
5 bestand(en) 1,062,502 bytes
1 map(pen) 23,120,609,280 bytes beschikbaar

------- Hidden Files in System32 Directory -------

De volumenaam van station C is LOLEK
Het volumenummer is B490-F09F

Map van C:\WINNT\System32

17/12/2004 02:40 <DIR> dllcache
19/11/2004 16:42 389,120 ??rvices.exe
08/09/2003 19:49 32 {7D0AEB06-FD45-4295-A180-74DB2263BF4E}.dat
08/09/2003 19:41 <DIR> GroupPolicy
08/09/2003 19:37 21,825 folder.htt
08/09/2003 19:37 271 desktop.ini
4 bestand(en) 411,248 bytes
2 map(pen) 23,120,605,184 bytes beschikbaar

---------- Files Named "Guard" -------------

De volumenaam van station C is LOLEK
Het volumenummer is B490-F09F

Map van C:\WINNT\System32

17/12/2004 12:17 224,124 guard.tmp
1 bestand(en) 224,124 bytes
0 map(pen) 23,120,605,184 bytes beschikbaar

--------- Temp Files in System32 Directory --------

De volumenaam van station C is LOLEK
Het volumenummer is B490-F09F

Map van C:\WINNT\System32

17/12/2004 12:17 224,124 guard.tmp
23/08/2001 15:00 74,802 atl.dll.tmp
11/01/2000 01:00 2,828 CONFIG.TMP
3 bestand(en) 301,754 bytes
0 map(pen) 23,120,605,184 bytes beschikbaar

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{660BB81E-52DD-4E8D-9E18-833B59364B80}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Drivers]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\alsmib.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Version"="126"
"ID"="{DA4F8A68-7BFD-422D-98EB-413EE73902B1}"
"IDex"="VT00"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\kt0ql7d51.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


---------------- Xfind Locked Files -----------------


-------------- XFind Qoologic Results --------------


-------------- XFind Aspack Results ---------------


-------------- Locate.com Results ---------------

================================



After that i ran HJT and this is the log:

================================
Logfile of HijackThis v1.98.2
Scan saved at 16:33:29, on 17/12/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\Tablet.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINNT\System32\internat.exe
C:\WINNT\system32\Wtablet\TabUserW.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\TextPad 4\TextPad.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Macromedia\Flash MX\Flash.exe
C:\Program Files\Adobe\Photoshop 5.5\Photoshp.exe
C:\Program Files\TextPad 4\TextPad.exe
D:\Install\HiJackThis etc\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_0/home.html"); (C:\Documents and Settings\Fractalizer.exe\Application Data\Mozilla\Profiles\default\7lvly8qc.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C:\Program Files\Netscape\Netscape\searchplugins\SBWeb_01.src"); (C:\Documents and Settings\Fractalizer.exe\Application Data\Mozilla\Profiles\default\7lvly8qc.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.113-big.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: Launch Microsoft Outlook (2).lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O4 - Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm

================================

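The two indicators that stand out in the logs above are the O1 hosts entries sending search domains to a remote address and the two Winlogon\Notify subkeys (Drivers, IPConfTSP) loading DLLs that are not standard Windows components. The script below is an added example, not code from the thread, HijackThis, FindIt or Hoster: it triages both from constructed excerpts of the posted logs, and its baseline set of Notify DLLs is an assumption to be adjusted per build.

```python
# Added example for this thread: triage hosts-file redirects and non-baseline
# Winlogon\Notify DLLs from HijackThis / FindIt output (not the tools' own code).
import re

# Constructed excerpt of the HijackThis log posted above (not the full log).
HJT_LOG = """\
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 ad.doubleclick.net
"""

# Constructed excerpt of the "Keys Under Notify" REGEDIT4 section of Output.txt.
NOTIFY_DUMP = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Drivers]
"DllName"="C:\\WINNT\\system32\\alsmib.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
"DllName"="C:\\WINNT\\system32\\kt0ql7d51.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"""

# Assumed baseline: Notify DLLs on a clean Windows 2000 box plus the Intel one in this log.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "wlnotify.dll", "igfxsrvc.dll"}
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}


def suspicious_hosts_entries(log):
    """Return (ip, hostname) for O1 lines that send a name to a non-local address.
    A legitimate hosts block maps unwanted names to loopback/null; pointing
    auto.search.msn.com or search.netscape.com at a remote IP redirects search."""
    hits = []
    for ip, name in re.findall(r"^O1 - Hosts:\s+(\S+)\s+(\S+)", log, re.M):
        if ip not in LOCAL_SINKS:
            hits.append((ip, name))
    return hits


def _dll_basename(value):
    """Reduce a REGEDIT4 DllName value to a lowercase file name. Built-in entries
    are exported as hex(2) byte lists; the odd entries here are quoted full paths."""
    if value.startswith("hex(2):"):
        raw = bytes(int(b, 16) for b in value[7:].split(",") if b.strip())
        value = raw.split(b"\x00", 1)[0].decode("ascii")
    else:
        value = value.strip('"').replace("\\\\", "\\")
    return value.rsplit("\\", 1)[-1].lower()


def unknown_notify_dlls(dump, known=KNOWN_NOTIFY_DLLS):
    """Return {Notify subkey: dll} for entries whose DLL is not in the baseline."""
    findings, subkey = {}, None
    for line in dump.splitlines():
        if line.startswith("[") and line.endswith("]"):
            subkey = line[1:-1].rsplit("\\", 1)[-1]
        elif subkey and line.lower().startswith('"dllname"='):
            dll = _dll_basename(line.split("=", 1)[1])
            if dll not in known:
                findings[subkey] = dll
    return findings


if __name__ == "__main__":
    for ip, name in suspicious_hosts_entries(HJT_LOG):
        print(f"hosts redirect: {name} -> {ip}")
    for key, dll in unknown_notify_dlls(NOTIFY_DUMP).items():
        print(f"non-baseline Winlogon Notify DLL: {key} -> {dll}")
```

Run against the real Output.txt, the Notify check is what explains the hosts file being rewritten seconds after Hoster restores it: a Notify DLL is loaded by winlogon.exe at every logon and survives fixing the O1 lines alone.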