I have a trojan that changes my homepage every time I reboot. It changes to http://up-search.com/index.html.
When I click home in IE 6, Avast alerts me to the infection. The location is C:\Windows\System\xdldr24.exe, and C:\xdldr17.exe, and it also goes into C:\recycled, and also spreads to Program Files after doing a complete drive scan. My system is Windows 98 SE. If I change my homepage in Explorer after reboot the trojan is not activated. But it is frustrating to have to search 80gb hd every time this happens. How do I get rid of this home page! It is there every reboot! Thanks for any help. MarkDisco
That is not a trojan, that is called a Browser Hijacker. Please get HijackThis and post the log here. Let us remove that bastard ;D
I think I am going to install Spybot S&D and see if it can get rid of this browser hijacker. I will post the result. I was fearful of using spyware detection because it can mess up things if you don’t know what you’re doing. But it appears I have no choice. I don’t feel comfortable downloading anything I am not familiar with, such as HijackThis, just yet. Thanks for the replies!
Good thing that you do not install anything that is recommended by others. (thumbs up) But trust me, I know HijackThis. You can read about it at THIS thread. I also know Merijn (the creator of HijackThis) personally.
THIS is my website about cleaning a system and may have some useful info for you.
Spybot S&D is a good choice, but … there is no application that will detect ALL harmful things. So you need more. Personally I can recommend using: Avast, Spybot S&D, Ad-Aware and HijackThis.
Good luck and let me (us) know how it is going. And don’t be afraid to ask us to help you.
OK, so I installed HijackThis just now and it says that I must know what to delete. I assume I will delete anything pertaining to up-search.com/index.html? I am going to wait for the helpful user that suggested HijackThis to confirm my actions are correct.
Thanks, MarkDisco
Here is the log file from HijackThis!
Logfile of HijackThis v1.98.2
Scan saved at 2:52:44 PM, on 8/13/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\DESK98.EXE
C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\ATISCHED.EXE
C:\PROGRAM FILES\OPTIX\OSTART.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\IDETOOL\IDETOOL.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\CMMON32.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSIMPL.EXE
C:\PROGRAM FILES\CALLWAVE\IAM.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://up-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://up-search.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://up-search.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://up-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://up-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://up-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://up-search.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://up-search.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://up-search.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://up-search.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://up-search.com/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://up-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://up-search.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://up-search.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://up-search.com/search.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM..\Run: [IntelliType] “C:\Program Files\Microsoft Hardware\Keyboard\type32.exe”
O4 - HKLM..\Run: [Microsoft Works Update Detection] -C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM..\Run: [WorksFUD] -C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM..\Run: [Microsoft Works Portfolio] -C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM..\Run: [taskmanager] c:\windows\taskmgr.com
O4 - HKLM..\Run: [TaskMonitor] -C:\WINDOWS\taskmon.exe
O4 - HKLM..\Run: [LoadQM] loadqm.exe
O4 - HKLM..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [HydraVisionDesktopManager] desk98.exe
O4 - HKLM..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe
O4 - HKLM..\RunServices: [SchedulingAgent] -C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKCU..\Run: [ATI Scheduler] C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\ATISched.EXE
O4 - Startup: OPTISTART.lnk = C:\Program Files\OptiX\ostart.exe
O4 - Startup: IDETool.lnk = C:\Program Files\IDETOOL\IDETOOL.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\MSMSGS.EXE
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
Oh! What the heck I am just going to check all the R1 and R0 entries that refer to up-search. I hope this doesn’t hurt anything.
MarkDisco
Eddy, I’m really going to do this now, hope you are there to confirm my rash actions. Heplpplplpl!
It shouldn’t do any harm if you only click them R1 and R2’s, but I’m not an expert. EDDY is though; I would suggest you wait for him. There are a couple of other things there that you don’t need on startup, but as I say, Eddy is the expert.
–lee
Patience my friends, although some think I am a robot, I am not. Well at least till proven otherwise ;D
My analyzer says remove these:
o9 - extra button: related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
o16 - dpf: {89d75d39-5531-47ba-9e4f-b346ba9c362c} (cwdl_downloadcontrol class) - http://www.callwave.com/include/cab/cwdl_download.cab
Have a look HERE to see what my German friend has found and advise.
Fix ALL the things we say and research the things currently unknown to us with GOOGLE.
I will look further into the log and add new data to the next version of my log analyzer.
Do NOT fix anything I and that site don’t know until you have researched it on Google or get a word from us to remove it. HijackThis is very powerful and you can (if used wrong) get into trouble if you do.
Well, if you do delete something that you weren’t supposed to, it is fine as long as you can still start up/run the PC, because you can use the backups HijackThis creates when it deletes the registry keys. And even if you can’t start up the PC, you can just run the comp in command prompt, then type scanreg /restore, then restore to the last time you successfully restarted your comp, but I have only ever restored the registry on Win98 SE.
But I always take chances with comps, that’s how you learn in my opinion :D, even in life.
–lee
o16 is my callwave internet answering machine service.
So I won’t delete that! I pay about $4.00 US/mo for the call forwarding service when I am online to get phone messages. Maybe you are not familiar with callwave as it is a service here in Washington USA.
MarkDisco
o9 extra button could be related to my Microsoft Internet Pro keyboard software to assign new functions to buttons on my keyboard.
MarkDisco
Deleted all R1 and R0 entries and they all came back after reboot. Here is the second log file from HijackThis.
Logfile of HijackThis v1.98.2
Scan saved at 4:18:53 PM, on 8/13/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\DESK98.EXE
C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\ATISCHED.EXE
C:\PROGRAM FILES\OPTIX\OSTART.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\IDETOOL\IDETOOL.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSIMPL.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://up-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://up-search.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://up-search.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://up-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://up-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://up-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://up-search.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://up-search.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://up-search.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://up-search.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://up-search.com/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://up-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://up-search.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://up-search.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://up-search.com/search.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM..\Run: [IntelliType] “C:\Program Files\Microsoft Hardware\Keyboard\type32.exe”
O4 - HKLM..\Run: [Microsoft Works Update Detection] -C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM..\Run: [WorksFUD] -C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM..\Run: [Microsoft Works Portfolio] -C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM..\Run: [taskmanager] c:\windows\taskmgr.com
O4 - HKLM..\Run: [TaskMonitor] -C:\WINDOWS\taskmon.exe
O4 - HKLM..\Run: [LoadQM] loadqm.exe
O4 - HKLM..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [HydraVisionDesktopManager] desk98.exe
O4 - HKLM..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe
O4 - HKLM..\RunServices: [SchedulingAgent] -C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKCU..\Run: [ATI Scheduler] C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\ATISched.EXE
O4 - Startup: OPTISTART.lnk = C:\Program Files\OptiX\ostart.exe
O4 - Startup: IDETool.lnk = C:\Program Files\IDETOOL\IDETOOL.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\MSMSGS.EXE
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
MarkDisco
I am now rescanning my entire 80gb hard drive again to see if any straggler programs are there.
MarkDisco
Anybody got a HAMMER!
I am very busy atm. Please go HERE and copy/paste the log there. Fix everything that is reported as bad. Then create a new log and post it here.
We did it! This computer is now clean!
I removed two more entries besides the R1 and R0’s.
They were the ones the German fellow’s analyzer identified as needs fixed.
they were>>>>
O4 - HKLM..\Run: [taskmanager] c:\windows\taskmgr.com
and>>>
O4 - HKLM..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe
After deleting R1, R0, and these two files I rebooted the system and got this new log file>>>>>
Logfile of HijackThis v1.98.2
Scan saved at 4:35:36 PM, on 8/13/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\DESK98.EXE
C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\ATISCHED.EXE
C:\PROGRAM FILES\OPTIX\OSTART.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\IDETOOL\IDETOOL.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM..\Run: [IntelliType] “C:\Program Files\Microsoft Hardware\Keyboard\type32.exe”
O4 - HKLM..\Run: [Microsoft Works Update Detection] -C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM..\Run: [WorksFUD] -C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM..\Run: [Microsoft Works Portfolio] -C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM..\Run: [TaskMonitor] -C:\WINDOWS\taskmon.exe
O4 - HKLM..\Run: [LoadQM] loadqm.exe
O4 - HKLM..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [HydraVisionDesktopManager] desk98.exe
O4 - HKLM..\RunServices: [SchedulingAgent] -C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKCU..\Run: [ATI Scheduler] C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\ATISched.EXE
O4 - Startup: OPTISTART.lnk = C:\Program Files\OptiX\ostart.exe
O4 - Startup: IDETool.lnk = C:\Program Files\IDETOOL\IDETOOL.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\MSMSGS.EXE
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
Thank you to everyone and keep your hammers!
MarkDisco
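The before/after comparison this thread ends with can be done mechanically. The following is an added example, not part of the original posts and not HijackThis's own code: it parses two HijackThis logs, lists the IE start/search page values pointing at a given domain, and reports which O4 autorun entries disappeared between the logs. The function names are hypothetical, and the sample text is a constructed excerpt of lines taken from the second and third logs above.

```python
import re
from urllib.parse import urlparse

# Constructed excerpts: a few lines from the second and third logs in this thread.
BEFORE = r"""Logfile of HijackThis v1.98.2
C:\WINDOWS\EXPLORER.EXE
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://up-search.com/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://up-search.com/search.html
O4 - HKLM..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM..\Run: [taskmanager] c:\windows\taskmgr.com
O4 - HKLM..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe
O4 - HKLM..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - Startup: IDETool.lnk = C:\Program Files\IDETOOL\IDETOOL.EXE
"""
AFTER = r"""Logfile of HijackThis v1.98.2
C:\WINDOWS\EXPLORER.EXE
O4 - HKLM..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - Startup: IDETool.lnk = C:\Program Files\IDETOOL\IDETOOL.EXE
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")   # e.g. "R1 - ...", "O4 - ..."
RUN = re.compile(r"^(\S+): \[(.+?)\] (.+)$")     # e.g. "HKLM..\Run: [name] command"

def parse_log(text):
    """Return the set of (code, body) result entries; header and process lines are skipped."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries

def redirected(entries, domain):
    """Registry values in the R section whose URL host is `domain` or a subdomain of it."""
    hits = []
    for code, body in entries:
        if code.startswith("R") and " = " in body:
            key, value = body.split(" = ", 1)
            host = (urlparse(value).hostname or "").lower()
            if host == domain or host.endswith("." + domain):
                hits.append(key)
    return sorted(hits)

def removed_autoruns(before, after):
    """(name, command) of O4 Run/RunServices entries present in `before` but not in `after`."""
    gone = []
    for code, body in before - after:
        m = RUN.match(body)
        if code == "O4" and m:
            gone.append((m.group(2), m.group(3)))
    return sorted(gone)

if __name__ == "__main__":
    before, after = parse_log(BEFORE), parse_log(AFTER)
    print("redirected before:", redirected(before, "up-search.com"))
    print("redirected after: ", redirected(after, "up-search.com"))
    print("autoruns removed: ", removed_autoruns(before, after))
```

Run against the full logs, the same comparison shows the R0/R1 values staying gone only in the log taken after the two O4 entries were also fixed.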