winsystem32xp.exe - W32/Spybot.KAM

My virusscanner (F-Prot antivirus) detected this file :
winsystem32xp.exe - W32/Spybot.KAM

But when I search for it on my comp I could never find the file. So I googled that file and it’s called a W32.Kelvir.W worm and I deleted it with Symantec.
My computer is still being weird and slow though.
This time I used NoAdware to scan my computer and all these weird .pif files came up. NoAdware doesn’t delete the files though, it just scans.

I searched for .pif files on my computer and a few files came up, but I had to switch off my PC, ’cause the screen began shaking and being all weird =S.

All I want to know is how to delete .pif files and how I can know if the worm was really deleted from my computer.
My computer is surely still infected

Oh, a few times this small black window came on to my screen and it said something like: “Don’t worry…Killing all the pests”.
Well it was something like that =/. So I don’t know if that was a hacker that was typing something to me :o

Please read and follow the instructions on THIS PAGE

NoAdware is junk: bin it and get some decent anti-spyware programs.

http://www.pcworld.com/news/article/0,aid,118362,pg,1,00.asp

You can find links for two effective anti-spyware programs, Ad-Aware and Spybot Search & Destroy, in the article.

NoAdware is junk for sure…so I uninstalled it.

Anyway thanx a lot for that link :slight_smile:
I downloaded AdAware and Spybot S&D.

I also downloaded Hijackthis and it warned me to ask spyware experts what I should and shouldn’t delete.

So now I have all these files that Hijackthis detected and I don’t know what I should delete. I hope somebody can help me with this.

So this is what showed up on the logfile :o :

Logfile of HijackThis v1.99.1
Scan saved at 20:46:38, on 11/07/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\MSDTCW.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\NL\MSNAPPAU.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\FSI\F-PROT\F-SCHED.EXE
C:\PROGRAM FILES\FSI\F-PROT\F-STOPW.EXE
C:\PROGRAM FILES\FSI\F-PROT\FPAVUPDM.EXE
F:\SHAREAZA\SHAREAZA.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
D:\MIJN DOCUMENTEN\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.tfmcquocloippvi.com/5qG9/HO_zzdhnxLHDJL6owvtJBTTIWqNFPmuOwKWQKbyk72rsGkkFMoLpTlVgdR3.cgi
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.nl/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_5_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {ACB3E0B7-7D0C-40B7-99B3-3EEACDF86BFB} - C:\WINDOWS\MSLAGENT\4B_1,0,1,1_MSLAGENT.DLL (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\NL\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\NL\MSNTB.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_5_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [$EnterNet] C:\PROGRA~1\NTS\WANADO~1\APP\ENTERNET.EXE -AutoStart
O4 - HKLM..\Run: [LoadQM] loadqm.exe
O4 - HKLM..\Run: [Kernel32] C:\WINDOWS\SYSTEM\Kernel.dll
O4 - HKLM..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM..\Run: [QuickTime Task] “C:\WINDOWS\SYSTEM\QTTASK.EXE” -atboottime
O4 - HKLM..\Run: [msnappau] “c:\program files\MSN Apps\Updater\01.02.3000.1001\nl\msnappau.exe”
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM..\Run: [REGRUN] C:\FAW32.EXE
O4 - HKLM..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM..\Run: [F-STOPW.EXE] “C:\Program Files\FSI\F-Prot\F-STOPW.EXE”
O4 - HKLM..\Run: [FRISK_MONITOR] “C:\Program Files\FSI\F-Prot\fpavupdm.exe” /RAP
O4 - HKLM..\Run: [Trust Flaw Sect Data] C:\WINDOWS\Application Data\creativesettingstrustflaw\Second debug.exe
O4 - HKLM..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM..\RunServices: [MessengerPlus3] “C:\Program Files\Messenger Plus! 3\MsgPlus.exe”
O4 - HKLM..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM..\RunServices: [MSDTC] msdtcw -start
O4 - HKLM..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM..\RunOnce: [SpybotSnD] “C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE” /autocheck
O4 - HKCU..\Run: [PhotoShow Deluxe Media Manager] D:\DATA\XTRAS\MSSYSMGR.EXE
O4 - HKCU..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU..\Run: [MessengerPlus3] “C:\Program Files\Messenger Plus! 3\MsgPlus.exe” /WinStart
O4 - HKCU..\Run: [Shareaza] “F:\SHAREAZA\SHAREAZA.EXE” -tray
O4 - HKCU..\Run: [TypingSatellite] “C:\PROGRAM FILES\TYPINGMASTER\KBOOST.EXE”
O4 - HKCU..\Run: [Deafweb] C:\WINDOWS\APPLIC~1\LONGOO~1\bin drv frag.exe
O4 - HKCU..\Run: [MMZQ] C:\PROGRAM FILES\COMMON FILES\MMZQ\MMZQM.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL (file missing)
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL (file missing)
O18 - Filter: text/html - {47A0A780-ADE4-11D9-8D2E-00E0ED065C1D} - C:\WINDOWS\APPLICATION DATA\MICROSOFT\INTERNET EXPLORER\V0.26.DAT

Can you confirm you have run Ad-Aware and Spybot because they will automatically fix a lot of problems?

Also please get and use THIS APPLICATION
It is an analyzer for the HJT log. It is not perfect, but do as the results tell you and post a new log after doing so here. You got a LOT of applications loading at boottime which are not needed.

I did use AdAware and Spybot and it deleted a lot of stuff.
I used that link of yours Eddy, but it didn’t help me.
Every time I click on HiLOA it opens for 2 seconds and then it disappears. I saw something with the word ‘error’ though.

I know I have a lot running, but I don’t even know what all those are. So I don’t know what to do.

:-\

thnx anyway for helping :slight_smile:

Hi Shakie_ononi,

your analysis is available here for 3 days:

http://www.hijackthis.de/logfiles/b289dae913e6c7ce98b6fede7495bd6c.html

The analysis produced this warning:

It seems that you don't use an anti-virus scanner or your scanner is not active. Only an anti-virus scanner can protect you against new viruses. No active firewall was found on your system or the firewall you use is unknown to us. If you don´t use a firewall you should download and install one.

A couple of the entries may or may not be Malware, so could you do a double check scan with a Squared anti-Trojan scanner?

http://www.emsisoft.com/en/

When you have done that, run HijackThis! again and check these items if still present and click ‘fix’.

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {ACB3E0B7-7D0C-40B7-99B3-3EEACDF86BFB} - C:\WINDOWS\MSLAGENT\4B_1,0,1,1_MSLAGENT.DLL (file missing)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O18 - Filter: text/html - {47A0A780-ADE4-11D9-8D2E-00E0ED065C1D} - C:\WINDOWS\APPLICATION DATA\MICROSOFT\INTERNET EXPLORER\V0.26.DAT

If these entries are still present, please search for the files and submit to Jotti’s scanner to check them out:

http://virusscan.jotti.org/

O4 - HKLM..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM..\Run: [Kernel32] C:\WINDOWS\SYSTEM\Kernel.dll
O4 - HKCU..\Run: [MMZQ] C:\PROGRAM FILES\COMMON FILES\MMZQ\MMZQM.EXE

The first two may be legit on some systems; the third is an unknown.

The following is listed as a nasty but does seem to be a legit MSN component.

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL

If everything comes up clean, download and install a firewall: this is critical!!

Hi :slight_smile:

OK, this is what I did. Some other forum helped me out a bit too and told me to download some stuff so I can scan.

I already downloaded Adware and Spybot…both didn’t find anything after a few scans.

With these following programs I scanned more than once:

1. So I used Trend Micro, it found a lot of CWS, but only deleted 1 and I scanned again and again. It found the same CWS, but again it deleted the same CWS as before =/.

2. After that I used About Buster that didn’t find anything with the first scan.

3. Then I downloaded TDS-3, it had 3 alarms and it got deleted.

4. Trojan Hunter found 3 trojans and deleted them.

5. BOClean didn’t find anything the first time.

6. A2 Free (a-squared) found one malware and deleted it. After that I scanned a couple of times, but only cookies came up.

With Hijack I fixed:

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {ACB3E0B7-7D0C-40B7-99B3-3EEACDF86BFB} - C:\WINDOWS\MSLAGENT\4B_1,0,1,1_MSLAGENT.DLL (file missing)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

It didn’t have this file anymore on hijack:
O18 - Filter: text/html - {47A0A780-ADE4-11D9-8D2E-00E0ED065C1D} - C:\WINDOWS\APPLICATION DATA\MICROSOFT\INTERNET EXPLORER\V0.26.DAT

So I scanned again and those 3 files didn’t come up.

I used Jotti’s scanner on this file:
O4 - HKLM..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe

and nothing was found.

This wasn’t on Hijackthis scan anymore:
O4 - HKLM..\Run: [Kernel32] C:\WINDOWS\SYSTEM\Kernel.dll

and I couldn’t find the unknown file (mmzq.exe) to scan it.

And MSN is being annoying =/. I’m working on that one though.
Or should I delete it? And maybe install msn again?

Thnx anyway :slight_smile: :slight_smile:

Oh this is my new logfile.
I hope everything is good now, but I just saw this file is still running ???
C:\WINDOWS\SYSTEM\KERNEL32.DLL

Logfile of HijackThis v1.99.1
Scan saved at 20:01:17, on 13/07/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\MSDTCW.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\NL\MSNAPPAU.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
D:\MIJN DOCUMENTEN\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hfntdsvlca.com/5qG9/HO_zzdhnxLHDJL6owvtJBTTIWqNFPmuOwKWQKZQKFW4edERvMoLpTlVgdR3.jpg
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.nl/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_5_0.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\NL\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {267ECAE1-D21B-E15D-7003-10F9FB68513E} - C:\WINDOWS\APPLICATION DATA\MFCD ONE SOFTWARE\USERCLOSE.EXE
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\NL\MSNTB.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_5_0.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [$EnterNet] C:\PROGRA~1\NTS\WANADO~1\APP\ENTERNET.EXE -AutoStart
O4 - HKLM..\Run: [LoadQM] loadqm.exe
O4 - HKLM..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM..\Run: [QuickTime Task] “C:\WINDOWS\SYSTEM\QTTASK.EXE” -atboottime
O4 - HKLM..\Run: [msnappau] “c:\program files\MSN Apps\Updater\01.02.3000.1001\nl\msnappau.exe”
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM..\Run: [REGRUN] C:\FAW32.EXE
O4 - HKLM..\Run: [Trust Flaw Sect Data] C:\WINDOWS\Application Data\creativesettingstrustflaw\Kind Delete.exe
O4 - HKLM..\Run: [THGuard] “C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE”
O4 - HKLM..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM..\RunServices: [MessengerPlus3] “C:\Program Files\Messenger Plus! 3\MsgPlus.exe”
O4 - HKLM..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM..\RunServices: [MSDTC] msdtcw -start
O4 - HKLM..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU..\Run: [PhotoShow Deluxe Media Manager] D:\DATA\XTRAS\MSSYSMGR.EXE
O4 - HKCU..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU..\Run: [MessengerPlus3] “C:\Program Files\Messenger Plus! 3\MsgPlus.exe” /WinStart
O4 - HKCU..\Run: [Shareaza] “F:\SHAREAZA\SHAREAZA.EXE” -tray
O4 - HKCU..\Run: [TypingSatellite] “C:\PROGRAM FILES\TYPINGMASTER\KBOOST.EXE”
O4 - HKCU..\Run: [Deafweb] C:\WINDOWS\APPLIC~1\LONGOO~1\bin drv frag.exe
O4 - HKCU..\Run: [MMZQ] C:\PROGRAM FILES\COMMON FILES\MMZQ\MMZQM.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL (file missing)
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL (file missing)

I deleted everything of Yahoo, so that’s why the files are missing

Hi shakie_anoni,

Here is your new analysis:

http://www.hijackthis.de/logfiles/ee6d40da1dbc462d76b7308b36ccd591.html

You can fix anything which says ‘file missing’ just to tidy up.

I think this entry is safe:

O1 - Hosts: 64.91.255.87 www.dcsresearch.com

http://www.wilderssecurity.com/showthread.php?t=29034&goto=nextoldest

KERNEL32.DLL is ok:

http://www.liutilities.com/products/wintaskspro/processlibrary/kernel32/

Have you tried changing Windows’ settings to show hidden and system files?

http://www.computertips.com/Windows/Windows98/My%20Computer/19971219003.htm

Do this and look for mmzq.exe again in safe mode. If you find it, rename it and reboot. What happens? Submit it to Jotti’s multi engine virus scanner:

http://virusscan.jotti.org/

If it is detected as malware, delete the file and fix the entry with HijackThis!

Your HijackThis analysis is still giving this warning:

It seems that you don't use an anti-virus scanner or your scanner is not active. Only an anti-virus scanner can protect you against new viruses. No active firewall was found on your system or the firewall you use is unknown to us. If you don´t use a firewall you should download and install one or activate windows xp´s own one.

You need to install a firewall urgently.

When using HiLoA you likely forgot to save the HijackThis log as “hijack.log”
That’s why you did get the error and the application didn’t run.
Or you need to use winrep (as explained in the readme.txt)
Anyway, thanks for telling. I now know that I should have a look at it and change it so the error stays visible a bit longer so people can read it :smiley:

Fix these ones also with HijackThis:
c:\program files\msn apps\updater\01.02.3000.1001\nl\msnappau.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hfntdsvlca.com/5qG9/HO_zzdhnxLHDJL6owvtJBTTIWqNFPmuOwKWQKZQKFW4edERvMoLpTlVgdR3.jpg

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O4 - HKLM..\Run: [msnappau] “c:\program files\MSN Apps\Updater\01.02.3000.1001\nl\msnappau.exe”

And have a look at the lines that start with O4.
They load things when Windows boots.
It is of course up to you, but imo there are a lot of things there that are not needed to load at boot time.
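An added example, not part of any post in this thread and not code from HijackThis or HiLoA: a small Python parser for the HijackThis log format shown above. It pulls out the O4 (autostart) entries, lists entries marked "(file missing)" or "(no file)", and compares two logs to show which entries are gone or new after a cleanup round. The sample lines are copied from the 13/07/05 and 19/07/05 logs on this page; all function names are hypothetical.

```python
import re

# Sample input: lines copied from the 13/07/05 and 19/07/05 logs in this thread
# (shortened). Curly quotes are kept as the forum rendered them.
LOG_13 = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM..\Run: [Trust Flaw Sect Data] C:\WINDOWS\Application Data\creativesettingstrustflaw\Kind Delete.exe
O4 - HKLM..\Run: [msnappau] “c:\program files\MSN Apps\Updater\01.02.3000.1001\nl\msnappau.exe”
O4 - HKLM..\RunServices: [MSDTC] msdtcw -start
O4 - HKCU..\Run: [MMZQ] C:\PROGRAM FILES\COMMON FILES\MMZQ\MMZQM.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL (file missing)
"""
LOG_19 = r"""Logfile of HijackThis v1.99.1
O4 - HKLM..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM..\RunServices: [MSDTC] msdtcw -start
"""

# "O4 - detail": a section code (letter + number), " - ", then the detail text.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# O4 detail: hive, "..\", key name, "[value name]", command line.
O4_RE = re.compile(r"^(HKLM|HKCU)\.\.\\(\w+): \[([^\]]+)\] (.+)$")
# Unquoted commands may contain spaces in the path, so cut at the first
# executable-looking extension that is followed by whitespace or end of line.
EXE_RE = re.compile(r"^(.+?\.(?:exe|dll|com|pif|scr|bat))(?=\s|$)", re.I)
QUOTES = "\"\u201c\u201d"  # straight and curly double quotes


def parse_entries(text):
    """Return [(code, detail), ...]; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def split_command(command):
    """Split an O4 command line into (program, arguments)."""
    command = command.strip()
    if command and command[0] in QUOTES:
        end = next((i for i in range(1, len(command)) if command[i] in QUOTES),
                   len(command))
        return command[1:end], command[end + 1:].strip()
    m = EXE_RE.match(command)
    if m:
        return m.group(1), command[m.end():].strip()
    program, _, args = command.partition(" ")  # no extension, e.g. "msdtcw -start"
    return program, args.strip()


def autostart_entries(entries):
    """Structured view of the O4 lines: what starts with Windows, and from where."""
    out = []
    for code, detail in entries:
        m = O4_RE.match(detail) if code == "O4" else None
        if m:
            hive, key, name, command = m.groups()
            program, args = split_command(command)
            out.append({"hive": hive, "key": key, "name": name,
                        "program": program, "args": args,
                        # False means Windows resolves the name via its search path
                        "full_path": bool(re.match(r"^[A-Za-z]:\\", program))})
    return out


def orphaned_entries(entries):
    """Entries whose target HijackThis reported as missing."""
    return [(c, d) for c, d in entries
            if d.endswith("(file missing)") or d.endswith("(no file)")]


def diff_logs(before, after):
    """Return (removed, added) entries between two logs."""
    b, a = parse_entries(before), parse_entries(after)
    return [e for e in b if e not in a], [e for e in a if e not in b]


if __name__ == "__main__":
    for item in autostart_entries(parse_entries(LOG_13)):
        print(item["hive"], item["key"], item["name"], "->", item["program"])
    removed, added = diff_logs(LOG_13, LOG_19)
    print("removed:", len(removed), "added:", len(added))
```

The parser only reports what a log says; whether an autostart entry is wanted still has to be decided per entry, as the replies in this thread do.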

Hi Frank :slight_smile:

I fixed all the files that said ‘file missing’.

I changed the setting to show hidden files, but I still couldn’t find mmzq.exe.

I downloaded some AV scanners:

Trend Micro: Deleted 8 viruses and 1 worm

E-Trust: Found nothing

F-Secure: Found pxkadjze.exe, but it wouldn’t remove from my computer. =/

eScan: 126 errors :o —> 22 viruses
It had a really LONG logfile, I don’t know if I should post it here.

Symantec Norton: It found ‘Adware.VirtualBouncer’. I removed the file from my computer.

RAV: 2 suspicious files and 73 mail files (don’t know what that is). This scanner didn’t delete anything.

Panda: first scan: 19 infected files and 3 suspicious files
after removing some files I scanned again: 18 infected files and 3 suspicious files =S.
This had a log too, I don’t know if you want to see it.

McAfee: 2 infected, both are AdClicker_O.d\dr

Hi Eddy :slight_smile:

I fixed the files with HiJack.

And yeah, I saw those lines with O4, I think it’s because I have a lot of stuff on my desktop and I hate that. I don’t know how to remove it from my desktop :-\ . I think all that automatically runs when I reboot.

I have 23 desktop icons :S… The most are of course those programs I download. But I don’t think they all run.
I know that Shareaza, Trojan Hunter and MSN (offline) comes on. But I don’t know about the rest =/.

Sorry for being so annoying with my Hijacklogfiles =S.
But after I deleted some files that Panda-scanner found, I did a second scan: 18 infected files and 3 suspicious files =/

Well this is my new log:

Logfile of HijackThis v1.99.1
Scan saved at 20:23:36, on 15/07/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\MSDTCW.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HILOA\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ixcerboqwixly.com/5qG9/HO_zzdhnxLHDJL6owvtJBTTIWqNFPmuOwKWQKaCuV6_oFTDtcoLpTlVgdR3.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\NL\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\NL\MSNTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [$EnterNet] C:\PROGRA~1\NTS\WANADO~1\APP\ENTERNET.EXE -AutoStart
O4 - HKLM..\Run: [LoadQM] loadqm.exe
O4 - HKLM..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM..\Run: [QuickTime Task] “C:\WINDOWS\SYSTEM\QTTASK.EXE” -atboottime
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\Run: [Trust Flaw Sect Data] C:\WINDOWS\Application Data\creativesettingstrustflaw\Kind Delete.exe
O4 - HKLM..\Run: [THGuard] “C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE”
O4 - HKLM..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM..\RunServices: [MSDTC] msdtcw -start
O4 - HKLM..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU..\Run: [PhotoShow Deluxe Media Manager] D:\DATA\XTRAS\MSSYSMGR.EXE
O4 - HKCU..\Run: [Shareaza] “F:\SHAREAZA\SHAREAZA.EXE” -tray
O4 - HKCU..\Run: [TypingSatellite] “C:\PROGRAM FILES\TYPINGMASTER\KBOOST.EXE”
O4 - HKCU..\Run: [Deafweb] C:\WINDOWS\APPLIC~1\LONGOO~1\bin drv frag.exe
O4 - HKCU..\Run: [Pop up Blocker] “C:\PROGRAM FILES\POP UP BLOCKER\PD.EXE” Minimize
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: PD - {941801A0-F3E2-11D9-8D2E-00E0ED065C1D} - C:\PROGRAM FILES\POP UP BLOCKER\PD.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4534/mcfscan.cab

Well it looks OK. But still those warnings about no active anti-virus or firewall.

You could always install avast! of course. :wink:

Zone Alarm, Kerio and Sygate are all good free firewalls. You really need to install one now.

Sorry, but it doesn’t look ok.
Just a very quick look and I already saw:
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL

and a lot of things are loading that are not needed to load at boottime

Eddy, if you look at my previous posts, you’ll see those entries are actually OK.

The hosts entry is put there by TDS-3 and the BHO is a MSN component.

dcsresearch is not a trusted site, it is an advertising site.

and there are still a lot of things unnecessary loading at boottime.

Eddy mate, try pasting 64.91.255.87 into your address bar and see where you go.

So there is nothing wrong with that TDS site?

And what should I do about all the stuff that is loading at boottime ? ???

I installed Avast :wink: and I have Zone Alarm now.

But…U guys didn’t tell me I had a LOP infection…but that’s okay…other forums helped me with that :slight_smile: .
I’m just not sure if everything is OK with my computer.

How does it look now? :

Logfile of HijackThis v1.99.1
Scan saved at 21:00:05, on 19/07/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\MSDTCW.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
F:\SHAREAZA\SHAREAZA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HILOA\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\NL\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\NL\MSNTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [$EnterNet] C:\PROGRA~1\NTS\WANADO~1\APP\ENTERNET.EXE -AutoStart
O4 - HKLM..\Run: [LoadQM] loadqm.exe
O4 - HKLM..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM..\Run: [QuickTime Task] “C:\WINDOWS\SYSTEM\QTTASK.EXE” -atboottime
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\Run: [THGuard] “C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE”
O4 - HKLM..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM..\RunServices: [MSDTC] msdtcw -start
O4 - HKLM..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU..\Run: [PhotoShow Deluxe Media Manager] D:\DATA\XTRAS\MSSYSMGR.EXE
O4 - HKCU..\Run: [Shareaza] “F:\SHAREAZA\SHAREAZA.EXE” -tray
O4 - HKCU..\Run: [TypingSatellite] “C:\PROGRAM FILES\TYPINGMASTER\KBOOST.EXE”
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4534/mcfscan.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab