Hi all, yesterday I foolishly clicked on a "New Folder" icon on a network drive. I thought it was a directory, but it actually was an executable file. When I checked the properties of the file, the description was "uslottery". Since the incident my browser's home page has been changed to "http://uklottery.us", which eventually redirects to "http://72.232.123.170/~funstuff/dasdmas,dasd/iloveyou.php". The button to change the home page has been grayed out (disabled). The "Run" item in the Start menu has been removed. Task Manager has been disabled too. In File Explorer hidden directories can no longer be seen, and the option to see hidden directories has been disabled. I am using Symantec AntiVirus, which detects a trojan called "Downloader". Tried cleaning it in safe mode but no go. Can anyone help with this problem please? HJT log below:

Logfile of HijackThis v1.99.1
Scan saved at 9:44:36 AM, on 11/01/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Cisco Systems\Cisco Secure Services Client\ConnectionClient.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Sygate\SSA\smc.exe
C:\WINNT\system32\VRCCfgService.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe
C:\Program Files\RACOM\RACOM Internet Client\WlanIke.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCRoam.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCStatus.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\ESOE\ELogSrv.exe
C:\Program Files\ESOE\ESrv.exe
C:\WINNT\system32\hidserv.exe
c:\Program Files\Hewlett-Packard\eWorkplace\Inventory.exe
C:\em\opt\tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\Program Files\Hewlett-Packard\eWorkplace\LogSvc.exe
C:\PROGRA~1\NETMAN~1\APPS\NFS\wlpd.exe
C:\Program Files\MG-SOFT\MIB Browser\Bin\MgWTrap3.exe
C:\WINNT\system32\PROT_SRV.EXE
C:\WINNT\system32\pagents.exe
C:\WINNT\system32\PSTARTSR.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
c:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\MSTask.exe
c:\Program Files\Hewlett-Packard\eWorkplace\Scheduler.exe
C:\WINNT\system32\FLRSERV.EXE
C:\WINNT\System32\snmp.exe
c:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ESOE\EDMS\ECIS.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\snmptrap.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\explorer.exe
C:\WINNT\lsasss.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\igfxpers.exe
C:\WINNT\AGRSMMSG.exe
C:\WINNT\system32\igfxsrvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe
C:\WINNT\system32\igfxext.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\HPQ\Shared\HpqToaster.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\eWorkplace\ControlCenter.exe
C:\Program Files\ESOE\ECC.exe
C:\Program Files\ESOE\EDMS\ECP.exe
C:\Program Files\Lotus\Sametime Client\sametime.exe
C:\Program Files\Lotus\Sametime Client\jre\bin\sametime75.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ESOE\ELaunch.exe
c:\Program Files\Hewlett-Packard\eWorkplace\eWLaunch.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uklotttery.us/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://i-pac.ao.Company.se/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = brproxy2.epa.Company.se:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://153.88.196.60;*.Company.se;*.erisoft.se;internal.Company.com;<local>
F2 - REG:system.ini: Shell=explorer.exe C:\WINNT\system\lsasss.exe
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINNT\system\lsasss.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [VRCNotify] C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe
O4 - HKLM\..\Run: [NetManageImport] "C:\PROGRA~1\NETMAN~1\setup\nmcpdata.exe" I
O4 - HKLM\..\Run: [NetManage LaunchNow Init] RunDLL32 C:\Progra~1\NETMAN~1\common\nmgoinn.dll,VerifyStartMenu
O4 - HKLM\..\Run: [StoreCleanup] RunDLL32 c:\progra~1\NETMAN~1\common\nmconfig.dll,StoreCleanup
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - Global Startup: Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O4 - Global Startup: Check for Pal Update.lnk = C:\Program Files\RDC\Dial-up Client\PALUpdate.exe
O4 - Global Startup: CiscoStartupCheck.lnk = C:\WINNT\Driver Cache\i386\net\CiscoMsgBox.exe
O4 - Global Startup: Company Corporate Templates .lnk = C:\Program Files\Microsoft Office\Templates\1033\Company Corporate Templates\eCorpTemplates2003.exe
O4 - Global Startup: ESOE 2000 Client Update.lnk = C:\Program Files\ESOE2000ClientUpdate\eMsgBox.exe
O4 - Global Startup: ESOE Control Center.lnk = C:\Program Files\ESOE\ECC.exe
O4 - Global Startup: ESOE2000ClientUpdate2.lnk = C:\Program Files\ESOE2000ClientUpdate\ESOE2000ClientUpdate2.exe
O4 - Global Startup: eWorkplace Control Center.lnk = C:\Program Files\Hewlett-Packard\eWorkplace\ControlCenter.exe
O4 - Global Startup: IntelWireless.exe.lnk = C:\Program Files\WLAN_Install\IntelWireless.exe
O4 - Global Startup: MSconfigg.exe
O4 - Global Startup: RVIMsgBox.exe.lnk = C:\Program Files\RACOM\RACOM Internet Client\RVIMsgBox.exe
O4 - Global Startup: Sametime Client 7.5.lnk = C:\Program Files\Lotus\Sametime Client\sametime.exe
O4 - Global Startup: UCF Check.lnk = C:\Program Files\UCF\UCF-5.3.0.5.exe
O4 - Global Startup: Visio Viewer Update Check.lnk = C:\Program Files\Microsoft Office\Visio Viewer\VisioViewer.exe
O4 - Global Startup: VN User Update.lnk = C:\Documents and Settings\xhpshal\Application Data\NetManage\Data\VN User Update.exe
O4 - Global Startup: WinVNC.lnk = C:\Program Files\ORL\VNC\WinVNC.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1BD86198-EEBA-42AF-B89B-4050DEB5C47A} - http://eaubrnt061.epa.Company.se/ecc_install/default.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://accessete.au.ao.Company.se/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eapac.Company.se
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eapac.Company.se
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eapac.Company.se
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: mdc - C:\WINNT\SYSTEM32\SsoWindows.dll
O20 - Winlogon Notify: NavLogon - c:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: WinEvents - C:\WINNT\SYSTEM32\WinEvents.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Secure Services Client - Cisco Systems - C:\Program Files\Cisco Systems\Cisco Secure Services Client\ConnectionClient.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: ESOE Client Inventory Service (ECIS) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\EDMS\ECIS.exe
O23 - Service: ESOE Log Service (ELogSrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ELogSrv.exe
O23 - Service: ESOE Process Manager (ESrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ESrv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NetManage NFS Client (InterDrive) Helper (InterDrive) - NetManage, Inc. - C:\WINNT\System32\idr3hlpr.exe
O23 - Service: eWorkplace Inventory (Inventory) - Hewlett-Packard Sverige AB - c:\Program Files\Hewlett-Packard\eWorkplace\Inventory.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\em\opt\tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: eWorkplace Log (LogSvc) - TODO: <Company name> - C:\Program Files\Hewlett-Packard\eWorkplace\LogSvc.exe
O23 - Service: NetManage LPD Service (LPD Server) - NetManage, Inc. - C:\PROGRA~1\NETMAN~1\APPS\NFS\wlpd.exe
O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe
O23 - Service: MG-SOFT SNMP Trap Service - MG-SOFT Corporation, Strma ulica 8, SI-2000 Maribor, Slovenia. Internet: http://www.mg-soft.com/ E-mail: <info@mg-soft.com> - C:\Program Files\MG-SOFT\MIB Browser\Bin\MgWTrap3.exe
O23 - Service: NetManage FTP Server - NetManage, Inc. - C:\Program Files\NETMAN~1\apps\ftpd\ftpd.exe
O23 - Service: Pointsec - Unknown owner - C:\WINNT\system32\PROT_SRV.EXE
O23 - Service: Pointsec update agent (Pointsec_agent) - Unknown owner - C:\WINNT\system32\pagents.exe
O23 - Service: Pointsec service start (Pointsec_start) - Unknown owner - C:\WINNT\system32\PSTARTSR.EXE
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAPSprint - SAP AG, Walldorf - C:\Program Files\SAP\SAPSprint\sapsprint.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: eWorkplace Scheduler (Scheduler) - Hewlett-Packard Sverige AB - c:\Program Files\Hewlett-Packard\eWorkplace\Scheduler.exe
O23 - Service: Shared Folders Server (SFOLDER) - NetManage. - C:\WINNT\system32\FLRSERV.EXE
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Company Access Client Configuration Support (VRCCfgService) - Company Enterprise AB - C:\WINNT\system32\VRCCfgService.exe
O23 - Service: Company Access Client (VRCService) - Company Enterprise AB - C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe
Hi snoop75, your log shows a few infections. One of which is known as the Sasser worm. We need to get rid of it first. Go here and follow the removal instructions for "Windows disinfector". After you have done that, run a new scan with HijackThis and please post the log.
Hi Niobis, Unfortunately I tried fixing it myself before you responded and ended up killing my laptop. I used the "Combo Fix" tool, which fixed the uslottery malware, but it somehow disabled my network interface. After a few reboots trying to fix the network interface I couldn't even boot my machine any more. So the IT guys had to re-image it. Thanks for the response and all the help you guys provide on this site. Cheers!!!
I'm sorry to hear that. I assumed you would have some network trouble after removing the malware because of those O17 entries, but there are ways to remove them without those problems. I was going to take the cautious approach, but I was too late. Again, sorry for your loss. Good luck in the future, and try to stay clear of those unidentifiable links.
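A triage pass over the kinds of entries discussed in this thread, as an added example (not part of the original posts and not HijackThis code): it reads a constructed sample of lines taken from the two logs above and flags the same things the replies point at, namely the look-alike lsasss.exe process, the system.ini Shell/UserInit chains, the bare MSconfigg.exe in the Startup folder, the O6 policy restriction, and the O17 settings that need care before removal. The `SYSTEM_NAMES` list and every heuristic are my own assumptions, not rules from HijackThis.

```python
import re
from typing import List, Tuple

# Constructed sample: a few lines copied from the HijackThis logs posted in this
# thread, plus benign entries for contrast. Not a complete log.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\system32\lsass.exe
C:\WINNT\lsasss.exe
C:\WINNT\system32\igfxtray.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uklotttery.us/
F2 - REG:system.ini: Shell=explorer.exe C:\WINNT\system\lsasss.exe
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINNT\system\lsasss.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINNT\system32\igfxtray.exe
O4 - Global Startup: Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O4 - Global Startup: MSconfigg.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eapac.Company.se
"""

# Windows system binaries whose names malware commonly imitates (assumed list).
SYSTEM_NAMES = {"lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe", "services.exe"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-letter look-alike process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for entries a responder should look at."""
    findings = []
    for line in log.strip().splitlines():
        line = line.strip()
        # Running-process block: plain paths. Flag names one edit away from a
        # system binary, or real system names running outside system32.
        if re.match(r"^[A-Za-z]:\\", line):
            name = line.rsplit("\\", 1)[-1].lower()
            in_sys32 = "\\system32\\" in line.lower()
            lookalike = name not in SYSTEM_NAMES and any(
                edit_distance(name, s) == 1 for s in SYSTEM_NAMES)
            if lookalike or (name in SYSTEM_NAMES and not in_sys32):
                findings.append(("process name imitates a system binary", line))
        # F2: system.ini Shell/UserInit should name one program, not a chain.
        elif line.startswith("F2 - REG:system.ini:"):
            key, _, value = line.split(":", 2)[2].strip().partition("=")
            programs = [p for p in re.split(r"[,\s]+", value) if p]
            if len(programs) > 1:
                findings.append((f"{key} chain loads an extra program", line))
        # R0/R1: surface the configured start page host for allowlist review.
        elif re.match(r"R[01] - .*Start Page = ", line):
            host = re.search(r"https?://([^/]+)", line)
            findings.append((f"start page host {host.group(1) if host else '?'}", line))
        # O4 Global Startup: a bare executable in the Startup folder, not a .lnk.
        elif line.startswith("O4 - Global Startup:") and ".lnk" not in line:
            findings.append(("raw executable in Startup folder", line))
        # O6: policy keys that lock down IE / Control Panel, as the OP describes.
        elif line.startswith("O6 - "):
            findings.append(("restrictive policy key present", line))
        # O17: DNS/domain settings; corporate machines rely on these, so review.
        elif line.startswith("O17 - "):
            findings.append(("TCP/IP domain or nameserver setting, review before removal", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```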
Hi there, I have the same problem with the uslottery folder, which has spread to both of my partitions. I tried scanning my PC with HijackThis but it wouldn't work; it suddenly closes without showing me any results or something like that... Please help! Thanks in advance!
Sorry for the double-posting, but I managed to scan and save a logfile.

Logfile of HijackThis v1.99.1
Scan saved at 16:41:24, on 08.04.2008
Platform: Windows XP SP3, v.3300 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3300)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\lsasss.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Avant Browser\avant.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\UIMHC1CZ\HijackThis_v1.99.1[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uklotttery.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system\lsasss.exe
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system\lsasss.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O4 - HKLM\..\Run: [StarSkin] C:\PROGRAM FILES\ROCKET DIVISION SOFTWARE\STARSKIN\STARSKIN.EXE -H
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: MSconfigg.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1616FF8C-1FF5-4DEA-92C3-F898F51F98BB}: NameServer = 193.231.238.2 193.231.238.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\RpcSandraSrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe