Here's the info requested by Ramesh - Microsoft MVP in the following message:
This problem is due to spyware which we have been seeing lately.
To identify the malware product causing the problem:
First, download MVP Doug's Windows XP Startup Programs Tracker and post the LOG file here:
http://www.dougknox.com/xp/utils/xp_starttrack.htm
and download HijackThis from the following site and post the results to the newsgroup or send a mail to me. (Remove the text "REMOV_NOSPAM" in the email address.)
HijackThis:
http://www.spywareinfo.com/~merijn/
Ramesh - Microsoft MVP
http://www.mvps.org/sramesh2k
Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
~ Please reply to newsgroup ~
Gary Roach said:
I've got a computer running XP Home and when I double-click on "My Computer" it brings up the message:
Error
This module was compiled with a trial version of Delphi. The trial version has expired.
This also happens when I try to open any other Explorer window. Also, when I try to run Internet Explorer, a process appears on the Processes tab of the Task Manager, but no Explorer window opens up. Any idea what it is? Any help is greatly appreciated.
Gary
---------------------------------- results of StartupTracker3.exe -----------------------
11/28/2003 11:15:13 AM
-- Registry --
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
No Items Found
-- Registry --
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
SoundMan SOUNDMAN.EXE
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz nwiz.exe /install
Motive SmartBridge C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
Share-to-Web Namespace Daemon C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
NeroCheck C:\WINDOWS\System32\\NeroCheck.exe
ClrSchLoader C:\Program Files\ClearSearch\Loader.exe
New.net Startup rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
CMESys "C:\Program Files\Common Files\CMEII\CMESys.exe"
SAHAgent C:\WINDOWS\System32\SahAgent.exe
POP C:\Program Files\POP\PopSrv205.exe
ToPicks Starter C:\Program Files\ToPicks\Bin\Idhost.exe
DownloadWare "C:\Program Files\DownloadWare\dw.exe" /H
IEDriver C:\WINDOWS\System32\IEDriver\IEDriver.exe
SearchEnhancement "C:\Program Files\scbar\v2\scbar.exe" /U
AutoUpdater C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
RVP "C:\Program Files\RVP\bpc.exe"
webHancer Agent "C:\Program Files\webHancer\Programs\whAgent.exe"
webHancer Survey Companion "C:\Program Files\webHancer\Programs\whSurvey.exe"
AVG7_CC C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
AVG7_EMC C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
-- Registry --
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
No Items Found
-- Registry --
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS "C:\Program Files\Messenger\MSMSGS.EXE" /background
-- Registry --
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce
No Items Found
-- Start Menu - Current User --
No Items Found
-- Start Menu - All Users --
NetAssistant.lnk
Microsoft Office.lnk
Event Planner Reminders Tray Icon.lnk
Kodak EasyShare software.lnk
KODAK Software Updater.lnk
PrecisionTime.lnk
Date Manager.lnk
GStartup.lnk
-- Disabled Items --
No Items Found
-- Registry - Shell Value - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon --
Explorer.exe
-- Running Processes --
System Idle Process
System
smss.exe \SystemRoot\System32\smss.exe
csrss.exe
winlogon.exe winlogon.exe
services.exe C:\WINDOWS\system32\services.exe
lsass.exe C:\WINDOWS\system32\lsass.exe
svchost.exe C:\WINDOWS\system32\svchost -k rpcss
svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
spoolsv.exe C:\WINDOWS\system32\spoolsv.exe
SOUNDMAN.EXE "C:\WINDOWS\SOUNDMAN.EXE"
MotiveSB.exe "C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe"
hpgs2wnd.exe "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
hpgs2wnf.exe "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe" -Embedding
Loader.exe "C:\Program Files\ClearSearch\Loader.exe"
RUNDLL32.EXE "C:\WINDOWS\System32\rundll32.exe" C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
CMESys.exe "C:\Program Files\Common Files\CMEII\CMESys.exe"
SahAgent.exe "C:\WINDOWS\System32\SahAgent.exe"
PopSrv205.exe "C:\Program Files\POP\PopSrv205.exe"
Idhost.exe "C:\Program Files\ToPicks\Bin\Idhost.exe"
dw.exe "C:\Program Files\DownloadWare\dw.exe" /H
IEDriver.exe "C:\WINDOWS\System32\IEDriver\IEDriver.exe "
AUTOUP~1.EXE "C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE"
bpc.exe "C:\Program Files\RVP\bpc.exe"
sysmono.exe "C:\Program Files\POP\sysmono.exe" -Embedding
whAgent.exe "C:\Program Files\webHancer\Programs\whAgent.exe"
whSurvey.exe "C:\Program Files\webHancer\Programs\whSurvey.exe"
msmsgs.exe "C:\Program Files\Messenger\MSMSGS.EXE" /background
PLNRnote.exe "C:\Sierra\Planner\PLNRnote.exe"
EasyShare.exe "C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe" -h
backWeb-7288971.exe "C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe"
PrecisionTime.exe "C:\Program Files\PrecisionTime\PrecisionTime.exe"
DateManager.exe "C:\Program Files\Date Manager\DateManager.exe"
mpbtn.exe "C:\Program Files\NetAssistant\bin\mpbtn.exe"
GMT.exe "C:\Program Files\Common Files\GMT\GMT.exe" /startup
cmd.exe "C:\WINDOWS\System32\cmd.exe"
avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
KodakCCS.exe C:\WINDOWS\system32\drivers\KodakCCS.exe
ScsiAccess.EXE C:\WINDOWS\System32\ScsiAccess.EXE
svchost.exe C:\WINDOWS\System32\svchost.exe -k imgsvc
hthost.exe C:\PROGRA~1\Topicks\Bin\hthost.exe -Embedding
STARTUPTRACKER3.EXE d:\StartupTracker3
Explorer.EXE C:\WINDOWS\explorer.exe
wmiprvse.exe
-- Running Services --
Name: AudioSrv
Description: Manages audio devices for Windows-based programs. If this
service is stopped, audio devices and effects will not function properly. If
this service is disabled, any services that explicitly depend on it will
fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: Avg7Alrt
Description:
Startup Mode: Auto
Run from: C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
Name: Avg7UpdSvc
Description:
Startup Mode: Auto
Run from: C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
Name: Browser
Description: Maintains an updated list of computers on the network and
supplies this list to computers designated as browsers. If this service is
stopped, this list will not be updated or maintained. If this service is
disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: CryptSvc
Description: Provides three management services: Catalog Database Service,
which confirms the signatures of Windows files; Protected Root Service,
which adds and removes Trusted Root Certification Authority certificates
from this computer; and Key Service, which helps enroll this computer for
certificates. If this service is stopped, these management services will not
function properly. If this service is disabled, any services that explicitly
depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs
Name: Dhcp
Description: Manages network configuration by registering and updating IP
addresses and DNS names.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: Dnscache
Description: Resolves and caches Domain Name System (DNS) names for this
computer. If this service is stopped, this computer will not be able to
resolve DNS names and locate Active Directory domain controllers. If this
service is disabled, any services that explicitly depend on it will fail to
start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k NetworkService
Name: ERSvc
Description: Allows error reporting for services and applictions running in
non-standard environments.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: Eventlog
Description: Enables event log messages issued by Windows-based programs and
components to be viewed in Event Viewer. This service cannot be stopped.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\services.exe
Name: EventSystem
Description: Supports System Event Notification Service (SENS), which
provides automatic distribution of events to subscribing Component Object
Model (COM) components. If the service is stopped, SENS will close and will
not be able to provide logon and logoff notifications. If this service is
disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: FastUserSwitchingCompatibility
Description: Provides management for applications that require assistance in
a multiple user environment.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: helpsvc
Description: Enables Help and Support Center to run on this computer. If
this service is stopped, Help and Support Center will be unavailable. If
this service is disabled, any services that explicitly depend on it will
fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: KodakCCS
Description: This provides the best connection from Kodak digital cameras to
your computer. It can communicate directly with Kodak EasyShare software.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\drivers\KodakCCS.exe
Name: lanmanserver
Description: Supports file, print, and named-pipe sharing over the network
for this computer. If this service is stopped, these functions will be
unavailable. If this service is disabled, any services that explicitly
depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: lanmanworkstation
Description: Creates and maintains client network connections to remote
servers. If this service is stopped, these connections will be unavailable.
If this service is disabled, any services that explicitly depend on it will
fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: LmHosts
Description: Enables support for NetBIOS over TCP/IP (NetBT) service and
NetBIOS name resolution.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k LocalService
Name: Messenger
Description: Transmits net send and Alerter service messages between clients
and servers. This service is not related to Windows Messenger. If this
service is stopped, Alerter messages will not be transmitted. If this
service is disabled, any services that explicitly depend on it will fail to
start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: Netman
Description: Manages objects in the Network and Dial-Up Connections folder,
in which you can view both local area network and remote connections.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: Nla
Description: Collects and stores network configuration and location
information, and notifies applications when this information changes.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: PlugPlay
Description: Enables a computer to recognize and adapt to hardware changes
with little or no user input. Stopping or disabling this service will result
in system instability.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\services.exe
Name: ProtectedStorage
Description: Provides protected storage for sensitive data, such as private
keys, to prevent access by unauthorized services, processes, or users.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\lsass.exe
Name: RasMan
Description: Creates a network connection.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: RpcSs
Description: Provides the endpoint mapper and other miscellaneous RPC
services.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost -k rpcss
Name: SamSs
Description: Stores security information for local user accounts.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\lsass.exe
Name: Schedule
Description: Enables a user to configure and schedule automated tasks on
this computer. If this service is stopped, these tasks will not be run at
their scheduled times. If this service is disabled, any services that
explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvc
Name: ScsiAccess
Description:
Startup Mode: Auto
Run from: C:\WINDOWS\System32\ScsiAccess.EXE
Name: seclogon
Description: Enables starting processes under alternate credentials. If this
service is stopped, this type of logon access will be unavailable. If this
service is disabled, any services that explicitly depend on it will fail to
start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: SENS
Description: Tracks system events such as Windows logon, network, and power
events. Notifies COM+ Event System subscribers of these events.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs
Name: ShellHWDetection
Description: Provides notifications for AutoPlay hardware events.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: Spooler
Description: Loads files to memory for later printing.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\spoolsv.exe
Name: srservice
Description: Performs system restore functions. To stop service, turn off
System Restore from the System Restore tab in My Computer->Properties
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: SSDPSRV
Description: Enables discovery of UPnP devices on your home network.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k LocalService
Name: stisvc
Description: Provides image acquisition services for scanners and cameras.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k imgsvc
Name: TapiSrv
Description: Provides Telephony API (TAPI) support for programs that control
telephony devices and IP based voice connections on the local computer and,
through the LAN, on servers that are also running the service.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: TermService
Description: Allows multiple users to be connected interactively to a
machine as well as the display of desktops and applications to remote
computers. The underpinning of Remote Desktop (including RD for
Administrators), Fast User Switching, Remote Assistance, and Terminal
Server.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: Themes
Description: Provides user experience theme management.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: TrkWks
Description: Maintains links between NTFS files within a computer or across
computers in a network domain.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs
Name: W32Time
Description: Maintains date and time synchronization on all clients and
servers in the network. If this service is stopped, date and time
synchronization will be unavailable. If this service is disabled, any
services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
Name: WebClient
Description: Enables Windows-based programs to create, access, and modify
Internet-based files. If this service is stopped, these functions will not
be available. If this service is disabled, any services that explicitly
depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k LocalService
Name: winmgmt
Description: Provides a common interface and object model to access
management information about operating system, devices, applications and
services. If this service is stopped, most Windows-based software will not
function properly. If this service is disabled, any services that explicitly
depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs
Name: wuauserv
Description: Enables the download and installation of critical Windows
updates. If the service is disabled, the operating system can be manually
updated at the Windows Update Web site.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs
Name: WZCSVC
Description: Provides automatic configuration for the 802.11 adapters
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs
----------------------------- results of HijackThis.exe --------------------------
Logfile of HijackThis v1.97.7
Scan saved at 11:20:57 AM, on 11/28/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\ClearSearch\Loader.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\WINDOWS\System32\SahAgent.exe
C:\Program Files\POP\PopSrv205.exe
C:\Program Files\ToPicks\Bin\Idhost.exe
C:\Program Files\DownloadWare\dw.exe
C:\WINDOWS\System32\IEDriver\IEDriver.exe
C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
C:\Program Files\RVP\bpc.exe
C:\Program Files\POP\sysmono.exe
C:\Program Files\webHancer\Programs\whAgent.exe
C:\Program Files\webHancer\Programs\whSurvey.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Sierra\Planner\PLNRnote.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\PrecisionTime\PrecisionTime.exe
C:\Program Files\Date Manager\DateManager.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\WINDOWS\System32\cmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Topicks\Bin\hthost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\notepad.exe
d:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\sb.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchenhancement.com/searchbar/iev1.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - C:\Program Files\scbar\v2\scbar.dll
O2 - BHO: (no name) - {0352960F-47BE-11D5-AB93-00D0B760B4EB} - C:\Program Files\Topicks\Bin\HtCheck2.dll
O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70A - (no file)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_48.dll
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E77 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E777 - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7778} - C:\Program Files\POP\pop205.dll
O2 - BHO: (no name) - {665ACD90-4541-4836-9FE4-062386BB8F05} - C:\Program Files\Flt\Flt.dll
O2 - BHO: Support Software - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\Support Software\SS2.DLL
O2 - BHO: (no name) - {947E6D5A-4B9F-4CF4-91B3-562CA8D0 - (no file)
O2 - BHO: (no name) - {947E6D5A-4B9F-4CF4-91B3-562CA8D03 - (no file)
O2 - BHO: (no name) - {947E6D5A-4B9F-4CF4-91B3-562CA8D033 - (no file)
O2 - BHO: (no name) - {947E6D5A-4B9F-4CF4-91B3-562CA8D0331 - (no file)
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B0 - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B08 - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084 - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B0848 - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B08487 - (no file)
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: (no name) - {FAC6E0E1-5D45-4907-BC00-302D70 - (no file)
O2 - BHO: (no name) - {FAC6E0E1-5D45-4907-BC00-302D702 - (no file)
O2 - BHO: (no name) - {FAC6E0E1-5D45-4907-BC00-302D702D - (no file)
O2 - BHO: (no name) - {FAC6E0E1-5D45-4907-BC00-302D702DC - (no file)
O2 - BHO: (no name) - {FAC6E0E1-5D45-4907-BC00-302D702DCC - (no file)
O2 - BHO: (no name) - {FAC6E0E1-5D45-4907-BC00-302D702DCC7 - (no file)
O2 - BHO: (no name) - {FAC6E0E1-5D45-4907-BC00-302D702DCC73} - C:\WINDOWS\system32\cpr.dll
O3 - Toolbar: &POP - {645FD3BC-C314-4F7A-9D2E-64D62A0FDD78} - C:\Program Files\POP\pop205.dll
O3 - Toolbar: Topicks Categories - {80E81A0E-9741-4FBC-8EE3-3B78C04ADA1D} - C:\Program Files\Topicks\Bin\TpBar.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\Run: [POP] C:\Program Files\POP\PopSrv205.exe
O4 - HKLM\..\Run: [ToPicks Starter] C:\Program Files\ToPicks\Bin\Idhost.exe
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IEDriver.exe
O4 - HKLM\..\Run: [SearchEnhancement] "C:\Program Files\scbar\v2\scbar.exe" /U
O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
O4 - HKLM\..\Run: [RVP] "C:\Program Files\RVP\bpc.exe"
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37909.3008564815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{86964C7D-E791-4DDB-BB18-D856C326DDF2}: NameServer = 206.47.244.101 198.235.216.114