about:blank blues

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Junkadelphia, Jun 5, 2004.

  1. Junkadelphia

    Junkadelphia Private E-2

    A thread started on 5/16/04 by Robcap spoke about a browser hijacker that changes homepages to say "about:blank". I'm having the same problem.

    I followed the advice in that tread, posted by Nonsuch, and downloaded dllfix.exe -- found at http://tools.zerosrealm.com/dllfix.exe. Below is the log that dllfix produced for me.

    I need help figuring out what to do with this log.

    Unfortunately, I ran Hijackthis and CWShredder before I found this thread, trying to get rid of this bug. I now see from Nonsuch's post that these programs can prompt the bug to morph and hide in the system, returning with each reboot.

    Any help would be greatly appreciated.

    Here is the dllfix log:

    System Info:

    Microsoft Windows XP [Version 5.1.2600]

    C: "" (F86F:EB9D) - FS:NTFS clusters:4k

    Total: 60 019 351 552 [56G] - Free: 27 520 352 256 [26G]





    *IE version and Service packs:

    6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

    *Notepad version :

    ? C:\WINDOWS\system32\notepad.exe

    5.1.2600.0 C:\WINDOWS\notepad.exe

    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

    MinorVersion REG_SZ ;SP1;Q822925;Q330994;Q828750;Q824145;





    Locked or 'Suspect' file(s) found...

    \\?\C:\WINDOWS\System32\RESODG.DLL +++ File read error

    \\?\C:\WINDOWS\System32\RESODG.DLL +++ File read error





    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

    "AppInit_DLLs"=""

    "DeviceNotSelectedTimeout"="15"

    "GDIProcessHandleQuota"=dword:00002710

    "Spooler"="yes"

    "swapdisk"=""

    "TransmissionRetryTimeout"="90"

    "USERProcessHandleQuota"=dword:00002710

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

    @=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F3C81CDA-0BBC-47BB-AEDE-3CACB4E6C85F}]

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

    @="AP Class Install Handler filter"

    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

    @="AP Deflate Encoding/Decoding Filter "

    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

    @="AP GZIP Encoding/Decoding Filter "

    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

    @="AP lzdhtml encoding/decoding Filter"

    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

    "CLSID"="{61D8C364-4EE7-48C1-BAA8-94CCC814800F}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

    "CLSID"="{61D8C364-4EE7-48C1-BAA8-94CCC814800F}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

    @="WebView MIME Filter"

    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"



    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    AppInit_Dlls REG_SZ

    *Security settings for 'Windows' key:



    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)

    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

    (ID-NI) ALLOW Read BUILTIN\Users

    (ID-IO) ALLOW Read BUILTIN\Users

    (ID-NI) ALLOW Full access BUILTIN\Administrators

    (ID-IO) ALLOW Full access BUILTIN\Administrators

    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

    (ID-IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

    Read BUILTIN\Users

    Full access BUILTIN\Administrators

    Full access NT AUTHORITY\SYSTEM
     
    Junkadelphia, Jun 5, 2004
    #1
  2. Adrynalyne

    Adrynalyne Guest

    Install Ad Aware, and update it to the latest version.
    Then run it.
    Then use Hijack This and post your log.
     
    Adrynalyne, Jun 5, 2004
    #2
  3. alanc

    alanc MajorGeek

    The recent update to Adaware and the latest version of CWShredder (1.58) both have added about:blank to their removal lists, so in addition to Adryn's advice try the latest CWShredder.
     
    alanc, Jun 5, 2004
    #3
  4. Junkadelphia

    Junkadelphia Private E-2

    Adrynalyne & Alanc,
    Thanks for the help. I followed your advice with the new version of Ad-Aware and CWShredder.
    Also ran a Hijackthis scan. I think all this worked.
    Here's the Hijack log:

    Logfile of HijackThis v1.97.7
    Scan saved at 7:19:00 PM, on 6/5/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
    C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
    C:\Compaq\EAKDRV\EAUSBKBD.EXE
    C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
    C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
    O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37890.9495486111
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
    Junkadelphia, Jun 5, 2004
    #4
  5. Adrynalyne

    Adrynalyne Guest

    If it works now, thats great.

    As for your log, i would still remove:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

    Do you know why you are using proxy settings?
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
     
    Adrynalyne, Jun 5, 2004
    #5
  6. Junkadelphia

    Junkadelphia Private E-2

    Adrynalyne,
    So far, so good. Thanks again.
    I'll remove those.
    And, honestly, I don't know what proxy settings are.
    Suggestions?
     
    Junkadelphia, Jun 5, 2004
    #6
  7. Junkadelphia

    Junkadelphia Private E-2

    Note: This is cross posted from the thread:
    http://www.majorgeeks.com/vb/showthread.php?p=365191#post365191

    I am having the same problem as Eric. I have followed the advice of posters in other threads on the dreaded "about:blank" problem. I have managed to rid my computer of this thing, sometimes for a few days. But it always returns.

    By way of background -- I am running Windows XP Home Edition 2002. I have downloaded and/or updated the latest copies of CW Shredder, AdAware and Spybot. I have also deleted these files several tims using HijackThis. [Previously, I posted the log in another thread.]

    I have done this with system restore turned off. And it keeps coming back. CW Shredder sometimes notices about:blank and sometimes does not. AdAware and Spybot find it every time and I delete. And still this thing returns.

    I would any help and advice.
     
    Junkadelphia, Jun 11, 2004
    #7
  8. Eric

    Eric Private E-2

    I am convinced this is not fixable. I have again taken peoples advice on here and cannot get it to leave my computer. Hopefully somebody figures it out and posts the correct way to get rid of it.
     
    Eric, Jun 11, 2004
    #8
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay Junk (and Eric if you are listening) are you ready to try something different. I posted this in your thread too Eric. This maybe the only way to fix this. NonSuch was working on using this method in another thread to cure this pain in the ass about:blank problem. I know you began your thread with this Junk. I guess it is time we gave it a try (I know you already have dllfix.exe downloaded and have already ran it, I did see C:\WINDOWS\System32\RESODG.DLL +++ File read error, so ). So do the following:

    1) run start.bat again and select 2. Run Fix
    2) select 2. Run Fix without Dll Name It will be searched for Later

    It will start the fix and search for it own its own. It will complete the rest automatically.
    On windows Xp it will reboot in 15 seconds. On Windows 2000 it will ask you to reboot.
    Please do so immediatly when asked. It will rerun on bootup. After its completed on bootup it will show a log of what it found.

    At this point run full scans with Ad-aware and and SpyBot S&D and allow them to remove what they find. Now reboot again and run CWShredder and allow it to fix anything it finds. If you do not have these programs on your PC yet get them from here: http://www.majorgeeks.com/downloads31.html before beginning this process and have them installed, UPDATED (very important), and ready to go.
    Oh yeah, also download HijaakThis. And run it after CWShredder and post HijaakThis's log.
     
    chaslang, Jun 12, 2004
    #9
  10. Junkadelphia

    Junkadelphia Private E-2

    Chaslang,

    I've been fighting about:blank so long that it worries me a little to say this -- but I think I've got it fixed. It was indeed C:\WINDOWS\System32\RESODG.DLL that kept repopulating it, no matter how many spyware programs I used to track and clean the problem.

    I followed some advice I found on another web site -- http://www.help2go.com/postt7601.html -- and that helped me delete it.

    I'll say it again -- I really appreciate the help you and others on this and other web sites provide. Just to be safe, I'm posting a hijackthis log below for your perusal.

    Junk

    Logfile of HijackThis v1.97.7
    Scan saved at 1:24:20 PM, on 6/12/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\documents and settings\chris brennan\local settings\temp\GoV.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\Compaq\EAKDRV\EAUSBKBD.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
    C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
    C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Chris Brennan\My Documents\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.philly.com/mld/philly
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [GoV] C:\documents and settings\chris brennan\local settings\temp\GoV.exe
    O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
    O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37890.9495486111
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
    Junkadelphia, Jun 12, 2004
    #10

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds