HEY SWATCAT...HELP ME OUT WITH THIS!!


bharathbala2003

why need title?
For details of smss visit
*securityresponse.symantec.com/avcenter/venc/data/w32.dalbug.worm.html

for dllhost
*www.auditmypc.com/free-spyware-removal.asp

for notepad
*www.pchell.com/virus/qaz.shtml
 

khattam_

Fresh Stock Since 2005
I have KAV with latest (extended) updates and it does not detect it as a virus............... Anything I need to worry 'bout..................
 

swatkat

Technomancer
khattam_ said:
----------------------start-----------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:21:04 AM, on 4/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CacheBoost\cbsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CacheBoost\trayicon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Serials 2000 7.1 Plus\serial2k.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\SpeederXP\SpeederXP.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = _khAttAm_
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [CacheBoost] C:\Program Files\CacheBoost\trayicon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpeederXP.lnk = C:\Program Files\SpeederXP\SpeederXP.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O23 - Service: CacheBoost Performance Optimizer and Tuner Service (CacheBoost Service) - Systweak India - C:\Program Files\CacheBoost\cbsrv.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

-------------------End of log-------------------------------

Please help..............

Nothing much wrong in the log, except the Serial2K, what is that software?
Others are legit Windows files.
I suggest you uninstall that software and then delete the folder.
Also, that Xerox folder comes with Windows XP, and you cannot see the files because they are OS-protected files.
 

swatkat

Technomancer
Before you do this, backup the Registry, as described here

BOOT IN SAFE MODE


Go to Start> Run and type regedit and press ENTER.
Then navigate to this key [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main] and click on it to select it. Then it will display some VALUES in the right side pane.
There, delete these values, by right clicking them and choosing "Delete":-
"Search Page"="about:blank"
"Start Page"="about:blank"
"Search Bar"="res://C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\se.dll/spage.html"
"HOMEOldSP"="about:blank"
"Use Search Asst"="no"
"Use Custom Search URL"=dword:00000001




localrun----------------------------------------------------------------------------------
Navigate to this key, [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] and click it to select it. Then it will display some values on the Right side pane.
Among them, right-click on these and click "Delete":-
"sp"="rundll32 C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\se.dll,DllInstall"



usermain------------------------------------------------------------------------------------
Similarly navigate here,[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] and click it.
Then delete the below value.
"sp"="rundll32 C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\se.dll,DllInstall"


Delete SE.DLL file and run CCleaner.
Then reboot to Normal Mode. Post a FRESH HijackThis log.
 

bharathbala2003

why need title?
well swat am not too gud :oops: but then can u explain if the below one is needed?

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
 

sahil_blues

In the zone
hey swatkat...i dont hav a windows xp installation cd...i hav an hp pavilion pc...they gave me 6 backup cds having all the factory shipped softwares including windows....there is no specific windows installation cd...i checked each of them but couldnt find the folder (for installing backup feature)given in the link you provided....am i screwed now??
 

swatkat

Technomancer
Ok, no need of it. Do this instead of the steps provided in that link.
Go to Start> Run and type regedit and press ENTER.
Then go to Registry Menu, and then select the Export Range as All and type a file name as RegBakup and press Ok.

After this, boot in safe mode and then perform the steps provided in my previous post.
 

sahil_blues

In the zone
swatkat said:
Ok, no need of it. Do this instead of the steps provided in that link.
Go to Start> Run and type regedit and press ENTER.
Then go to Registry Menu, and then select the Export Range as All and type a file name as RegBakup and press Ok.

After this, boot in safe mode and then perform the steps provided in my previous post.

i am sorry but i cant find any "registry menu" or "export range"....will clicking on the "my computer", which expands to give all the "hkey" stuff , and exporting it in the name regbackup do the trick??
 

sreevirus

Certified Nutz
bharathbala2003 said:
khattam_ said:
Plus, I have the your favourite HijackThis Log file. Here it goes:

----------------------start-----------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:21:04 AM, on 4/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CacheBoost\cbsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CacheBoost\trayicon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Serials 2000 7.1 Plus\serial2k.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\SpeederXP\SpeederXP.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = _khAttAm_
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [CacheBoost] C:\Program Files\CacheBoost\trayicon.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpeederXP.lnk = C:\Program Files\SpeederXP\SpeederXP.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O23 - Service: CacheBoost Performance Optimizer and Tuner Service (CacheBoost Service) - Systweak India - C:\Program Files\CacheBoost\cbsrv.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

-------------------End of log-------------------------------

Please help..............

fix the entries in red in safe mode and do a scan with CCleaner

[link provided by swatkat]

WHOA....hold ur horses men

yo bharathbala...
smss.exe is a totally safe and REQUIRED SYSTEM process.
smss - smss.exe - Process Information

Process File: smss or smss.exe
Process Name: Session Manager Subsystem

Description:
smss.exe is a process which is a part of the Microsoft Windows Operating System. It is called the Session Manager SubSystem and is responsible for handling sessions on your system. This program is important for the stable and secure running of your computer and should not be terminated. Note: smss.exe is also a process which is registered as the Win32.Ladex.a Trojan. This Trojan allows attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately. Please see additional details regarding this process

Author: Microsoft Corp.
Part Of: Microsoft Windows Operating System

System Process: Yes
Background Process: Yes
Uses Network: No
Hardware Related: No
Common Errors: N/A

Security Risk (0-5): 0
source: *www.liutilities.com/products/wintaskspro/processlibrary/smss/

no offence bharathbala, but did u read the symantec page completely? it was mentioned in that page that the rogue smss.exe will reside as %windir%\smss.exe - i.e. in the windows directory, not in the system32 directory.

furthermore, dllhost.exe is also not any bad process. its also important
dllhost - dllhost.exe - Process Information

Process File: dllhost or dllhost.exe
Process Name: Microsoft DCOM DLL Host Process

Description:
dllhost.exe is a part of the Microsoft Windows Operating System. The dllhost.exe file manages DLL based applications. This program is important for the stable and secure running of your computer and should not be terminated.

Author: Microsoft Corp.
Part Of: Microsoft Windows Operating System

System Process: Yes
Background Process: Yes
Uses Network: No
Hardware Related: No
Common Errors: N/A

Security Risk (0-5): 0
source: *www.liutilities.com/products/wintaskspro/processlibrary/dllhost/

going further, i dont see the reason as to why u shud advice that notepad.exe should be terminated. the notepad.exe u highlighted is a valid process because it is in the system32 directory. most probably, it was running because HJT wud've opened it to show the log file. before u had asked him to fix the process, u should have asked him to check for symptoms shown on that webpage u posted.


and finally, just for information, ctfmon.exe, although not an essential process, its not a malware.
ctfmon - ctfmon.exe - Process Information

Process File: ctfmon or ctfmon.exe
Process Name: Alternative User Input Services

Description:
ctfmon.exe is a part of the Microsoft Office suite. It activates the Alternative User Input Text Input Processor (TIP) and the Microsoft Office XP Language Bar. This program is a non-essential system process, but should not be terminated unless suspected to be causing problems.

Author: Microsoft Corp.
Part Of: Microsoft Office Suite

System Process: Yes
Background Process: Yes
Uses Network: No
Hardware Related: No
Common Errors: N/A

Security Risk (0-5): 0
source: *www.liutilities.com/products/wintaskspro/processlibrary/ctfmon/

cmon dude, u should atleast research a bit before u post, or u'll end up messing up a normal system :|

i wonder how no1 else noticed this. :?
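
Added example (not part of the thread, and not code from HijackThis or any poster): the point made above, that a process name only means something together with the directory it runs from, written as a check over the "Running processes" section of a HijackThis log. The expected-directory table and the sample log are assumptions constructed for this example; the check generalises the smss.exe case to a few other core Windows XP process names.

```python
import ntpath

# Assumption of this example: Windows is installed in C:\WINDOWS (as in the
# logs in this thread). Paths are compared after ntpath.normcase(), i.e. in
# lower case with backslashes.
WINDIR = r"c:\windows"
SYSTEM32 = WINDIR + r"\system32"

# Directories from which each core process name is expected to run on XP.
# A name that is not listed is simply not judged by this check.
EXPECTED_DIRS = {
    "smss.exe": {SYSTEM32},
    "winlogon.exe": {SYSTEM32},
    "services.exe": {SYSTEM32},
    "lsass.exe": {SYSTEM32},
    "svchost.exe": {SYSTEM32},
    "dllhost.exe": {SYSTEM32},
    "ctfmon.exe": {SYSTEM32},
    "notepad.exe": {SYSTEM32, WINDIR},  # XP ships a copy in both places
    "explorer.exe": {WINDIR},
}

# Constructed sample log (not taken from any poster's machine).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


def running_processes(log_text):
    """Return the paths listed under 'Running processes:' in a HijackThis log."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes"):
            in_section = True
        elif in_section:
            if not line:
                if paths:
                    break      # the blank line after the list ends the section
                continue       # tolerate a blank line right after the header
            paths.append(line)
    return paths


def misplaced_system_processes(log_text):
    """Return (name, path) for core process names running from an unexpected directory.

    A match on name and directory does not prove a file is genuine (it could
    have been replaced); a mismatch is the cue to look closer before fixing.
    """
    findings = []
    for path in running_processes(log_text):
        directory, name = ntpath.split(ntpath.normcase(path))
        allowed = EXPECTED_DIRS.get(name)
        if allowed is not None and directory not in allowed:
            findings.append((name, path))
    return findings


if __name__ == "__main__":
    for name, path in misplaced_system_processes(SAMPLE_LOG):
        print(f"check this one: {name} is running from {path}")
```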
 

swatkat

Technomancer
@saahil, oops..:) it is File menu in the Registry Editor. Open regedit and go to File Menu and click "Export" and choose "Export Range" as "All" and give a file name and save it.

After this, boot in safe mode and delete the entries which are indicated in my post above
 

sahil_blues

In the zone
swatkat said:
Before you do this, backup the Registry, as described here

BOOT IN SAFE MODE


Go to Start> Run and type regedit and press ENTER.
Then navigate to this key [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main] and click on it to select it. Then it will display some VALUES in the right side pane.
There, delete these values, by right clicking them and choosing "Delete":-
"Search Page"="about:blank"
"Start Page"="about:blank"
"Search Bar"="res://C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\se.dll/spage.html"
"HOMEOldSP"="about:blank"
"Use Search Asst"="no"
"Use Custom Search URL"=dword:00000001




localrun----------------------------------------------------------------------------------
Navigate to this key, [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] and click it to select it. Then it will display some values on the Right side pane.
Among them, right-click on these and click "Delete":-
"sp"="rundll32 C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\se.dll,DllInstall"



usermain------------------------------------------------------------------------------------
Similarly navigate here,[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] and click it.
Then delete the below value.
"sp"="rundll32 C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\se.dll,DllInstall"


Delete SE.DLL file and run CCleaner.
Then reboot to Normal Mode. Post a FRESH HijackThis log.


I think something went wrong here...u posted the same key name twice and you didnt mention about internet explorer main in user key which also has values like

"Start Page"="about:blank"
"Search Bar"="res://C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\se.dll/spage.html"

any ways i did what you wrote....but the popups keep coming and the file se.dll is not getting deleted (says its in use)....wizardo i know you can get me out of this!!
 

swatkat

Technomancer
hi, you have not posted all of the reg entries i asked.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ and select this branch by clicking on it. Then go to File Menu and click Export. Then type a filename as LocalRun and then click Save.

Similarly, navigate to this key, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ and export it too with a file name UserRun.

Similarly, navigate to this key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main and click it and export it with a filename UserMain.

Navigate to this key HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main and export it with file name LocalMain.

You posted Run entries two times instead of the Internet Explorer Main entries. Post back all the four entries.

Along with that navigate to these keys also HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html and click it to select and then export it as a file named RootText.

Then navigate to this key
HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain and export it under the name RootHtml.
Then open those files in NotePad and post it here. Post ALL of them!
 

sahil_blues

In the zone
sorry my mistake....i am posting the entries again....pls note that i had made changes in some of them....


localmain-----------------------------------------------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="*www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
"Default_Search_URL"="*www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Enable_Disk_Cache"="yes"
"Cache_Percent_of_Disk"=hex:0a,00,00,00
"Delete_Temp_Files_On_Exit"="yes"
"Local Page"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
62,00,6c,00,61,00,6e,00,6b,00,2e,00,68,00,74,00,6d,00,00,00
"Anchor_Visitation_Horizon"=hex:01,00,00,00
"Use_Async_DNS"="yes"
"Placeholder_Width"=hex:1a,00,00,00
"Placeholder_Height"=hex:1a,00,00,00
"CompanyName"="Microsoft Corporation"
"Custom_Key"="MICROSO"
"Wizard_Version"="6.00.2800.1017"
"FullScreen"="no"
"Enable Browser Extensions"="yes"
"Start Page"="about:blank"
"HOMEOldSP"="about:blank"
"Search Bar"="res://C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\se.dll/spage.html"
"Search Page"="about:blank"
"Use Search Asst"="no"
"Use Custom Search URL"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\ErrorThresholds]
"400"=dword:00000200
"403"=dword:00000100
"404"=dword:00000200
"405"=dword:00000100
"406"=dword:00000200
"408"=dword:00000200
"409"=dword:00000200
"410"=dword:00000100
"500"=dword:00000200
"501"=dword:00000200
"505"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT]
"WMPlayer.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS]
"WMPlayer.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL]
"WMPlayer.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE]
"WMPlayer.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
"WMPlayer.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING]
"WMPlayer.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING]
"WMPlayer.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING]
"WMPlayer.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN]
"WMPlayer.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL]
"WMPlayer.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD]
"WMPlayer.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT]
"WMPlayer.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND]
"WMPlayer.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK]
"WMPlayer.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL]
"WMPlayer.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT]
"WMPlayer.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS]
"WMPlayer.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION]
"WMPlayer.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\UrlTemplate]
"1"="www.%s.com"
"2"="www.%s.org"
"3"="www.%s.net"
"4"="www.%s.edu"




localrun-----------------------------------------------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\\WINDOWS\\System32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HPHUPD05"="c:\\Program Files\\HP\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphupd05.exe"
"HPHmon05"="C:\\WINDOWS\\System32\\hphmon05.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"Sunkist2k"="C:\\Program Files\\Multimedia Card Reader\\shwicon2k.exe"
"QuickTime Task"="\"C:\\WINDOWS\\system32\\qttask.exe\" -atboottime"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"sp"="rundll32 C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\se.dll,DllInstall"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




userrun-----------------------------------------------------------------------------------


Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"


usermain-----------------------------------------------------------------------------------


Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"NoUpdateCheck"=dword:00000001
"NoJITSetup"=dword:00000001
"Disable Script Debugger"="yes"
"Show_ChannelBand"="No"
"Anchor Underline"="yes"
"Cache_Update_Frequency"="Once_Per_Session"
"Display Inline Images"="yes"
"Do404Search"=hex:01,00,00,00
"Local Page"="C:\\WINDOWS\\System32\\blank.htm"
"Save_Session_History_On_Exit"="no"
"Show_FullURL"="no"
"Show_StatusBar"="yes"
"Show_ToolBar"="yes"
"Show_URLinStatusBar"="yes"
"Show_URLToolBar"="yes"
"Use_DlgBox_Colors"="yes"
"Window_Placement"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,00,83,ff,ff,00,83,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,fc,ff,ff,ff,fc,ff,ff,ff,04,04,00,00,ed,02,00,\
00
"FullScreen"="no"
"AddToFavoritesExpanded"=dword:00000000
"NotifyDownloadComplete"="no"
"Error Dlg Displayed On Every Error"="no"
"Error Dlg Details Pane Open"="no"
"Use FormSuggest"="no"
"ShowedCheckBrowser"="Yes"
"Check_Associations"="No"
"FormSuggest PW Ask"="no"
"Use Search Asst"="no"
"Toolbars_Placement"=hex:60,dd,69,42,6a,42,6e,c5,95,a7,45,b7,58,48,a0,19,ef,55,\
cd,c5
"Use Custom Search URL"=dword:00000001
"HOMEOldSP"="about:blank"
"Start Page"="about:blank"
"Search Bar"="res://C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\se.dll/spage.html"
"Search Page"="about:blank"



roottext---------------------------------------------------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{3E92D9B8-8296-4F88-9581-75F7EFE38FF6}"




roothtml---------------------------------------------------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{3E92D9B8-8296-4F88-9581-75F7EFE38FF6}"
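
Added example (not part of the thread, and not code from any tool mentioned in it): a small parser for the "Windows Registry Editor Version 5.00" export format posted above, which lists Run and Internet Explorer\Main values whose data points into a Temp directory, the pattern the `sp` and `Search Bar` values show. The function names, the Temp heuristic and the sample export (built from values quoted in this thread) are assumptions of the example.

```python
import re

# "name"=data, where name may contain escaped quotes or backslashes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
STRING_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"$')
# Heuristic (assumption): data that references a path under a Temp directory.
TEMP_RE = re.compile(r'\\(?:temp|tmp)\\', re.IGNORECASE)
# Keys reviewed in this thread; subkeys such as Run\OptionalComponents are skipped.
WATCHED_KEY_SUFFIXES = (
    "\\microsoft\\windows\\currentversion\\run",
    "\\microsoft\\internet explorer\\main",
)

# Constructed sample export, using values quoted in this thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  62,00,6c,00,61,00,6e,00,6b,00,2e,00,68,00,74,00,6d,00,00,00
"Start Page"="about:blank"
"Search Bar"="res://C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\se.dll/spage.html"
"Use Custom Search URL"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="\"C:\\WINDOWS\\system32\\qttask.exe\" -atboottime"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"sp"="rundll32 C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\se.dll,DllInstall"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
'''


def _unescape(text):
    """Undo .reg escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r'\\(.)', r'\1', text)


def _decode(data):
    """Turn the right-hand side of a value line into readable text."""
    quoted = STRING_RE.match(data)
    if quoted:                                   # REG_SZ
        return _unescape(quoted.group(1))
    if data.startswith("hex(2):"):               # REG_EXPAND_SZ, UTF-16LE bytes
        raw = bytes(int(b, 16) for b in data[len("hex(2):"):].split(",") if b)
        return raw.decode("utf-16-le").rstrip("\x00")
    return data                                  # dword:, hex: etc. kept as written


def parse_reg_export(text):
    """Return a list of (key, value_name, data) from a REGEDIT 5.00 export."""
    entries, key, pending = [], None, ""
    for raw_line in text.splitlines():
        line = pending + raw_line.strip()
        pending = ""
        if line.endswith("\\"):                  # hex data continued on next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        match = VALUE_RE.match(line)
        if key is not None and match:
            entries.append((key, _unescape(match.group(1)), _decode(match.group(2))))
    return entries


def suspicious_entries(text):
    """Return watched-key values whose data references a Temp directory."""
    return [
        (key, name, data)
        for key, name, data in parse_reg_export(text)
        if key.lower().endswith(WATCHED_KEY_SUFFIXES) and TEMP_RE.search(data)
    ]


if __name__ == "__main__":
    for key, name, data in suspicious_entries(SAMPLE_REG):
        print(f"[{key}]\n  {name} = {data}")
```

The list is for review, not automatic deletion: a hit says where a value points, and the export taken beforehand is what allows a mistaken deletion to be restored.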
 

swatkat

Technomancer
Boot in safe mode
Go to Start> Run and type regedit and press ENTER.
Navigate to this key and click on it to select/highlight it [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]

Then in the right side pane, right-click on the below entries and click "Delete".
"Start Page"="about:blank"
"HOMEOldSP"="about:blank"
"Search Bar"="res://C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\se.dll/spage.html"
"Search Page"="about:blank"
"Use Custom Search URL"=dword:00000001



Navigate to this key and click on it to select/highlight it [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Then in the right-side pane, right-click on the below listed entry and click "Delete"
"sp"="rundll32 C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\se.dll,DllInstall"


Navigate to this key and click on it to select/highlight it [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
Then right-click on the below listed entries and click "Delete".
"Use Custom Search URL"=dword:00000001
"HOMEOldSP"="about:blank"
"Start Page"="about:blank"
"Search Bar"="res://C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\se.dll/spage.html"
"Search Page"="about:blank"


Then delete the file se.dll and reboot to Normal Mode.
 

sahil_blues

In the zone
hey swatcat...did what you told me to....but the infected entries in the registry keep reappearing....i tried to delete se.dll in the safe mode but it said that "File Cannot Be Deleted As It Is In Use"....then i scanned the file se.dll using trojan hunter....it detected Hijacker trojan and deleted it....i also tried to remove se.dll from the startup items through msconfig but it kept reappearing again...i then restarted in normal mode to find all the entries i deleted still present, se.dll was still there in startup items and another se.dll was present in the folder where it was initially cleaned by trojan hunter.... :(:(
 

swatkat

Technomancer
Boot in safe mode
Go to Start> Run and type regedit and press ENTER.
Navigate to this key and click on it to select/highlight it [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]

Then in the right side pane, right-click on the below entries and click "Delete".
"Start Page"="about:blank"
"HOMEOldSP"="about:blank"
"Search Bar"="res://C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\se.dll/spage.html"
"Search Page"="about:blank"
"Use Custom Search URL"=dword:00000001



Navigate to this key and click on it to select/highlight it [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Then in the right-side pane, right-click on the below listed entry and click "Delete"
"sp"="rundll32 C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\se.dll,DllInstall"


Navigate to this key and click on it to select/highlight it [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
Then right-click on the below listed entries and click "Delete".
"Use Custom Search URL"=dword:00000001
"HOMEOldSP"="about:blank"
"Start Page"="about:blank"
"Search Bar"="res://C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\se.dll/spage.html"
"Search Page"="about:blank"


Then delete the file se.dll and reboot to Normal Mode.

After doing above deletions (again), go to Command Prompt mode in Safe mode only, and from here navigate to the folder where se.dll resides.
You can do this by using dir, cd and cd.. commands.
For example, if you want to go to Temp folder and you are currently in Windows Folder, you have to type,
C:\Windows>cd temp and press ENTER. To get out of a directory type cd.. and press ENTER.

Like that, go to the Folder where SE.DLL is present and type the following:-
regsvr32 /u se.dll and press ENTER. (Note that there is a SPACE after regsvr32 and before /u)

del se.dll and press ENTER.

Repeat the above two commands for both the se.dll files present in your PC.

Also, search for whether these files are present in your System:-
ieplugin.dll
systb.dll
winobject.dll
and post back.
 

sahil_blues

In the zone
i removed the entries in registry...then when i ran your command "regsvrp..." ...this is what it said:-

"se.dll was loaded, but the DLLUnregisterServer entry point was not found. The file cannot be registered."

then i did del se.dll....i checked the location where se.dll was....it was no more there ...but when i ran the computer in normal mode it was there again... :x :x :x


also i didnt find any of the 3 files you mentioned on my pc...
 

swatkat

Technomancer
Ok....This one doesnt wanna go!
Download this tool. Extract the downloaded ZIP file to a folder on Desktop named SpSeHjfix.
Then close ALL the open programs, browsers, folders and then run SpSeHjfix112 and click the button "Start Disinfection".
Reboot your System.
It will generate a log file called SPSeHjFix.log, open it in NotePad and post it here.

Along with it, post the HijackThis log.
 

sahil_blues

In the zone
sorry for the late reply...here are the logs:-

SPSeHjFix.log------------------------------------------------------------------------------------------------

(4/24/05 11:20:43 PM) SPSeHjFix started v1.1.2
(4/24/05 11:20:43 PM) OS: WinXP Service Pack 1 (5.1.2600)
(4/24/05 11:20:43 PM) Language: english
(4/24/05 11:20:43 PM) Win-Path: C:\WINDOWS
(4/24/05 11:20:43 PM) System-Path: C:\WINDOWS\System32
(4/24/05 11:20:43 PM) Temp-Path: C:\DOCUME~1\Owner\LOCALS~1\Temp\
(4/24/05 11:20:45 PM) Disinfection started
(4/24/05 11:20:45 PM) Bad-Dll(IEP): c:\docume~1\owner\locals~1\temp\se.dll
(4/24/05 11:20:45 PM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\System32\ooen.dll
(4/24/05 11:20:45 PM) Searchassistant Uninstaller - Keys Deleted
(4/24/05 11:20:45 PM) UBF: 10 - UBB: 1 - UBR: 16
(4/24/05 11:20:45 PM) FilterKey: HKCR\text/html (deleted)
(4/24/05 11:20:45 PM) FilterKey: HKCR\CLSID\{3E92D9B8-8296-4F88-9581-75F7EFE38FF6} (deleted)
(4/24/05 11:20:45 PM) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(4/24/05 11:20:45 PM) FilterKey: HKCR\text/plain (deleted)
(4/24/05 11:20:45 PM) FilterKey: HKCR\CLSID\{3E92D9B8-8296-4F88-9581-75F7EFE38FF6} (error while deleting)
(4/24/05 11:20:45 PM) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(4/24/05 11:20:45 PM) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0A3FC712-2CF3-43EA-AB79-35AAEECA66F6} (deleted)
(4/24/05 11:20:45 PM) BHO-Key: HKCR\CLSID\{0A3FC712-2CF3-43EA-AB79-35AAEECA66F6} (deleted)
(4/24/05 11:20:45 PM) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll,DllInstall (deleted)
(4/24/05 11:20:45 PM) UBF: 8 - UBB: 0 - UBR: 15
(4/24/05 11:20:45 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\owner\locals~1\temp\se.dll/spage.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\owner\locals~1\temp\se.dll/spage.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(4/24/05 11:20:45 PM) Stealth-String not found
(4/24/05 11:20:45 PM) File added to delete: c:\windows\system32\ooen.dll
(4/24/05 11:20:45 PM) File added to delete: c:\docume~1\owner\locals~1\temp\se.dll
(4/24/05 11:20:45 PM) Reboot


(4/24/05 11:22:13 PM) SPSeHjFix started v1.1.2
(4/24/05 11:22:13 PM) OS: WinXP Service Pack 1 (5.1.2600)
(4/24/05 11:22:13 PM) Language: english
(4/24/05 11:22:13 PM) Win-Path: C:\WINDOWS
(4/24/05 11:22:13 PM) System-Path: C:\WINDOWS\System32
(4/24/05 11:22:13 PM) Temp-Path: C:\DOCUME~1\Owner\LOCALS~1\Temp\
(4/24/05 11:22:54 PM) Disinfection started
(4/24/05 11:22:54 PM) Bad-Dll(IEP): c:\docume~1\owner\locals~1\temp\se.dll
(4/24/05 11:22:54 PM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\System32\ooen.dll
(4/24/05 11:22:54 PM) Searchassistant Uninstaller - Keys Deleted
(4/24/05 11:22:54 PM) UBF: 10 - UBB: 1 - UBR: 16
(4/24/05 11:22:54 PM) FilterKey: HKCR\text/html (deleted)
(4/24/05 11:22:54 PM) FilterKey: HKCR\CLSID\{145C7543-743E-440C-A6AB-EDFD255EA04B} (deleted)
(4/24/05 11:22:54 PM) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(4/24/05 11:22:54 PM) FilterKey: HKCR\text/plain (deleted)
(4/24/05 11:22:54 PM) FilterKey: HKCR\CLSID\{145C7543-743E-440C-A6AB-EDFD255EA04B} (error while deleting)
(4/24/05 11:22:54 PM) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(4/24/05 11:22:54 PM) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E0AF64D8-81FD-4F6D-A847-ACF9DE9ACBD1} (deleted)
(4/24/05 11:22:54 PM) BHO-Key: HKCR\CLSID\{E0AF64D8-81FD-4F6D-A847-ACF9DE9ACBD1} (deleted)
(4/24/05 11:22:54 PM) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll,DllInstall (deleted)
(4/24/05 11:22:54 PM) UBF: 8 - UBB: 0 - UBR: 15
(4/24/05 11:22:54 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\owner\locals~1\temp\se.dll/spage.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\owner\locals~1\temp\se.dll/spage.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(4/24/05 11:22:54 PM) Stealth-String not found
(4/24/05 11:22:54 PM) File added to delete: c:\windows\system32\ooen.dll
(4/24/05 11:22:54 PM) File added to delete: c:\docume~1\owner\locals~1\temp\se.dll
(4/24/05 11:22:54 PM)


HijackThis Log-------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:42:28 AM, on 4/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\ping.exe
C:\Program Files\Y'Z\Y'Z Dock\YzDock.exe
C:\Program Files\Sify Broadband\BBClient.exe
C:\Program Files\Y'Z\Y'Z Toolbar\YzToolBar.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {0A3FC712-2CF3-43EA-AB79-35AAEECA66F6} - C:\WINDOWS\System32\ooen.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - *download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - *download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CA3ED4E-9E2C-4C84-8181-3F208DCE5584}: NameServer = 202.144.115.4,202.144.66.6
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\WINDOWS\myCIO\Agent\myRmProt2.8.1.119.dll
O18 - Filter: text/html - {3E92D9B8-8296-4F88-9581-75F7EFE38FF6} - C:\WINDOWS\System32\ooen.dll
O18 - Filter: text/plain - {3E92D9B8-8296-4F88-9581-75F7EFE38FF6} - C:\WINDOWS\System32\ooen.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
 