Security Tools: Hijackthis Part 1

What is Hijackthis?

Hijackthis, abbreviated as HJT, is a system analysis and spyware removal tool for Microsoft Windows. It was created by Merjin Bellekom and acquired by Trend Micro which is know for its security solutions like anti-virus etc.

Download and Install:

First of all, download Hijackthis from the following URL:
Download Trend Micro Hijackthis
It’s current version is 2.0.2. Download the installer from the above link.
Install Hijackthis and run the application.

Usage:

First it will ask for a user agreement, accept it.
hjtlincense
And then you will get a screen like this:

hjt2
Click the first button which says “Do a system scan and save a logfile”. By default, logfile will be automatically saved in the folder where hijackthis was installed. You can also save it in another location by going to file menu –> save as.
hjt3
This tutorial is for the beginner users who want to scan with hijackthis and send the log to other experts.

«
«

5 responses to “Security Tools: Hijackthis Part 1”

  1. <a href=””tittle=am glad that you could help remove this annoying virus. Please give me more updates through ma email sddress.
    Thanks man for ya help.
    Richard Smith.

  2. Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:19:59 PM, on 8/27/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\StormII\stormliv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Logitech\QuickCam\Quickcam.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\MSN Messenger\livecall.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\TrueCrypt\TrueCrypt.exe
    C:\Program Files\Thunder Network\Thunder\Program\Thunder5.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    O2 – BHO: Thunder AtOnce – {01443AEC-0FD1-40fd-9C87-E93D1494C233} – C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
    O2 – BHO: AcroIEHlprObj Class – {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} – C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 – BHO: (no name) – {7E853D72-626A-48EC-A868-BA8D5E23E045} – (no file)
    O2 – BHO: ThunderBHO – {889D2FEB-5411-4565-8998-1DD2C5261283} – C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
    O4 – HKLM\..\Run: [IMJPMIG8.1] “C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32
    O4 – HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 – HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 – HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 – HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 – HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 – HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
    O4 – HKLM\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 “EPSON Stylus C41 Series” /O5 “LPT1:” /M “Stylus C41”
    O4 – HKLM\..\Run: [Thunder] “C:\Program Files\Thunder Network\Thunder\Thunder.exe” /s
    O4 – HKLM\..\Run: [Google IME Autoupdater] “C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe”
    O4 – HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 – HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 – HKLM\..\Run: [LogitechCommunicationsManager] “C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe”
    O4 – HKLM\..\Run: [LogitechQuickCamRibbon] “C:\Program Files\Logitech\QuickCam\Quickcam.exe” /hide
    O4 – HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 – HKCU\..\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
    O4 – HKCU\..\Run: [Skype] “C:\Program Files\Skype\\Phone\Skype.exe” /nosplash /minimized
    O4 – HKCU\..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
    O4 – Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O8 – Extra context menu item: E&xport to Microsoft Excel – res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 – Extra context menu item: ?????? – C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
    O8 – Extra context menu item: ?????????? – C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
    O8 – Extra context menu item: ?? Messenger Live ?? – \SetMSNDP.htm
    O9 – Extra button: ??????à×5 – {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} – C:\Program Files\Thunder Network\Thunder\Thunder.exe
    O9 – Extra ‘Tools’ menuitem: ??????à×5 – {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} – C:\Program Files\Thunder Network\Thunder\Thunder.exe
    O9 – Extra button: Research – {92780B25-18CC-41C8-B9BE-3C9C571A8263} – C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 – Extra button: Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
    O9 – Extra ‘Tools’ menuitem: Windows Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
    O18 – Protocol: bwfile-8876480 – {9462A756-7B47-47BC-8C80-C34B9B80B32B} – C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O23 – Service: Canon Camera Access Library 8 (CCALib8) – Canon Inc. – C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 – Service: Contrl Center of Storm Media (ccosm) – ???????????? – C:\Program Files\StormII\stormliv.exe
    O23 – Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) – SEIKO EPSON CORPORATION – C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 – Service: LightScribeService Direct Disc Labeling Service (LightScribeService) – Hewlett-Packard Company – C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 – Service: LVCOMSer – Logitech Inc. – C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    O23 – Service: Process Monitor (LVPrcSrv) – Logitech Inc. – C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 – Service: NBService – Nero AG – C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 – Service: NVIDIA Display Driver Service (NVSvc) – NVIDIA Corporation – C:\WINDOWS\system32\nvsvc32.exe

    End of file – 6519 bytes

  3. Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:00:44 PM, on 9/3/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\StormII\stormliv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Logitech\QuickCam\Quickcam.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Thunder Network\Thunder\Program\Thunder5.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\TrueCrypt\TrueCrypt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    O2 – BHO: Thunder AtOnce – {01443AEC-0FD1-40fd-9C87-E93D1494C233} – C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
    O2 – BHO: AcroIEHlprObj Class – {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} – C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 – BHO: (no name) – {7E853D72-626A-48EC-A868-BA8D5E23E045} – (no file)
    O2 – BHO: ThunderBHO – {889D2FEB-5411-4565-8998-1DD2C5261283} – C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
    O4 – HKLM\..\Run: [IMJPMIG8.1] “C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32
    O4 – HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 – HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 – HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 – HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 – HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 – HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
    O4 – HKLM\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 “EPSON Stylus C41 Series” /O5 “LPT1:” /M “Stylus C41”
    O4 – HKLM\..\Run: [Thunder] “C:\Program Files\Thunder Network\Thunder\Thunder.exe” /s
    O4 – HKLM\..\Run: [Google IME Autoupdater] “C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe”
    O4 – HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 – HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 – HKLM\..\Run: [LogitechCommunicationsManager] “C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe”
    O4 – HKLM\..\Run: [LogitechQuickCamRibbon] “C:\Program Files\Logitech\QuickCam\Quickcam.exe” /hide
    O4 – HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 – HKCU\..\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
    O4 – HKCU\..\Run: [Skype] “C:\Program Files\Skype\\Phone\Skype.exe” /nosplash /minimized
    O4 – HKCU\..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
    O4 – Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O8 – Extra context menu item: E&xport to Microsoft Excel – res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 – Extra context menu item: ?????? – C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
    O8 – Extra context menu item: ?????????? – C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
    O8 – Extra context menu item: ?? Messenger Live ?? – \SetMSNDP.htm
    O9 – Extra button: ??????à×5 – {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} – C:\Program Files\Thunder Network\Thunder\Thunder.exe
    O9 – Extra ‘Tools’ menuitem: ??????à×5 – {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} – C:\Program Files\Thunder Network\Thunder\Thunder.exe
    O9 – Extra button: Research – {92780B25-18CC-41C8-B9BE-3C9C571A8263} – C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 – Extra button: Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
    O9 – Extra ‘Tools’ menuitem: Windows Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
    O18 – Protocol: bwfile-8876480 – {9462A756-7B47-47BC-8C80-C34B9B80B32B} – C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O23 – Service: Canon Camera Access Library 8 (CCALib8) – Canon Inc. – C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 – Service: Contrl Center of Storm Media (ccosm) – ???????????? – C:\Program Files\StormII\stormliv.exe
    O23 – Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) – SEIKO EPSON CORPORATION – C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 – Service: LightScribeService Direct Disc Labeling Service (LightScribeService) – Hewlett-Packard Company – C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 – Service: LVCOMSer – Logitech Inc. – C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    O23 – Service: Process Monitor (LVPrcSrv) – Logitech Inc. – C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 – Service: NBService – Nero AG – C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 – Service: NVIDIA Display Driver Service (NVSvc) – NVIDIA Corporation – C:\WINDOWS\system32\nvsvc32.exe

    End of file – 6430 bytes

  4. Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:07:02 PM, on 11/19/2009
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v7.00 (7.00.6002.18005)
    Boot mode: Normal
    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cnnb
    R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cnnb
    R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cnnb
    R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 – HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 – Hosts: ::1 localhost
    O2 – BHO: (no name) – {0198CCBC-1DE5-41C1-AE51-FE208F3D3FFd} – C:\Windows\System32\d3dx10_4032.dll
    O2 – BHO: (no name) – {02478D38-C3F9-4efb-9B51-7695ECA05670} – (no file)
    O2 – BHO: Adobe PDF Reader Link Helper – {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} – C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 – BHO: SSVHelper Class – {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} – C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O4 – HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 – HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 – HKLM\..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
    O4 – HKLM\..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
    O4 – HKLM\..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
    O4 – HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 – HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘LOCAL SERVICE’)
    O4 – HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User ‘LOCAL SERVICE’)
    O4 – HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘NETWORK SERVICE’)
    O9 – Extra button: (no name) – {08B0E5C0-4FCB-11CF-AAA5-00401C608501} – C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 – Extra ‘Tools’ menuitem: Sun Java Console – {08B0E5C0-4FCB-11CF-AAA5-00401C608501} – C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 – Extra button: Send to OneNote – {2670000A-7350-4f3c-8081-5663EE0C6C49} – C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 – Extra ‘Tools’ menuitem: S&end to OneNote – {2670000A-7350-4f3c-8081-5663EE0C6C49} – C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 – Extra button: (no name) – {53F6FCCD-9E22-4d71-86EA-6E43136192AB} – (no file)
    O9 – Extra button: (no name) – {925DAB62-F9AC-4221-806A-057BFB1014AA} – (no file)
    O9 – Extra button: Research – {92780B25-18CC-41C8-B9BE-3C9C571A8263} – C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O13 – Gopher Prefix:
    O16 – DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) – http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 – HKLM\System\CCS\Services\Tcpip\..\{BF915CC9-97A0-4700-BA18-0AB31D1F14E2}: NameServer = 85.255.112.87,85.255.112.195
    O17 – HKLM\System\CCS\Services\Tcpip\..\{DB78239C-EF86-4714-9504-9EB4236D5189}: NameServer = 85.255.112.87,85.255.112.195
    O20 – AppInit_DLLs: C:\Windows\System32\d3dx9_3132.dll
    O23 – Service: Apple Mobile Device – Apple Inc. – C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 – Service: Bonjour Service – Apple Inc. – C:\Program Files\Bonjour\mDNSResponder.exe
    O23 – Service: Com4QLBEx – Hewlett-Packard Development Company, L.P. – C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    O23 – Service: HP Health Check Service – Hewlett-Packard – c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 – Service: hpqwmiex – Hewlett-Packard Development Company, L.P. – C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 – Service: InstallDriver Table Manager (IDriverT) – Macrovision Corporation – C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 – Service: iPod Service – Apple Inc. – C:\Program Files\iPod\bin\iPodService.exe
    O23 – Service: LightScribeService Direct Disc Labeling Service (LightScribeService) – Hewlett-Packard Company – C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 – Service: Recovery Service for Windows – Unknown owner – C:\Windows\SMINST\BLService.exe
    O23 – Service: Cyberlink RichVideo Service(CRVS) (RichVideo) – Unknown owner – C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 – Service: Viewpoint Manager Service – Viewpoint Corporation – C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 – Service: Windows MSI – Unknown owner – \\?\globalrootC:\Windows\system32\msihost.exe (file missing)
    O23 – Service: XAudioService – Conexant Systems, Inc. – C:\Windows\system32\DRIVERS\xaudio.exe

    End of file – 6060 bytes