AIM: Best Friends / Away Message AIM Virus, Trojan, and Backdoor

Contributed by MickeyMouse, August 16, 2004
Tagged: Instant messaging

msnguyen.exe, aolmsngr.exe, and msginav.exe are examples of process names used in this new AIM trojan. Here’s what it does.


You went to a web page and downloaded what appeared to be a screensaver file, with a name ending in .scr.

Windows warned you, but you downloaded it anyway.

Now your AIM client is acting crazy. You have installed a trojan and here’s how to get rid of it.

This program may do it automatically for you. Even if the program works, you should go through the manual steps below to remove any traces.
http://elon.edu/student/jaleman/BestFriends.htm

Here is the manual way:

Hit CTRL-ALT-DEL to open the Task Manager
Select the Processes tab
Select aolmsngr.exe by left-clicking on it
Hit the End Process button at the bottom of the Task Manager
Say Yes to the warning
This should turn it off.

The bugger hides in c:\windows\system32\aolmsngr.exe.
You should be able to delete it from there.

You’ll also want to remove aolmsngr.exe from the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

You should also do a search for hilarious.scr and delete it whenever you find it.
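
The manual checks above, collected into one PowerShell script as an added example (not part of the original recipe). The process and file names, the system32 location and the two registry keys come from the recipe; the parameter names, the system-drive search root, the `-Remove` switch and the use of PowerShell 3.0 or later are assumptions of this example.

```powershell
# Added example, not from the original recipe: look for the artifacts the
# recipe names. Report-only unless -Remove is given.
param(
    # Names taken from the recipe text; extend the list for renamed variants.
    [string[]]$Names = @('aolmsngr.exe', 'msnguyen.exe', 'msginav.exe'),
    # Screensaver file name from the recipe.
    [string]$Dropper = 'hilarious.scr',
    # Assumption: search the system drive for the screensaver file.
    [string]$SearchRoot = "$env:SystemDrive\",
    [switch]$Remove
)

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)
$findings = @()

# 1. Running processes (Get-Process expects the name without ".exe").
foreach ($n in $Names) {
    $base = [IO.Path]::GetFileNameWithoutExtension($n)
    foreach ($p in @(Get-Process -Name $base -ErrorAction SilentlyContinue)) {
        $findings += [pscustomobject]@{ Type = 'Process'; Where = "PID $($p.Id)"; Detail = $p.Path }
        if ($Remove) { Stop-Process -Id $p.Id -Force }
    }
}

# 2. Copies of the executable in system32.
foreach ($n in $Names) {
    $path = Join-Path $env:SystemRoot "System32\$n"
    if (Test-Path -LiteralPath $path) {
        $stamp = (Get-Item -LiteralPath $path -Force).LastWriteTime
        $findings += [pscustomobject]@{ Type = 'File'; Where = $path; Detail = "modified $stamp" }
        if ($Remove) { Remove-Item -LiteralPath $path -Force }
    }
}

# 3. Autostart values whose data mentions one of the names.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }   # RunServices is often absent
    $item = Get-Item -Path $key
    foreach ($valueName in $item.GetValueNames()) {
        $data = [string]$item.GetValue($valueName)
        foreach ($n in $Names) {
            # Plain substring match, so names containing [ ] are not read as wildcards.
            if ($data.IndexOf($n, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $findings += [pscustomobject]@{ Type = 'Autostart'; Where = "$key [$valueName]"; Detail = $data }
                if ($Remove -and $valueName) { Remove-ItemProperty -Path $key -Name $valueName }
                break
            }
        }
    }
}

# 4. The downloaded screensaver file, anywhere under the search root.
$hits = @(Get-ChildItem -Path $SearchRoot -Filter $Dropper -Recurse -Force -File -ErrorAction SilentlyContinue)
foreach ($f in $hits) {
    $findings += [pscustomobject]@{ Type = 'Dropper'; Where = $f.FullName; Detail = "$($f.Length) bytes" }
    if ($Remove) { Remove-Item -LiteralPath $f.FullName -Force }
}

if ($findings.Count -eq 0) {
    'None of the artifacts named in the recipe were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated prompt; without `-Remove` it only lists what it finds.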

Why is this bad? aolmsngr.exe opens a backdoor into your system and allows other people to gain access at will.

You had to accept several warnings in order to download this. Don’t do this again. I hope this helps.

SP2 would have automatically blocked the download, by the way.

Once you are done, update and run your antivirus and an antispyware program like Spybot. Hopefully, these will clean up any additional programs that the backdoor might have installed on your system.

For other spyware related problems, try this recipe too…


Viewing 112 Comments

    • ^
    • v
    I have this virus and i tried to follow what you say to do. The only problem is when i click for task manager, it only comes up for a second and then it disappears. It just won't stay up no matter how i pull it up! And the website you gave doesn't work. I've done a search and "run" for all the files that you say to look for and it can't find it... but i know you're talking about the same virus because it is exactly what i have! So please, Help me more! Email me at Asher689@hotmail.com PLEASE! This virus is really stressing me out and i've had it for about a month now. I've done tons of virus scans and i just can't get rid of it!
    • ^
    • v
    I am having the exact same problem. Regedit and task manager will not open.
    • ^
    • v
    help me this virus is screwing my comp. i have the same problems of all of u
    • ^
    • v
    The virus above has been edited and renamed by multiple different people. There is no way that I know to list all the potential names of files that you should be looking for. Examples:

    tgbot_pecompact.exe
    tgbot_upx_packed.exe
    tgbot_upx_unpacked.exe
    yahoomsgr.exe
    7a938e2392b773c3f11b0952732b244a.exe
    backdoor.spyboter.as.exe
    backdoor.spyboter.gen[2].exe
    aolmsngr.exe
    zopytlrs.exe
    msginav.exe
    netdll.exe
    netstatt.exe

    If you can't use the task manager, then you won't be able to gain access to them to delete them anyway.

    I am not going to reinstall this virus again to figure it out for you, so you guys are going to have to help me.

    Has anybody tried rebooting into safe mode and using the recipe above?
    Try one of these to get a working copy of taskmanager:
    http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
    http://www.dougknox.com/xp/utils/xp_emerutils.htm

    Let us know if you get your system fixed.
    • ^
    • v
    Great idea, Mickey. As many people probably do not know what is happening to their system, I am going to post a related recipe on this new advice. Those little freeware progies rock.

    The new recipe is here:
    http://www.tech-recipes.com/windows_tips648.html
    • ^
    • v
    i give up.. i did everything you guys said and i get all the way to the system32 file and there is no aolmsngr.exe file at all.. i don't know why but it's not fair and my computer is driving me crazy!!! :cry:
    • ^
    • v
    OKOK DONT CRY!
    Just download aimfix
    http://www.jayloden.com/VirusClean.htm
    • ^
    • v
    Last night and early into this morning a couple friends of mine had the same virus problem. My friend Chelsea got infected somehow and people clicked the link in her away message (hijacked away message) and it installed the virus on their computer. It's posing as a screen saver from the show Friends. After seeing the file type and knowing it was an AIM virus I tried to warn people not to download, but they're sheep :-/ . For me I installed it 3 times to figure it out. First off I have a firewall, and by blocking it from getting internet access it stops it. Ex. If you have a firewall, install the program, it asks for access to the internet and you deny. That will stop it overall. In XP I found that it went into several of my drivers containing Friends in the name. I run on Windows XP. Now, I manually searched it out and deleted several versions.
    So far other than the recipe for deleting already I have found this works SOME of the time on 2000 pro and XP's.

    First, find the original file and delete it... Or better yet, rename it to a .txt type of file.

    Secondly, do several computer searches through the start menu, search for all files and folders; search for every word in the original file name individually, don't be lazy and search for the whole thing!

    Thirdly, delete all those files and after all have been deleted and you double checked they stayed deleted, empty the recycle bin if you already haven't and pull your comp's plug, or hold down power so they don't come back when saving your settings in Windows.

    Boot up and don't access the internet right away. Search for all the files again and make sure they haven't come back. Now go onto the internet and download the Zone Alarms firewall. Log off of the internet and install. Do a virus scan with as many virus programs as you can find... Free ones usually work, search for the files again and delete if necessary. Then log onto the internet. Make sure Zone Alarms security is as high as possible, and don't let anything default access! If anything like aimsrg.exe or something that says AIM that you know isn't the AIM program tries to access then don't let it access :)

    Good luck!
    • ^
    • v
    OK
    http://www.jayloden.com/VirusClean.htm
    IT KILLS ALL AIM VIRUSES
    • ^
    • v
    YO wrote:
    OK
    http://www.jayloden.com/VirusClean.htm
    IT KILLS ALL AIM VIRUSES

    THANKS!!
    U saved me a lot of time.
    i didn't want to follow the manual ways..
    kinda long
    • ^
    • v
    *Crying* people i think i really give up.. i was so excited i worked for hours with what you guys told me.. and i thought for sure i was in the clear bcus i hadn't seen the away message in days... i even helped all my friends get rid of theirs by sending them your guys link.. but somehow the virus had just been "in hiding" or something bcus it returned today.. pop up away note and all.. i even tried that AIMFIX thing that worked for everyone.. just not me =*(
    • ^
    • v
    Anonymous wrote:
    *Crying* people i think i really give up.. i was so excited i worked for hours with what you guys told me.. and i thought for sure i was in the clear bcus i hadn't seen the away message in days... i even helped all my friends get rid of theirs by sending them your guys link.. but somehow the virus had just been "in hiding" or something bcus it returned today.. pop up away note and all.. i even tried that AIMFIX thing that worked for everyone.. just not me =*(

    Download hijack this...
    http://www.richardthelionhearted.com/~merijn/downloads.html

    Create a new thread and post your log file in our spyware forum.

    Log files posted to this thread will be deleted. These clean outs get too confusing with multiple people posting log files...

    Maybe one of us can help you.
    • ^
    • v
    ok i downloaded hijackthis.. now where do i go from here?
    • ^
    • v
    :x it wont let me do ctrl alt delete so ur effin rong
    • ^
    • v
    I am trying to do that Alt+Ctrl+Del to get rid of the trojan virus, but every time i do it, the window goes away. If the virus is making the window disappear, how can i get rid of it?
    • ^
    • v
    AirLamps wrote:
    I am trying to do that Alt+Ctrl+Del to get rid of the trojan virus, but every time i do it, the window goes away. If the virus is making the window disappear, how can i get rid of it?

    Read this:
    http://www.tech-recipes.com/windows_tips648.html
    • ^
    • v
    I HAVE THE SAME DAMN PROBLEM AND NOTHIN WORKS SOMEONE HELP
    • ^
    • v
    i also have the Best Friends virus :cry: and I ran the HijackThis program and I was wondering if someone could take a look at my results and tell me what to delete....thanks! :D

    • ^
    • v
    I downloaded Hijack this and this is my log. My daughter admitted to clicking on the IM away link and now every 2 minutes AIM attempts to load and it is driving me crazy. CTRL Alt Delete is not working, I also downloaded procexpnt and tried to manually get rid of it. Help, does anyone know anything about this log?