63 replies to this topic

[Prolatariat_]

Ewido just picked up this again...

csrssa.exe
C:\WINDOWS\system32
Infection: Backdoor.Codbot.at
Cleaned the file.

[LDTate]

click Start>Run and type regedit tap enter key.


Regedit will open. Make sure My Computer is highlighted. At the top of the window click edit> Find> then copy and paste the following into the window.

csrssa.exe

Then click find now.
When you find the entry right click on it and select delete, answer ok at the prompt.
Next, press "F3" to continue searching, if another instance is found, repeat the above steps, until you see the "completed searching" message.

[Prolatariat_]

Deleted 3 items. I also deleted 2 files from Ewido quarantine.

[LDTate]

We'll keep after it until we kill it

[Prolatariat_]

I'm going to download an updated version of PC-cillin later tonight. Will this help?

[LDTate]

Yes, I would think so. Also make sure windows has all the latest patches.

[Prolatariat_]

I will have to wait a day or two to upgrade anti-virus due to CC. Windows update gives me this error message: The site cannot continue because one or more of these Windows services is not running: Automatic Updates (allows the site to find, download and install high-priority updates for your computer) Background Intelligent Transfer Service (BITS) (helps updates download more quickly and without problems if the download process is interrupted) Event Log (keeps a record of updating activities to help with troubleshooting, if needed) My computer was running fine earlier today, although Ewido picked up this when I ran a scan: --------------------------------------------------------- ewido security suite - Scan report --------------------------------------------------------- + Created on: 5:29:38 PM, 11/11/2005 + Report-Checksum: 2F020FE1 + Scan result: C:\WINDOWS\system32\TFTP3880 -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup :mozilla.28:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\mdxvw08d.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup ::Report End SpyBot removed the following: Settings HKEY_USERS\S-1-5-18\SYSTEM\CurrentControlSet\Control\Lsa Settings HKEY_USERS\S-1-5-21-3500330718-382615216-485408677-1003\SYSTEM\CurrentControlSet\Control\Lsa Settings HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa Settings HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msdirectx Settings HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx I also came back to my computer to find an error message saying "Csrssa.exe has encountered a problem and needs to close".

[LDTate]

I'm at work so I don't have much time right now. Have we tried this one?

Narrator/Qoologic trojan. It is tricky because all of the files are hidden when you use Windows Explorer or the Task Manager. To get a better look at it we will need you to do this.

• Download FindIt NT-2K-XP.
• Unzip the contents of FindIt NT-2K-XP.zip to a convenient location.
• Navigate to the FindIt NT-2K-XP directory.
• Double-click on FindNarrator.bat and wait for it to run.
• It should open a Notepad window with the FindVX2 log.
• Post the contents of FindNarrator.txt into your next post.

[Prolatariat_]

---------------- FindNarrator NT-2K-XP ---------------- Warning! This utility will find legitimate files in addition to malware. Do not remove anything unless you are sure you know what you're doing. ***** Operating System ***** Microsoft Windows XP Home Edition 5.1 Service Pack 1 (Build 2600) ********* Date/Time ******** Sunday, November 13, 2005 (11/13/2005) 12:43 PM, New Zealand Standard Time *********** Path *********** FindNarrator.bat is running from: C:\Documents and Settings\Owner\Desktop\FindIt NT-2K-XP\FindIt NT-2K-XP ---------------- Strings.exe Qoologic Results ---------------- ---------------- Strings.exe Aspack Results ---------------- C:\WINDOWS\system32\MRT.exe: (ASPack) C:\WINDOWS\system32\MRT.exe: (AsPack2k) C:\WINDOWS\system32\MRT.exe: (ASPack 1.00b) C:\WINDOWS\system32\MRT.exe: (ASPack 2.1) C:\WINDOWS\system32\MRT.exe: (ASPack 2.12) C:\WINDOWS\system32\MRT.exe: (ASPack 2.11) C:\WINDOWS\system32\MRT.exe: (ASPack 2.000) C:\WINDOWS\system32\MRT.exe: (ASPack 2.001) C:\WINDOWS\system32\MRT.exe: (ASPack 2.11x) C:\WINDOWS\system32\MRT.exe: ASPack2000 C:\WINDOWS\system32\MRT.exe: ASPack 1.61 C:\WINDOWS\system32\MRT.exe: ASPack 1.084 C:\WINDOWS\system32\MRT.exe: ASPack 1.083 C:\WINDOWS\system32\MRT.exe: ASPack 1.08.02b C:\WINDOWS\system32\MRT.exe: ASPack 1.07b C:\WINDOWS\system32\MRT.exe: ASPack 1.05b C:\WINDOWS\system32\MRT.exe: ASPack 1.02 C:\WINDOWS\system32\MRT.exe: ASPACK C:\WINDOWS\system32\MRT.exe: aspACK C:\WINDOWS\system32\MRT.exe: aspACK C:\WINDOWS\system32\MRT.exe: aspACK C:\WINDOWS\system32\MRT.exe: aspACK C:\WINDOWS\system32\MRT.exe: aspACK C:\WINDOWS\system32\MRT.exe: aspACK C:\WINDOWS\system32\MRT.exe: aspACK ---------------- Active Setup Installed Components ---------------- ! REG.EXE VERSION 3.0 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{02f78298-8af6-495c-9ecb-b6ae68678186} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608555} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{10072CEC-8CC1-11D1-986E-00A0C955B42F} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{283807B5-2C60-11D0-A31D-00AA00B92C03} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{36f8ec70-c29a-11d1-b5c7-0000f8051515} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3bf42070-b3b1-11d1-b5c5-0000f8051515} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4278c270-a269-11d1-b5bf-0000f8051515} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015C} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f216970-c90c-11d1-b5c7-0000f8051515} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5A8D6EE0-3E18-11D0-821E-444553540000} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{73FA19D0-2D75-11D2-995D-00C04F98BBC9} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{839117ee-2132-4bae-a56a-42b50204c9b9} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CC2A9BA0-3BDD-11D0-821E-444553540000} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11cf-96B8-444553540000} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E} ---------------- Context Menu Handlers ---------------- REGEDIT4 [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers] [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido] @="{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}" [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files] @="{750fdf0e-2a26-11d1-a3ea-080036587f03}" [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With] @="{09799AFB-AD67-11d1-ABCD-00C04FC30936}" [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu] @="{A470F8CF-A1E8-4f65-8335-227475AA5C46}" [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR] @="{B41DB860-8EE4-11D2-9906-E49FADC173CA}" [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{48F45200-91E6-11CE-8A4F-0080C81A28D4}] [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}] @="Start Menu Pin" ---------------- Run Key ---------------- REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Hcontrol"="C:\\WINDOWS\\ATK0100\\Hcontrol.exe" "AGRSMMSG"="AGRSMMSG.exe" "SoundMan"="SOUNDMAN.EXE" "ASUS Live Update"="C:\\Program Files\\ASUS\\ASUS Live Update\\ALU.exe" "Power_Gear"="C:\\Progra~1\\ASUS\\Power4 Gear\\BatteryLife.exe 1" "SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe" "SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe" "SiS Tray"="C:\\WINDOWS\\System32\\sistray.EXE" "SiS KHooker"="C:\\WINDOWS\\System32\\khooker.exe" "pccguide.exe"="\"c:\\Program Files\\Trend Micro\\PC-cillin 2002\\pccguide.exe\"" "PCCClient.exe"="\"c:\\Program Files\\Trend Micro\\PC-cillin 2002\\PCCClient.exe\"" "Pop3trap.exe"="\"c:\\Program Files\\Trend Micro\\PC-cillin 2002\\Pop3trap.exe\"" "EPSON Stylus C45 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I3T1.EXE /P23 \"EPSON Stylus C45 Series\" /O6 \"USB001\" /M \"Stylus C45\"" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL] "Installed"="1" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI] "Installed"="1" "NoChange"="1" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS] "Installed"="1" ---------------- FindNarrator NT-2K-XP ---------------- 

[LDTate]

Nothing there. Are still getting warnings?

Go here and run this tool.
http://www.microsoft...ve/default.mspx

Edited by LDTate, 12 November 2005 - 06:10 PM.

[Prolatariat_]

PC-cillin is no longer detecting the viruses and Ewido is fine too. I ran the microsoft malware program and it didn't find anything either. Although I did get another message saying "Csrssa.exe has encountered a problem and needs to close". Apart from that my laptop appears to be running normally again. I don't have problems disconnecting from the internet, media player is working, and I can shutdown without it refusing to or taking an hour.

[LDTate]

Have a look in the registry again.

click Start>Run and type regedit tap enter key.


Regedit will open. Make sure My Computer is highlighted. At the top of the window click edit> Find> then copy and paste the following into the window.

csrssa.exe

Then click find now.
When you find the entry right click on it and select delete, answer ok at the prompt.
Next, press "F3" to continue searching, if another instance is found, repeat the above steps, until you see the "completed searching" message.

[Prolatariat_]

It doesn't find anything in the registry. I installed PC-cillin Internet Security 2006 yesterday and it picked up 2 trojans during instalation: TROJ_SMALL-1 --> deleted TROJ_LOWZONES.DW, Found in C:\goaway.exe --> quarantined PC-Cillin log: "Virus Scan","2005/11/13","LIZ" "Time","Event","Source Type","Virus Name","File Name","First Action","Second Action" "19:15","Manual Scan","File","TROJ_LOWZONES.DW","C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\012J05EB\goaway[1].exe","Quarantine Success","" "19:18","Manual Scan","File","WORM_SPYBOT.AJC","C:\WINDOWS\system32\csrssa.exe","Quarantine Success","" "19:28","Manual Scan","File","TROJ_LOWZONES.DW","C:\System Volume Information\_restore{FC301464-7AA8-49C8-BE33-DDCE92464080}\RP203\A0036882.exe","Quarantine Success","" "19:28","Manual Scan","File","WORM_SPYBOT.AJC","C:\System Volume Information\_restore{FC301464-7AA8-49C8-BE33-DDCE92464080}\RP204\A0036897.exe","Quarantine Success","" "19:29","Manual Scan","File","WORM_SPYBOT.AJC","C:\System Volume Information\_restore{FC301464-7AA8-49C8-BE33-DDCE92464080}\RP199\A0035434.exe","Quarantine Success","" I deleted them all from quarantine. Finally managed to get Windows Update to work as well.

[LDTate]

Post a new HJT log.

[Prolatariat_]

Logfile of HijackThis v1.99.1
Scan saved at 4:00:57 PM, on 11/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRAM FILES\EWIDO\SECURITY SUITE\EWIDOGUARD.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPROXY.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATK0100\Hcontrol.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Progra~1\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\WINDOWS\SYSTEM32\MSACONFIG.EXE
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\Asus\Asus ChkMail\ChkMail.exe
C:\Program Files\Asus\ASUS Hotkey\Hotkey.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.asus.com.tw/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com.tw
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Progra~1\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Progra~1\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"
O4 - HKLM\..\Run: [Microsft Configure 32] msaconfig.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\RunServices: [Microsft Configure 32] msaconfig.exe
O4 - HKCU\..\Run: [Microsft Configure 32] msaconfig.exe
O4 - Global Startup: ASUS ChkMail.lnk = C:\Program Files\Asus\Asus ChkMail\ChkMail.exe
O4 - Global Startup: Hotkey.lnk = C:\Program Files\Asus\ASUS Hotkey\Hotkey.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com.tw
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{B07785A4-6781-4DCB-80F7-446FE11A7B90}: NameServer = 203.96.152.4 203.96.152.12
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe