ie meltdown


12 replies to this topic

#1 thrasher4811
Posted 08 June 2004 - 09:14 AM

Hello knowledgeable ones. Yesterday I opened my computer as I normally would, and when I opened the internet the screen went crazy. It started opening page after page until the system was overloaded, and then the computer froze. I ran HijackThis and fixed what I could, but I am not sure I got it all. Could someone please look at this log for me? Thanks in advance.

Logfile of HijackThis v1.96.0
Scan saved at 1:28:27 AM, on 06/08/2004
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SLMSS\SLMSS.EXE
C:\WINDOWS\MWSVM.EXE
C:\WINDOWS\SYSTEM\KEYWORD.EXE
C:\WINDOWS\MSCMGR.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\SYSTEM\CDSM32.DLL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {D537A3D0-8C07-4D62-953F-162207F5090D} - C:\WINDOWS\SYSTEM\regsvrac32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [srng] \Program Files\Srng\Srng.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\SYSTEM\MANAGE.exe
O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\SYSTEM\KEYWORD.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Installer] C:\WINDOWS\SYSTEM\WINST.EXE
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Arce] C:\WINDOWS\Application Data\uaia.exe
O4 - HKCU\..\Run: [ClockSync] "C:\Program Files\ClockSync\Sync.exe" /q
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Control Pad (HKLM)
O9 - Extra 'Tools' menuitem: Control Pad (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai...meInstaller.exe
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs8.chat.yaho...v43/yacscom.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.15...tiveXImgCtl.CAB
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai...uditControl.cab
O16 - DPF: {430DDE24-C051-11CF-95BE-0020AFF75E4F} (ichat xchat Control) - http://tank.wizards....sie/msichat.ocx
O16 - DPF: {C3EF17D6-2201-11D4-9F0E-00B0D011B1AE} (Communities.com Passport) - http://cartoonorbit..../winorbiter.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.c...ex/tdserver.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.hallofher...sses/CFJava.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7907.7237268519
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.../US/install.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {BAA165DA-1DAF-4F18-9A28-E0D2D3937A1F} (Wrapper Class) - http://webevents.bro...sionBrowser.CAB
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) - http://www.jraun.com...ActivexTest.ocx

#2 thrasher4811
Posted 08 June 2004 - 12:49 PM

BUMP. Can anyone help? Please.

#3 WinHelp2002
Posted 08 June 2004 - 02:43 PM

Hi,
Reconfigure Windows 98 to show hidden files:
Double-click the My Computer icon on the Windows desktop.
Click the View menu, and then click Options or Folder Options.
Click the View tab.

In the Advanced settings box, under the "Hidden files" folder
Uncheck: "Hide file extensions for known file types"
Select: "Show all files" and OK the prompt.
Click Apply, and then click OK.

Close all open windows except for HijackThis, then place a check in each of the following.
Then click "Fix checked".

R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\SYSTEM\CDSM32.DLL
O2 - BHO: (no name) - {D537A3D0-8C07-4D62-953F-162207F5090D} - C:\WINDOWS\SYSTEM\regsvrac32.dll
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [srng] \Program Files\Srng\Srng.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\SYSTEM\MANAGE.exe
O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\SYSTEM\KEYWORD.exe
O4 - HKLM\..\RunServices: [Installer] C:\WINDOWS\SYSTEM\WINST.EXE
O4 - HKCU\..\Run: [Arce] C:\WINDOWS\Application Data\uaia.exe
O4 - HKCU\..\Run: [ClockSync] "C:\Program Files\ClockSync\Sync.exe" /q
O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) - http://www.jraun.com...ActivexTest.ocx


Then reboot and, on restart, restart in Safe Mode (see "How To" below).

Open Windows Explorer, locate and delete the following:

C:\Program Files\ClockSync <--this folder
C:\Program Files\Common Files\slmss <--this folder
C:\Program Files\Srng <--this folder
C:\WINDOWS\SYSTEM\CDSM32.DLL <--this file
C:\WINDOWS\SYSTEM\regsvrac32.dll <--this file
C:\WINDOWS\mwsvm.exe <--this file
C:\WINDOWS\wdskctl.exe <--this file
C:\WINDOWS\SYSTEM\MANAGE.exe <--this file
C:\WINDOWS\SYSTEM\KEYWORD.exe <--this file
C:\WINDOWS\SYSTEM\WINST.EXE <--this file
C:\WINDOWS\Application Data\uaia.exe <--this file

Restart normally, then update and rescan with SpyBot, reboot, and post a fresh log.
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#4 thrasher4811
Posted 08 June 2004 - 09:11 PM

It is better, but still needs some cleansing.

Logfile of HijackThis v1.96.0
Scan saved at 7:07:10 PM, on 06/08/2004
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\PQLMERI.EXE
C:\PROGRAM FILES\INTERNET OPTIMIZER\OPTIMIZE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\WINDOWS\SYSTEM\MSMC.EXE
C:\PROGRAM FILES\BARGAIN BUDDY\BIN2\BARGAINS.EXE
C:\PROGRAM FILES\INTERNET OPTIMIZER\ACTALERT.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\SYSTEM\BRIDGE.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM218.DLL
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\WSEM218.DLL
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRAM FILES\BARGAIN BUDDY\BIN2\APUC.DLL
O2 - BHO: (no name) - {D537A3D0-8C07-4D62-953F-162207F5090D} - C:\WINDOWS\SYSTEM\regsvrac32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
O4 - HKLM\..\Run: [cmvhhp] C:\WINDOWS\SYSTEM\pqlmeri.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [NDSRV32R] C:\WINDOWS\SYSTEM\NDSRV32R.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Control Pad (HKLM)
O9 - Extra 'Tools' menuitem: Control Pad (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai...meInstaller.exe
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs8.chat.yaho...v43/yacscom.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.15...tiveXImgCtl.CAB
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai...uditControl.cab
O16 - DPF: {430DDE24-C051-11CF-95BE-0020AFF75E4F} (ichat xchat Control) - http://tank.wizards....sie/msichat.ocx
O16 - DPF: {C3EF17D6-2201-11D4-9F0E-00B0D011B1AE} (Communities.com Passport) - http://cartoonorbit..../winorbiter.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.c...ex/tdserver.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.hallofher...sses/CFJava.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7907.7237268519
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.../US/install.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {BAA165DA-1DAF-4F18-9A28-E0D2D3937A1F} (Wrapper Class) - http://webevents.bro...sionBrowser.CAB
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
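
The helper's fix list in post #3 and the fresh log above are exactly the two inputs a responder wants to compare mechanically: which entries went away, which new ones appeared, and which "fixed" entries are still there (here the regsvrac32.dll BHO survived, and new BHOs such as BRIDGE.DLL turned up). The script below is an added example, not code from the original thread or from HijackThis; its two log excerpts and the fix list are constructed from lines quoted in this thread, and the function names are my own.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpts of the two HijackThis logs posted in this thread
# (post #1 before the fix, post #4 after it), cut down to a few lines each.
LOG_BEFORE = r"""
Logfile of HijackThis v1.96.0
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\MWSVM.EXE

R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\SYSTEM\CDSM32.DLL
O2 - BHO: (no name) - {D537A3D0-8C07-4D62-953F-162207F5090D} - C:\WINDOWS\SYSTEM\regsvrac32.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKCU\..\Run: [Arce] C:\WINDOWS\Application Data\uaia.exe
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.96.0
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\PQLMERI.EXE

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\SYSTEM\BRIDGE.DLL
O2 - BHO: (no name) - {D537A3D0-8C07-4D62-953F-162207F5090D} - C:\WINDOWS\SYSTEM\regsvrac32.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [cmvhhp] C:\WINDOWS\SYSTEM\pqlmeri.exe
"""

# Subset of the lines the helper asked to "Fix checked" in post #3 (constructed).
FIX_LIST = [
    r"R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\SYSTEM\CDSM32.DLL",
    r"O2 - BHO: (no name) - {D537A3D0-8C07-4D62-953F-162207F5090D} - C:\WINDOWS\SYSTEM\regsvrac32.dll",
    r"O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe",
    r"O4 - HKCU\..\Run: [Arce] C:\WINDOWS\Application Data\uaia.exe",
]

# HijackThis entry lines start with a section code ("R3 - ", "O2 - ", "O16 - ");
# the header and the running-process list are plain text/paths and never match.
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.+)$")
# O4 body layout: HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")


def parse_entries(log: str) -> Dict[str, List[str]]:
    """Group a log's entry lines by section code (R3, O2, O4, O16, ...)."""
    groups: Dict[str, List[str]] = {}
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            groups.setdefault(m.group("kind"), []).append(line)
    return groups


def entry_set(log: str) -> Set[str]:
    return {line for lines in parse_entries(log).values() for line in lines}


def diff_logs(before: str, after: str) -> Tuple[Set[str], Set[str]]:
    """Return (removed, added): entries that disappeared and entries that are new."""
    b, a = entry_set(before), entry_set(after)
    return b - a, a - b


def still_present(fix_list: List[str], after: str) -> List[str]:
    """Fix-list entries that survived the fix (or were re-created afterwards)."""
    a = entry_set(after)
    return [line for line in fix_list if line in a]


def autoruns(log: str) -> List[dict]:
    """Decode O4 lines into hive / key / value name / command for further checks."""
    decoded = []
    for line in parse_entries(log).get("O4", []):
        m = O4_RE.match(line[len("O4 - "):])
        if m:
            decoded.append(m.groupdict())
    return decoded


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed:", *sorted(removed), sep="\n  ")
    print("added:", *sorted(added), sep="\n  ")
    print("fix-list entries still present:", *still_present(FIX_LIST, LOG_AFTER), sep="\n  ")
```

A non-empty "still present" list after a fix is the signal that something is re-creating the entries (a running component reinstalling them, or a second infection), which is the situation the next post in this thread addresses by asking whether SpyBot was actually run.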

#5 WinHelp2002
Posted 08 June 2004 - 10:05 PM

Hi,
Are you sure you ran SpyBot (v. 1.3)?

Close all open windows except for HijackThis, then place a check in each of the following.
Then click "Fix checked".

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\SYSTEM\BRIDGE.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM218.DLL
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\WSEM218.DLL
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRAM FILES\BARGAIN BUDDY\BIN2\APUC.DLL
O2 - BHO: (no name) - {D537A3D0-8C07-4D62-953F-162207F5090D} - C:\WINDOWS\SYSTEM\regsvrac32.dll
O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
O4 - HKLM\..\Run: [cmvhhp] C:\WINDOWS\SYSTEM\pqlmeri.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [NDSRV32R] C:\WINDOWS\SYSTEM\NDSRV32R.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe
O9 - Extra button: Control Pad (HKLM)
O9 - Extra 'Tools' menuitem: Control Pad (HKLM)


Then reboot and, on restart, restart in Safe Mode (see "How To" below).

Open Windows Explorer, locate and delete the following:

C:\WINDOWS\SYSTEM\BRIDGE.DLL <--this file
C:\WINDOWS\TWAINTEC.DLL <--this file
C:\WINDOWS\TWAINTEC.INI <--this file
C:\WINDOWS\NEM218.DLL <--this file
C:\WINDOWS\WSEM218.DLL <--this file
C:\WINDOWS\SYSTEM\regsvrac32.dll <--this file
C:\WINDOWS\SYSTEM\A.EXE <--this file
C:\WINDOWS\SYSTEM\pqlmeri.exe <--this file
C:\WINDOWS\SYSTEM\NDSRV32R.exe <--this file
C:\WINDOWS\SYSTEM\msmc.exe <--this file
C:\PROGRAM FILES\BARGAIN BUDDY <--this folder
C:\Program Files\Internet Optimizer <--this folder

Restart normally and then ...

Download the latest version of Ad-Aware:
http://www.lavasoft....ftware/adaware/

After installing AAW, and before running the program:

Reconfigure Ad-Aware for Full Scan:
Please update the reference file following the instructions here:
http://www.lavahelp....dref/index.html

Launch the program, and click on the Gear at the top of the start screen.

Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard drives.

Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.

Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
Please make sure that you activate IN-DEPTH scanning before you proceed.

After the above, post a fresh log ...
Mike

#6 thrasher4811
Posted 09 June 2004 - 01:53 AM

I cannot believe how many items Ad-Aware found! 430 bits and pieces. Anyway, here is the fresh log. Thanks again for the assist.

Logfile of HijackThis v1.96.0
Scan saved at 11:52:32 PM, on 06/08/2004
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER PROFESSIONAL\POPUPSTOPPERPROFESSIONAL.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER PROFESSIONAL\POPUPSTOPPERPROFESSIONAL.EXE"
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai...meInstaller.exe
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs8.chat.yaho...v43/yacscom.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.15...tiveXImgCtl.CAB
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai...uditControl.cab
O16 - DPF: {430DDE24-C051-11CF-95BE-0020AFF75E4F} (ichat xchat Control) - http://tank.wizards....sie/msichat.ocx
O16 - DPF: {C3EF17D6-2201-11D4-9F0E-00B0D011B1AE} (Communities.com Passport) - http://cartoonorbit..../winorbiter.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.c...ex/tdserver.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.hallofher...sses/CFJava.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7907.7237268519
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.../US/install.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {BAA165DA-1DAF-4F18-9A28-E0D2D3937A1F} (Wrapper Class) - http://webevents.bro...sionBrowser.CAB
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab

#7 WinHelp2002
Posted 09 June 2004 - 04:31 AM

Hi,
Your log looks clean now ... good job!

I can not believe how many items adaware found

That's why I asked you if you were running SpyBot 1.3, as it should have removed much more than it did (in previous logs).

Have HijackThis "fix" the following: (then reboot)

R3 - Default URLSearchHook is missing

I would suggest adding some "Defense" to your system ...
See section: How To: Prevent this from happening again?
http://www.mvps.org/...02/unwanted.htm
Mike

#8 thrasher4811
Posted 09 June 2004 - 04:22 PM

Well, you guys did it again. I think that all of the original problems are gone. I have a couple of related questions. At startup there are two items that run that stall the startup. I Ctrl/Alt/Delete and end them, and then everything seems to run OK. The two items are "runonce" and "R9mvt". The second one I have to stop sometimes 3 or 4 times before it goes away. Any suggestions on what these are? I will watch the boards.

#9 WinHelp2002
Posted 09 June 2004 - 05:35 PM

Hi,
I don't see anything in your log that matches "R9mvt"; the "runonce" is a valid MS (helper) file that runs another app.

Did this also occur when you went to Safe Mode?
If not then it's one of the Startup apps that's hanging ...

Create a StartupList log:
Run HijackThis, click the "Config" button
Click the "Misc Tools" button
Select both options "List minor ...", and "List empty ..."
Click the "Generate StartupList log" button
(this generates "startuplist.txt"); post the contents in your next post.
Mike

#10 thrasher4811
Posted 09 June 2004 - 08:08 PM

I did not have the stall while running in Safe Mode. As you suspected, it is in startup somewhere. I did not have the problem with the R9mvt this time, just the runonce. Here is the log you requested.

StartupList report, 06/09/2004, 5:52:38 PM
StartupList version: 1.52
Started from : C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE
Detected: Windows 98 Gold (Win9x 4.10.1998)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = c:\windows\scanregw.exe /autorun
TaskMonitor = c:\windows\taskmon.exe
SystemTray = SysTray.Exe
ccApp = "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
EnsoniqMixer = starter.exe
QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
mswspl =
SVAplayer = C:\PROGRAM FILES\SVA PLAYER\SVAPLAYER.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

fb0hxgu.exe = C:\WINDOWS\SYSTEM\fb0hxgu.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

ccEvtMgr = "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
SchedulingAgent = mstask.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

AIM = C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
PopUpStopperProfessional = "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER PROFESSIONAL\POPUPSTOPPERPROFESSIONAL.EXE"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

fb0hxgu.exe = C:\WINDOWS\SYSTEM\fb0hxgu.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[SetupcPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection SetupcPerUser 64 c:\windows\INF\setupc.inf

[AppletsPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 c:\windows\INF\applets.inf

[FontsPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 c:\windows\INF\fonts.inf

[{5A8D6EE0-3E18-11D0-821E-444553540000}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\icw.inf,PerUserStub,,36

[PerUser_ICW_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 c:\windows\INF\icw97.inf

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\SYSTEM\ie4uinit.inf,Shell.UserStub,,36

[{CA0A4247-44BE-11d1-A005-00805F8ABE06}] *
StubPath = RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

[PerUser_Msinfo] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 c:\windows\INF\msinfo.inf

[PerUser_Msinfo2] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 c:\windows\INF\msinfo.inf

[MotownMmsysPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 c:\windows\INF\motown.inf

[MotownAvivideoPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 c:\windows\INF\motown.inf

[PerUser_Base] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 c:\windows\INF\msmail.inf

[ShellPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 c:\windows\INF\shell.inf

[Shell2PerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 c:\windows\INF\shell2.inf

[PerUser_winbase_Links] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 c:\windows\INF\subase.inf

[PerUser_winapps_Links] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 c:\windows\INF\subase.inf

[PerUser_LinkBar_URLs] *
StubPath = c:\windows\COMMAND\sulfnbk.exe /L

[TapiPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 c:\windows\INF\tapi.inf

[PerUserOldLinks] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 c:\windows\INF\appletpp.inf

[MmoptRegisterPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 c:\windows\INF\mmopt.inf

[OlsPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 c:\windows\INF\ols.inf

[PerUser_Paint_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 c:\windows\INF\applets.inf

[PerUser_Calc_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 c:\windows\INF\applets.inf

[PerUser_dxxspace_Links] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_dxxspace_Links 64 c:\windows\INF\applets1.inf

[PerUser_MSBackup_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSBackup_Inis 64 c:\windows\INF\applets1.inf

[PerUser_CVT_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 c:\windows\INF\applets1.inf

[PerUser_Enable_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Enable_Inis 64 c:\windows\INF\enable.inf

[MotownRecPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 c:\windows\INF\motown.inf

[PerUser_Vol] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 c:\windows\INF\motown.inf

[MotownMPlayPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 c:\windows\INF\motown.inf

[PerUser_MSWordPad_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 c:\windows\INF\wordpad.inf

[PerUser_RNA_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 c:\windows\INF\rna.inf

[PerUser_Wingames_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Inis 64 c:\windows\INF\appletpp.inf

[PerUser_Sysmon_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmon_Inis 64 c:\windows\INF\appletpp.inf

[PerUser_Sysmeter_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmeter_Inis 64 c:\windows\INF\appletpp.inf

[PerUser_netwatch_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_netwatch_Inis 64 c:\windows\INF\appletpp.inf

[PerUser_CharMap_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_CharMap_Inis 64 c:\windows\INF\appletpp.inf

[PerUser_Onlinelnks_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Onlinelnks_Inis 64 c:\windows\INF\appletpp.inf

[PerUser_Dialer_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 c:\windows\INF\appletpp.inf

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[PerUser_ClipBrd_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_ClipBrd_Inis 64 c:\windows\INF\clip.inf

[{E4066320-E4AE-11CF-B1B0-00AA00BBAD66}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection c:\windows\INF\fpxprs16.inf,PerUserStub

[MmoptMusicaPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptMusicaPerUser 64 c:\windows\INF\mmopt.inf

[MmoptJunglePerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptJunglePerUser 64 c:\windows\INF\mmopt.inf

[MmoptRobotzPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptRobotzPerUser 64 c:\windows\INF\mmopt.inf

[MmoptUtopiaPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptUtopiaPerUser 64 c:\windows\INF\mmopt.inf

[PerUser_CDPlayer_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 c:\windows\INF\mmopt.inf

[{44BBA842-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection c:\windows\INF\msnetmtg.inf,NetMtg.Install.PerUser.W95

[OlsAolPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUser 64 c:\windows\INF\ols.inf

[OlsAttPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUser 64 c:\windows\INF\ols.inf

[OlsCompuservePerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsCompuservePerUser 64 c:\windows\INF\ols.inf

[OlsProdigyPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUser 64 c:\windows\INF\ols.inf

[OlsMsnPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 c:\windows\INF\ols.inf

[Shell3PerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection Shell3PerUser 64 c:\windows\INF\shell3.inf

[Theme_Windows_PerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection Themes_Windows_PerUser 0 c:\windows\INF\themes.inf

[Theme_MoreWindows_PerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection Themes_MoreWindows_PerUser 0 c:\windows\INF\themes.inf

[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exeadvpack.dll

[>IEPerUser] *
StubPath = RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

[>chanbar] *
StubPath = c:\windows\RUNDLL.EXE setupx.dll,InstallHinfSection add2.chanbar.pui 128 c:\windows\options\cabs\oem_set.inf

[Chlen-us] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\chlen-us.inf,InstallUser

[PerUser_Preptool] *
StubPath = rundll.exe Setupx.dll,InstallHinfSection Install 64 C:\WINDOWS\INF\RUNLAST.INF

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUserIE

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[{44CC0112-AB51-22EF-BA32-20AA12E6115C}] *
StubPath = C:\WINDOWS\SYSTEM\msddhp.com

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.INI listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 8/6/2004, 23:47:40)

[rename]
NUL=c:\program files\lycos\sidesearch\sidesearch13218.dll
NUL=c:\program files\lycos\sidesearch\temp
NUL=c:\program files\httper\httper.ini
NUL=c:\program files\httper\unwise.exe
NUL=c:\windows\system\cfg.dat
NUL=c:\windows\tinybar.exe
NUL=c:\windows\downloaded program files\istactivex.inf
NUL=c:\windows\gatorhdplugin.log
NUL=c:\windows\gatorpdpplugin.log
NUL=c:\windows\gatorhdplugin.log-old.log
NUL=c:\windows\gatorfiledrop.log
NUL=c:\windows\gatorsilentsetup.log
NUL=c:\windows\downloaded program files\hdplugin1015.inf
NUL=c:\windows\downloaded program files\hdplugin1015.dll
NUL=c:\windows\downloaded program files\hdplugin1014.inf
NUL=c:\windows\inf\twtini.inf
NUL=c:\windows\inf\payload.inf
NUL=c:\windows\temp\twtini.inf
NUL=c:\windows\temp\dummy.htm
NUL=c:\windows\temp\biini.inf
NUL=c:\windows\temp\binkw32.dll
NUL=c:\windows\system\2ndsrch.dll
NUL=c:\program files\stc\yahoo.exe
NUL=c:\program files\stc\matrix_01.exe
NUL=c:\program files\stc\bundleouter2601031121.exe
NUL=c:\windows\desktop\second thought.lnk
NUL=c:\windows\system\rdk.xml
NUL=c:\windows\system\newrdk.xml\data.xml
NUL=c:\windows\system\keyhost.htm
NUL=c:\program files\clearsearch\csieinst.dll
NUL=c:\windows\mwsvm.ocx
NUL=c:\windows\mwsvm.dat
NUL=c:\windows\system\swlad2.dll
NUL=c:\windows\system\swlad1.dll
NUL=c:\windows\system\popoops2.dll
NUL=c:\windows\system\popoops.dll
NUL=c:\program files\addestroyer\addestroyer.exe
NUL=c:\program files\addestroyer\addestroyer.wav
NUL=c:\program files\dynamic toolbar\snhelper
NUL=c:\program files\dynamic toolbar\2020search2
NUL=c:\windows\favorites\i-lookup favorites\i-lookup.url
NUL=c:\windows\favorites\i-lookup favorites\private for sale.url
NUL=c:\windows\favorites\i-lookup favorites\room mate menu.url
NUL=c:\windows\favorites\i-lookup favorites\for sale by owner.url
NUL=c:\windows\favorites\i-lookup favorites\foreclosure free search.url
NUL=c:\windows\favorites\i-lookup favorites\move out.url
NUL=c:\windows\favorites\i-lookup favorites\tel 3.url
NUL=c:\windows\favorites\i-lookup favorites\zaptel.url
NUL=c:\windows\favorites\i-lookup favorites\i connect here.url
NUL=c:\windows\favorites\i-lookup favorites\phone shark.url
NUL=c:\windows\favorites\i-lookup favorites\black planet love.url
NUL=c:\windows\favorites\i-lookup favorites\gay.com.url
NUL=c:\windows\favorites\i-lookup favorites\dating direct.url
NUL=c:\windows\favorites\i-lookup favorites\planet out.url
NUL=c:\windows\favorites\i-lookup favorites\college recruiter.url
NUL=c:\windows\favorites\i-lookup favorites\hot jobs.url
NUL=c:\windows\favorites\i-lookup favorites\life-answers.url
NUL=c:\windows\favorites\i-lookup favorites\email psychic.url
NUL=c:\windows\favorites\i-lookup favorites\the online psychic.url
NUL=c:\windows\favorites\i-lookup favorites\roommate.url
NUL=c:\windows\favorites\i-lookup favorites\music 123.url
NUL=c:\windows\favorites\lifestyle\accessories.url
NUL=c:\windows\favorites\lifestyle\women.url
NUL=c:\windows\favorites\lifestyle\wine.url
NUL=c:\windows\favorites\lifestyle\self help.url
NUL=c:\windows\favorites\lifestyle\pets.url
NUL=c:\windows\favorites\lifestyle\match making.url
NUL=c:\windows\favorites\lifestyle\magazines.url
NUL=c:\windows\favorites\lifestyle\kids.url
NUL=c:\windows\favorites\lifestyle\ebooks.url
NUL=c:\windows\favorites\lifestyle\community.url
NUL=c:\windows\favorites\lifestyle\books.url
NUL=c:\windows\favorites\lifestyle\astrology.url
NUL=c:\windows\favorites\lifestyle\art.url
NUL=c:\windows\favorites\lifestyle\home and garden.url
NUL=c:\windows\favorites\lifestyle\health and beauty.url
NUL=c:\windows\favorites\cool stuff\education.url
NUL=c:\windows\favorites\cool stuff\services.url
NUL=c:\windows\favorites\cool stuff\homework.url
NUL=c:\windows\favorites\cool stuff\school essays.url
NUL=c:\windows\favorites\cool stuff\free services.url
NUL=c:\windows\favorites\cool stuff\free homepage.url
NUL=c:\windows\favorites\cool stuff\free email.url
NUL=c:\windows\favorites\cool stuff\classifieds.url
NUL=c:\windows\favorites\computers\auction.url
NUL=c:\windows\favorites\computers\web hosting.url
NUL=c:\windows\favorites\computers\web design.url
NUL=c:\windows\favorites\computers\software.url
NUL=c:\windows\favorites\computers\laptops.url
NUL=c:\windows\favorites\computers\hardware.url
NUL=c:\windows\favorites\computers\domain names.url
NUL=c:\windows\favorites\computers\dedicated server.url
NUL=c:\windows\favorites\computers\computer stores.url
NUL=c:\windows\favorites\business\blackjack.url
NUL=c:\windows\favorites\business\printing.url
NUL=c:\windows\favorites\business\office.url
NUL=c:\windows\favorites\business\insurance.url
NUL=c:\windows\favorites\business\finance.url
NUL=c:\windows\favorites\business\credit cards.url
NUL=c:\windows\favorites\business\careers.url
NUL=c:\windows\favorites\business\business.url
NUL=c:\windows\favorites\business\banking.url
NUL=c:\windows\favorites\shopping\clothing\aparrel.url
NUL=c:\windows\favorites\shopping\electronics & stuff\electronics.url
NUL=c:\windows\favorites\shopping\electronics & stuff\cd now.url
NUL=c:\windows\favorites\shopping\toys.url
NUL=c:\windows\favorites\shopping\shopping.url
NUL=c:\windows\favorites\shopping\shoes.url
NUL=c:\windows\favorites\shopping\retail products.url
NUL=c:\windows\favorites\shopping\jewelry.url
NUL=c:\windows\favorites\shopping\gifts.url
NUL=c:\windows\favorites\shopping\flowers.url
NUL=c:\windows\favorites\shopping\cards.url
NUL=c:\windows\favorites\entertainment\b2b.url
NUL=c:\windows\favorites\entertainment\travel.url
NUL=c:\windows\favorites\entertainment\mp3.url
NUL=c:\windows\favorites\entertainment\games.url
NUL=c:\windows\favorites\entertainment\entertainment.url
NUL=c:\windows\favorites\entertainment\cars.url
NUL=c:\windows\favorites\links\search the web.url
NUL=c:\casino\golden palace casino\replacer.exe
NUL=c:\casino\golden palace casino\casino.exe
NUL=c:\casino\golden palace casino\http_client.exe
NUL=c:\casino\golden palace casino\data\lobby.dll
NUL=c:\unzipped\hijackthis\backup-20031012-100033-255.dll
NUL=c:\unzipped\hijackthis\backup-20031012-100033-879.dll
NUL=c:\unzipped\hijackthis[1]\backup-20040608-204745-940.dll
NUL=c:\unzipped\hijackthis[1]\backup-20040608-182440-305.dll
NUL=c:\unzipped\hijackthis[1]\backup-20040607-223657-613.dll
NUL=c:\unzipped\hijackthis[1]\backup-20040528-080206-887.dll
NUL=c:\unzipped\hijackthis[1]\backup-20040528-080205-740.dll
NUL=c:\unzipped\hijackthis[1]\backup-20040528-080205-742.dll
NUL=c:\unzipped\hijackthis[1]\backup-20030805-010757-479.dll
NUL=c:\recycled\dc21.exe
NUL=c:\recycled\dc20.exe
NUL=c:\recycled\dc19.exe
NUL=c:\recycled\dc18.exe
NUL=c:\recycled\dc16.dll
NUL=c:\recycled\dc13.ini
NUL=c:\recycled\dc12.dll
NUL=c:\recycled\dc11.exe
NUL=c:\recycled\dc9.exe
NUL=c:\recycled\dc8.exe
NUL=c:\recycled\dc6.exe
NUL=c:\recycled\dc23\actalert.exe
NUL=c:\recycled\dc23\optimize.exe
NUL=c:\recycled\dc22\bin2\apuc.dll
NUL=c:\recycled\dc22\bin2\bargains.exe
NUL=c:\recycled\dc1\slmss.exe
NUL=c:\program files\stc\clrschp070.exe
NUL=c:\program files\stc\slmss.exe
NUL=c:\program files\stc\bdl14108.exe
NUL=c:\program files\stc\stc.exe
NUL=c:\windows\bdl94126.exe
NUL=c:\windows\cs4p028.exe
NUL=c:\windows\0021-bdl94126.exe
NUL=c:\windows\pup.exe
NUL=c:\windows\vurls.bin
NUL=c:\windows\urls.bin
NUL=c:\windows\mwsvm.bin
NUL=c:\windows\infamous.exe
NUL=c:\windows\nem216.dll
NUL=c:\windows\2_0_1browserhelper2.dll
NUL=c:\windows\bi.ini
NUL=c:\windows\bi.dll
NUL=c:\windows\preinstt.exe
NUL=c:\windows\profiles\loretta\cookies\loretta@questionmarket[3].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@cgi-bin[5].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@realmedia[1].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@2o7[1].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@adrevolver[2].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@www.1stblaze[1].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@cgi-bin[11].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@zedo[3].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@dbbsrv[2].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@hypercount[3].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@13527300[2].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@cgi-bin[10].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@ru4[3].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@stat.onestat[1].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@ads.enliven[2].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@ru4[1].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@2o7[2].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@tripod[4].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@hypercount[2].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@cgi-bin[8].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@zedo[1].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@as1.falkag[1].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@overture[1].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@revenue[2].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@cgi-bin[7].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@zedo[5].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@questionmarket[4].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@tmpad[1].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@questionmarket[1].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@www.eyeblaster-ds[1].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@overture[2].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@tripod[5].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@cgi-bin[6].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@zedo[2].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@pointroll[1].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@hypercount[1].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@ads.adsag[2].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@findwhat[1].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@tripod[3].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@cgi-bin[4].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@overture[3].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@excite[2].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@questionmarket[2].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@tripod[1].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@cgi-bin[1].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@internetwasher[1].txt
NUL=c:\windows\profiles\loretta\cookies\anyuser@questionmarket[2].txt
NUL=c:\windows\profiles\loretta\cookies\anyuser@www.eyeblaster-ds[2].txt
NUL=c:\windows\profiles\loretta\cookies\anyuser@kliks[2].txt
NUL=c:\windows\profiles\loretta\cookies\anyuser@excite[2].txt
NUL=c:\windows\profiles\loretta\cookies\anyuser@ads.enliven[1].txt
NUL=c:\windows\profiles\loretta\cookies\anyuser@cgi-bin[3].txt
NUL=c:\windows\profiles\loretta\cookies\anyuser@cgi-bin[4].txt
NUL=c:\windows\profiles\loretta\cookies\anyuser@cgi-bin[2].txt
NUL=c:\windows\profiles\loretta\cookies\anyuser@cgi-bin[1].txt
NUL=c:\windows\profiles\loretta\cookies\anyuser@2o7[1].txt
NUL=c:\windows\profiles\loretta\cookies\anyuser@cgi-bin[5].txt
NUL=c:\windows\profiles\loretta\cookies\anyuser@tripod[1].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@cgi-bin[3].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@mediatrack.revenue[2].txt
NUL=c:\windows\profiles\loretta\cookies\loretta@2o7[4].txt
NUL=c:\windows\profiles\loretta\application data\main_01.gif
NUL=c:\windows\profiles\phillip\cookies\phillip@tripod[1].txt
NUL=c:\windows\profiles\phillip\cookies\phillip@peel[1].txt
NUL=c:\windows\profiles\phillip\cookies\anyuser@realmedia[1].txt
NUL=c:\windows\profiles\phillip\cookies\phil@stats.superstats[2].txt
NUL=c:\windows\profiles\phillip\cookies\phil@cgi-bin[2].txt
NUL=c:\windows\profiles\phillip\cookies\phil@ads.enliven[1].txt
NUL=c:\windows\cookies\anyuser@0[4].txt
NUL=c:\windows\cookies\anyuser@edge.ru4[4].txt
NUL=c:\windows\cookies\anyuser@bilbo.counted[2].txt
NUL=c:\windows\cookies\anyuser@server.iad.liveperson[2].txt
NUL=c:\windows\cookies\anyuser@realmedia[3].txt
NUL=c:\windows\cookies\anyuser@web4.realtracker[1].txt
NUL=c:\windows\cookies\anyuser@0[2].txt
NUL=c:\windows\cookies\anyuser@adserver.trb[1].txt
NUL=c:\windows\cookies\anyuser@internetfuel[2].txt
NUL=c:\windows\cookies\anyuser@hc2.humanclick[1].txt
NUL=c:\windows\cookies\anyuser@2o7[2].txt
NUL=c:\windows\cookies\anyuser@findwhat[2].txt
NUL=c:\windows\cookies\anyuser@trafficmp[2].txt
NUL=c:\windows\cookies\anyuser@maxserving[3].txt
NUL=c:\windows\cookies\anyuser@atdmt[2].txt
NUL=c:\windows\cookies\anyuser@casalemedia[3].txt
NUL=c:\windows\cookies\anyuser@statcounter[1].txt
NUL=c:\windows\cookies\anyuser@domainsponsor[2].txt
NUL=c:\windows\cookies\anyuser@landing.domainsponsor[1].txt
NUL=c:\windows\cookies\anyuser@as-us.falkag[2].txt
NUL=c:\windows\cookies\anyuser@questionmarket[2].txt
NUL=c:\windows\cookies\anyuser@centrport[1].txt
NUL=c:\windows\cookies\anyuser@overture[3].txt
NUL=c:\windows\cookies\anyuser@mediaplex[1].txt
NUL=c:\windows\cookies\anyuser@bluestreak[2].txt
NUL=c:\windows\cookies\anyuser@tmpad[4].txt
NUL=c:\windows\cookies\anyuser@c.porngraph[1].txt
NUL=c:\windows\cookies\anyuser@casalemedia[2].txt
NUL=c:\windows\cookies\anyuser@cgi-bin[9].txt
NUL=c:\windows\cookies\anyuser@revenue[3].txt
NUL=c:\windows\cookies\anyuser@0[3].txt
NUL=c:\windows\cookies\anyuser@ads.rampidads[3].txt
NUL=c:\windows\cookies\anyuser@ads.adsag[2].txt
NUL=c:\windows\cookies\anyuser@247realmedia[1].txt
NUL=c:\windows\cookies\anyuser@cgi-bin[8].txt
NUL=c:\windows\cookies\anyuser@tmpad[2].txt
NUL=c:\windows\cookies\anyuser@cgi-bin[11].txt
NUL=c:\windows\cookies\anyuser@zedo[4].txt
NUL=c:\windows\cookies\anyuser@zedo[1].txt
NUL=c:\windows\cookies\anyuser@cgi-bin[6].txt
NUL=c:\windows\cookies\anyuser@realmedia[4].txt
NUL=c:\windows\cookies\anyuser@z1.adserver[1].txt
NUL=c:\windows\cookies\anyuser@questionmarket[3].txt
NUL=c:\windows\cookies\anyuser@adrevolver[1].txt
NUL=c:\windows\cookies\anyuser@maintenance.nozonedata[2].txt
NUL=c:\windows\cookies\anyuser@netshelter.adtrix[3].txt
NUL=c:\windows\cookies\anyuser@edge.ru4[2].txt
NUL=c:\windows\cookies\anyuser@081[1].txt
NUL=c:\windows\cookies\anyuser@overture[2].txt
NUL=c:\windows\cookies\anyuser@ad-logics[1].txt
NUL=c:\windows\cookies\anyuser@findwhat[1].txt
NUL=c:\windows\cookies\anyuser@ads.track[2].txt
NUL=c:\windows\cookies\anyuser@cgi-bin[5].txt
NUL=c:\windows\cookies\anyuser@peel[3].txt
NUL=c:\windows\cookies\anyuser@maxserving[1].txt
NUL=c:\windows\cookies\anyuser@revenue[2].txt
NUL=c:\windows\cookies\anyuser@zedo[2].txt
NUL=c:\windows\cookies\anyuser@questionmarket[1].txt
NUL=c:\windows\cookies\anyuser@cgi-bin[3].txt
NUL=c:\windows\cookies\anyuser@edge.ru4[1].txt
NUL=c:\windows\cookies\anyuser@realmedia[2].txt
NUL=c:\windows\cookies\anyuser@2o7[1].txt
NUL=c:\windows\cookies\anyuser@2o7[3].txt
NUL=c:\windows\cookies\anyuser@revenue[1].txt
NUL=c:\windows\cookies\anyuser@cgi-bin[2].txt
NUL=c:\windows\cookies\anyuser@ads.rampidads[1].txt
NUL=c:\windows\cookies\anyuser@cgi-bin[4].txt
NUL=c:\windows\cookies\anyuser@peel[2].txt
NUL=c:\windows\cookies\anyuser@netshelter.adtrix[2].txt
NUL=c:\windows\cookies\anyuser@cgi-bin[1].txt
NUL=c:\windows\cookies\anyuser@realmedia[1].txt
NUL=c:\windows\cookies\anyuser@tmpad[1].txt
NUL=c:\windows\downloaded program files\install035.exe
NUL=c:\windows\temp\update_1.exe
NUL=c:\windows\temp\optimize.exe
NUL=c:\windows\temp\ps_install-mt.exe
NUL=c:\windows\temp\rs.exe
NUL=c:\windows\temp\twaintec.ini
NUL=c:\windows\temp\twtini.cab
NUL=c:\windows\temp\bi.ini
NUL=c:\windows\temp\biini.cab
NUL=c:\windows\temp\wnk2020.exe
NUL=c:\windows\temp\istsv_.exe
NUL=c:\windows\temp\wnk2162.exe
NUL=c:\windows\temp\wnka0b6.exe
NUL=c:\windows\temp\wnkd215.exe
NUL=c:\windows\temp\btiein.dll
NUL=c:\windows\temp\sbinstall.exe
NUL=c:\windows\temp\bb.exe
NUL=c:\windows\temp\clrschp010.exe
NUL=c:\windows\temp\shortcuts.txt
NUL=c:\windows\temp\thi392.tmp\polall1t.exe
NUL=c:\windows\temp\thi392.tmp\preinstt.exe
NUL=c:\windows\temp\thi392.tmp\twaintec.dll
NUL=c:\windows\temp\thi392.tmp\twaintec.cab
NUL=c:\windows\temp\thi31de.tmp\polall1t.exe
NUL=c:\windows\temp\thi31de.tmp\preinstt.exe
NUL=c:\windows\temp\thi31de.tmp\twaintec.dll
NUL=c:\windows\temp\thi31de.tmp\twaintec.cab
NUL=c:\windows\temp\thi2a13.tmp\preinstt.exe
NUL=c:\windows\temp\thi2a13.tmp\twaintec.dll
NUL=c:\windows\temp\thi2a13.tmp\twaintec.cab
NUL=c:\windows\system\jao.dll
NUL=c:\windows\system\regsvrac32.exe
NUL=c:\windows\system\installer.exe
NUL=c:\windows\system\idleui.dll
NUL=c:\windows\system\mt-uninstaller.exe
NUL=c:\0021-bdl94126.exe
NUL=c:\cs4p028.exe
NUL=c:\windows\system\mmscrpts.exe
NUL=c:\windows\downloaded program files\bridge.dll
NUL=c:\windows\downloaded program files\conflict.2\hdplugin1015.dll
NUL=c:\windows\downloaded program files\hdplugin1014.dll
NUL=c:\windows\TEMP\GLB1A2B.EXE

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET BLASTER=A220 I7 D1 T2
SET SNDSCAPE=C:\WINDOWS
a, sans-serif" size="-2">
<font color="#ff0000">&gt;</font><A href="http://www.beckett.c...asp?a=1928&s=1" target="_top"><B>MORE</B></A></FONT>
<!-- End Article -->
<HR width="50%" align="center">
<!--- Article --->
<!------------------------------------------------------------------------------>
<!------------------------------------------------------------------------------>
<FONT face=

--------------------------------------------------

C:\CONFIG.SYS listing:

Files=50
Buffers=30
REM [Header]
REM == PISETUP Begin Delete ==
REM == PISETUP End Delete ==
REM [CD-ROM Drive]
REM [Miscellaneous]
REM [Display]
DEVICEHIGH=C:\WINDOWS\COMMAND\DRVSPACE.SYS /MOVE

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

echo off
REM Notes:
REM DOSSTART.BAT is run whenenver you choose "Restart the computer
REM in MS-DOS mode" from the Shutdown menu in Windows. It allows
REM you to load programs that you might not want loaded in Windows,
REM (because they have functional equivalents) but that you do
REM want loaded under MS-DOS. The two primary candidates for
REM this are MSCDEX and a real mode driver for the mouse you ship
REM with your system. Commands that you want present in both Windows
REM and MS-DOS should be placed in the Autoexec.bat in the
REM \Image directory of your reference server. Please note that for
REM MSCDEX you will need to load the corresponding real-mode CD
REM driver in Config.sys. This driver won't be used by Windows 98
REM but will be available prior to and after Windows 98 exits.
REM
REM This file is also helpful if you want to F8 boot into MS-DOS 7.0
REM before Windows loads and access the CD-ROM. All you have to do
REM is press F8 and then run DOSSTART to load MSCDEX and your real
REM mode mouse driver (no need to remember the command line parameters
REM for these two files.
REM
REM - You MUST explicitly specify the CD ROM Drive Letter for MSCDEX.
REM - The string following the /D: statement must explicitly match
REM the string in CONFIG.SYS following your CD-ROM device driver.
REM MSCDEX.EXE /D:OEMCD001 /l:d
REM MOUSE.EXE
C:\SBPCI\APINIT

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - c:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINDOWS\SYSTEM\regsvrac32.dll - {D537A3D0-8C07-4D62-953F-162207F5090D}
(no name) - C:\PROGRAM FILES\SVA PLAYER\SVAPLAYER.DLL - {1E6F1D6A-1F20-11D4-8859-00A0CCE26836}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job
Symantec NetDetect.job
Norton AntiVirus - Scan my computer.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://c:\windows\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macr...ash/swflash.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macr...director/sw.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a224.g.akamai...meInstaller.exe

[Microsoft Office Tools on the Web Control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\OUTC.DLL
CODEBASE = http://officeupdate....nloads/outc.cab

[Yahoo! Audio Conferencing]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YACSCOM.DLL
CODEBASE = http://cs8.chat.yaho...v43/yacscom.cab

[PWMediaSendControl Class]
InProcServer32 = C:\WINDOWS\SYSTEM\PWACTIVEXIMGCTL.DLL
CODEBASE = http://216.249.25.15...tiveXImgCtl.CAB

[ContentAuditX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONTEN~1.OCX
CODEBASE = http://a840.g.akamai...uditControl.cab

[ichat xchat Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\MSICHAT.OCX
CODEBASE = http://tank.wizards....sie/msichat.ocx

[Communities.com Passport]
InProcServer32 = C:\WINDOWS\SYSTEM\CPACTIVEX.DLL
CODEBASE = http://cartoonorbit..../winorbiter.cab

[TDServer Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\TDSERVER.OCX
CODEBASE = http://www.truedoc.c...ex/tdserver.cab

[CFForm Runtime]
InProcServer32 = C:\WINDOWS\SYSTEM\MSJAVA.DLL
CODEBASE = http://www.hallofher...sses/CFJava.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupd...7907.7237268519

[{26CBF141-7D0F-46E1-AA06-718958B6E4D2}]
CODEBASE = http://download.ebay.../US/install.cab

[QuickTime Object]
InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
CODEBASE = http://www.apple.com...ex/qtplugin.cab

[Wrapper Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\VISIONBROWSER.DLL
CODEBASE = http://webevents.bro...sionBrowser.CAB

[EPSImageControl Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\EPSCONTROL.DLL
CODEBASE = http://tools.ebayimg...ol_v1-0-3-0.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
CODEBASE = http://us.dl1.yimg.c...s/yinst0401.cab

[{33564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros...386/wmv9dmo.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: c:\windows\SYSTEM\rnr20.dll
Protocol #1: c:\windows\SYSTEM\msafd.dll
Protocol #2: c:\windows\SYSTEM\msafd.dll
Protocol #3: c:\windows\SYSTEM\msafd.dll
Protocol #4: c:\windows\SYSTEM\rsvpsp.dll
Protocol #5: c:\windows\SYSTEM\rsvpsp.dll

--------------------------------------------------

Enumerating Win9x VxD services:

VNETSUP: vnetsup.vxd
NDIS: ndis.vxd,ndis2sup.vxd
JAVASUP: JAVASUP.VXD
CONFIGMG: *CONFIGMG
NTKern: *NTKERN
VWIN32: *VWIN32
VFBACKUP: *VFBACKUP
VCOMM: *VCOMM
COMBUFF: *COMBUFF
IFSMGR: *IFSMGR
IOS: *IOS
MTRR: *mtrr
SPOOLER: *SPOOLER
UDF: *UDF
VFAT: *VFAT
VCACHE: *VCACHE
VCOND: *VCOND
VCDFSD: *VCDFSD
VXDLDR: *VXDLDR
VDEF: *VDEF
VPICD: *VPICD
VTD: *VTD
REBOOT: *REBOOT
VDMAD: *VDMAD
VSD: *VSD
V86MMGR: *V86MMGR
PAGESWAP: *PAGESWAP
DOSMGR: *DOSMGR
VMPOLL: *VMPOLL
SHELL: *SHELL
PARITY: *PARITY
BIOSXLAT: *BIOSXLAT
VMCPD: *VMCPD
VTDAPI: *VTDAPI
PERF: *PERF
VRTWD: c:\windows\SYSTEM\vrtwd.386
VFIXD: c:\windows\SYSTEM\vfixd.vxd
VNETBIOS: vnetbios.vxd
VREDIR: vredir.vxd
DFS: dfs.vxd
CyberKrn: C:\PROGRA~1\CYBERM~1\CYBERKRN.VXD
VSDATA95: vsdata95.vxd
SYMTDI: SYMTDI.VXD
NDISWAN: ndiswan.vxd

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 44,674 bytes
Report generated in 0.490 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#11 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 09 June 2004 - 09:01 PM

Hi,
Looks like I found your culprit ......

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

fb0hxgu.exe = C:\WINDOWS\SYSTEM\fb0hxgu.exe

Plus you have another culprit here:

Enumerating Browser Helper Objects:
(no name) - C:\WINDOWS\SYSTEM\regsvrac32.dll - {D537A3D0-8C07-4D62-953F-162207F5090D}

regsvrac32.dll = Adware.Margoc

Restart in Safe Mode and delete the following:

C:\WINDOWS\SYSTEM\fb0hxgu.exe <--this file
C:\WINDOWS\SYSTEM\regsvrac32.dll <--this file

Restart normally ...

Note: NAV should have picked that up?

How to configure Norton AntiVirus to scan all files
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file
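A triage helper, added here and not part of the thread or of StartupList itself: it splits a StartupList-style report on its dashed separators and lists Browser Helper Objects and autorun entries that load from the Windows system directory, the pattern Mike pointed at above. The sample report is a constructed excerpt modelled on this thread's log; the heading strings and section layout are taken from that log, and the system-directory rule is a heuristic I chose, not a verdict.

```python
import re

# Constructed excerpt in StartupList report layout, modelled on the log in this
# thread (dashed separators between sections); it is sample input, not the real file.
SAMPLE = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

fb0hxgu.exe = C:\WINDOWS\SYSTEM\fb0hxgu.exe

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - c:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - C:\WINDOWS\SYSTEM\regsvrac32.dll - {D537A3D0-8C07-4D62-953F-162207F5090D}
"""

# Win9x keeps system DLLs in \WINDOWS\SYSTEM; the NT family uses SYSTEM32, so accept both.
SYSTEM_DIR = re.compile(r"^c:\\windows\\system(32)?\\", re.I)
BHO_LINE = re.compile(r"^(?P<name>.+?) - (?P<path>.+?) - (?P<clsid>\{[0-9A-F-]+\})$", re.I)
AUTORUN_LINE = re.compile(r"^(?P<name>\S+) = (?P<path>[A-Z]:\\.+)$", re.I)

def sections(report):
    """Split a report into (heading, body_lines) pairs on the dashed separator lines."""
    out = []
    for chunk in re.split(r"(?m)^-{10,}\s*$", report):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if lines:
            out.append((lines[0].rstrip(":"), lines[1:]))
    return out

def suspicious_entries(report):
    """Return (kind, path) for BHOs and autorun entries whose binary sits directly in the
    Windows system directory; legitimate BHOs normally live under Program Files."""
    hits = []
    for heading, lines in sections(report):
        if heading.startswith("Autorun entries"):
            kind, pattern = "autorun", AUTORUN_LINE
        elif heading.startswith("Enumerating Browser Helper Objects"):
            kind, pattern = "bho", BHO_LINE
        else:
            continue  # other report sections are not examined by this heuristic
        for line in lines:
            m = pattern.match(line)
            if m and SYSTEM_DIR.match(m.group("path")):
                hits.append((kind, m.group("path")))
    return hits
```

Run against a full report, the Norton DLL under Program Files is passed over while the two files Mike named are listed; anything it flags still needs a hash or vendor lookup before deletion.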

#12 thrasher4811

thrasher4811

    Member

  • Full Member
  • Pip
  • 39 posts

Posted 09 June 2004 - 09:44 PM

Well, it appears to have done the trick. The pc started without a glitch. Thanks again. You're super.

PS Where do you learn all of this stuff??

#13 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 10 June 2004 - 04:44 AM

Hi,

Well, it appears to have done the trick

That's great! ... glad to see that solved your problem.

Where do you learn all of this stuff

I've been troubleshooting PCs for years ... :wave:
Mike
