New computer user with a hijacked homepage


15 replies to this topic

#1 silk22
Full Member, 9 posts
Posted 09 June 2004 - 02:19 AM

Read your FAQ and you will find my HijackThis log below. Can someone please help?

Thanx in advance for your support

Logfile of HijackThis v1.97.7
Scan saved at 12:50:18 AM, on 6/9/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\System32\cisvc.exe
E:\WINNT\System32\svchost.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\WINNT\system32\regsvc.exe
E:\Program Files\Norton AntiVirus\SAVScan.exe
E:\WINNT\system32\MSTask.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\WINNT\explorer.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\System32\mspmspsv.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\mobsync.exe
E:\Program Files\Real\RealPlayer\RealPlay.exe
E:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
E:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\WINNT\mstasks2.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\WINNT\system32\wuauclt.exe
E:\WINNT\System32\cidaemon.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.worldnet....arch/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/redir.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/redir.php
F0 - system.ini: Shell=explorer.exe E:\WINNT\System\user32.exe
F2 - REG:system.ini: Shell=explorer.exe E:\WINNT\System\user32.exe
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RealTray] E:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DSL Connection Tool] E:\Program Files\MSN\MSNIA\dslmon.exe
O4 - HKLM\..\Run: [MMTray] E:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] E:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [System Service] E:\WINNT\system32\msrexe.exe
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] E:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [ist service uninstall] E:\WINNT\mstasks2.exe /u
O4 - HKCU\..\Run: [Yahoo! Pager] E:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F82-00104B107C96}

#2 WinHelp2002
Global Moderator ("Taking back the Internet"), 5,365 posts
Posted 09 June 2004 - 06:39 AM

Hi,
Download CWShredder v1.58.0
http://www.spywarein.../cwshredder.zip
Unzip and run (double-click) CWShredder.exe, click "Fix->"
When finished ... reboot, after restart update and run SpyBot and reboot.

After the above post a fresh log ...
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans with a HOSTS file: http://www.mvps.org/...p2002/hosts.htm

#3 silk22
Full Member, 9 posts
Posted 09 June 2004 - 10:49 PM

Thanx winhelp. Downloaded the CWShredder, found a couple of problems and clicked fix, rebooted the computer and am still being redirected, just not getting bombarded with the porn.
Ran Spybot again and keep getting "common Hijacker" & "DSO exploit".
Click fix and it keeps coming back.

Copy of current log:

Logfile of HijackThis v1.97.7
Scan saved at 9:31:35 PM, on 6/9/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\System32\cisvc.exe
E:\WINNT\System32\svchost.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\WINNT\system32\regsvc.exe
E:\Program Files\Norton AntiVirus\SAVScan.exe
E:\WINNT\system32\MSTask.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\WINNT\explorer.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\System32\mspmspsv.exe
E:\WINNT\system32\svchost.exe
E:\Program Files\Real\RealPlayer\RealPlay.exe
E:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
E:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\WINNT\mstasks2.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\MSN\MSNIA\dslmon.exe
E:\WINNT\System32\cidaemon.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.worldnet....arch/index.html
F0 - system.ini: Shell=explorer.exe E:\WINNT\System\user32.exe
F2 - REG:system.ini: Shell=explorer.exe E:\WINNT\System\user32.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RealTray] E:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DSL Connection Tool] E:\Program Files\MSN\MSNIA\dslmon.exe
O4 - HKLM\..\Run: [MMTray] E:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] E:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] E:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ist service uninstall] E:\WINNT\mstasks2.exe /u
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F82-00104B107C96}

Need serious help before I kick the shii out of this thing...

#4 WinHelp2002
Global Moderator ("Taking back the Internet"), 5,365 posts
Posted 10 June 2004 - 05:59 AM

Hi,

Ran spybot again and keep getting "common Hijacker" & "DSO exploit".

As long as you have all the patches from Windows Update installed, you can "ignore" the "DSO exploit".


First thing to do is ...

Reconfigure Windows Explorer to show Hidden Files:
Open the Windows Explorer Folder Options - View [tab]:

Scroll down to the "Files and Folders" section.
Select: "Display the contents of system folders".

Scroll down to the "Hidden Files and Folders" section.
Select: "Show hidden files and folders", Ok the prompt
Uncheck: "Hide file extensions for known file types"
Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

Click the "Apply to all Folders" button. Close Windows Explorer.
(the above is for XP, but you get the idea)

Next:

Close all open windows except for HijackThis, place a check in each of the following, then click "Fix checked":

F0 - system.ini: Shell=explorer.exe E:\WINNT\System\user32.exe
F2 - REG:system.ini: Shell=explorer.exe E:\WINNT\System\user32.exe
O4 - HKLM\..\Run: [ist service uninstall] E:\WINNT\mstasks2.exe /u
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F82-00104B107C96}


Then reboot, on restart, restart in Safe Mode (see "How To" below)

Open Windows Explorer locate and delete the following:

E:\WINNT\mstasks2.exe <--this file
E:\WINNT\System\user32.exe <--this file

Restart normally, run SpyBot and reboot and then post a fresh log ...
Note: your log (now) appears incomplete (missing the center section?)
Mike
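A defender's triage helper for log lines in the HijackThis format posted in this thread; this is an added example, not code from the thread or from the HijackThis tool. It encodes the checks the moderator applied by hand above (the Shell= entries that launch a second executable, the Hosts line that redirects a real hostname, the start page set to a bare IP, the Run entry sitting directly in the Windows folder, and the O18 protocol hijack). SAMPLE_LOG is constructed from entries quoted in the thread plus made-up example.net/example.com hosts, and the O4 rule is a heuristic of my own, not a HijackThis rule.

```python
import re
from ipaddress import ip_address
from typing import List, Optional, Tuple

# Constructed sample in the HijackThis v1.97.7 line format used in this thread.
# The E:\WINNT paths, the 213.159.117.x addresses and the O18 CLSID are the ones
# quoted in the thread; the example.net / example.com hosts are made up.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.example.net/search/index.html
F0 - system.ini: Shell=explorer.exe E:\WINNT\System\user32.exe
F2 - REG:system.ini: Shell=explorer.exe E:\WINNT\System\user32.exe
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O1 - Hosts: 127.0.0.1 ads.example.com
O4 - HKLM\..\Run: [ist service uninstall] E:\WINNT\mstasks2.exe /u
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F82-00104B107C96}
"""

# "R0 - <body>", "O18 - <body>", ...
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
# Target executable after the [name] label of an O4 Run entry (quoted or not).
RUN_TARGET_RE = re.compile(r'\]\s*"?([A-Za-z]:\\[^"]+?\.exe)"?', re.I)


def _url_host(url: str) -> str:
    """Host part of a URL ('' if the value is not a URL)."""
    m = re.match(r"[a-z]+://([^/:\s]+)", url.strip(), re.I)
    return m.group(1) if m else ""


def _is_ip(text: str) -> bool:
    try:
        ip_address(text)
        return True
    except ValueError:
        return False


def check_entry(line: str) -> Optional[str]:
    """Return why a HijackThis line looks hijacked, or None if it looks benign."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R0", "R1"):
        # Start/Search/Default page pointing at a bare IP: the homepage hijack itself.
        host = _url_host(body.partition(" = ")[2])
        if _is_ip(host):
            return "IE page set to bare IP " + host
    elif sec in ("F0", "F2"):
        # Shell= must be exactly explorer.exe; a second token is run at every logon.
        parts = body.partition("Shell=")[2].split()
        if len(parts) > 1 and parts[0].lower() == "explorer.exe":
            return "extra shell executable " + parts[1]
    elif sec == "O1":
        # Hosts entry: loopback/0.0.0.0 blocks a site, any other address redirects it.
        fields = body.partition("Hosts:")[2].split()
        if len(fields) >= 2 and _is_ip(fields[0]):
            addr = ip_address(fields[0])
            if not (addr.is_loopback or addr.is_unspecified):
                return "hosts file redirects %s to %s" % (fields[1], fields[0])
    elif sec == "O4":
        # Heuristic (mine): a Run target dropped straight into the Windows folder,
        # not System32 or Program Files, like mstasks2.exe in this thread.
        t = RUN_TARGET_RE.search(body)
        if t:
            parent = t.group(1).rsplit("\\", 1)[0].lower()
            if parent.endswith(("\\winnt", "\\windows")):
                return "Run entry launches %s from the Windows folder" % t.group(1)
    elif sec == "O18":
        # HijackThis only reports O18 when a protocol handler CLSID was replaced.
        return "protocol hijack: " + body.partition("Protocol hijack:")[2].strip()
    return None


def triage(log: str) -> List[Tuple[str, str]]:
    """(entry, reason) for every suspicious line in a pasted log."""
    findings = []
    for line in log.splitlines():
        reason = check_entry(line)
        if reason:
            findings.append((line.strip(), reason))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print("%-4s %s" % (entry.split(" ")[0], reason))
```

The Shell= parser splits on whitespace, so a second executable in a path containing spaces is reported by its first token only.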

#5 silk22
Full Member, 9 posts
Posted 10 June 2004 - 07:27 PM

Thanx, followed your instructions. The only thing was that I could not delete the file e:\winnt\system\user32.ex?

Seem to have some of my speed back, still have home page being redirected. Am I skipping a step somewhere?

Logfile of HijackThis v1.97.7
Scan saved at 6:21:48 PM, on 6/10/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\System32\cisvc.exe
E:\WINNT\System32\svchost.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\WINNT\system32\regsvc.exe
E:\Program Files\Norton AntiVirus\SAVScan.exe
E:\WINNT\system32\MSTask.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\WINNT\explorer.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\System32\mspmspsv.exe
E:\WINNT\system32\svchost.exe
E:\Program Files\Real\RealPlayer\RealPlay.exe
E:\Program Files\MSN\MSNIA\dslmon.exe
E:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
E:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\WINNT\System32\cidaemon.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.worldnet....arch/index.html
F0 - system.ini: Shell=explorer.exe E:\WINNT\System\user32.exe
F2 - REG:system.ini: Shell=explorer.exe E:\WINNT\System\user32.exe
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RealTray] E:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DSL Connection Tool] E:\Program Files\MSN\MSNIA\dslmon.exe
O4 - HKLM\..\Run: [MMTray] E:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] E:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] E:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

This log from HijackThis seems shorter than the very first log I posted..

#6 silk22
Full Member, 9 posts
Posted 10 June 2004 - 07:29 PM

Also, Spybot shows the same files to quarantine, "common hijacker"?

#7 WinHelp2002
Global Moderator ("Taking back the Internet"), 5,365 posts
Posted 10 June 2004 - 07:49 PM

Hi,
Restart in Safe Mode
Bring up the Task Manager (Ctrl-Alt-Del)
Highlight user32.exe select: End Process

Open Windows Explorer and delete: E:\WINNT\System\user32.exe

Have HijackThis "fix" the following:

F0 - system.ini: Shell=explorer.exe E:\WINNT\System\user32.exe
F2 - REG:system.ini: Shell=explorer.exe E:\WINNT\System\user32.exe
O1 - Hosts: 213.159.117.235 auto.search.msn.com

Let me know if you were able to complete the above ...
Mike

#8 silk22
Full Member, 9 posts
Posted 10 June 2004 - 10:16 PM

The file user32.exe is not listed in the Task Manager?

#9 WinHelp2002
Global Moderator ("Taking back the Internet"), 5,365 posts
Posted 11 June 2004 - 06:10 AM

Hi,

The file user32.exe is not listed in the task manager

Were you able to delete the file? (this time)
If not was there any kind of error message or prompt?

Otherwise try this:

Have HijackThis "fix" the following:

F0 - system.ini: Shell=explorer.exe E:\WINNT\System\user32.exe
F2 - REG:system.ini: Shell=explorer.exe E:\WINNT\System\user32.exe
O1 - Hosts: 213.159.117.235 auto.search.msn.com


Then close HijackThis but do not reboot yet, proceed with the below:

Download: KillBox
http://www.downloads...org/KillBox.zip
Unzip and run (double-click) killbox.exe

In the "Paste Full Path of File to Delete" box, copy and paste this entry:

E:\WINNT\System\user32.exe

Next: click on the "Action" menu (up top) and select: "Delete on Reboot".
In the window that opens up, click on the File menu and select: "Add File".
The "E:\WINNT\System\user32.exe" entry should show up in the window.

In the same window select the "Action" menu and select "Process and Reboot".
You'll be prompted to reboot, do so.

Rescan with HijackThis and post a fresh log ...
Mike

#10 silk22
Full Member, 9 posts
Posted 13 June 2004 - 07:22 PM

Went through the above steps. Got the message "Delete Failed", this file could not be deleted?

#11 WinHelp2002
Global Moderator ("Taking back the Internet"), 5,365 posts
Posted 13 June 2004 - 07:46 PM

Hi,
Restart in Safe Mode and run CWShredder, then try the same method (KillBox) in Safe Mode, including removing the same lines with HijackThis. If you are still unable to delete the file, restart normally and post a fresh log and a Startup list.

Create a StartupList log:
Run HijackThis, click the "Config" button
Click the "Misc Tools" button
Select both options "List minor ...", and "List empty ..."
Click the "Generate StartupList log" button
(generates "startuplist.txt")
Mike

#12 silk22
Full Member, 9 posts
Posted 14 June 2004 - 08:44 PM

Followed the above, still unable to delete the file..
StartupList report, 6/14/2004, 7:41:50 PM
StartupList version: 1.52
Started from : C:\unzipped\hijackthis\HijackThis.EXE
Detected: Windows 2000 SP2 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\System32\cisvc.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\System32\mspmspsv.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\explorer.exe
E:\Program Files\Real\RealPlayer\RealPlay.exe
E:\Program Files\MSN\MSNIA\dslmon.exe
E:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
E:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\WINNT\system32\svchost.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\WINNT\System32\cidaemon.exe
C:\unzipped\hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[E:\Documents and Settings\George Clark\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[E:\Documents and Settings\All Users\Start Menu\Programs\Startup]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = E:\WINNT\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

RealTray = E:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
DSL Connection Tool = E:\Program Files\MSN\MSNIA\dslmon.exe
MMTray = E:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
Microsoft Works Update Detection = E:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
Synchronization Manager = mobsync.exe /logon

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

msnmsgr = "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = E:\WINNT\System32\mshta.exe "%1" %*

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection E:\WINNT\INF\mplayer2.inf,PerUserStub.NT

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection E:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection E:\WINNT\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\System32\ie4uinit.exe

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from E:\WINNT\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from E:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe E:\WINNT\System\user32.exe
SCRNSAVE.EXE=E:\WINNT\System32\ssbezier.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

E:\WINNT\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
E:\WINNT\Explorer\Explorer.exe: not present
E:\WINNT\System\Explorer.exe: not present
E:\WINNT\System32\Explorer.exe: not present
E:\WINNT\Command\Explorer.exe: not present
E:\WINNT\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in E:\WINNT
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - E:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Windows Critical Update Notification.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = E:\WINNT\system32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: E:\WINNT\System32\rnr20.dll
NameSpace #2: E:\WINNT\System32\winrnr.dll
Protocol #1: E:\WINNT\system32\msafd.dll
Protocol #2: E:\WINNT\system32\msafd.dll
Protocol #3: E:\WINNT\system32\msafd.dll
Protocol #4: E:\WINNT\system32\rsvpsp.dll
Protocol #5: E:\WINNT\system32\rsvpsp.dll
Protocol #6: E:\WINNT\system32\msafd.dll
Protocol #7: E:\WINNT\system32\msafd.dll
Protocol #8: E:\WINNT\system32\msafd.dll
Protocol #9: E:\WINNT\system32\msafd.dll
Protocol #10: E:\WINNT\system32\msafd.dll
Protocol #11: E:\WINNT\system32\msafd.dll
Protocol #12: E:\WINNT\system32\msafd.dll
Protocol #13: E:\WINNT\system32\msafd.dll
Protocol #14: E:\WINNT\system32\msafd.dll
Protocol #15: E:\WINNT\system32\msafd.dll
Protocol #16: E:\WINNT\system32\msafd.dll
Protocol #17: E:\WINNT\system32\msafd.dll
Protocol #18: E:\WINNT\system32\msafd.dll
Protocol #19: E:\WINNT\system32\msafd.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Alerter: %SystemRoot%\System32\services.exe (manual start)
AmosNT: System32\DRIVERS\amosnt.sys (autostart)
Application Management: %SystemRoot%\system32\services.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
basic2: System32\DRIVERS\basic2.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k BITSgroup (manual start)
Computer Browser: %SystemRoot%\System32\services.exe (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: E:\WINNT\System32\cisvc.exe (autostart)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
Cnxtdiag: System32\DRIVERS\cnxtdiag.sys (autostart)
DHCP Client: %SystemRoot%\System32\services.exe (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart)
Microsoft DirectMusic SW Synth (WDM): system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\services.exe (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: E:\WINNT\System32\svchost.exe -k netsvcs (manual start)
Fallback: System32\DRIVERS\fallback.sys (autostart)
Fax Service: %systemroot%\system32\faxsvc.exe (autostart)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Fsks: System32\DRIVERS\fsksnt.sys (autostart)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
i81x: System32\DRIVERS\i81xnt5.sys (manual start)
Service for AC'97 Driver (WDM): system32\drivers\ichaud.sys (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (manual start)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
K56: System32\DRIVERS\k56nt.sys (autostart)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\services.exe (autostart)
Workstation: %SystemRoot%\System32\services.exe (autostart)
TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart)
Messenger: %SystemRoot%\System32\services.exe (autostart)
NetMeeting Remote Desktop Sharing: E:\WINNT\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: E:\WINNT\System32\msdtc.exe (manual start)
Windows Installer: E:\WINNT\system32\MsiExec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft MSN™ DSL 1000 Modem Driver: System32\DRIVERS\MsnDslLn.sys (manual start)
Microsoft MSN™ DSL 1000 Modem Interface Device Driver: System32\DRIVERS\MsnDslUs.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Parallel class driver: System32\DRIVERS\parallel.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (system)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\services.exe (autostart)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Microsoft Streaming Network Raw Channel Access: system32\drivers\RCA.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry Service: %SystemRoot%\system32\regsvc.exe (autostart)
Rksample: System32\DRIVERS\rksample.sys (manual start)
Microsoft Legacy Modem Driver: System32\Drivers\RootMdm.sys (manual start)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe -s (manual start)
Realtek RTL8139/810x/8169/8110 all in one NDIS NT Driver: system32\DRIVERS\Rtlnic.sys (manual start)
Realtek RTL8139-based PCI Fast Ethernet Adapter NT Driver: System32\DRIVERS\RTL8139.SYS (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)
RunAs Service: %SystemRoot%\system32\services.exe (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SoftFax: System32\DRIVERS\faxnt.sys (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
Microsoft System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Telnet: %SystemRoot%\system32\tlntsvr.exe (manual start)
Tones: System32\DRIVERS\tonesnt.sys (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart)
Microsoft USB Universal Host Controller Driver: System32\DRIVERS\uhcd.sys (manual start)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Utility Manager: %SystemRoot%\System32\UtilMan.exe (manual start)
V124: System32\DRIVERS\v124nt.sys (autostart)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
Windows Time: %SystemRoot%\System32\services.exe (manual start)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
WAN Network Driver: System32\DRIVERS\wandrv.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
winachsf: System32\DRIVERS\HSF_CNXT.sys (manual start)
Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart)
WMDM PMSP Service: E:\WINNT\System32\mspmspsv.exe (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\system32\Services.exe (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k wugroup (autostart)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: E:\WINNT\system32\NETSHELL.dll
WebCheck: E:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 25,509 bytes
Report generated in 0.231 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#13 silk22 (Member, 9 posts)

Posted 14 June 2004 - 08:46 PM

Logfile of HijackThis v1.97.7
Scan saved at 7:44:23 PM, on 6/14/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\System32\cisvc.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\System32\mspmspsv.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\explorer.exe
E:\Program Files\Real\RealPlayer\RealPlay.exe
E:\Program Files\MSN\MSNIA\dslmon.exe
E:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
E:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\WINNT\system32\svchost.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\WINNT\System32\cidaemon.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.worldnet....arch/index.html
F0 - system.ini: Shell=explorer.exe E:\WINNT\System\user32.exe
F2 - REG:system.ini: Shell=explorer.exe E:\WINNT\System\user32.exe
O1 - Hosts file is located at: E:\WINNT\System32\drivers\etc\hosts
O1 - Hosts file is located at: E:\WINNT\System32\drivers\etc\hosts
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [RealTray] E:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DSL Connection Tool] E:\Program Files\MSN\MSNIA\dslmon.exe
O4 - HKLM\..\Run: [MMTray] E:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] E:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F82-00104B107C96}

#14 WinHelp2002 (Global Moderator, 5,365 posts)

Posted 14 June 2004 - 10:27 PM

Hi,
Download: Process Viewer [freeware] WinNT/2K/XP/ME/95/98
http://www.xmlsp.com/pview/prcview.htm
Unzip but don't run it yet.

Download CWShredder v1.58.0
http://www.spywarein.../cwshredder.zip
Unzip and run (double-click) CWShredder.exe, click "Fix->" when finished ...

Restart in Safe Mode and then ...

Start | Run (type) regedit
Click Edit (up top), select: Find
(type) user32.exe, click Find Next

Highlight each instance found, right-click and select: Delete
Press "F3" to continue searching, repeat for each instance.
Repeat until you see the "completed" message, close Regedit.

Run PrcView
Highlight "user32.exe", right-click and select: Kill

Open Explorer and delete: E:\WINNT\System\user32.exe

Close all open windows except for HijackThis, place a check in each of the following, then click "Fix checked":

F0 - system.ini: Shell=explorer.exe E:\WINNT\System\user32.exe
F2 - REG:system.ini: Shell=explorer.exe E:\WINNT\System\user32.exe
O1 - Hosts file is located at: E:\WINNT\System32\drivers\etc\hosts
O1 - Hosts file is located at: E:\WINNT\System32\drivers\etc\hosts
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O18 - Protocol hijack: about - {53B95211-7D77-11D2-9F82-00104B107C96}


Run CWShredder again, restart normally, rescan with HijackThis and post a fresh log. Also mention in your next post if any problems occurred or any steps failed.
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file
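The triage Mike does by eye above (which F0/F2, O1 and R0/R1 lines to "fix") can be written down as checks over the log text. The script below is an added example for this thread, not code from HijackThis, CWShredder or the poster; the sample log is constructed from lines posted in this thread plus one invented loopback hosts entry of the kind a HOSTS-file blocklist installs, which must not be flagged. It assumes the HijackThis 1.9x line layout (`Xn - payload`), the NT default shell value `explorer.exe` and the default `userinit.exe`.

```python
"""Triage a HijackThis 1.9x log for the hijack markers discussed in this thread.

Added example; not part of the original thread and not HijackThis code.
Only the R0/R1 (browser pages), F0/F2 (Winlogon shell/userinit) and
O1 (hosts file) line types are examined; everything else is passed over.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: the first six lines are copied from the logs posted in
# this thread; the 127.0.0.1 line is an invented blocking entry (benign).
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://www.worldnet....arch/index.html
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://213.159.117.132/redir.php
F0 - system.ini: Shell=explorer.exe E:\\WINNT\\System\\user32.exe
F2 - REG:system.ini: Shell=explorer.exe E:\\WINNT\\System\\user32.exe
F2 - REG:system.ini: UserInit=
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O1 - Hosts: 127.0.0.1 ads.example.invalid
O4 - HKLM\\..\\Run: [RealTray] E:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"""

LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")


def check_winlogon(payload):
    """F0/F2: Shell= must be exactly explorer.exe and UserInit= must name
    userinit.exe. Anything appended to Shell= is started by Winlogon at every
    logon, which is how user32.exe stays resident on the poster's machine."""
    m = re.search(r"(Shell|UserInit)=(.*)$", payload, re.IGNORECASE)
    if not m:
        return None
    key, value = m.group(1).lower(), m.group(2).strip()
    if key == "shell":
        if value.lower().split() != ["explorer.exe"]:
            return "Shell= launches something besides explorer.exe"
        return None
    exe = value.rstrip(",").replace("/", "\\").split("\\")[-1].lower()
    if exe != "userinit.exe":
        return "UserInit= is empty or does not point at userinit.exe"
    return None


def check_hosts(payload):
    """O1 'Hosts: <ip> <name>': loopback/0.0.0.0 entries are blocking entries
    (the HOSTS-file technique in the signature above); a routable address
    under a real hostname silently redirects that site to someone else's box."""
    m = re.match(r"Hosts:\s+(\S+)\s+(\S+)", payload)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None
    if ip.is_loopback or ip.is_unspecified:
        return None
    return f"{m.group(2)} is redirected to {ip}"


def check_start_page(payload):
    """R0/R1 '<registry value> = <url>': a home or search page whose host is
    a bare IP address (no hostname) is almost never something the user chose."""
    if " = " not in payload:
        return None
    host = urlsplit(payload.rsplit(" = ", 1)[1].strip()).hostname
    if host is None:
        return None
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return None
    return f"browser page points at bare IP {host}"


CHECKS = {
    "R0": check_start_page, "R1": check_start_page,
    "F0": check_winlogon, "F2": check_winlogon,
    "O1": check_hosts,
}


def triage(log_text):
    """Return (line, reason) for every log line a helper would have fixed."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        check = CHECKS.get(m.group(1))
        reason = check(m.group(2)) if check else None
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

On the sample above it reports the R0 start page, both Shell= lines, the empty UserInit= and the auto.search.msn.com hosts entry, and leaves the worldnet search bar, the loopback hosts entry and the O4 line alone, which matches the list Mike asked the poster to check.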

#15 silk22 (Member, 9 posts)

Posted 17 June 2004 - 08:54 PM

Followed the above, but still could not delete user32 after opening Explorer.
Message: "Access Denied, cannot delete file, file may be in use..."?

Logfile of HijackThis v1.97.7
Scan saved at 7:52:04 PM, on 6/17/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\System32\cisvc.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\System32\mspmspsv.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\explorer.exe
E:\Program Files\Real\RealPlayer\RealPlay.exe
E:\Program Files\MSN\MSNIA\dslmon.exe
E:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
E:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\WINNT\System32\cidaemon.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.worldnet....arch/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
F0 - system.ini: Shell=explorer.exe E:\WINNT\System\user32.exe
F2 - REG:system.ini: Shell=explorer.exe E:\WINNT\System\user32.exe
F2 - REG:system.ini: UserInit=
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [RealTray] E:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DSL Connection Tool] E:\Program Files\MSN\MSNIA\dslmon.exe
O4 - HKLM\..\Run: [MMTray] E:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] E:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#16 WinHelp2002 (Global Moderator, 5,365 posts)

Posted 18 June 2004 - 06:40 AM

Hi,
Does "mmtask.dll" exist? Locate via Start > Search
Reference: http://www.pestpatro...fo/u/user32.asp

If so, delete those 2 files in Safe Mode and have HijackThis "fix" the following:

F0 - system.ini: Shell=explorer.exe E:\WINNT\System\user32.exe
F2 - REG:system.ini: Shell=explorer.exe E:\WINNT\System\user32.exe
F2 - REG:system.ini: UserInit=


Or try:

Run (double-click) killbox.exe (in Safe Mode)

In the "Paste Full Path of File to Delete" box, copy and paste this entry:

E:\WINNT\System\user32.exe

Next: click on the "Action" menu (up top) and select: "Delete on Reboot".
In the window that opens up, click on the File menu and select: "Add File".
The "E:\WINNT\System\user32.exe" listing should show up in the window.

In the same window choose the "Action" menu and select "Process and Reboot".

Then repeat the process, this time adding: (if mmtask.dll exists)

mmtask.dll

Note: you will need to add the "path" (folder location)
[Example]
E:\WINNT\System\mmtask.dll

If that's successful, you should have the two files listed.

When they are all there, in the same window choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.
Mike
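The "Delete on Reboot" step above works because a locked file can still be queued for deletion before any user-mode program runs at the next boot. On NT systems the MoveFileEx API with MOVEFILE_DELAY_UNTIL_REBOOT appends a (source, destination) string pair to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager (the same value StartupList printed as "*Registry value not found*" earlier in this thread), and Session Manager replays that list during boot; an empty destination means delete. The script below is an added example, not KillBox's own code, that builds and parses that value offline so the layout can be inspected. It does not touch the registry; the paths are the two files named in this thread, and the "!" replace-existing prefix is modelled from the documented layout.

```python
"""Build and decode a PendingFileRenameOperations value offline.

Added example for this thread; not KillBox code and not a registry writer.
Layout (REG_MULTI_SZ, UTF-16-LE): pairs of NUL-terminated strings
    <source NT path> <destination NT path or empty>
followed by a final NUL. Source paths carry the "\\??\\" NT prefix; an empty
destination means "delete at boot"; a destination starting with "!" means
"replace an existing file". Ordinary MULTI_SZ readers stop at the first empty
string, so the value has to be parsed as pairs, which is what the parser does.
"""

NT_PREFIX = "\\??\\"


def to_nt_path(win32_path):
    """E:\\WINNT\\System\\user32.exe -> \\??\\E:\\WINNT\\System\\user32.exe"""
    if win32_path.startswith(NT_PREFIX):
        return win32_path
    return NT_PREFIX + win32_path


def build_pending_ops(ops):
    """ops: list of (source, destination, replace_existing); destination None
    queues a delete. Returns the raw REG_MULTI_SZ bytes."""
    strings = []
    for source, destination, replace_existing in ops:
        strings.append(to_nt_path(source))
        if destination is None:
            strings.append("")  # empty destination: delete at next boot
        else:
            prefix = "!" if replace_existing else ""
            strings.append(prefix + to_nt_path(destination))
    body = "".join(s + "\0" for s in strings) + "\0"  # extra NUL ends the list
    return body.encode("utf-16-le")


def parse_pending_ops(blob):
    """Decode the value back into dicts with keys source/action/destination.
    Actions are 'delete', 'rename' or 'replace'."""
    text = blob.decode("utf-16-le")
    if text.endswith("\0"):
        text = text[:-1]  # drop the list terminator
    parts = text.split("\0")[:-1]  # every string is NUL-terminated
    ops = []
    for i in range(0, len(parts) - 1, 2):  # walk in pairs, ignore a dangling odd entry
        source, destination = parts[i], parts[i + 1]
        if source.startswith(NT_PREFIX):
            source = source[len(NT_PREFIX):]
        if destination == "":
            ops.append({"source": source, "action": "delete", "destination": None})
            continue
        action = "rename"
        if destination.startswith("!"):
            action = "replace"
            destination = destination[1:]
        if destination.startswith(NT_PREFIX):
            destination = destination[len(NT_PREFIX):]
        ops.append({"source": source, "action": action, "destination": destination})
    return ops


# Constructed sample: the two files KillBox is asked to remove in this thread.
SAMPLE_OPS = [
    ("E:\\WINNT\\System\\user32.exe", None, False),
    ("E:\\WINNT\\System\\mmtask.dll", None, False),
]

if __name__ == "__main__":
    blob = build_pending_ops(SAMPLE_OPS)
    for op in parse_pending_ops(blob):
        print(op)
```

The important property for cleanup is that the deletion runs before Winlogon, so the hijacked Shell= line cannot have relaunched user32.exe and taken the file lock again; that is why the same instruction works where Explorer's "Access Denied" failed. The F0/F2 lines still need fixing, or Winlogon will simply fail to find the file at the next logon.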
