Hey palguy,
Sheesh, I feel like this is a war or something!
Okay, I ran fixagent; it fixed something.
When I ran home_missing it just repeatedly said "'Reg' is not recognized as an internal or external command, operable program or batch file." until I closed the window.
I got rid of the entries and booted into safe mode to delete the file.
Here is my StartDreck log:
StartDreck (build 2.1.7 public stable) - 2005-03-01 @ 12:15:30 (GMT -05:00)
Platform: Windows 2000 (Win NT 5.0.2195 Service Pack 2)
Internet Explorer: 6.0.2800.1106
Logged in as Jonny at SIMPLEJONNY
»Registry
»Run Keys
»Current User
»Run
*TheQube=
*MsnMsgr="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
*SuperAdBlocker=C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
»RunOnce
»Default User
»Run
*internat.exe=internat.exe
*AVG7_Run=C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
»RunOnce
*^SetupICWDesktop=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
»Local Machine
»Run
*Synchronization Manager=mobsync.exe /logon
*CriticalUpdate=C:\WINNT\System32\wucrtupd.exe -startup
*UpdReg=C:\WINNT\Updreg.exe
*PrinTray=C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
*LoadQM=loadqm.exe
*NeroCheck=C:\WINNT\system32\NeroCheck.exe
*NAV Agent=C:\PROGRA~1\NORTON~1\navapw32.exe
*DMASwitch=C:\Program Files\CyberLink\PowerDVD\CLDMA.EXE 1 1
*CamMonitor=C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
*Share-to-Web Namespace Daemon=C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
*IntelliType="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
*POINTER=point32.exe
*QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
*WordPerfect Office 1115=C:\Program Files\Common Files\Corel\Registration\EN\Registration.exe /title="WordPerfect Office 11" /date=040204 serial=WS11WTD-9999998-BHS
*NAV CfgWiz=C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*AVG7_CC=C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
*AVG7_EMC=C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINNT\System32\mshta.exe "%1" %*
+.htm
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
+.html
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
+.js
*JSFile=C:\WINNT\System32\WScript.exe "%1" %*
+.jse
*JSEFile=C:\WINNT\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=C:\WINNT\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=C:\WINNT\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=C:\WINNT\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=C:\WINNT\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+EnableRevocation/{6A5110B5-E14B-4268-A065-EF89FF33C325}
*StubPath=regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub
+Address Book 5/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\System32\ie4uinit.exe
+CRLUpdate/{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}
*StubPath=%SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl
»Browser Helper Objects (LM)
»Internet Explorer
»Current User
*Default_Page_URL=http://www.msn.com
*Local Page=C:\WINNT\System32\blank.htm
*Start Page=http://www.google.com
*Window Title=Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
*CustomizeSearch=http://ie.search.msn.com
+SearchUrl
*provider=yaho
»Default User
*Default_Search_URL=http://ie.search.msn.com
*Search Bar=http://s-redirect.com/?a=2&b=hc
*Search Page=http://s-redirect.com/?a=2&b=hc
*SearchAssistant=http://s-redirect.com/?a=2&b=hc
+SearchUrl
*SearchUrl=http://s-redirect.com/?a=2&b=hc
»Local Machine
*Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Local Page=%SystemRoot%\system32\blank.htm
*Search Bar=res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/sp.html
*Start Page=http://www.google.com
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://www.google.com
+SearchUrl
»ShellServiceObjectDelayLoad (LM)
*Network.ConnectionTray={7007ACCF-3202-11D1-AAD2-00805FC1270E}
`InprocServer32=C:\WINNT\system32\NETSHELL.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=stobject.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=Explorer.exe
*Userinit=C:\WINNT\system32\userinit.exe,
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\LiveJournal.lnk
»Default User
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\msdos.sys
*C:\config.sys
*C:\winnt\System32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\autoexec.bat
*C:\winnt\System32\autoexec.nt
`@echo off
`lh %SystemRoot%\system32\mscdexnt.exe
`lh %SystemRoot%\system32\redir
`lh %SystemRoot%\system32\dosx
`lh %SystemRoot%\system32\nw16
`lh %SystemRoot%\system32\vwipxspx
*C:\winnt\wininit.ini
`[Rename]
`NUL=C:\WINNT\System32\bdeinsta2.dll
`C:\PROGRA~1\EXECUT~1\DISKEE~2\tl32v20.dll=C:\PROGRA~1\EXECUT~1\DISKEE~2\TL32V2~1.DLL
*C:\winnt\System32\drivers\etc\hosts
`127.0.0.1 localhost
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\winnt\System32\win.com
*C:\winnt\explorer.exe
»%PATH% Companion Files
+C:\winnt\System32\dfrgfat.exe
*C:\Program Files\Executive Software\DiskeeperLite\DfrgFAT.exe
+C:\winnt\System32\dfrgntfs.exe
*C:\Program Files\Executive Software\DiskeeperLite\DfrgNTFS.exe
+C:\winnt\System32\notepad.exe
*C:\winnt\notepad.exe
+C:\winnt\System32\taskman.exe
*C:\winnt\TASKMAN.EXE
+C:\winnt\System32\winhlp32.exe
*C:\winnt\winhlp32.exe
»System/Drivers
»Running Processes
+0=<idle>
+8=<system>
+152=\SystemRoot\System32\smss.exe
+176=\??\C:\winnt\system32\csrss.exe
+196=\??\C:\winnt\system32\winlogon.exe
+224=C:\winnt\system32\services.exe
+236=C:\winnt\system32\lsass.exe
+404=C:\winnt\system32\svchost.exe
+444=C:\WINNT\system32\LEXBCES.EXE
+472=C:\winnt\system32\spoolsv.exe
+500=C:\WINNT\system32\LEXPPS.EXE
+536=C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
+556=C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
+584=C:\WINNT\System32\CTsvcCDA.EXE
+596=C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
+612=C:\WINNT\System32\svchost.exe
+628=C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
+748=C:\winnt\system32\regsvc.exe
+760=C:\winnt\system32\MSTask.exe
+788=C:\winnt\system32\stisvc.exe
+880=C:\winnt\System32\WBEM\WinMgmt.exe
+716=C:\WINNT\System32\mspmspsv.exe
+972=C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
+1164=C:\winnt\Explorer.EXE
+1184=C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
+1420=C:\winnt\System32\devldr32.exe
+1008=C:\winnt\loadqm.exe
+1016=C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
+1412=C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
+984=C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
+1396=C:\Program Files\Microsoft Hardware\Mouse\point32.exe
+1380=C:\Program Files\Common Files\Real\Update_OB\realsched.exe
+352=C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
+1372=C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
+1436=C:\Program Files\MSN Messenger\MsnMsgr.Exe
+1484=C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
+1536=C:\Program Files\LiveJournal\LiveJournal.exe
+1488=C:\winnt\system32\NOTEPAD.EXE
+1112=C:\Documents and Settings\Administrator\Desktop\HJT\sd\StartDreck.exe
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User
Neither of the other two files showed up in the regsearch.
When I ran HijackThis again, one of the offending entries had reappeared, so I deleted it. I realize now that maybe I shouldn't have, as it might affect figuring things out, but I had already done it before I thought... so sorry if that is a problem.
Here is the new log.
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 2/10/05
Get updates at
http://www.greyknight17.com/download.htm#programs
***Security Programs Detected***
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.99.1
Scan saved at 12:20:59 PM, on 01/03/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\Program Files\LiveJournal\LiveJournal.exe
C:\Documents and Settings\Administrator\Desktop\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.livejournal.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINNT\System32\wucrtupd.exe -startup
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [DMASwitch] C:\Program Files\CyberLink\PowerDVD\CLDMA.EXE 1 1
O4 - HKLM\..\Run: [WordPerfect Office 1115] C:\Program Files\Common Files\Corel\Registration\EN\Registration.exe /title="WordPerfect Office 11" /date=040204 serial=WS11WTD-9999998-BHS
O4 - Startup: LiveJournal.lnk = C:\Program Files\LiveJournal\LiveJournal.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yaho...yiebio4023.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\winnt\System32\dmadmin.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE (file missing)
End of KRC HijackThis Analyzer Log.
====================================================================
Thanks so much!