Resolved HJT Threads (resolved spyware and popup issues)

#21 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,836
OS: WinXP and Vista
Hi,
Please download SilentRunners.vbs (299kb) - Right click & choose Save As... SilentRunners.vbs
Before proceeding, disable any anti-virus or anti-spyware programs that may block/disable scripts.
Launch SilentRunners by double-clicking the downloaded file.
In the ensuing Window, select 'No' to avoid skipping supplementary searches.
Please be patient as the script requires a few minutes to complete.
When it's done, you'll receive the prompt "All Done!". It will create a file called "Startup Programs".
Post ALL its contents here in your next reply.

------------------------

Download StartDreck
Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'
Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'
Press 'Save' and select the location to save the log file (default is the same folder as the application)
Post that log here as well, please.
#22 (permalink)

Registered User
Join Date: Sep 2006
Posts: 98
OS: windows vista
Dreck / startup programs logs
Hi,
Thank you so much for the help and your patience, just wanted to let you know it is appreciated greatly. The logs:

"Silent Runners.vbs", revision 48, http://www.silentrunners.org/
Operating System: Windows Me (Millennium Edition)
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATI Launchpad" = (empty string)
"systemtray" = (empty string)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
"systemtray" = (empty string)
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"OEMRUNONCE" = "c:\windows\options\cabs\oemrun.exe" [MS]
"Hot Key Kbd 9910 Daemon" = "SK9910DM.EXE" ["Silitek Corporation"]
"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]
"WorksFUD" = "C:\Program Files\Microsoft Works\wkfud.exe" ["Microsoft® Corporation"]
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"GoBack Polling Service" = "C:\Program Files\Roxio\GoBack\GBPoll.exe" ["Roxio, Inc."]
"ATISmart" = "C:\WINDOWS\SYSTEM\ati2s9ag.exe" [" "]
"StillImageMonitor" = "C:\WINDOWS\SYSTEM\STIMON.EXE" [MS]
"KB891711" = "C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE" [MS]
"KB918547" = "C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE" [MS]
"*StateMgr" = "C:\WINDOWS\System\Restore\StateMgr.exe" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
PerUser_CVT_Inis\(Default) = "Windows Setup - FAT32 Converter"
                 \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf" [MS]
PerUser_Enable_Inis\(Default) = "Windows Setup - Accessibility"
                 \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Enable_Inis_remove 64 C:\WINDOWS\INF\enable.inf" [MS]
PerUser_Wingames_Inis\(Default) = "Windows Setup - Classic Games"
                 \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Rem_Inis 64 C:\WINDOWS\INF\games.inf" [MS]
PerUser_ZoneGame_Inis\(Default) = "Windows Setup - Internet Games"
                 \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ZoneGame_Rem_Inis 64 C:\WINDOWS\INF\games.inf" [MS]
PerUser_PBGame_Inis\(Default) = "Windows Setup - Plus! Games"
                 \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_PBGame_Rem_Inis 64 C:\WINDOWS\INF\games.inf" [MS]
PerUser_Onlinelnks_Inis\(Default) = "Windows Setup - HyperTerminal"
                 \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Onlinelnks_Inis_remove 64 C:\WINDOWS\INF\appletpp.inf" [MS]
PerUser_Dialer_Inis\(Default) = "Windows Setup - Phone Dialer"
                 \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis_remove 64 C:\WINDOWS\INF\appletpp.inf" [MS]
{44BBA842-CC51-11CF-AAFA-00AA00B6015C}\(Default) = "NetMeeting 3.01"
                 \StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Remove.PerUser.W95" [MS]
OlsAolPerUser\(Default) = "Windows Setup - America Online"
                 \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUserRemove 64 C:\WINDOWS\INF\ols.inf" [MS]
OlsAttPerUser\(Default) = "Windows Setup - AT&T WorldNet Service"
                 \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUserRemove 64 C:\WINDOWS\INF\ols.inf" [MS]
OlsProdigyPerUser\(Default) = "Windows Setup - Prodigy Internet"
                 \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUserRemove 64 C:\WINDOWS\INF\ols.inf" [MS]
OlsEarthlinkPerUser\(Default) = "Windows Setup - Earthlink Internet"
                 \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsEarthlinkPerUserRemove 64 C:\WINDOWS\INF\ols.inf" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec Directcd Shell Extension"
  -> {HKLM...CLSID} = "Adaptec Directcd Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Adaptec\DirectCD\shellex.dll" ["Adaptec"]
"{6809e580-a3a7-11d1-9a00-00a0c945b006}" = "GoBack Shell Extension"
  -> {HKLM...CLSID} = "GoBack Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Roxio\GoBack\ShellExt.dll" ["Roxio, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
                   \InProcServer32\(Default) = "C:\PROGRAM FILES\REAL\REALPLAYER\RPSHELL.DLL" ["RealNetworks, Inc."]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
  -> {HKLM...CLSID} = "My Bluetooth Places"
                   \InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\BTNEIGHBORHOOD.DLL" ["Broadcom Corporation."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
                   \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
  -> {HKLM...CLSID} = "AVG7 Find Extension Class"
                   \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{6809e580-a3a7-11d1-9a00-00a0c945b006}" = "GoBack Shell Extension"
  -> {HKLM...CLSID} = "GoBack Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Roxio\GoBack\ShellExt.dll" ["Roxio, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
GoBack\(Default) = "{6809e580-a3a7-11d1-9a00-00a0c945b006}"
  -> {HKLM...CLSID} = "GoBack Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Roxio\GoBack\ShellExt.dll" ["Roxio, Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
                   \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
                   \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"

WIN.INI & SYSTEM.INI launch points:
-----------------------------------

SYSTEM.INI
[boot]
INFECTION WARNING! "shell=explorer.exe ibm00003.exe" [MS], [file not found]

Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]
"ISP signup reminder 1" -> launches: "C:\WINDOWS\SYSTEM\OOBE\MSOOBE.EXE /s /1" [MS]
"lily *****all anal sucker-3" -> launches: "C:\TEMP\Temp2\FAV\lily *****all anal sucker-3.rm" [file not found]
"lily suspended intruder-2" -> launches: "C:\TEMP\Temp2\FAV\lily suspended intruder-2.rm" [file not found]
"nikki deep doggy1" -> launches: "C:\TEMP\Temp2\FAV\nikki deep doggy1.rm" [file not found]
"nikki violater5" -> launches: "C:\TEMP\Temp2\FAV\nikki violater5.rm" [file not found]
"scotti nipple suck 02" -> launches: "C:\TEMP\Temp2\FAV\scotti nipple suck 02.rm" [file not found]
"scotti nipple suck 03" -> launches: "C:\TEMP\Temp2\FAV\scotti nipple suck 03.rm" [file not found]
"scotti ***** suck" -> launches: "C:\TEMP\Temp2\FAV\scotti ***** suck.rm" [file not found]
"scotti violate and suck 03" -> launches: "C:\TEMP\Temp2\FAV\scotti violate and suck 03.rm" [file not found]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6

Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]

Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://gateway.yahoo.com
[Strings]: MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome"

Missing lines (compared with English-language version):
[Strings]: 2 lines

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
HIJACK WARNING! "blank*" = "http://66.40.16.201/lng/" [file not found]

HOSTS file
----------

C:\WINDOWS\HOSTS

maps: 13 domain names to IP addresses,
      12 of the IP addresses are *not* localhost!

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Bluetooth Printer Port\Driver = "bthcrp98.dll" ["Broadcom Corporation."]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives took 27 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars took 14 seconds.
---------- (total run time: 65 seconds) the Dreck log; StartDreck (build 2.1.7 public stable) - 2006-10-05 @ 23:58:31 (GMT -04:00) Platform: Windows ME (Win 4.90.3000 ) Internet Explorer: 6.0.2800.1106 Logged in as default at S0023150099 »Registry »Run Keys »Current User »Run *ATI Launchpad= *systemtray= »RunOnce »Default User »Run *ATI Launchpad= *systemtray= »RunOnce »Local Machine »Run *TaskMonitor=C:\WINDOWS\taskmon.exe *systemtray= *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme *OEMRUNONCE=c:\windows\options\cabs\oemrun.exe *Hot Key Kbd 9910 Daemon=SK9910DM.EXE *AtiPTA=atiptaxx.exe *WorksFUD=C:\Program Files\Microsoft Works\wkfud.exe *ScanRegistry=C:\WINDOWS\scanregw.exe /autorun +OptionalComponents +MSFS +MAPI +MAPI »RunOnce »RunServices *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme *GoBack Polling Service=C:\Program Files\Roxio\GoBack\GBPoll.exe *ATISmart=C:\WINDOWS\SYSTEM\ati2s9ag.exe *StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE *KB891711=C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE *KB918547=C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE **StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe »RunServicesOnce »RunOnceEx »RunServicesOnceEx »File Associations (CR) +.bat *batfile="%1" %* +.com *comfile="%1" %* +.disabled *SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" "%1" +.exe *exefile="%1" %* +.hta *htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %* +.htm *htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome +.html *htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome +.js *JSFile=C:\WINDOWS\WScript.exe "%1" %* +.jse *JSEFile=C:\WINDOWS\WScript.exe "%1" %* +.pif *piffile="%1" %* +.reg *regfile=regedit.exe "%1" +.scr *scrfile="%1" /S +.txt *txtfile=C:\WINDOWS\NOTEPAD.EXE %1 +.vbs *VBSFile=C:\WINDOWS\WScript.exe "%1" %* +.vbe *VBEFile=C:\WINDOWS\WScript.exe "%1" %* +.wsh *WSHFile=C:\WINDOWS\WScript.exe "%1" %* +.wsf *WSFFile=C:\WINDOWS\WScript.exe "%1" %* +.lnk `lnkfile= [key or value does not exist] »Active 
Setup (LM) +Windows Setup - Applets/AppletsPerUser *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 C:\WINDOWS\INF\applets.inf +Windows Setup - FAT32 Converter/PerUser_CVT_Inis *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf +Windows Setup - Fonts/FontsPerUser *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 C:\WINDOWS\INF\fonts.inf +Windows Setup - Home Networking Wizard/PerUser_HNW_Inis *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_HNW_Inis 64 C:\WINDOWS\INF\ICS.inf +PerUser_ICW_Inis *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 C:\WINDOWS\INF\icw97.inf +Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS *StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP +Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4395} *StubPath=regsvr32.exe /s /n /i:U shell32.dll +Windows Movie Maker/PerUser_moviemaker *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_moviemaker 64 C:\WINDOWS\INF\moviemk.inf +MSN-Migration/>PerUser_MSN_Clean *StubPath=C:\WINDOWS\msnmgsr1.exe +Power Policy Settings/{CA0A4247-44BE-11d1-A005-00805F8ABE06} *StubPath=RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf +Windows Setup - System Information/PerUser_Msinfo *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 C:\WINDOWS\INF\msinfo.inf +Windows Setup - System Information/PerUser_Msinfo2 *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 C:\WINDOWS\INF\msinfo.inf +Windows Setup - Multimedia/MotownMmsysPerUser *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 C:\WINDOWS\INF\motown.inf +Windows Setup - Multimedia/MotownAvivideoPerUser *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection 
MotownAvivideoPerUser 64 C:\WINDOWS\INF\motown.inf +Windows Setup - Messaging/PerUser_Base *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 C:\WINDOWS\INF\msmail.inf +CDSAMPLE/SamplerPerUser *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection SamplerPerUser 64 C:\WINDOWS\INF\sampler.inf +Windows Setup - Shell/ShellPerUser *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 C:\WINDOWS\INF\shell.inf +Windows Setup - Color Schemes/Shell2PerUser *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 C:\WINDOWS\INF\shell2.inf +Windows Setup - Start Menu/PerUser_winbase_Links *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 C:\WINDOWS\INF\subase.inf +Windows Setup - Start Menu/PerUser_winapps_Links *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 C:\WINDOWS\INF\subase.inf +Windows Setup - Links Bar/PerUser_LinkBar_URLs *StubPath=C:\WINDOWS\COMMAND\sulfnbk.exe /L +Windows Setup - Telephony Support/TapiPerUser *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 C:\WINDOWS\INF\tapi.inf +Windows Setup - Wordpad/PerUser_MSWordPad_Inis *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 C:\WINDOWS\INF\wordpad.inf +Windows Setup - More Applets/PerUserOldLinks *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 C:\WINDOWS\INF\appletpp.inf +Windows Setup - Sound Schemes/MmoptRegisterPerUser *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 C:\WINDOWS\INF\mmopt.inf +Windows Setup - CD Player/PerUser_CDPlayer_Inis *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 C:\WINDOWS\INF\mmopt.inf +Windows Setup - Online Services/OlsPerUser *StubPath=rundll.exe 
C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 C:\WINDOWS\INF\ols.inf +Windows Setup - The Microsoft Network/OlsMsnPerUser *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 C:\WINDOWS\INF\ols.inf +System Restore/PerUser_PCHealth *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_PCHealth 64 C:\WINDOWS\INF\pchealth.inf +Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6} *StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub +Windows Setup - Paint/PerUser_Paint_Inis *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 C:\WINDOWS\INF\applets.inf +Windows Setup - Calculator/PerUser_Calc_Inis *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 C:\WINDOWS\INF\applets.inf +Windows Setup - DriveSpace/PerUser_dxxspace_Links *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_dxxspace_Links 64 C:\WINDOWS\INF\applets1.inf +Windows Setup - Accessibility/PerUser_Enable_Inis *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Enable_Inis_remove 64 C:\WINDOWS\INF\enable.inf +Windows Setup - Classic Games/PerUser_Wingames_Inis *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Rem_Inis 64 C:\WINDOWS\INF\games.inf +Windows Setup - Internet Games/PerUser_ZoneGame_Inis *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ZoneGame_Rem_Inis 64 C:\WINDOWS\INF\games.inf +Windows Setup - Plus! 
Games/PerUser_PBGame_Inis *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_PBGame_Rem_Inis 64 C:\WINDOWS\INF\games.inf +MSN Messenger Service 2.2/{5945c046-1e7d-11d1-bc44-00c04fd912be} *StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser +Windows Setup - Multimedia/MotownRecPerUser *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 C:\WINDOWS\INF\motown.inf +Windows Setup - Volume Control/PerUser_Vol *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 C:\WINDOWS\INF\motown.inf +Windows Setup - Multimedia/MotownMPlayPerUser *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 C:\WINDOWS\INF\motown.inf +Windows Setup - Dial-Up Networking/PerUser_RNA_Inis *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 C:\WINDOWS\INF\rna.inf +Windows Setup - System Monitor/PerUser_Sysmon_Inis *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmon_Inis 64 C:\WINDOWS\INF\appletpp.inf +Windows Setup - System Meter/PerUser_Sysmeter_Inis *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmeter_Inis 64 C:\WINDOWS\INF\appletpp.inf +Windows Setup - Netwatch/PerUser_netwatch_Inis *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_netwatch_Inis 64 C:\WINDOWS\INF\appletpp.inf +Windows Setup - Character Map/PerUser_CharMap_Inis *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CharMap_Inis 64 C:\WINDOWS\INF\appletpp.inf +Windows Setup - HyperTerminal/PerUser_Onlinelnks_Inis *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Onlinelnks_Inis_remove 64 C:\WINDOWS\INF\appletpp.inf +Windows Setup - Phone Dialer/PerUser_Dialer_Inis *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis_remove 64 
C:\WINDOWS\INF\appletpp.inf +Windows Setup - Clipboard Viewer/PerUser_ClipBrd_Inis *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ClipBrd_Inis 64 C:\WINDOWS\INF\clip.inf +Windows Setup - Sound Schemes/MmoptMusicaPerUser *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptMusicaPerUser 64 C:\WINDOWS\INF\mmopt.inf +Windows Setup - Sound Schemes/MmoptJunglePerUser *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptJunglePerUser 64 C:\WINDOWS\INF\mmopt.inf +Windows Setup - Sound Schemes/MmoptRobotzPerUser *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRobotzPerUser 64 C:\WINDOWS\INF\mmopt.inf +Windows Setup - Sound Schemes/MmoptUtopiaPerUser *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptUtopiaPerUser 64 C:\WINDOWS\INF\mmopt.inf +NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015C} *StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Remove.PerUser.W95 +Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C} *StubPath=rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C} +Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02} *StubPath=rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02} +Windows Setup - America Online/OlsAolPerUser *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUserRemove 64 C:\WINDOWS\INF\ols.inf +Windows Setup - AT&T WorldNet Service/OlsAttPerUser *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUserRemove 64 C:\WINDOWS\INF\ols.inf +Windows Setup - Prodigy Internet/OlsProdigyPerUser *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUserRemove 64 C:\WINDOWS\INF\ols.inf +Windows Setup - Earthlink Internet/OlsEarthlinkPerUser *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsEarthlinkPerUserRemove 64 
C:\WINDOWS\INF\ols.inf +Windows Setup - Shell Cursors/Shell3PerUser *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell3PerUser 64 C:\WINDOWS\INF\shell3.inf +Windows Setup -- Themes/Theme_MoreWindows_PerUser *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Themes_MoreWindows_PerUser 0 C:\WINDOWS\INF\themes.inf +Windows Setup - Preptool/PerUser_Preptool *StubPath=rundll.exe Setupx.dll,InstallHinfSection Install 64 C:\WINDOWS\INF\RUNLAST.INF +CRLUpdate/{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11} *StubPath=C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl +Internet Explorer 6 SP1/{89820200-ECBD-11cf-8B85-00AA005B4383} *StubPath=C:\WINDOWS\SYSTEM\ie4uinit.exe +>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} *StubPath=C:\WINDOWS\inf\unregmp2.exe /ShowWMP »Browser Helper Objects (LM) *{53707962-6F74-2D53-2644-206D7942484F} `InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL »Internet Explorer »Current User *Default_Search_URL=http://ie.search.msn.com *Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch *Start Page=http://www.rr.com/flash/index.cfm *CustomizeSearch=http://ie.search.msn.com +SearchUrl *Provider= *=http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com »Default User *Default_Search_URL=http://ie.search.msn.com *Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch *Start Page=http://www.rr.com/flash/index.cfm *CustomizeSearch=http://ie.search.msn.com +SearchUrl *Provider= *=http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com »Local Machine *Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome *Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch *Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch *Start Page=http://www.rr.com/html/index.cfm?p=16&m=43 *CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm 
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm »ShellServiceObjectDelayLoad (LM) »Special NT Values »Current User *Load= *Run= *Programs= *SHELL= »Default User *Load= *Run= *Programs= *SHELL= »Local Machine *AppInit_DLLs= *SHELL=explorer.exe *Userinit= »Files »Autostart Folders »Current User »Default User »Local Machine »INI-Files »WIN.INI\[windows] *LOAD= *RUN= »SYSTEM.INI\[boot] *SHELL=explorer.exe ibm00003.exe »Text Files *C:\WINDOWS\msdos.sys `[Paths] `WinDir=C:\WINDOWS `WinBootDir=C:\WINDOWS `HostWinBootDrv=C `[Options] `BootMulti=0 `BootGUI=1 `DoubleBuffer=1 `; `;The following lines are required for compatibility with other programs. `;Do not remove them (MSDOS.SYS needs to be >1024 bytes). `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxa `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxb `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxc `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxd `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxe `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxf `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxg `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxh `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxi `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxj `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxk `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxl `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxm `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxn `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxo `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxp `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxq 
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxr `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxs *C:\msdos.sys `[Paths] `WinDir=C:\WINDOWS `WinBootDir=C:\WINDOWS `HostWinBootDrv=C `[Options] `BootMulti=1 `BootGUI=1 `; `;The following lines are required for compatibility with other programs. `;Do not remove them (MSDOS.SYS needs to be >1024 bytes). `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxa `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxb `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxc `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxd `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxe `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxf `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxg `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxh `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxi `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxj `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxk `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxl `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxm `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxn `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxo `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxp `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxq `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxr `;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxs `AutoScan=1 `WinVer=4.90.3000 *C:\config.sys *C:\autoexec.bat `SET windir=C:\WINDOWS `SET winbootdir=C:\WINDOWS `SET COMSPEC=C:\WINDOWS\COMMAND.COM `SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\ATF `SET PROMPT=$p$g 
`SET TEMP=C:\WINDOWS\TEMP `SET TMP=C:\WINDOWS\TEMP *C:\WINDOWS\wininit.bak `[rename] `C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL=C:\PROGRA~1\SPYBOT~1\IS-ISTHG.TMP *C:\WINDOWS\winstart.bat `@C:\WINDOWS\tmpcpyis.bat *C:\WINDOWS\dosstart.bat `@echo off *C:\WINDOWS\command\cmdinit.bat `@echo off `doskey /insert > nul *C:\WINDOWS\hosts `205.238.40.2 www.winmx.com `205.238.40.2 err.winmx.com `209.67.209.50 test3201.winmx.com test3203.winmx.com test3205.winmx.com test3207.winmx.com `82.43.224.20 test3202.winmx.com test3204.winmx.com test3206.winmx.com test3208.winmx.com `209.67.209.50 c3310.z1301.winmx.com c3310.z1302.winmx.com c3310.z1303.winmx.com c3310.z1304.winmx.com c3310.z1305.winmx.com c3310.z1306.winmx.com c3312.z1301.winmx.com c3312.z1302.winmx.com c3312.z1303.winmx.com c3312.z1304.winmx.com c3312.z1305.winmx.com c3312.z1306.winmx.com c3314.z1301.winmx.com c3314.z1302.winmx.com c3314.z1303.winmx.com c3314.z1304.winmx.com c3314.z1305.winmx.com c3314.z1306.winmx.com c3316.z1301.winmx.com c3316.z1302.winmx.com c3316.z1303.winmx.com c3316.z1304.winmx.com c3316.z1305.winmx.com c3316.z1306.winmx.com c3318.z1301.winmx.com c3318.z1302.winmx.com c3318.z1303.winmx.com c3318.z1304.winmx.com c3318.z1305.winmx.com c3318.z1306.winmx.com `212.227.64.159 c3313.z1301.winmx.com c3313.z1302.winmx.com c3313.z1303.winmx.com c3313.z1304.winmx.com c3313.z1305.winmx.com c3313.z1306.winmx.com c3317.z1301.winmx.com c3317.z1302.winmx.com c3317.z1303.winmx.com c3317.z1304.winmx.com c3317.z1305.winmx.com c3317.z1306.winmx.com `82.195.155.5 c3311.z1301.winmx.com c3311.z1302.winmx.com c3311.z1303.winmx.com c3311.z1304.winmx.com c3311.z1305.winmx.com c3311.z1306.winmx.com c3315.z1301.winmx.com c3315.z1302.winmx.com c3315.z1303.winmx.com c3315.z1304.winmx.com c3315.z1305.winmx.com c3315.z1306.winmx.com `82.43.224.20 c3319.z1301.winmx.com c3319.z1302.winmx.com c3319.z1303.winmx.com c3319.z1304.winmx.com c3319.z1305.winmx.com c3319.z1306.winmx.com `209.67.209.50 c3520.z1301.winmx.com c3520.z1302.winmx.com 
c3520.z1303.winmx.com c3520.z1304.winmx.com c3520.z1305.winmx.com c3520.z1306.winmx.com c3522.z1301.winmx.com c3522.z1302.winmx.com c3522.z1303.winmx.com c3522.z1304.winmx.com c3522.z1305.winmx.com c3522.z1306.winmx.com c3524.z1301.winmx.com c3524.z1302.winmx.com c3524.z1303.winmx.com c3524.z1304.winmx.com c3524.z1305.winmx.com c3524.z1306.winmx.com c3526.z1301.winmx.com c3526.z1302.winmx.com c3526.z1303.winmx.com c3526.z1304.winmx.com c3526.z1305.winmx.com c3526.z1306.winmx.com c3528.z1301.winmx.com c3528.z1302.winmx.com c3528.z1303.winmx.com c3528.z1304.winmx.com c3528.z1305.winmx.com c3528.z1306.winmx.com `212.227.64.159 c3523.z1301.winmx.com c3523.z1302.winmx.com c3523.z1303.winmx.com c3523.z1304.winmx.com c3523.z1305.winmx.com c3523.z1306.winmx.com c3527.z1301.winmx.com c3527.z1302.winmx.com c3527.z1303.winmx.com c3527.z1304.winmx.com c3527.z1305.winmx.com c3527.z1306.winmx.com `82.195.155.5 c3521.z1301.winmx.com c3521.z1302.winmx.com c3521.z1303.winmx.com c3521.z1304.winmx.com c3521.z1305.winmx.com c3521.z1306.winmx.com c3525.z1301.winmx.com c3525.z1302.winmx.com c3525.z1303.winmx.com c3525.z1304.winmx.com c3525.z1305.winmx.com c3525.z1306.winmx.com `82.43.224.20 c3529.z1301.winmx.com c3529.z1302.winmx.com c3529.z1303.winmx.com c3529.z1304.winmx.com c3529.z1305.winmx.com c3529.z1306.winmx.com `127.0.0.1 localhost »Program Files *C:\io.sys *C:\WINDOWS\win.com *C:\WINDOWS\explorer.exe »%PATH% Companion Files +C:\command.com *C:\WINDOWS\command.PIF *C:\WINDOWS\COMMAND.COM »System/Drivers »Running Processes +FFCF4A47=C:\WINDOWS\SYSTEM\KERNEL32.DLL +FFFF8153=C:\WINDOWS\SYSTEM\MSGSRV32.EXE +FFF82147=C:\WINDOWS\SYSTEM\mmtask.tsk +FFF83B03=C:\WINDOWS\SYSTEM\MPREXE.EXE +FFF81EB3=C:\PROGRAM FILES\ROXIO\GOBACK\GBPOLL.EXE +FFF87583=C:\WINDOWS\SYSTEM\STIMON.EXE +FFF8409F=C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE +FFF858F7=C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE +FFF8B86F=C:\WINDOWS\EXPLORER.EXE +FFF9DC87=C:\WINDOWS\TASKMON.EXE +FFFA0E97=C:\WINDOWS\SYSTEM\SK9910DM.EXE 
+FFFA18BF=C:\WINDOWS\SYSTEM\ATIPTAXX.EXE +FFFA3FCF=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE +FFFB3707=C:\WINDOWS\SYSTEM\DDHELP.EXE +FFF4AF9B=C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE +FFFAF46B=C:\DRECK\STARTDRECK.EXE »VMM32Files (LM) *vdd.vxd= *vflatd.vxd= *biosxlat.vxd= *combuff.vxd= *configmg.vxd= *dosmgr.vxd= *dynapage.vxd= *ebios.vxd= *ifsmgr.vxd= *int13.vxd= *ios.vxd= *mtrr.vxd= *ntkern.vxd= *pageswap.vxd= *parity.vxd= *perf.vxd= *reboot.vxd= *shell.vxd= *spooler.vxd= *udf.vxd= *v86mmgr.vxd= *vcache.vxd= *vcd.vxd= *vcdfsd.vxd= *vcomm.vxd= *vcond.vxd= *vdef.vxd= *vdmad.vxd= *vfat.vxd= *vfbackup.vxd= *vkd.vxd= *vmcpd.vxd= *vmouse.vxd= *vmpoll.vxd= *vpd.vxd= *vpicd.vxd= *vpowerd.vxd= *vsd.vxd= *vtd.vxd= *vtdapi.vxd= *vwin32.vxd= *vxdldr.vxd= *vxdmon.vxd= *enable.vxd= »%System%\VMM32 *C:\WINDOWS\SYSTEM\VMM32\MRCI2.VXD *C:\WINDOWS\SYSTEM\VMM32\IFSMGR.VXD *C:\WINDOWS\SYSTEM\VMM32\VMOUSE.VXD »%System%\IOSUBSYS *C:\WINDOWS\SYSTEM\IoSubSys\BIGMEM.DRV *C:\WINDOWS\SYSTEM\IoSubSys\ESDI_506.PDR *C:\WINDOWS\SYSTEM\IoSubSys\HSFLOP.PDR *C:\WINDOWS\SYSTEM\IoSubSys\RMM.PDR *C:\WINDOWS\SYSTEM\IoSubSys\SCSIPORT.PDR *C:\WINDOWS\SYSTEM\IoSubSys\APIX.VXD *C:\WINDOWS\SYSTEM\IoSubSys\ATAPCHNG.VXD *C:\WINDOWS\SYSTEM\IoSubSys\CDFS.VXD *C:\WINDOWS\SYSTEM\IoSubSys\CDTSD.VXD *C:\WINDOWS\SYSTEM\IoSubSys\CDVSD.VXD *C:\WINDOWS\SYSTEM\IoSubSys\DISKTSD.VXD *C:\WINDOWS\SYSTEM\IoSubSys\DISKVSD.VXD *C:\WINDOWS\SYSTEM\IoSubSys\NECATAPI.VXD *C:\WINDOWS\SYSTEM\IoSubSys\SCSI1HLP.VXD *C:\WINDOWS\SYSTEM\IoSubSys\TORISAN3.VXD *C:\WINDOWS\SYSTEM\IoSubSys\VOLTRACK.VXD *C:\WINDOWS\SYSTEM\IoSubSys\DRVSPACX.VXD *C:\WINDOWS\SYSTEM\IoSubSys\CDRALVSD.VXD *C:\WINDOWS\SYSTEM\IoSubSys\EL90XBC3.SYS *C:\WINDOWS\SYSTEM\IoSubSys\EL90XBC4.SYS *C:\WINDOWS\SYSTEM\IoSubSys\EL90XBC5.SYS *C:\WINDOWS\SYSTEM\IoSubSys\Acbhlpr.vxd *C:\WINDOWS\SYSTEM\IoSubSys\cdr4vsd.vxd *C:\WINDOWS\SYSTEM\IoSubSys\CDRPWD.VXD *C:\WINDOWS\SYSTEM\IoSubSys\CDUDF.VXD *C:\WINDOWS\SYSTEM\IoSubSys\CDUDFRW.VXD *C:\WINDOWS\SYSTEM\IoSubSys\UdfReadr.vxd 
*C:\WINDOWS\SYSTEM\IoSubSys\smartvsd.vxd *C:\WINDOWS\SYSTEM\IoSubSys\IOMEGA.VXD *C:\WINDOWS\SYSTEM\IoSubSys\VGoBackD.vxd *C:\WINDOWS\SYSTEM\IoSubSys\USBMPHLP.PDR *C:\WINDOWS\SYSTEM\IoSubSys\pfc.vxd *C:\WINDOWS\SYSTEM\IoSubSys\pxhelper.vxd »Application specific »MS Office 97/8.0 STARTUP-PATH »Current User »Default User »Local Machine »ICQ NetDetect »Current User »Default User |
#23
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,836
OS: WinXP and Vista
Ahhh...I see it, and a couple others.
Let's get rid of the error at bootup first. Please copy this page to Notepad and save to your desktop for reference, as you will not have any browsers open while you are carrying out portions of these instructions.

************************************************

Run StartDreck with the same options checked as before. Click on the following and hit the Delete button in the program:

*SHELL=explorer.exe ibm00003.exe

That line is a little more than half way down the log, under this category:

»SYSTEM.INI\[boot]

shortly before you see all those lines of xxxxxxxxxxxxxxxxxxxxxxx's.

-----------------------------------------------------

Now we need to take care of the others that do not belong.

Download CWShredder and run it. Click on the 'I Agree' button if you agree and check for updates. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

------------------------

Next, download win32delfkil.exe.

------------------------

Please run both the SilentRunners and StartDreck tools again and post the logs here once more, along with the windelf.txt and a new HijackThis log.

How is the system behaving now?
#25
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,836
OS: WinXP and Vista
Can you post the log from the Silent Runners--that's the one I'm most interested in.
Are you referring to the online Trend Micro scan? If so, it will not run on Windows ME.
#26
Registered User
Join Date: Sep 2006
Posts: 98
OS: windows vista
Silent Runners Log
Hi,
Trend Micro used to run fine on my system. Did they change it so it would not run on ME? Anyway, here is the Silent Runners log:

"Silent Runners.vbs", revision 48, http://www.silentrunners.org/
Operating System: Windows Me (Millennium Edition)
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATI Launchpad" = (empty string)
"systemtray" = (empty string)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
"systemtray" = (empty string)
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"OEMRUNONCE" = "c:\windows\options\cabs\oemrun.exe" [MS]
"Hot Key Kbd 9910 Daemon" = "SK9910DM.EXE" ["Silitek Corporation"]
"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]
"WorksFUD" = "C:\Program Files\Microsoft Works\wkfud.exe" ["Microsoft® Corporation"]
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"AVG7_AMSVR" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE" ["GRISOFT, s.r.o."]
"AVG7_CC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE" ["GRISOFT, s.r.o."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"GoBack Polling Service" = "C:\Program Files\Roxio\GoBack\GBPoll.exe" ["Roxio, Inc."]
"ATISmart" = "C:\WINDOWS\SYSTEM\ati2s9ag.exe" [" "]
"StillImageMonitor" = "C:\WINDOWS\SYSTEM\STIMON.EXE" [MS]
"KB891711" = "C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE" [MS]
"KB918547" = "C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE" [MS]
"*StateMgr" = "C:\WINDOWS\System\Restore\StateMgr.exe" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
PerUser_CVT_Inis\(Default) = "Windows Setup - FAT32 Converter"
  \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf" [MS]
PerUser_Enable_Inis\(Default) = "Windows Setup - Accessibility"
  \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Enable_Inis_remove 64 C:\WINDOWS\INF\enable.inf" [MS]
PerUser_Wingames_Inis\(Default) = "Windows Setup - Classic Games"
  \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Rem_Inis 64 C:\WINDOWS\INF\games.inf" [MS]
PerUser_ZoneGame_Inis\(Default) = "Windows Setup - Internet Games"
  \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ZoneGame_Rem_Inis 64 C:\WINDOWS\INF\games.inf" [MS]
PerUser_PBGame_Inis\(Default) = "Windows Setup - Plus! Games"
  \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_PBGame_Rem_Inis 64 C:\WINDOWS\INF\games.inf" [MS]
PerUser_Onlinelnks_Inis\(Default) = "Windows Setup - HyperTerminal"
  \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Onlinelnks_Inis_remove 64 C:\WINDOWS\INF\appletpp.inf" [MS]
PerUser_Dialer_Inis\(Default) = "Windows Setup - Phone Dialer"
  \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis_remove 64 C:\WINDOWS\INF\appletpp.inf" [MS]
{44BBA842-CC51-11CF-AAFA-00AA00B6015C}\(Default) = "NetMeeting 3.01"
  \StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Remove.PerUser.W95" [MS]
OlsAolPerUser\(Default) = "Windows Setup - America Online"
  \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUserRemove 64 C:\WINDOWS\INF\ols.inf" [MS]
OlsAttPerUser\(Default) = "Windows Setup - AT&T WorldNet Service"
  \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUserRemove 64 C:\WINDOWS\INF\ols.inf" [MS]
OlsProdigyPerUser\(Default) = "Windows Setup - Prodigy Internet"
  \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUserRemove 64 C:\WINDOWS\INF\ols.inf" [MS]
OlsEarthlinkPerUser\(Default) = "Windows Setup - Earthlink Internet"
  \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsEarthlinkPerUserRemove 64 C:\WINDOWS\INF\ols.inf" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec Directcd Shell Extension"
  -> {HKLM...CLSID} = "Adaptec Directcd Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Adaptec\DirectCD\shellex.dll" ["Adaptec"]
"{6809e580-a3a7-11d1-9a00-00a0c945b006}" = "GoBack Shell Extension"
  -> {HKLM...CLSID} = "GoBack Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Roxio\GoBack\ShellExt.dll" ["Roxio, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
     \InProcServer32\(Default) = "C:\PROGRAM FILES\REAL\REALPLAYER\RPSHELL.DLL" ["RealNetworks, Inc."]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
  -> {HKLM...CLSID} = "My Bluetooth Places"
     \InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\BTNEIGHBORHOOD.DLL" ["Broadcom Corporation."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
     \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
  -> {HKLM...CLSID} = "AVG7 Find Extension Class"
     \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{6809e580-a3a7-11d1-9a00-00a0c945b006}" = "GoBack Shell Extension"
  -> {HKLM...CLSID} = "GoBack Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Roxio\GoBack\ShellExt.dll" ["Roxio, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
GoBack\(Default) = "{6809e580-a3a7-11d1-9a00-00a0c945b006}"
  -> {HKLM...CLSID} = "GoBack Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Roxio\GoBack\ShellExt.dll" ["Roxio, Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
     \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
     \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
     \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


WIN.INI & SYSTEM.INI launch points:
-----------------------------------

SYSTEM.INI
[boot]
"SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\MYPICT~1.SCR" (My Pictures Screen Saver.scr) [MS]


Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]
"ISP signup reminder 1" -> launches: "C:\WINDOWS\SYSTEM\OOBE\MSOOBE.EXE /s /1" [MS]
"lily *****all anal sucker-3" -> launches: "C:\TEMP\Temp2\FAV\lily *****all anal sucker-3.rm" [file not found]
"lily suspended intruder-2" -> launches: "C:\TEMP\Temp2\FAV\lily suspended intruder-2.rm" [file not found]
"nikki deep doggy1" -> launches: "C:\TEMP\Temp2\FAV\nikki deep doggy1.rm" [file not found]
"nikki violater5" -> launches: "C:\TEMP\Temp2\FAV\nikki violater5.rm" [file not found]
"scotti nipple suck 02" -> launches: "C:\TEMP\Temp2\FAV\scotti nipple suck 02.rm" [file not found]
"scotti nipple suck 03" -> launches: "C:\TEMP\Temp2\FAV\scotti nipple suck 03.rm" [file not found]
"scotti ***** suck" -> launches: "C:\TEMP\Temp2\FAV\scotti ***** suck.rm" [file not found]
"scotti violate and suck 03" -> launches: "C:\TEMP\Temp2\FAV\scotti violate and suck 03.rm" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://gateway.yahoo.com
[Strings]: MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome"

Missing lines (compared with English-language version):
[Strings]: 2 lines

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
HIJACK WARNING! "blank*" = "http://66.40.16.201/lng/" [file not found]


HOSTS file
----------

C:\WINDOWS\HOSTS

maps: 13 domain names to IP addresses,
      12 of the IP addresses are *not* localhost!


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Bluetooth Printer Port\Driver = "bthcrp98.dll" ["Broadcom Corporation."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 7 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
  took 11 seconds.
---------- (total run time: 30 seconds)
#27
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,836
OS: WinXP and Vista
Hi,
Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now.

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following bolded text into Notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AboutURLs]
"blank"=-

Save the file as "delete.reg". Make sure to save it with the quotes. Close Notepad. Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

-----------------------------------

Click Start>Programs>Accessories>System Tools>Scheduled Tasks

In the Task Scheduler, these 2 entries are fine:

Tune-up Application Start
ISP signup reminder 1

Delete everything else you see.

-----------------------------------

Please post the windelf.txt

You mentioned HijackThis is 'locking up'. Have you added any new programs recently? Try again to run HijackThis and post the log here.
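As an added example (not code from the thread, Silent Runners or StartDreck), here are the checks behind two of the findings above re-implemented in Python: the HOSTS count the Silent Runners log reports in post #26 and the AboutURLs hijack that the delete.reg in post #27 removes, followed by the generation of that REGEDIT4 file. The registry key and the http://66.40.16.201/lng/ value are taken from the log; the hostnames, addresses and the stock "PostNotCached" value are constructed assumptions.

```python
"""Added example, not part of the thread or of the Silent Runners/StartDreck
tools.  It re-implements two checks the analyst read off the log in post #26
(HOSTS lines that map names away from localhost; an IE AboutURLs value that
points at a web address) and builds the REGEDIT4 removal file from post #27.
Every sample below is constructed to mirror the log's shape, not real data."""
import re

# Constructed hosts-file sample: one address per line, one or more names,
# using RFC 5737 documentation addresses in place of the log's real ones.
SAMPLE_HOSTS = """\
# constructed sample, not the machine's real HOSTS file
198.51.100.7 www.example-a.test
198.51.100.7 err.example-a.test
203.0.113.9 test1.example-a.test test2.example-a.test
127.0.0.1 localhost
"""

# Constructed REGEDIT4 export of the key Silent Runners flagged; "blank"
# mirrors the hijacked value from the log, "PostNotCached" is assumed stock.
SAMPLE_ABOUTURLS = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AboutURLs]
"blank"="http://66.40.16.201/lng/"
"PostNotCached"="res://mshtml.dll/repost.htm"
"""
ABOUTURLS_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AboutURLs"
LOOPBACK_PREFIXES = ("127.", "::1")
LOCAL_ABOUT_SCHEMES = ("res://", "about:")


def hosts_summary(text):
    """Count HOSTS entries (one per non-comment line, the way the log counts
    them) and how many of them map names to something other than loopback."""
    entries, not_localhost, redirected = 0, 0, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        entries += 1
        if not ip.startswith(LOOPBACK_PREFIXES):
            not_localhost += 1
            redirected.extend((name.lower(), ip) for name in names)
    return {"entries": entries, "not_localhost": not_localhost,
            "redirected": redirected}


def parse_reg_values(text, key):
    """Return {name: data} for the string values under `key` in a REGEDIT4
    export.  REGEDIT4 escapes backslash and double quote inside strings."""
    values, in_key = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        if not in_key:
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
        if m:
            name, data = (s.replace('\\"', '"').replace("\\\\", "\\")
                          for s in m.groups())
            values[name] = data
    return values


def suspicious_abouturls(values):
    """Names whose about: target leaves IE's local res:// / about: space;
    a web URL here is what the log's HIJACK WARNING pointed at."""
    return sorted(name for name, data in values.items()
                  if data and not data.lower().startswith(LOCAL_ABOUT_SCHEMES))


def removal_reg(key, names):
    """REGEDIT4 text deleting the named values: the '"name"=-' form the
    analyst gives.  Save it with CRLF line endings and merge it only after
    exporting a registry backup, as the thread's instructions order it."""
    lines = ["REGEDIT4", "", f"[{key}]"] + [f'"{n}"=-' for n in names] + [""]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hosts = hosts_summary(SAMPLE_HOSTS)
    print(f"HOSTS maps {hosts['entries']} entries, "
          f"{hosts['not_localhost']} not localhost: {hosts['redirected']}")
    flagged = suspicious_abouturls(parse_reg_values(SAMPLE_ABOUTURLS, ABOUTURLS_KEY))
    print("AboutURLs values pointing off the local machine:", flagged)
    print(removal_reg(ABOUTURLS_KEY, flagged))
```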
#28
Registered User
Join Date: Sep 2006
Posts: 98
OS: windows vista
No HJT or win32delfkil log
Hi,
Did the regedit and delete as instructed. Unable to get HJT due to it freezing at approx 97% with a 015 (trust enumeration) error?? The win32delfkil just produces the following Notepad file:

Unsupported version
Unsupported version
Unsupported version
Unsupported version
Unsupported version
Unsupported version

without the icons disappearing or the reboot.

No, I have not added any software lately; I wanted to wait to resolve this issue. Unfortunately I have ignored my own advice about mixing whiskey and PC repair :) and accidentally clicked on the bitforce remover instead of one of the scanning programs I have added. After this is resolved it would be nice if you would recommend what I should discard and what to keep. It is absolutely amazing what you all have done and it will not be forgotten.
#29
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,836
OS: WinXP and Vista
Ok, one more registry fix.
Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now.

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following bolded text into Notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{1b68470c-2def-493b-8a4a-8e2d81be4ea5}"=-

Save the file as "delete.reg". Make sure to save it with the quotes. Close Notepad. Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

-----------------------------------------------

Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

Now try running HijackThis again. Post that log here along with a new StartDreck log so I can be sure that registry entry is indeed gone.
#30
Registered User
Join Date: Sep 2006
Posts: 98
OS: windows vista
HJT and Dreck Logs
That seemed to do the trick for HJT.
here are the logs DRECK ; StartDreck (build 2.1.7 public stable) - 2006-10-07 @ 01:01:34 (GMT -04:00) Platform: Windows ME (Win 4.90.3000 ) Internet Explorer: 6.0.2800.1106 Logged in as default at S0023150099 »Registry »Run Keys »Current User »Run *ATI Launchpad= *systemtray= »RunOnce »Default User »Run *ATI Launchpad= *systemtray= »RunOnce »Local Machine »Run *TaskMonitor=C:\WINDOWS\taskmon.exe *systemtray= *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme *OEMRUNONCE=c:\windows\options\cabs\oemrun.exe *Hot Key Kbd 9910 Daemon=SK9910DM.EXE *AtiPTA=atiptaxx.exe *WorksFUD=C:\Program Files\Microsoft Works\wkfud.exe *ScanRegistry=C:\WINDOWS\scanregw.exe /autorun +OptionalComponents +MSFS +MAPI +MAPI »RunOnce »RunServices *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme *GoBack Polling Service=C:\Program Files\Roxio\GoBack\GBPoll.exe *ATISmart=C:\WINDOWS\SYSTEM\ati2s9ag.exe *StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE *KB891711=C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE *KB918547=C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE **StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe »RunServicesOnce »RunOnceEx »RunServicesOnceEx »File Associations (CR) +.bat *batfile="%1" %* +.com *comfile="%1" %* +.disabled *SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" "%1" +.exe *exefile="%1" %* +.hta *htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %* +.htm *htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome +.html *htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome +.js *JSFile=C:\WINDOWS\WScript.exe "%1" %* +.jse *JSEFile=C:\WINDOWS\WScript.exe "%1" %* +.pif *piffile="%1" %* +.reg *regfile=regedit.exe "%1" +.scr *scrfile="%1" /S +.txt *txtfile=C:\WINDOWS\NOTEPAD.EXE %1 +.vbs *VBSFile=C:\WINDOWS\WScript.exe "%1" %* +.vbe *VBEFile=C:\WINDOWS\WScript.exe "%1" %* +.wsh *WSHFile=C:\WINDOWS\WScript.exe "%1" %* +.wsf *WSFFile=C:\WINDOWS\WScript.exe "%1" %* +.lnk `lnkfile= [key or value does not exist] »Active Setup (LM) +Windows Setup - 
Applets/AppletsPerUser *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 C:\WINDOWS\INF\applets.inf +Windows Setup - FAT32 Converter/PerUser_CVT_Inis *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf +Windows Setup - Fonts/FontsPerUser *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 C:\WINDOWS\INF\fonts.inf +Windows Setup - Home Networking Wizard/PerUser_HNW_Inis *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_HNW_Inis 64 C:\WINDOWS\INF\ICS.inf +PerUser_ICW_Inis *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 C:\WINDOWS\INF\icw97.inf +Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS *StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP +Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4395} *StubPath=regsvr32.exe /s /n /i:U shell32.dll +Windows Movie Maker/PerUser_moviemaker *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_moviemaker 64 C:\WINDOWS\INF\moviemk.inf +MSN-Migration/>PerUser_MSN_Clean *StubPath=C:\WINDOWS\msnmgsr1.exe +Power Policy Settings/{CA0A4247-44BE-11d1-A005-00805F8ABE06} *StubPath=RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf +Windows Setup - System Information/PerUser_Msinfo *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 C:\WINDOWS\INF\msinfo.inf +Windows Setup - System Information/PerUser_Msinfo2 *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 C:\WINDOWS\INF\msinfo.inf +Windows Setup - Multimedia/MotownMmsysPerUser *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 C:\WINDOWS\INF\motown.inf +Windows Setup - Multimedia/MotownAvivideoPerUser *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 
C:\WINDOWS\INF\motown.inf +Windows Setup - Messaging/PerUser_Base *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 C:\WINDOWS\INF\msmail.inf +CDSAMPLE/SamplerPerUser *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection SamplerPerUser 64 C:\WINDOWS\INF\sampler.inf +Windows Setup - Shell/ShellPerUser *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 C:\WINDOWS\INF\shell.inf +Windows Setup - Color Schemes/Shell2PerUser *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 C:\WINDOWS\INF\shell2.inf +Windows Setup - Start Menu/PerUser_winbase_Links *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 C:\WINDOWS\INF\subase.inf +Windows Setup - Start Menu/PerUser_winapps_Links *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 C:\WINDOWS\INF\subase.inf +Windows Setup - Links Bar/PerUser_LinkBar_URLs *StubPath=C:\WINDOWS\COMMAND\sulfnbk.exe /L +Windows Setup - Telephony Support/TapiPerUser *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 C:\WINDOWS\INF\tapi.inf +Windows Setup - Wordpad/PerUser_MSWordPad_Inis *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 C:\WINDOWS\INF\wordpad.inf +Windows Setup - More Applets/PerUserOldLinks *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 C:\WINDOWS\INF\appletpp.inf +Windows Setup - Sound Schemes/MmoptRegisterPerUser *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 C:\WINDOWS\INF\mmopt.inf +Windows Setup - CD Player/PerUser_CDPlayer_Inis *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 C:\WINDOWS\INF\mmopt.inf +Windows Setup - Online Services/OlsPerUser *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 
64 C:\WINDOWS\INF\ols.inf +Windows Setup - The Microsoft Network/OlsMsnPerUser *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 C:\WINDOWS\INF\ols.inf +System Restore/PerUser_PCHealth *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_PCHealth 64 C:\WINDOWS\INF\pchealth.inf +Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6} *StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub +Windows Setup - Paint/PerUser_Paint_Inis *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 C:\WINDOWS\INF\applets.inf +Windows Setup - Calculator/PerUser_Calc_Inis *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 C:\WINDOWS\INF\applets.inf +Windows Setup - DriveSpace/PerUser_dxxspace_Links *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_dxxspace_Links 64 C:\WINDOWS\INF\applets1.inf +Windows Setup - Accessibility/PerUser_Enable_Inis *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Enable_Inis_remove 64 C:\WINDOWS\INF\enable.inf +Windows Setup - Classic Games/PerUser_Wingames_Inis *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Rem_Inis 64 C:\WINDOWS\INF\games.inf +Windows Setup - Internet Games/PerUser_ZoneGame_Inis *StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ZoneGame_Rem_Inis 64 C:\WINDOWS\INF\games.inf +Windows Setup - Plus! 
Games/PerUser_PBGame_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_PBGame_Rem_Inis 64 C:\WINDOWS\INF\games.inf
+MSN Messenger Service 2.2/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser
+Windows Setup - Multimedia/MotownRecPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 C:\WINDOWS\INF\motown.inf
+Windows Setup - Volume Control/PerUser_Vol
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 C:\WINDOWS\INF\motown.inf
+Windows Setup - Multimedia/MotownMPlayPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 C:\WINDOWS\INF\motown.inf
+Windows Setup - Dial-Up Networking/PerUser_RNA_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 C:\WINDOWS\INF\rna.inf
+Windows Setup - System Monitor/PerUser_Sysmon_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmon_Inis 64 C:\WINDOWS\INF\appletpp.inf
+Windows Setup - System Meter/PerUser_Sysmeter_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmeter_Inis 64 C:\WINDOWS\INF\appletpp.inf
+Windows Setup - Netwatch/PerUser_netwatch_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_netwatch_Inis 64 C:\WINDOWS\INF\appletpp.inf
+Windows Setup - Character Map/PerUser_CharMap_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CharMap_Inis 64 C:\WINDOWS\INF\appletpp.inf
+Windows Setup - HyperTerminal/PerUser_Onlinelnks_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Onlinelnks_Inis_remove 64 C:\WINDOWS\INF\appletpp.inf
+Windows Setup - Phone Dialer/PerUser_Dialer_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis_remove 64 C:\WINDOWS\INF\appletpp.inf
+Windows Setup - Clipboard Viewer/PerUser_ClipBrd_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ClipBrd_Inis 64 C:\WINDOWS\INF\clip.inf
+Windows Setup - Sound Schemes/MmoptMusicaPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptMusicaPerUser 64 C:\WINDOWS\INF\mmopt.inf
+Windows Setup - Sound Schemes/MmoptJunglePerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptJunglePerUser 64 C:\WINDOWS\INF\mmopt.inf
+Windows Setup - Sound Schemes/MmoptRobotzPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRobotzPerUser 64 C:\WINDOWS\INF\mmopt.inf
+Windows Setup - Sound Schemes/MmoptUtopiaPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptUtopiaPerUser 64 C:\WINDOWS\INF\mmopt.inf
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015C}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Remove.PerUser.W95
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath=rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath=rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}
+Windows Setup - America Online/OlsAolPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUserRemove 64 C:\WINDOWS\INF\ols.inf
+Windows Setup - AT&T WorldNet Service/OlsAttPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUserRemove 64 C:\WINDOWS\INF\ols.inf
+Windows Setup - Prodigy Internet/OlsProdigyPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUserRemove 64 C:\WINDOWS\INF\ols.inf
+Windows Setup - Earthlink Internet/OlsEarthlinkPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsEarthlinkPerUserRemove 64 C:\WINDOWS\INF\ols.inf
+Windows Setup - Shell Cursors/Shell3PerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell3PerUser 64 C:\WINDOWS\INF\shell3.inf
+Windows Setup -- Themes/Theme_MoreWindows_PerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Themes_MoreWindows_PerUser 0 C:\WINDOWS\INF\themes.inf
+Windows Setup - Preptool/PerUser_Preptool
*StubPath=rundll.exe Setupx.dll,InstallHinfSection Install 64 C:\WINDOWS\INF\RUNLAST.INF
+CRLUpdate/{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}
*StubPath=C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
+Internet Explorer 6 SP1/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=C:\WINDOWS\SYSTEM\ie4uinit.exe
+>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
*StubPath=C:\WINDOWS\inf\unregmp2.exe /ShowWMP
»Browser Helper Objects (LM)
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
»Internet Explorer
»Current User
*Default_Search_URL=http://ie.search.msn.com
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.rr.com/flash/index.cfm
*CustomizeSearch=http://ie.search.msn.com
+SearchUrl
*Provider=
*=http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
»Default User
*Default_Search_URL=http://ie.search.msn.com
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.rr.com/flash/index.cfm
*CustomizeSearch=http://ie.search.msn.com
+SearchUrl
*Provider=
*=http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
»Local Machine
*Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.rr.com/html/index.cfm?p=16&m=43
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
»ShellServiceObjectDelayLoad (LM)
»Special NT Values
»Current User
*Load=
*Run=
*Programs=
*SHELL=
»Default User
*Load=
*Run=
*Programs=
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=explorer.exe
*Userinit=
»Files
»Autostart Folders
»Current User
»Default User
»Local Machine
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=
»Text Files
*C:\WINDOWS\msdos.sys
`[Paths]
`WinDir=C:\WINDOWS
`WinBootDir=C:\WINDOWS
`HostWinBootDrv=C
`[Options]
`BootMulti=0
`BootGUI=1
`DoubleBuffer=1
`;
`;The following lines are required for compatibility with other programs.
`;Do not remove them (MSDOS.SYS needs to be >1024 bytes).
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxa
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxb
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxc
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxd
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxe
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxf
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxg
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxh
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxi
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxj
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxk
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxl
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxm
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxn
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxo
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxp
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxq
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxr
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxs
*C:\msdos.sys
`[Paths]
`WinDir=C:\WINDOWS
`WinBootDir=C:\WINDOWS
`HostWinBootDrv=C
`[Options]
`BootMulti=1
`BootGUI=1
`;
`;The following lines are required for compatibility with other programs.
`;Do not remove them (MSDOS.SYS needs to be >1024 bytes).
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxa
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxb
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxc
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxd
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxe
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxf
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxg
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxh
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxi
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxj
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxk
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxl
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxm
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxn
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxo
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxp
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxq
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxr
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxs
`AutoScan=1
`WinVer=4.90.3000
*C:\config.sys
*C:\autoexec.bat
`SET windir=C:\WINDOWS
`SET winbootdir=C:\WINDOWS
`SET COMSPEC=C:\WINDOWS\COMMAND.COM
`SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\ATF
`SET PROMPT=$p$g
`SET TEMP=C:\WINDOWS\TEMP
`SET TMP=C:\WINDOWS\TEMP
*C:\WINDOWS\wininit.bak
`[rename]
`C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL=C:\PROGRA~1\SPYBOT~1\IS-ISTHG.TMP
*C:\WINDOWS\winstart.bat
`@C:\WINDOWS\tmpcpyis.bat
*C:\WINDOWS\dosstart.bat
`@echo off
*C:\WINDOWS\command\cmdinit.bat
`@echo off
`doskey /insert > nul
*C:\WINDOWS\hosts
`205.238.40.2 www.winmx.com
`205.238.40.2 err.winmx.com
`209.67.209.50 test3201.winmx.com test3203.winmx.com test3205.winmx.com test3207.winmx.com
`82.43.224.20 test3202.winmx.com test3204.winmx.com test3206.winmx.com test3208.winmx.com
`209.67.209.50 c3310.z1301.winmx.com c3310.z1302.winmx.com c3310.z1303.winmx.com c3310.z1304.winmx.com c3310.z1305.winmx.com c3310.z1306.winmx.com c3312.z1301.winmx.com c3312.z1302.winmx.com c3312.z1303.winmx.com c3312.z1304.winmx.com c3312.z1305.winmx.com c3312.z1306.winmx.com c3314.z1301.winmx.com c3314.z1302.winmx.com c3314.z1303.winmx.com c3314.z1304.winmx.com c3314.z1305.winmx.com c3314.z1306.winmx.com c3316.z1301.winmx.com c3316.z1302.winmx.com c3316.z1303.winmx.com c3316.z1304.winmx.com c3316.z1305.winmx.com c3316.z1306.winmx.com c3318.z1301.winmx.com c3318.z1302.winmx.com c3318.z1303.winmx.com c3318.z1304.winmx.com c3318.z1305.winmx.com c3318.z1306.winmx.com
`212.227.64.159 c3313.z1301.winmx.com c3313.z1302.winmx.com c3313.z1303.winmx.com c3313.z1304.winmx.com c3313.z1305.winmx.com c3313.z1306.winmx.com c3317.z1301.winmx.com c3317.z1302.winmx.com c3317.z1303.winmx.com c3317.z1304.winmx.com c3317.z1305.winmx.com c3317.z1306.winmx.com
`82.195.155.5 c3311.z1301.winmx.com c3311.z1302.winmx.com c3311.z1303.winmx.com c3311.z1304.winmx.com c3311.z1305.winmx.com c3311.z1306.winmx.com c3315.z1301.winmx.com c3315.z1302.winmx.com c3315.z1303.winmx.com c3315.z1304.winmx.com c3315.z1305.winmx.com c3315.z1306.winmx.com
`82.43.224.20 c3319.z1301.winmx.com c3319.z1302.winmx.com c3319.z1303.winmx.com c3319.z1304.winmx.com c3319.z1305.winmx.com c3319.z1306.winmx.com
`209.67.209.50 c3520.z1301.winmx.com c3520.z1302.winmx.com c3520.z1303.winmx.com c3520.z1304.winmx.com c3520.z1305.winmx.com c3520.z1306.winmx.com c3522.z1301.winmx.com c3522.z1302.winmx.com c3522.z1303.winmx.com c3522.z1304.winmx.com c3522.z1305.winmx.com c3522.z1306.winmx.com c3524.z1301.winmx.com c3524.z1302.winmx.com c3524.z1303.winmx.com c3524.z1304.winmx.com c3524.z1305.winmx.com c3524.z1306.winmx.com c3526.z1301.winmx.com c3526.z1302.winmx.com c3526.z1303.winmx.com c3526.z1304.winmx.com c3526.z1305.winmx.com c3526.z1306.winmx.com c3528.z1301.winmx.com c3528.z1302.winmx.com c3528.z1303.winmx.com c3528.z1304.winmx.com c3528.z1305.winmx.com c3528.z1306.winmx.com
`212.227.64.159 c3523.z1301.winmx.com c3523.z1302.winmx.com c3523.z1303.winmx.com c3523.z1304.winmx.com c3523.z1305.winmx.com c3523.z1306.winmx.com c3527.z1301.winmx.com c3527.z1302.winmx.com c3527.z1303.winmx.com c3527.z1304.winmx.com c3527.z1305.winmx.com c3527.z1306.winmx.com
`82.195.155.5 c3521.z1301.winmx.com c3521.z1302.winmx.com c3521.z1303.winmx.com c3521.z1304.winmx.com c3521.z1305.winmx.com c3521.z1306.winmx.com c3525.z1301.winmx.com c3525.z1302.winmx.com c3525.z1303.winmx.com c3525.z1304.winmx.com c3525.z1305.winmx.com c3525.z1306.winmx.com
`82.43.224.20 c3529.z1301.winmx.com c3529.z1302.winmx.com c3529.z1303.winmx.com c3529.z1304.winmx.com c3529.z1305.winmx.com c3529.z1306.winmx.com
`127.0.0.1 localhost
»Program Files
*C:\io.sys
*C:\WINDOWS\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\command.com
*C:\WINDOWS\command.PIF
*C:\WINDOWS\COMMAND.COM
»System/Drivers
»Running Processes
+FFCF4A47=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF8153=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFF82147=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFF83B03=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFF81EB3=C:\PROGRAM FILES\ROXIO\GOBACK\GBPOLL.EXE
+FFF87583=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFF8409F=C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
+FFF858F7=C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
+FFF8B86F=C:\WINDOWS\EXPLORER.EXE
+FFF9DC87=C:\WINDOWS\TASKMON.EXE
+FFFA0E97=C:\WINDOWS\SYSTEM\SK9910DM.EXE
+FFFA18BF=C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
+FFFA3FCF=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
+FFFB3707=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFF4AF9B=C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
+FFFAF6DB=C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
+FFF5F283=C:\PROGRAM FILES\MICROSOFT WORKS\MSWORKS.EXE
+FFFBF60F=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFFB4493=C:\DRECK\STARTDRECK.EXE
»VMM32Files (LM)
*vdd.vxd=
*vflatd.vxd=
*biosxlat.vxd=
*combuff.vxd=
*configmg.vxd=
*dosmgr.vxd=
*dynapage.vxd=
*ebios.vxd=
*ifsmgr.vxd=
*int13.vxd=
*ios.vxd=
*mtrr.vxd=
*ntkern.vxd=
*pageswap.vxd=
*parity.vxd=
*perf.vxd=
*reboot.vxd=
*shell.vxd=
*spooler.vxd=
*udf.vxd=
*v86mmgr.vxd=
*vcache.vxd=
*vcd.vxd=
*vcdfsd.vxd=
*vcomm.vxd=
*vcond.vxd=
*vdef.vxd=
*vdmad.vxd=
*vfat.vxd=
*vfbackup.vxd=
*vkd.vxd=
*vmcpd.vxd=
*vmouse.vxd=
*vmpoll.vxd=
*vpd.vxd=
*vpicd.vxd=
*vpowerd.vxd=
*vsd.vxd=
*vtd.vxd=
*vtdapi.vxd=
*vwin32.vxd=
*vxdldr.vxd=
*vxdmon.vxd=
*enable.vxd=
»%System%\VMM32
*C:\WINDOWS\SYSTEM\VMM32\MRCI2.VXD
*C:\WINDOWS\SYSTEM\VMM32\IFSMGR.VXD
*C:\WINDOWS\SYSTEM\VMM32\VMOUSE.VXD
»%System%\IOSUBSYS
*C:\WINDOWS\SYSTEM\IoSubSys\BIGMEM.DRV
*C:\WINDOWS\SYSTEM\IoSubSys\ESDI_506.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\HSFLOP.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\RMM.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\SCSIPORT.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\APIX.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\ATAPCHNG.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\CDFS.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\CDTSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\CDVSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\DISKTSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\DISKVSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\NECATAPI.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\SCSI1HLP.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\TORISAN3.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\VOLTRACK.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\DRVSPACX.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\CDRALVSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\EL90XBC3.SYS
*C:\WINDOWS\SYSTEM\IoSubSys\EL90XBC4.SYS
*C:\WINDOWS\SYSTEM\IoSubSys\EL90XBC5.SYS
*C:\WINDOWS\SYSTEM\IoSubSys\Acbhlpr.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\cdr4vsd.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\CDRPWD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\CDUDF.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\CDUDFRW.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\UdfReadr.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\smartvsd.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\IOMEGA.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\VGoBackD.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\USBMPHLP.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\pfc.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\pxhelper.vxd
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User

HJT

Logfile of HijackThis v1.99.1
Scan saved at 11:23:12 PM, on 10/10/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ROXIO\GOBACK\GBPOLL.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SK9910DM.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\PROGRAM FILES\MICROSOFT WORKS\MSWORKS.EXE
C:\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 205.238.40.2 www.winmx.com
O1 - Hosts: 205.238.40.2 err.winmx.com
O1 - Hosts: 209.67.209.50 test3201.winmx.com test3203.winmx.com test3205.winmx.com test3207.winmx.com
O1 - Hosts: 82.43.224.20 test3202.winmx.com test3204.winmx.com test3206.winmx.com test3208.winmx.com
O1 - Hosts: 209.67.209.50 c3310.z1301.winmx.com c3310.z1302.winmx.com c3310.z1303.winmx.com c3310.z1304.winmx.com c3310.z1305.winmx.com c3310.z1306.winmx.com c3312.z1301.winmx.com c3312.z1302.winmx.com c3312.z1303.winmx.com c3312.z1304.winmx.com c3312.z1305.winmx.com c3312.z1306.winmx.com c3314.z1301.winmx.com c3314.z1302.winmx.com c3314.z1303.winmx.com c3314.z1304.winmx.com c3314.z1305.winmx.com c3314.z1306.winmx.com c3316.z1301.winmx.com c3316.z1302.winmx.com c3316.z1303.winmx.com c3316.z1304.winmx.com c3316.z1305.winmx.com c3316.z1306.winmx.com c3318.z1301.winmx.com c3318.z1302.winmx.com c3318.z1303.winmx.com c3318.z1304.winmx.com c3318.z1305.winmx.com c3318.z1306.winmx.com
O1 - Hosts: 212.227.64.159 c3313.z1301.winmx.com c3313.z1302.winmx.com c3313.z1303.winmx.com c3313.z1304.winmx.com c3313.z1305.winmx.com c3313.z1306.winmx.com c3317.z1301.winmx.com c3317.z1302.winmx.com c3317.z1303.winmx.com c3317.z1304.winmx.com c3317.z1305.winmx.com c3317.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3311.z1301.winmx.com c3311.z1302.winmx.com c3311.z1303.winmx.com c3311.z1304.winmx.com c3311.z1305.winmx.com c3311.z1306.winmx.com c3315.z1301.winmx.com c3315.z1302.winmx.com c3315.z1303.winmx.com c3315.z1304.winmx.com c3315.z1305.winmx.com c3315.z1306.winmx.com
O1 - Hosts: 82.43.224.20 c3319.z1301.winmx.com c3319.z1302.winmx.com c3319.z1303.winmx.com c3319.z1304.winmx.com c3319.z1305.winmx.com c3319.z1306.winmx.com
O1 - Hosts: 209.67.209.50 c3520.z1301.winmx.com c3520.z1302.winmx.com c3520.z1303.winmx.com c3520.z1304.winmx.com c3520.z1305.winmx.com c3520.z1306.winmx.com c3522.z1301.winmx.com c3522.z1302.winmx.com c3522.z1303.winmx.com c3522.z1304.winmx.com c3522.z1305.winmx.com c3522.z1306.winmx.com c3524.z1301.winmx.com c3524.z1302.winmx.com c3524.z1303.winmx.com c3524.z1304.winmx.com c3524.z1305.winmx.com c3524.z1306.winmx.com c3526.z1301.winmx.com c3526.z1302.winmx.com c3526.z1303.winmx.com c3526.z1304.winmx.com c3526.z1305.winmx.com c3526.z1306.winmx.com c3528.z1301.winmx.com c3528.z1302.winmx.com c3528.z1303.winmx.com c3528.z1304.winmx.com c3528.z1305.winmx.com c3528.z1306.winmx.com
O1 - Hosts: 212.227.64.159 c3523.z1301.winmx.com c3523.z1302.winmx.com c3523.z1303.winmx.com c3523.z1304.winmx.com c3523.z1305.winmx.com c3523.z1306.winmx.com c3527.z1301.winmx.com c3527.z1302.winmx.com c3527.z1303.winmx.com c3527.z1304.winmx.com c3527.z1305.winmx.com c3527.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3521.z1301.winmx.com c3521.z1302.winmx.com c3521.z1303.winmx.com c3521.z1304.winmx.com c3521.z1305.winmx.com c3521.z1306.winmx.com c3525.z1301.winmx.com c3525.z1302.winmx.com c3525.z1303.winmx.com c3525.z1304.winmx.com c3525.z1305.winmx.com c3525.z1306.winmx.com
O1 - Hosts: 82.43.224.20 c3529.z1301.winmx.com c3529.z1302.winmx.com c3529.z1303.winmx.com c3529.z1304.winmx.com c3529.z1305.winmx.com c3529.z1306.winmx.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [OEMRUNONCE] c:\windows\options\cabs\oemrun.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Roxio\GoBack\GBPoll.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://gateway.yahoo.com
O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://download.richfx.com/player/me...t/twophase.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/s...vest/gwCID.CAB
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://download.tsa.dhs.gov/fssa/training/ScriptX.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommo...ad/tgctlcm.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab

Will try Trend Micro now; I get the error now at 38 secs into step one vice 11 secs prior to tonight.

Last edited by atcgman; 10-10-2006 at 09:30 PM.
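A HijackThis log like the one posted above is read one line at a time, with the analyst looking at each R/O entry in turn. The script below is an added example for this thread (it is not HijackThis code and was not posted by anyone here); it parses the "Rn - ..." / "On - ..." line format shown in the log and applies a few of the checks an analyst makes by hand: O1 hosts entries that point a name at anything other than loopback, O4 autostarts that are a bare filename or run from a TEMP directory, O9 entries whose file is missing, and the download host of every O16 ActiveX control. The names `SAMPLE_LOG`, `parse_entries`, `executable_of` and `triage` are this example's own. The sample lines are constructed: most copy entries from the posted log, while the 203.0.113.10 hosts line (an RFC 5737 documentation address) and the [Updater] RunServices line are made up so that each rule has something to hit.

```python
"""Triage helper for HijackThis v1.99-style log lines.

Added example for this thread: not HijackThis code and not a forum tool.
It parses the 'Rn - ...' / 'On - ...' line format of the posted log and
applies a few review rules an analyst applies by hand when reading one.
"""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample in the HijackThis format. Most lines copy the posted
# log; the 203.0.113.10 hosts line (RFC 5737 documentation address) and the
# [Updater] RunServices line are made up so that every rule below has a hit.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
O1 - Hosts: 205.238.40.2 www.winmx.com
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 203.0.113.10 www.update.example
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\RunServices: [Updater] C:\WINDOWS\TEMP\svc.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<names>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[^}]+)\} \((?P<desc>[^)]*)\) - (?P<url>\S+)$")
# First program token of a command line; tolerates unquoted paths with spaces.
EXE_RE = re.compile(r'(?i)^(.*?\.(?:exe|com|bat|pif|scr|dll))(?=\s|"|$)')


def parse_entries(text):
    """Return (code, body) for every 'Xn - body' line; header lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m["code"], m["body"]))
    return entries


def executable_of(cmd):
    """Best-effort program path from an O4 command line (quotes, arguments dropped)."""
    cmd = cmd.strip().lstrip('"')
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def triage(text):
    """Apply review rules; each finding is (hjt_code, rule, detail).

    Findings are prompts to look closer, not verdicts: a hosts entry to a
    public address can be a hijack or a program's own configuration.
    """
    findings = []
    for code, body in parse_entries(text):
        if code == "O1":
            m = HOSTS_RE.match(body)
            if not m:
                continue
            try:
                ip = ip_address(m["ip"])
            except ValueError:
                findings.append(("O1", "hosts-malformed", body))
                continue
            if not ip.is_loopback:
                # Anything but 127.0.0.1 / ::1 bypasses DNS for those names.
                findings.append(("O1", "hosts-redirect", f"{m['names']} -> {ip}"))
        elif code == "O2":
            m = BHO_RE.match(body)
            if m:
                # A BHO loads into every IE process, so each one is listed for review.
                findings.append(("O2", "review-bho", f"{m['clsid']} {m['path']}"))
        elif code == "O4":
            m = RUN_RE.match(body)
            if not m:
                continue
            exe = executable_of(m["cmd"])
            if "\\" not in exe:
                # No directory given: resolved through the PATH search order at logon.
                findings.append(("O4", "bare-filename", f"[{m['name']}] {exe}"))
            elif "\\TEMP\\" in exe.upper():
                findings.append(("O4", "runs-from-temp", f"[{m['name']}] {exe}"))
        elif code == "O9" and body.endswith("(file missing)"):
            # Leftover registration whose target is gone; harmless, worth cleaning.
            findings.append(("O9", "orphan", body))
        elif code == "O16":
            m = DPF_RE.match(body)
            if m:
                host = urlsplit(m["url"]).hostname
                findings.append(("O16", "review-activex-source", f"{host} ({m['desc']})"))
    return findings


if __name__ == "__main__":
    for code, rule, detail in triage(SAMPLE_LOG):
        print(f"{code:<4} {rule:<22} {detail}")
```

The rules deliberately err on the side of listing: the moderator read the posted log, winmx.com hosts entries included, as clean, and the hosts rule exists so the analyst looks at each such entry rather than to declare it malicious. The O9 "(file missing)" match is the case from the posted log (the BitDefender uninstall button), and the O4 bare-filename rule fires on entries like `SK9910DM.EXE` and `Rundll32.exe ...` that Windows resolves through the PATH search order.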
#31 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,836
OS: WinXP and Vista
Hi,

Your logs are clean. Have you had any luck getting Trend Micro online scanner to work? In the meantime, let's take care of the final steps:

For Windows ME, we MUST create a new restore point now, as Windows ME will not create one automatically until the computer has been on for 10 hours or 24 hours has passed. To create a new restore point, follow the procedure below.

Click the Start button.
Point to Programs, point to Accessories, point to System Tools, and then click System Restore.
Choose Create a restore point, and then click Next.
In the Restore point description box, type a name for your restore point, and then click Next.
Click OK.

**Note** The same applies to Norton GoBack. Turn it off, then back on again to have a clean GoBack point. This will prevent any reinfection from previous restore points.

Reset hidden/system files and folders

Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
*Deselect the Show hidden files and folders option.
*Select the Hide protected operating system files option. Click Yes to confirm.
Click OK.

Enable Windows Auto Update

*Go to Start>Run - type wuaucpl.cpl
*Tick on the checkbox - "Keep my computer up to date"
*Under Settings, choose "Automatically download the updates, and install them on the schedule that I specify". Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

Download Spyware Guard to catch and block spyware before it can execute.

Download IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email.
IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
This is a self-extracting .ZIP file; save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD).
Now navigate to C:\ie-spyad. Double-click to open it.
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list, by typing 2
Then return to the main menu.
Select option #4 - Add the old porn sites domain, by typing 4

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
#33 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,836
OS: WinXP and Vista
Try removing Housecall and redownloading the ActiveX and installation files.

Delete this folder, as this is where it stores its installation files: C:\Windows\.housecall

---------------------------------------

1. Open Internet Explorer.
2. Go to Tools > Internet Options.
3. Click the General tab and then click Settings under the Temporary Internet files section.
4. Click View Objects and then right-click HouseCall ActiveX 6.5.
5. Click Remove.

Now try Housecall again, allowing it to reinstall what it needs.
#34 (permalink)
Registered User
Join Date: Sep 2006
Posts: 98
OS: windows vista
trend micro

Per your instructions, I located the first file to remove; the second one was non-existent in the viewed objects. Trend Micro seems to load, i.e. no errors, but gets stuck in a "preparing to scan" loop during step 1. I started it last night after work; seven hours later it was still preparing to scan w/o progress.
#35 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,836
OS: WinXP and Vista
Then I'm sorry, but I'm out of ideas and suggest you contact Trend Micro support to find out why you are having difficulty with their Housecall. In the meantime, you can always use Panda's online scanner.