
·
Registered
Joined
·
5 Posts
Discussion Starter · #1 ·
Well, I made the mistake of letting my 14-year-old son use my computer the other night to chat with his friends. I told him "chatting and nothing else". Needless to say, when he was done there were all kinds of spyware goodies on my computer which I normally keep very clean. I managed to get rid of wintools and some other garbage but I still have this generic "ok button" that pops up in the center of the desktop when Windows starts. When I click it, it goes away. I've run Adaware, Spybot, and Xoftspy and nothing has helped. I even ran my Norton. Here is my Hijack log file. Any help would be greatly appreciated. It's driving me crazy!

Logfile of HijackThis v1.99.0
Scan saved at 7:48:05 PM, on 5/10/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SOULSEEK\SLSK.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth.net Internet Service
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRAM FILES\WS_FTP PRO\WSBHO2K0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: AIM Helper - {D70E6A20-7060-4829-B3D7-B6624A1DE7C6} - C:\PROGRAM FILES\AIM TOOLBAR\AIMHELPER.DLL (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Win32SL] C:\DMI\BIN\Win32sl.EXE -i -p -r
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Dell Home - {7C99A240-6C6F-11D4-8B0D-00B0D07312B4} - http://www.dellnet.com (file missing) (HKCU)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://a1440.g.akamaitech.net/7/144...content.com/02010110/cccabs/CleverContent.cab
O16 - DPF: {315D1BD2-0165-48AE-9F91-9CC271704FBA} (LRNPrint Class) - file://D:\Webfiles\LRN Viewer\HTML\lrniehlp.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://usercenter.cox.net/rsuite/sdccommon/download/tgctlcm.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4421/mcfscan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www1.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O19 - User stylesheet: (file missing)
O21 - SSODL: WebExtLocation - {FE2DB5FF-5ECF-11D2-B28F-0080C8383C7B} - C:\WINDOWS\SYSTEM\tpabnwin.dll (file missing)
 

·
TSF Security Manager, Emeritus
Joined
·
42,836 Posts
Hello cws808 and welcome to TSF,

Please print out or copy this page to Notepad since you will not have any browsers open while you are fixing this. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. Again, you should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet.

Download CWShredder at http://www.greyknight17.com/spy/CWShredder.exe and run it. Click on 'I Agree' button if you agree with it. Click on 'Fix' (it will automatically fix anything it finds for you) and OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro http://uk.trendmicro-europe.com/enterprise/products/housecall_launch.php. Just follow the instructions on the site to run the online scan. If any viruses/trojans are detected, try to delete or clean them in that site. You may use Panda ActiveScan also at http://www.pandasoftware.com/products/activescan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Reboot your system in Safe Mode (by repeatedly tapping the F8 key until the menu appears).

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
O19 - User stylesheet: (file missing)
O21 - SSODL: WebExtLocation - {FE2DB5FF-5ECF-11D2-B28F-0080C8383C7B} - C:\WINDOWS\SYSTEM\tpabnwin.dll (file missing)


Delete the following Files indicated in RED

C:\WINDOWS\SYSTEM\tpabnwin.dll

Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot into Normal Mode and run a new HijackThis scan.
 

·
Registered
Joined
·
5 Posts
Discussion Starter · #3 ·
Well, I did everything exactly as you said but I'm still getting the ok button. I was unable to find the file C:\WINDOWS\SYSTEM\tpabnwin.dll so I couldn't delete that. Another thing I found odd was that I couldn't boot into safe mode using F8. The option came up but when I selected safe mode it booted up normal with that crazy ok button. I had to go into msconfig and choose selective start up to access safe mode. Here is the final logfile. Thanks again for your time.

Logfile of HijackThis v1.99.1
Scan saved at 6:49:39 PM, on 5/11/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth.net Internet Service
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRAM FILES\WS_FTP PRO\WSBHO2K0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: AIM Helper - {D70E6A20-7060-4829-B3D7-B6624A1DE7C6} - C:\PROGRAM FILES\AIM TOOLBAR\AIMHELPER.DLL (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Win32SL] C:\DMI\BIN\Win32sl.EXE -i -p -r
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Dell Home - {7C99A240-6C6F-11D4-8B0D-00B0D07312B4} - http://www.dellnet.com (file missing) (HKCU)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://a1440.g.akamaitech.net/7/144...content.com/02010110/cccabs/CleverContent.cab
O16 - DPF: {315D1BD2-0165-48AE-9F91-9CC271704FBA} (LRNPrint Class) - file://D:\Webfiles\LRN Viewer\HTML\lrniehlp.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://usercenter.cox.net/rsuite/sdccommon/download/tgctlcm.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4421/mcfscan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www1.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
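
Comparing this scan with the one in post #1 shows which entries the fix actually removed and which "(file missing)" leftovers remain. The following Python sketch is an added example, not part of the original thread; the function names are illustrative and the two sample logs are short excerpts of the logs posted above.

```python
import re

# HijackThis entry lines start with a section code (R0, R1, O2, O4, O16, ...)
# followed by " - " and the entry text. Header lines, the process list and
# blank lines do not match this shape and are ignored.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")


def parse_entries(log_text):
    """Return the set of (code, body) entries found in a HijackThis log."""
    entries = set()
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.add((m.group("code"), m.group("body").strip()))
    return entries


def _order(entry):
    # Sort by section letter, then numerically (O2 before O16), then by text.
    code, body = entry
    return (code[0], int(code[1:]), body)


def diff_logs(before_text, after_text):
    """Compare two scans: entries that disappeared, appeared, or stayed."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    return {
        "removed": sorted(before - after, key=_order),
        "added": sorted(after - before, key=_order),
        "kept": sorted(before & after, key=_order),
    }


def missing_file_entries(log_text):
    """Entries HijackThis marked '(file missing)': registry data that still
    points at a file which is no longer on disk."""
    hits = (e for e in parse_entries(log_text) if "(file missing)" in e[1])
    return sorted(hits, key=_order)


# Excerpt of the scan in post #1 (before the fix).
SCAN_POST_1 = r"""
Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\EXPLORER.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AIM Helper - {D70E6A20-7060-4829-B3D7-B6624A1DE7C6} - C:\PROGRAM FILES\AIM TOOLBAR\AIMHELPER.DLL (file missing)
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O19 - User stylesheet: (file missing)
O21 - SSODL: WebExtLocation - {FE2DB5FF-5ECF-11D2-B28F-0080C8383C7B} - C:\WINDOWS\SYSTEM\tpabnwin.dll (file missing)
"""

# Excerpt of the scan in post #3 (after the fix).
SCAN_POST_3 = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AIM Helper - {D70E6A20-7060-4829-B3D7-B6624A1DE7C6} - C:\PROGRAM FILES\AIM TOOLBAR\AIMHELPER.DLL (file missing)
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
"""

if __name__ == "__main__":
    result = diff_logs(SCAN_POST_1, SCAN_POST_3)
    for label in ("removed", "added"):
        print(f"{label}:")
        for code, body in result[label]:
            print(f"  {code} - {body}")
    print("still flagged (file missing):")
    for code, body in missing_file_entries(SCAN_POST_3):
        print(f"  {code} - {body}")
```

On these excerpts the two R1 entries plus O19 and O21 show as removed, nothing is added, and the O2 AIM Helper entry is still flagged "(file missing)".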
 

·
TSF Security Manager, Emeritus
Joined
·
42,836 Posts
Ok, let's do this:

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a standalone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the Lower pane --- Use CTRL C on your keyboard to copy everything found in the lower pane and save it to a notepad file

*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning.

We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.
 

·
Registered
Joined
·
5 Posts
Discussion Starter · #5 ·
Wow! That Mwav program is amazing. Ran it this morning and this is what it found. Hopefully one of these items is the culprit. Thanks again.

File C:\WINDOWS\aolunins.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\SYSTEM~1.DLL tagged as not-a-virus:RiskWare.Monitor.SpyAgent.b. No Action Taken.
File C:\WINDOWS\runwinsys tagged as not-a-virus:RiskWare.Monitor.SpyAgent.43302. No Action Taken.
File C:\WINDOWS\p2p-10110.exe tagged as not-a-virus:RiskWare.Dialer.Hacker. No Action Taken.
File C:\WINDOWS\installer[p2p-10110,de].exe infected by "not-a-virus:porn-Dialer.Win32.Star" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\Hot Sex Software-uninstall.exe infected by "not-a-virus:porn-Dialer.Win32.Generic" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\fckec980.dll infected by "not-a-virus:AdWare.F1Organizer.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\OPTIONS\CABS\WIN98_66.CAB tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\SYSTEM\Hot Sex Software-uninstall.exe infected by "not-a-virus:porn-Dialer.Win32.Generic" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\fckec980.dll infected by "not-a-virus:AdWare.F1Organizer.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Application Data\atth.exe infected by "not-a-virus:AdWare.PurityScan.w" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx infected by "not-a-virus:AdWare.MediaTickets.f" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\aolunins.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\MVUNINST\App1\mvuninst.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\SYSTEM~1.DLL tagged as not-a-virus:RiskWare.Monitor.SpyAgent.b. No Action Taken.
File C:\WINDOWS\runwinsys tagged as not-a-virus:RiskWare.Monitor.SpyAgent.43302. No Action Taken.
File C:\WINDOWS\p2p-10110.exe tagged as not-a-virus:RiskWare.Dialer.Hacker. No Action Taken.
File C:\WINDOWS\installer[p2p-10110,de].exe infected by "not-a-virus:porn-Dialer.Win32.Star" Virus. Action Taken: No Action Taken.
File C:\Program Files\Online Services\AT&T\ATTSETUP.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Sonic Foundry MP3 Plug-In\UEX_CMP3.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\KaZaA\My Shared Folder\kmd151_en.exe infected by "not-a-virus:AdWare.Cydoor" Virus. Action Taken: No Action Taken.
File C:\Program Files\KaZaA\My Shared Folder\kmd170_en.exe infected by "not-a-virus:AdWare.Cydoor" Virus. Action Taken: No Action Taken.
File C:\Program Files\PestPatrol\Quarantine\20050508122226.zip infected by "Trojan-Downloader.Win32.Dyfuca.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\ExploreAnywhere\SpyBuddy\Installer\spybuddy-maininstall.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\NULL infected by "not-a-virus:AdWare.Wintol.ab" Virus. Action Taken: No Action Taken.
File C:\Software Downloads\mmv2_demo_win.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Software Downloads\ossvc.exe infected by "not-a-virus:AdWare.NavExcel" Virus. Action Taken: No Action Taken.
File C:\Software Downloads\Cool Edit Pro mp3 plug-in (cepmp3 - not the demo).EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Software Downloads\Cool Edit Pro 2.0 + Crack.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Software Downloads\Spy Agent 4.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Software Downloads\SpyAgent.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Temp Logs\SpyAgent4.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
 

·
TSF Security Manager, Emeritus
Joined
·
42,836 Posts
Hi,

Make sure the following is still in effect:
Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked.

Download KazaaBegone http://www.greyknight17.com/spy/KazaaBegone.zip. This uninstaller will remove all elements from all Kazaa versions, as well as all of the bundled software that comes with it. Warning: This version has a bug that can cause your Internet connection to be broken when removing New.Net, WebHancer or CommonName. Before using KazaaBegone, download WinsockFix http://www.greyknight17.com/spy/WinsockFix.zip just in case you need it (if it breaks your internet connection).

Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

Reboot into Safe Mode by hitting the F8 key until menu shows up. In some systems, this may be the F5 key, so try that if F8 doesn't work.

*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\SYSTEM\tpabnwin.dll
C:\WINDOWS\SYSTEM~1.DLL
C:\WINDOWS\runwinsys
C:\WINDOWS\p2p-10110.exe
C:\WINDOWS\installer[p2p-10110,de].exe
C:\WINDOWS\SYSTEM\Hot Sex Software-uninstall.exe
C:\WINDOWS\SYSTEM\fckec980.dll
C:\WINDOWS\Application Data\atth.exe
C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx
C:\Program Files\KaZaAMediaTicketsInstaller\My Shared Folder\kmd151_en.exe
C:\Program Files\KaZaA\My Shared Folder\kmd170_en.exe
C:\Program Files\ExploreAnywhere\SpyBuddy\Installer\spybuddy-maininstall.exe


Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

KaZaa
KaZaAMediaTicketsInstaller
SpyAgent
ExploreAnywhere or SpyBuddy


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\SYSTEM\tpabnwin.dll
C:\WINDOWS\SYSTEM~1.DLL
C:\WINDOWS\runwinsys
C:\WINDOWS\p2p-10110.exe
C:\WINDOWS\installer[p2p-10110,de].exe
C:\WINDOWS\SYSTEM\Hot Sex Software-uninstall.exe
C:\WINDOWS\SYSTEM\fckec980.dll
C:\WINDOWS\Application Data\atth.exe
C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx
C:\Program Files\KaZaAMediaTicketsInstaller\My Shared Folder\kmd151_en.exe
C:\Program Files\KaZaA\My Shared Folder\kmd170_en.exe
C:\Program Files\ExploreAnywhere\SpyBuddy\Installer\spybuddy-maininstall.exe
C:\NULL


Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot into Normal Mode.

Run a new Mwav and HijackThis and post both logs here.
 

·
Registered
Joined
·
5 Posts
Discussion Starter · #7 ·
Still having the button problem. Here are the latest logs after following the procedure above. I am totally baffled by this. Thanks again.


File C:\WINDOWS\aolunins.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\OPTIONS\CABS\WIN98_66.CAB tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\aolunins.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\MVUNINST\App1\mvuninst.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Online Services\AT&T\ATTSETUP.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Sonic Foundry MP3 Plug-In\UEX_CMP3.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\PestPatrol\Quarantine\20050508122226.zip infected by "Trojan-Downloader.Win32.Dyfuca.gen" Virus. Action Taken: No Action Taken.
File C:\Software Downloads\mmv2_demo_win.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Software Downloads\ossvc.exe infected by "not-a-virus:AdWare.NavExcel" Virus. Action Taken: No Action Taken.
File C:\Software Downloads\Cool Edit Pro mp3 plug-in (cepmp3 - not the demo).EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Software Downloads\Cool Edit Pro 2.0 + Crack.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Software Downloads\Spy Agent 4.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Software Downloads\SpyAgent.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Temp Logs\SpyAgent4.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.




Logfile of HijackThis v1.99.1
Scan saved at 5:58:07 AM, on 5/17/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth.net Internet Service
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRAM FILES\WS_FTP PRO\WSBHO2K0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Win32SL] C:\DMI\BIN\Win32sl.EXE -i -p -r
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Dell Home - {7C99A240-6C6F-11D4-8B0D-00B0D07312B4} - http://www.dellnet.com (file missing) (HKCU)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://a1440.g.akamaitech.net/7/144...content.com/02010110/cccabs/CleverContent.cab
O16 - DPF: {315D1BD2-0165-48AE-9F91-9CC271704FBA} (LRNPrint Class) - file://D:\Webfiles\LRN Viewer\HTML\lrniehlp.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://usercenter.cox.net/rsuite/sdccommon/download/tgctlcm.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4421/mcfscan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www1.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
 

·
TSF Security Manager, Emeritus
Joined
·
42,836 Posts
Hi,

Download StartDreck http://www.greyknight17.com/spy/StartDreck.zip

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Now,
Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.
 

·
Registered
Joined
·
5 Posts
Discussion Starter · #9 ·
We must be getting to the nitty gritty here. Here's the StartDreck log:

StartDreck (build 2.1.7 public stable) - 2005-05-18 @ 18:34:35 (GMT -05:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as cox at B6HL30B

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*TaskMonitor=c:\windows\taskmon.exe
*SystemTray=SysTray.Exe
*POINTER=C:\PROGRA~1\MSHARD~1\point32.exe
*NAV Agent=C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
*Symantec NetDriver Monitor=C:\PROGRA~1\SYMNET~1\SNDMON.EXE
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
*SchedulingAgent=mstask.exe
*Win32SL=C:\DMI\BIN\Win32sl.EXE -i -p -r
*ScriptBlocking="C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
+.htm
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.html
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.js
*JSFile=c:\windows\WScript.exe "%1" %*
+.jse
*JSEFile=c:\windows\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=c:\windows\NOTEPAD.EXE %1
+.vbs
*VBSFile=c:\windows\WScript.exe "%1" %*
+.vbe
*VBEFile=c:\windows\WScript.exe "%1" %*
+.wsh
*WSHFile=c:\windows\WScript.exe "%1" %*
+.wsf
*WSFFile=c:\windows\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Windows Setup - Applets/AppletsPerUser
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 c:\windows\INF\applets.inf
+Windows Setup - Fonts/FontsPerUser
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 c:\windows\INF\fonts.inf
+Internet Connection Wizard/{5A8D6EE0-3E18-11D0-821E-444553540000}
*StubPath=rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\icw.inf,PerUserStub,,36
+PerUser_ICW_Inis
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 c:\windows\INF\icw97.inf
+Internet Explorer 6 and Internet Tools/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4395}
*StubPath=rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\SYSTEM\ie4uinit.inf,Shell.UserStub,,36
+MSN-Migration/>PerUser_MSN_Clean
*StubPath=c:\windows\msnmgsr1.exe
+Power Policy Settings/{CA0A4247-44BE-11d1-A005-00805F8ABE06}
*StubPath=RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf
+Windows Setup - System Information/PerUser_Msinfo
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 c:\windows\INF\msinfo.inf
+Windows Setup - System Information/PerUser_Msinfo2
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 c:\windows\INF\msinfo.inf
+Windows Setup - Multimedia/MotownMmsysPerUser
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 c:\windows\INF\motown.inf
+Windows Setup - Multimedia/MotownAvivideoPerUser
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 c:\windows\INF\motown.inf
+Windows Setup - Multimedia/MotownMPlayPerUser
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 c:\windows\INF\mplay98.inf
+Windows Setup - Messaging/PerUser_Base
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 c:\windows\INF\msmail.inf
+Windows Setup - Shell/ShellPerUser
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 c:\windows\INF\shell.inf
+Windows Setup - Color Schemes/Shell2PerUser
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 c:\windows\INF\shell2.inf
+Windows Setup - Start Menu/PerUser_winbase_Links
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 c:\windows\INF\subase.inf
+Windows Setup - Start Menu/PerUser_winapps_Links
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 c:\windows\INF\subase.inf
+Windows Setup - Links Bar/PerUser_LinkBar_URLs
*StubPath=c:\windows\COMMAND\sulfnbk.exe /L
+Windows Setup - Telephony Support/TapiPerUser
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 c:\windows\INF\tapi.inf
+Web Folders/{73fa19d0-2d75-11d2-995d-00c04f98bbc9}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection c:\windows\INF\webfdr16.inf,PerUserStub.Install,1
+Windows Setup - More Applets/PerUserOldLinks
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 c:\windows\INF\appletpp.inf
+Windows Setup - Sound Schemes/MmoptRegisterPerUser
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 c:\windows\INF\mmopt.inf
+Windows Setup - Online Services/OlsPerUser
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 c:\windows\INF\ols.inf
+Windows Setup - The Microsoft Network/OlsMsnPerUser
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 c:\windows\INF\ols.inf
+Windows Setup - Paint/PerUser_Paint_Inis
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 c:\windows\INF\applets.inf
+Windows Setup - Calculator/PerUser_Calc_Inis
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 c:\windows\INF\applets.inf
+Windows Setup - DriveSpace/PerUser_dxxspace_Links
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_dxxspace_Links 64 c:\windows\INF\applets1.inf
+Windows Setup - Backup/PerUser_MSBackup_Inis
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSBackup_Inis 64 c:\windows\INF\applets1.inf
+Windows Setup - FAT32 Converter/PerUser_CVT_Inis
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 c:\windows\INF\applets1.inf
+Windows Setup - Accessibility/PerUser_Enable_Inis
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Enable_Inis 64 c:\windows\INF\enable.inf
+Windows Setup - Multimedia/MotownRecPerUser
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 c:\windows\INF\motown.inf
+Windows Setup - Volume Control/PerUser_Vol
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 c:\windows\INF\motown.inf
+Windows Setup - Wordpad/PerUser_MSWordPad_Inis
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 c:\windows\INF\wordpad.inf
+Windows Setup - Dial-Up Networking/PerUser_RNA_Inis
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 c:\windows\INF\rna.inf
+Windows Setup - Games/PerUser_Wingames_Inis
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Inis 64 c:\windows\INF\appletpp.inf
+Windows Setup - System Monitor/PerUser_Sysmon_Inis
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmon_Inis 64 c:\windows\INF\appletpp.inf
+Windows Setup - System Meter/PerUser_Sysmeter_Inis
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmeter_Inis 64 c:\windows\INF\appletpp.inf
+Windows Setup - Netwatch/PerUser_netwatch_Inis
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_netwatch_Inis 64 c:\windows\INF\appletpp.inf
+Windows Setup - Character Map/PerUser_CharMap_Inis
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_CharMap_Inis 64 c:\windows\INF\appletpp.inf
+Windows Setup - HyperTerminal/PerUser_Onlinelnks_Inis
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Onlinelnks_Inis 64 c:\windows\INF\appletpp.inf
+Windows Setup - Phone Dialer/PerUser_Dialer_Inis
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 c:\windows\INF\appletpp.inf
+Windows Setup - Clipboard Viewer/PerUser_ClipBrd_Inis
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_ClipBrd_Inis 64 c:\windows\INF\clip.inf
+Windows Setup - Sound Schemes/MmoptMusicaPerUser
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptMusicaPerUser 64 c:\windows\INF\mmopt.inf
+Windows Setup - Sound Schemes/MmoptJunglePerUser
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptJunglePerUser 64 c:\windows\INF\mmopt.inf
+Windows Setup - Sound Schemes/MmoptRobotzPerUser
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptRobotzPerUser 64 c:\windows\INF\mmopt.inf
+Windows Setup - Sound Schemes/MmoptUtopiaPerUser
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptUtopiaPerUser 64 c:\windows\INF\mmopt.inf
+Windows Setup - CD Player/PerUser_CDPlayer_Inis
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 c:\windows\INF\mmopt.inf
+NetMeeting 3.0/{44BBA842-CC51-11CF-AAFA-00AA00B6015C}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection c:\windows\INF\msnetmtg.inf,NetMtg.Install.PerUser.W95
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath=rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath=rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}
+Windows Setup - America Online/OlsAolPerUser
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUser 64 c:\windows\INF\ols.inf
+Windows Setup - AT&T WorldNet Service/OlsAttPerUser
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUser 64 c:\windows\INF\ols.inf
+Windows Setup - CompuServe/OlsCompuservePerUser
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsCompuservePerUser 64 c:\windows\INF\ols.inf
+Windows Setup - Prodigy Internet/OlsProdigyPerUser
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUser 64 c:\windows\INF\ols.inf
+Windows Setup - Shell Cursors/Shell3PerUser
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection Shell3PerUser 64 c:\windows\INF\shell3.inf
+Windows Setup -- Themes/Theme_Windows_PerUser
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection Themes_Windows_PerUser 0 c:\windows\INF\themes.inf
+Windows Setup -- Themes/Theme_MoreWindows_PerUser
*StubPath=rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection Themes_MoreWindows_PerUser 0 c:\windows\INF\themes.inf
+Web Publishing Wizard/{44BBA851-CC51-11CF-AAFA-00AA00B6015C}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection c:\windows\INF\wpie5x86.inf,PerUserStub
+IE Customization/>IEPerUser
*StubPath=RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP
+Default Channel Setup/Chl99
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\chl99.inf,InstallUser
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
+MSN Messenger Service 2.2/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUserIE
+CRLUpdate/{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}
*StubPath=C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
+>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
*StubPath=C:\WINDOWS\inf\unregmp2.exe /ShowWMP
»Browser Helper Objects (LM)
*Ipswitch.WsftpBrowserHelper.1/{601ED020-FB6C-11D3-87D8-0050DA59922B}
`InprocServer32=C:\PROGRAM FILES\WS_FTP PRO\WSBHO2K0.DLL
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
*Google Toolbar Helper/{AA58ED58-01DD-4d91-8333-CF10577473F7}
`InprocServer32=c:\program files\google\googletoolbar1.dll
*Navbho.CNavExtBho.1/{BDF3E430-B101-42AD-A544-FADC6B084872}
`InprocServer32=C:\Program Files\Norton AntiVirus\NavShExt.dll
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
»Internet Explorer
»Current User
*Local Page=C:\WINDOWS\SYSTEM\blank.htm
*Search Bar=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Search Page=
*Start Page=http://www.google.com/
*Window Title=Microsoft Internet Explorer provided by BellSouth.net Internet Service
+SearchUrl
*Provider=
*=http://www.google.com/keyword/%s
* =+
*&=%26
*+=%2B
*#=%23
*?=%3F
*==%3D
»Default User
*Local Page=C:\WINDOWS\SYSTEM\blank.htm
*Search Bar=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Search Page=
*Start Page=http://www.google.com/
*Window Title=Microsoft Internet Explorer provided by BellSouth.net Internet Service
+SearchUrl
*Provider=
*=http://www.google.com/keyword/%s
* =+
*&=%26
*+=%2B
*#=%23
*?=%3F
*==%3D
»Local Machine
*Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Local Page=c:\windows\SYSTEM\blank.htm
*Search Page=
*Start Page=http://www.msn.com
*Window Title=Microsoft Internet Explorer provided by BellSouth.net Internet Service
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
»ShellServiceObjectDelayLoad (LM)
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=C:\WINDOWS\SYSTEM\WEBCHECK.DLL
»Special NT Values
»Current User
*Load=
*Run=
*Programs=
*SHELL=
»Default User
*Load=
*Run=
*Programs=
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=
*Userinit=
»Files
»Autostart Folders
»Current User
»Default User
»Local Machine
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
`[Boot Loader]
`Timeout=5
`Default=C:\
`[Operating Systems]
`C:\="Microsoft Windows"
*C:\WINDOWS\msdos.sys
`[Paths]
`WinDir=C:\WINDOWS
`WinBootDir=C:\WINDOWS
`HostWinBootDrv=C
`[Options]
`BootMulti=0
`BootGUI=1
`DoubleBuffer=1
`;
`;The following lines are required for compatibility with other programs.
`;Do not remove them (MSDOS.SYS needs to be >1024 bytes).
*C:\msdos.sys
`[Paths]
`WinDir=c:\windows
`WinBootDir=c:\windows
`HostWinBootDrv=c
`[Options]
`BootWin=1
`BootMulti=0
`BootGUI=1
`DoubleBuffer=1
`;
`;The following lines are required for compatibility with other programs.
`;Do not remove them (MSDOS.SYS needs to be >1024 bytes).
`AutoScan=1
`WinVer=4.10.2222
*C:\config.sys
`DEVICE=C:\WINDOWS\HIMEM.SYS
`DEVICE=C:\WINDOWS\EMM386.EXE NOEMS
`REM [Header]
`REM [CD-ROM Drive]
`REM DEVICE=C:\CDROM\SSCDROM.SYS /D:MSCD001 /PIO
`REM [Miscellaneous]
`REM [Display]
`DEVICE=c:\windows\setver.exe
*C:\WINDOWS\wininit.bak
`[Rename]
`NUL=C:\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\index.dat
`NUL=C:\WINDOWS\RUNWIN~1
`NUL=C:\WINDOWS\P2P-10~1.EXE
`NUL=C:\WINDOWS\INSTAL~1.EXE
`NUL=C:\WINDOWS\SYSTEM\HOTSEX~1.EXE
`NUL=C:\WINDOWS\SYSTEM\FCKEC980.DLL
`NUL=C:\WINDOWS\APPLIC~1\ATTH.EXE
`NUL=C:\WINDOWS\DOWNLO~1\MEDIAT~1.OCX
`NUL=C:\PROGRA~1\EXPLOR~1\SPYBUDDY\INSTAL~1\SPYBUD~1.EXE
`NUL=C:\WINDOWS\SYSTEM~1.DLL
`NUL=C:\WINDOWS\RUNWIN~1
`NUL=C:\WINDOWS\P2P-10~1.EXE
`NUL=C:\WINDOWS\INSTAL~1.EXE
`NUL=C:\WINDOWS\SYSTEM\HOTSEX~1.EXE
`NUL=C:\WINDOWS\SYSTEM\FCKEC980.DLL
`NUL=C:\WINDOWS\APPLIC~1\ATTH.EXE
`NUL=C:\WINDOWS\DOWNLO~1\MEDIAT~1.OCX
`NUL=C:\PROGRA~1\EXPLOR~1\SPYBUDDY\INSTAL~1\SPYBUD~1.EXE
*C:\WINDOWS\dosstart.bat
`@echo off
`LH C:\PROGRA~1\MSHARD~1\MOUSE\MOUSE.EXE
`C:\SBPCI\APINIT
*C:\WINDOWS\hosts
`127.0.0.1 localhost
»Program Files
*C:\ntldr
*C:\io.sys
*C:\WINDOWS\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\command.PIF
*C:\WINDOWS\COMMAND.PIF
*C:\WINDOWS\COMMAND.COM
*c:\windows\COMMAND.PIF
*c:\windows\COMMAND.COM
+C:\CHOICE.COM
*c:\windows\COMMAND\CHOICE.COM
+C:\WINDOWS\SYSTEM\REGEDIT.EXE
*C:\WINDOWS\REGEDIT.COM
*C:\WINDOWS\REGEDIT.EXE
*c:\windows\REGEDIT.COM
*c:\windows\REGEDIT.EXE
+C:\WINDOWS\SYSTEM\HH.EXE
*C:\WINDOWS\hh.exe
*c:\windows\hh.exe
+C:\WINDOWS\DOSPRMPT.PIF
*c:\windows\DOSPRMPT.PIF
+C:\WINDOWS\MS-DOS Mode for Games.pif
*c:\windows\MS-DOS Mode for Games.pif
+C:\WINDOWS\MS-DOS Mode for Games with EMS and XMS Support.pif
*c:\windows\MS-DOS Mode for Games with EMS and XMS Support.pif
+C:\WINDOWS\Exit To Dos.pif
*c:\windows\Exit To Dos.pif
+C:\WINDOWS\WIN.COM
*c:\windows\WIN.COM
+C:\WINDOWS\R.COM
*c:\windows\R.COM
+C:\WINDOWS\MPLAYER.EXE
*c:\windows\MPLAYER.EXE
+C:\WINDOWS\CLSPACK.EXE
*c:\windows\CLSPACK.EXE
+C:\WINDOWS\DOSREP.EXE
*c:\windows\DOSREP.EXE
+C:\WINDOWS\DRWATSON.EXE
*c:\windows\DRWATSON.EXE
+C:\WINDOWS\PROTMAN.EXE
*c:\windows\PROTMAN.EXE
+C:\WINDOWS\EXPLORER.EXE
*c:\windows\EXPLORER.EXE
+C:\WINDOWS\SETDEBUG.EXE
*c:\windows\SETDEBUG.EXE
+C:\WINDOWS\GRPCONV.EXE
*c:\windows\GRPCONV.EXE
+C:\WINDOWS\PIDSET.EXE
*c:\windows\PIDSET.EXE
+C:\WINDOWS\SIGVERIF.EXE
*c:\windows\SIGVERIF.EXE
+C:\WINDOWS\PSSVC.EXE
*c:\windows\PSSVC.EXE
+C:\WINDOWS\UPWIZUN.EXE
*c:\windows\UPWIZUN.EXE
+C:\WINDOWS\WINREP.EXE
*c:\windows\WINREP.EXE
+C:\WINDOWS\ACCSTAT.EXE
*c:\windows\ACCSTAT.EXE
+C:\WINDOWS\CALC.EXE
*c:\windows\CALC.EXE
+C:\WINDOWS\CVT1.EXE
*c:\windows\CVT1.EXE
+C:\WINDOWS\PBRUSH.EXE
*c:\windows\PBRUSH.EXE
+C:\WINDOWS\SNDREC32.EXE
*c:\windows\SNDREC32.EXE
+C:\WINDOWS\SNDVOL32.EXE
*c:\windows\SNDVOL32.EXE
+C:\WINDOWS\VCMUI.EXE
*c:\windows\VCMUI.EXE
+C:\WINDOWS\CHARMAP.EXE
*c:\windows\CHARMAP.EXE
+C:\WINDOWS\CLEANMGR.EXE
*c:\windows\CLEANMGR.EXE
+C:\WINDOWS\CLIPBRD.EXE
*c:\windows\CLIPBRD.EXE
+C:\WINDOWS\DIALER.EXE
*c:\windows\DIALER.EXE
+C:\WINDOWS\CONTROL.EXE
*c:\windows\CONTROL.EXE
+C:\WINDOWS\FREECELL.EXE
*c:\windows\FREECELL.EXE
+C:\WINDOWS\KODAKIMG.EXE
*c:\windows\KODAKIMG.EXE
+C:\WINDOWS\KODAKPRV.EXE
*c:\windows\KODAKPRV.EXE
+C:\WINDOWS\CVTAPLOG.EXE
*c:\windows\CVTAPLOG.EXE
+C:\WINDOWS\MSHEARTS.EXE
*c:\windows\MSHEARTS.EXE
+C:\WINDOWS\NETWATCH.EXE
*c:\windows\NETWATCH.EXE
+C:\WINDOWS\DRVSPACE.EXE
*c:\windows\DRVSPACE.EXE
+C:\WINDOWS\EMM386.EXE
*c:\windows\EMM386.EXE
+C:\WINDOWS\RSRCMTR.EXE
*c:\windows\RSRCMTR.EXE
+C:\WINDOWS\MM2ENT.EXE
*c:\windows\MM2ENT.EXE
+C:\WINDOWS\NOTEPAD.EXE
*c:\windows\NOTEPAD.EXE
+C:\WINDOWS\PACKAGER.EXE
*c:\windows\PACKAGER.EXE
+C:\WINDOWS\PROGMAN.EXE
*c:\windows\PROGMAN.EXE
+C:\WINDOWS\RG2CATDB.EXE
*c:\windows\RG2CATDB.EXE
+C:\WINDOWS\RUNDLL.EXE
*c:\windows\RUNDLL.EXE
+C:\WINDOWS\SCANDSKW.EXE
*c:\windows\SCANDSKW.EXE
+C:\WINDOWS\SOL.EXE
*c:\windows\SOL.EXE
+C:\WINDOWS\TASKMAN.EXE
*c:\windows\TASKMAN.EXE
+C:\WINDOWS\TASKMON.EXE
*c:\windows\TASKMON.EXE
+C:\WINDOWS\SETVER.EXE
*c:\windows\SETVER.EXE
+C:\WINDOWS\WINHELP.EXE
*c:\windows\WINHELP.EXE
+C:\WINDOWS\SYSMON.EXE
*c:\windows\SYSMON.EXE
+C:\WINDOWS\WINHLP32.EXE
*c:\windows\WINHLP32.EXE
+C:\WINDOWS\WINMINE.EXE
*c:\windows\WINMINE.EXE
+C:\WINDOWS\WININIT.EXE
*c:\windows\WININIT.EXE
+C:\WINDOWS\WRITE.EXE
*c:\windows\WRITE.EXE
+C:\WINDOWS\WINPOPUP.EXE
*c:\windows\WINPOPUP.EXE
+C:\WINDOWS\IPCONFIG.EXE
*c:\windows\IPCONFIG.EXE
+C:\WINDOWS\CDPLAYER.EXE
*c:\windows\CDPLAYER.EXE
+C:\WINDOWS\MSNCREAT.EXE
*c:\windows\MSNCREAT.EXE
+C:\WINDOWS\EXTRAC32.EXE
*c:\windows\EXTRAC32.EXE
+C:\WINDOWS\WSCRIPT.EXE
*c:\windows\WSCRIPT.EXE
+C:\WINDOWS\TOUR98.EXE
*c:\windows\TOUR98.EXE
+C:\WINDOWS\QFECHECK.EXE
*c:\windows\QFECHECK.EXE
+C:\WINDOWS\ST5UNST.EXE
*c:\windows\ST5UNST.EXE
+C:\WINDOWS\NBTSTAT.EXE
*c:\windows\NBTSTAT.EXE
+C:\WINDOWS\PING.EXE
*c:\windows\PING.EXE
+C:\WINDOWS\ARP.EXE
*c:\windows\ARP.EXE
+C:\WINDOWS\FTP.EXE
*c:\windows\FTP.EXE
+C:\WINDOWS\NET.EXE
*c:\windows\NET.EXE
+C:\WINDOWS\SMARTDRV.EXE
*c:\windows\SMARTDRV.EXE
+C:\WINDOWS\NETSTAT.EXE
*c:\windows\NETSTAT.EXE
+C:\WINDOWS\ROUTE.EXE
*c:\windows\ROUTE.EXE
+C:\WINDOWS\TELNET.EXE
*c:\windows\TELNET.EXE
+C:\WINDOWS\TRACERT.EXE
*c:\windows\TRACERT.EXE
+C:\WINDOWS\WINIPCFG.EXE
*c:\windows\WINIPCFG.EXE
+C:\WINDOWS\HWINFO.EXE
*c:\windows\HWINFO.EXE
+C:\WINDOWS\NETDDE.EXE
*c:\windows\NETDDE.EXE
+C:\WINDOWS\TUNEUP.EXE
*c:\windows\TUNEUP.EXE
+C:\WINDOWS\ASD.EXE
*c:\windows\ASD.EXE
+C:\WINDOWS\RUNDLL32.EXE
*c:\windows\RUNDLL32.EXE
+C:\WINDOWS\uninst.exe
*c:\windows\uninst.exe
+C:\WINDOWS\IsUninst.exe
*c:\windows\IsUninst.exe
+C:\WINDOWS\iextract.exe
*c:\windows\iextract.exe
*c:\windows\COMMAND\IEXTRACT.EXE
+C:\WINDOWS\WINFILE.EXE
*c:\windows\WINFILE.EXE
+C:\WINDOWS\WINVER.EXE
*c:\windows\WINVER.EXE
+C:\WINDOWS\MSNMGSR1.EXE
*c:\windows\MSNMGSR1.EXE
+C:\WINDOWS\unvise32.exe
*c:\windows\unvise32.exe
+C:\WINDOWS\W3kNTStb.exe
*c:\windows\W3kNTStb.exe
+C:\WINDOWS\MSPUNIN.EXE
*c:\windows\MSPUNIN.EXE
+C:\WINDOWS\hpfsched.exe
*c:\windows\hpfsched.exe
+C:\WINDOWS\WUPDMGR.EXE
*c:\windows\WUPDMGR.EXE
+C:\WINDOWS\comctl32.exe
*c:\windows\comctl32.exe
+C:\WINDOWS\Undrnstl.exe
*c:\windows\Undrnstl.exe
+C:\WINDOWS\aolunins.exe
*c:\windows\aolunins.exe
+C:\WINDOWS\asicunst.exe
*c:\windows\asicunst.exe
+C:\WINDOWS\asicutil4.exe
*c:\windows\asicutil4.exe
+C:\WINDOWS\UNISTB32.EXE
*c:\windows\UNISTB32.EXE
+C:\WINDOWS\REGTLIB.EXE
*c:\windows\REGTLIB.EXE
+C:\WINDOWS\UNWISE.EXE
*c:\windows\UNWISE.EXE
+C:\WINDOWS\FONTVIEW.EXE
*c:\windows\FONTVIEW.EXE
+C:\WINDOWS\unvise32qt.exe
*c:\windows\unvise32qt.exe
+C:\WINDOWS\ST6UNST.EXE
*c:\windows\ST6UNST.EXE
+C:\WINDOWS\UnGins.exe
*c:\windows\UnGins.exe
+C:\WINDOWS\Setup1.exe
*c:\windows\Setup1.exe
+C:\WINDOWS\ld32408.exe
*c:\windows\ld32408.exe
+C:\WINDOWS\UNNMIX.exe
*c:\windows\UNNMIX.exe
+C:\WINDOWS\iun506.exe
*c:\windows\iun506.exe
+C:\WINDOWS\iun503.exe
*c:\windows\iun503.exe
+C:\WINDOWS\Monsters, Inc. Lounge.exe
*c:\windows\Monsters, Inc. Lounge.exe
+C:\WINDOWS\PATCH.EXE
*c:\windows\PATCH.EXE
+C:\WINDOWS\JVIEW.EXE
*c:\windows\JVIEW.EXE
+C:\WINDOWS\th_inst2.exe
*c:\windows\th_inst2.exe
+C:\WINDOWS\WJVIEW.EXE
*c:\windows\WJVIEW.EXE
+C:\WINDOWS\INST9753.EXE
*c:\windows\INST9753.EXE
+C:\WINDOWS\Rugrats.exe
*c:\windows\Rugrats.exe
+C:\WINDOWS\Uzerox_bs.exe
*c:\windows\Uzerox_bs.exe
+C:\WINDOWS\uneng.exe
*c:\windows\uneng.exe
+C:\WINDOWS\defrag.exe
*c:\windows\defrag.exe
+C:\WINDOWS\twunk_16.exe
*c:\windows\twunk_16.exe
+C:\WINDOWS\SNMP.EXE
*c:\windows\SNMP.EXE
+C:\WINDOWS\ieuninst.exe
*c:\windows\ieuninst.exe
+C:\WINDOWS\Q330994.exe
*c:\windows\Q330994.exe
+C:\WINDOWS\twunk_32.exe
*c:\windows\twunk_32.exe
+C:\WINDOWS\muninst.exe
*c:\windows\muninst.exe
+C:\WINDOWS\runtsckl.exe
*c:\windows\runtsckl.exe
+C:\WINDOWS\oeuninst.exe
*c:\windows\oeuninst.exe
+C:\WINDOWS\vgxuninst.exe
*c:\windows\vgxuninst.exe
+C:\WINDOWS\tsc.exe
*c:\windows\tsc.exe
+C:\WINDOWS\USBM56phmgunin.exe
*c:\windows\USBM56phmgunin.exe
+C:\WINDOWS\catalogSubInstaller.exe
*c:\windows\catalogSubInstaller.exe
+C:\WINDOWS\Ctregrun.exe
*c:\windows\Ctregrun.exe
+C:\WINDOWS\InetReg.exe
*c:\windows\InetReg.exe
+C:\WINDOWS\Helper.exe
*c:\windows\Helper.exe
+C:\WINDOWS\DOSSTART.BAT
*c:\windows\DOSSTART.BAT
»System/Drivers
»VMM32Files (LM)
*vdd.vxd=
*vflatd.vxd=
*vshare.vxd=
*vwin32.vxd=
*vfbackup.vxd=
*vcomm.vxd=
*combuff.vxd=
*vcd.vxd=
*vpd.vxd=
*spooler.vxd=
*udf.vxd=
*vfat.vxd=
*vcache.vxd=
*vcond.vxd=
*vcdfsd.vxd=
*int13.vxd=
*vxdldr.vxd=
*vdef.vxd=
*dynapage.vxd=
*configmg.vxd=
*ntkern.vxd=
*ebios.vxd=
*vmd.vxd=
*dosnet.vxd=
*vpicd.vxd=
*vtd.vxd=
*reboot.vxd=
*vdmad.vxd=
*vsd.vxd=
*v86mmgr.vxd=
*pageswap.vxd=
*dosmgr.vxd=
*vmpoll.vxd=
*shell.vxd=
*parity.vxd=
*biosxlat.vxd=
*vmcpd.vxd=
*vtdapi.vxd=
*perf.vxd=
*vkd.vxd=
*vmouse.vxd=
*mtrr.vxd=
*enable.vxd=
»%System%\VMM32
*C:\WINDOWS\SYSTEM\VMM32\hpziol00.vxd
*C:\WINDOWS\SYSTEM\VMM32\hpzion00.vxd
*C:\WINDOWS\SYSTEM\VMM32\hpziop00.vxd
*C:\WINDOWS\SYSTEM\VMM32\hpziop98.vxd
*C:\WINDOWS\SYSTEM\VMM32\QEMMFIX.VXD
*C:\WINDOWS\SYSTEM\VMM32\IFSMGR.VXD
*C:\WINDOWS\SYSTEM\VMM32\IOS.VXD
*C:\WINDOWS\SYSTEM\VMM32\MRCI2.VXD
*C:\WINDOWS\SYSTEM\VMM32\hpziou00.dll
»%System%\IOSUBSYS
*C:\WINDOWS\SYSTEM\IoSubSys\HSFLOP.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\RMM.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\SCSIPORT.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\ATAPCHNG.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\CDFS.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\CDTSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\CDVSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\DISKTSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\DISKVSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\DRVSPACX.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\APIX.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\NECATAPI.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\DRVWCDB.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\TORISAN3.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\DRVWQ117.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\VOLTRACK.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\EPATAP9X.MPD
*C:\WINDOWS\SYSTEM\IoSubSys\SCSI1HLP.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\BIGMEM.DRV
*C:\WINDOWS\SYSTEM\IoSubSys\ENSQIO.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\CDRALVSD.VXD_
*C:\WINDOWS\SYSTEM\IoSubSys\asapi.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\ACBHLPR.VXD_
*C:\WINDOWS\SYSTEM\IoSubSys\imagedrv.mpd
*C:\WINDOWS\SYSTEM\IoSubSys\drvwppqt.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\apix.BAK
*C:\WINDOWS\SYSTEM\IoSubSys\SPARROW.MPD
*C:\WINDOWS\SYSTEM\IoSubSys\APIX9X.BAK
*C:\WINDOWS\SYSTEM\IoSubSys\CN2487.MPD
*C:\WINDOWS\SYSTEM\IoSubSys\ULTRA.MPD
*C:\WINDOWS\SYSTEM\IoSubSys\ESDI_506.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\Cdralvsd.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\CDR4VSD.VXD_
*C:\WINDOWS\SYSTEM\IoSubSys\Cdr4vsd.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\Acbhlpr.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\pxhelper.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\nerocd95.bak
*C:\WINDOWS\SYSTEM\IoSubSys\SMARTVSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\IOMEGA.VXD
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User
 

·
Premium Member
Joined
·
14,311 Posts
I suggest not downloading any crack programs unless you want to be infected with one of these again. Cracks are notorious for embedding spyware and trojans with them.

Uninstall SpyBuddy from the Add/Remove panel if it's still listed there.

Download KillBox http://www.greyknight17.com/spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\Software Downloads\ossvc.exe
C:\Software Downloads\Cool Edit Pro mp3 plug-in (cepmp3 - not the demo).EXE
C:\Software Downloads\Cool Edit Pro 2.0 + Crack.exe
C:\WINDOWS\RUNWIN~1
C:\WINDOWS\P2P-10~1.EXE
C:\WINDOWS\INSTAL~1.EXE
C:\WINDOWS\SYSTEM\HOTSEX~1.EXE
C:\WINDOWS\SYSTEM\FCKEC980.DLL
C:\WINDOWS\APPLIC~1\ATTH.EXE
C:\WINDOWS\DOWNLO~1\MEDIAT~1.OCX
C:\PROGRA~1\EXPLOR~1\SPYBUDDY\
C:\WINDOWS\SYSTEM~1.DLL
C:\WINDOWS\RUNWIN~1
C:\WINDOWS\P2P-10~1.EXE
C:\WINDOWS\INSTAL~1.EXE
C:\WINDOWS\SYSTEM\HOTSEX~1.EXE
C:\WINDOWS\SYSTEM\FCKEC980.DLL
C:\WINDOWS\APPLIC~1\ATTH.EXE
C:\WINDOWS\DOWNLO~1\MEDIAT~1.OCX


Go into this folder -> C:\PROGRA~1\EXPLOR~1\
What else is in that folder? When was the EXPLOR~1 folder created? If recently (or around the time of your problems), then delete that whole folder called EXPLOR.... in the Program Files directory.

Go to C:\WINDOWS\ and open up wininit.bak in Notepad. Delete these lines in that file:

`NUL=C:\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\index.dat
`NUL=C:\WINDOWS\RUNWIN~1
`NUL=C:\WINDOWS\P2P-10~1.EXE
`NUL=C:\WINDOWS\INSTAL~1.EXE
`NUL=C:\WINDOWS\SYSTEM\HOTSEX~1.EXE
`NUL=C:\WINDOWS\SYSTEM\FCKEC980.DLL
`NUL=C:\WINDOWS\APPLIC~1\ATTH.EXE
`NUL=C:\WINDOWS\DOWNLO~1\MEDIAT~1.OCX
`NUL=C:\PROGRA~1\EXPLOR~1\SPYBUDDY\INSTAL~1\SPYBUD~1.EXE
`NUL=C:\WINDOWS\SYSTEM~1.DLL
`NUL=C:\WINDOWS\RUNWIN~1
`NUL=C:\WINDOWS\P2P-10~1.EXE
`NUL=C:\WINDOWS\INSTAL~1.EXE
`NUL=C:\WINDOWS\SYSTEM\HOTSEX~1.EXE
`NUL=C:\WINDOWS\SYSTEM\FCKEC980.DLL
`NUL=C:\WINDOWS\APPLIC~1\ATTH.EXE
`NUL=C:\WINDOWS\DOWNLO~1\MEDIAT~1.OCX
`NUL=C:\PROGRA~1\EXPLOR~1\SPYBUDDY\INSTAL~1\SPYBUD~1.EXE


Save the file and close it.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link doesn't work - http://www.greyknight17.com/spy/Cleanup.exe ) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Restart. Is that OK button still there? Is it a popup? Can you click or move it?
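
The wininit.bak review in the post above, as an added example that is not part of the original thread: on Windows 9x, a `NUL=<path>` line in the `[Rename]` section of wininit.ini schedules that file for deletion at the next boot, and the processed file is kept as wininit.bak, so it doubles as a record of what earlier cleanup tools tried to remove. The Python sketch below parses that section from a raw file or a StartDreck excerpt; the function names and the `EXAMPLE.*` rename line in the sample are constructed for illustration.

```python
import ntpath
from collections import OrderedDict

# Constructed sample: a StartDreck excerpt using lines from the log in this
# thread, plus one made-up rename entry (EXAMPLE.*) to show the non-delete form.
SAMPLE = r"""
*C:\WINDOWS\wininit.bak
`[Rename]
`NUL=C:\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\index.dat
`NUL=C:\WINDOWS\RUNWIN~1
`NUL=C:\WINDOWS\SYSTEM\FCKEC980.DLL
`NUL=C:\WINDOWS\APPLIC~1\ATTH.EXE
`NUL=C:\WINDOWS\RUNWIN~1
`C:\WINDOWS\SYSTEM\EXAMPLE.DLL=C:\WINDOWS\TEMP\EXAMPLE.TMP
*C:\WINDOWS\dosstart.bat
`@echo off
"""

EXECUTABLE_EXT = {".exe", ".dll", ".ocx", ".com", ".scr", ".pif", ".vxd"}
LOG_MARKERS = ("*", "+", "\u00bb")  # StartDreck structural prefixes


def parse_rename_section(text):
    """Return (destination, source) pairs from [Rename], in file order.

    configparser cannot be used: the key NUL repeats on every delete line.
    """
    entries = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("`"):
            # StartDreck prefixes each line of a dumped file with a backtick.
            line = line[1:].strip()
        elif line.startswith(LOG_MARKERS):
            # Next file or category in the log: the section is over.
            in_rename = False
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if not in_rename or line.startswith(";") or "=" not in line:
            continue
        dest, src = line.split("=", 1)
        entries.append((dest.strip(), src.strip()))
    return entries


def triage(entries):
    """Split entries into scheduled deletions and renames, then annotate.

    Returns (report, renames). Each report row describes one unique deletion
    target, compared case-insensitively as the file system does.
    """
    deletions = OrderedDict()
    renames = []
    for dest, src in entries:
        if dest.upper() == "NUL":
            key = src.upper()
            deletions[key] = deletions.get(key, 0) + 1
        else:
            renames.append((dest, src))

    report = []
    for path, count in deletions.items():
        ext = ntpath.splitext(path)[1].lower()
        report.append({
            "path": path,
            # Listed more than once: a tool queued it again on a later boot,
            # which suggests the file was still present (or was recreated).
            "times_listed": count,
            "executable": ext in EXECUTABLE_EXT,
            # 8.3 alias somewhere in the path: the long name, and possibly
            # the real extension, must be looked up on disk before deleting.
            "has_short_alias": "~" in path,
        })
    return report, renames


if __name__ == "__main__":
    rows, moved = triage(parse_rename_section(SAMPLE))
    for row in rows:
        print(row)
    for dest, src in moved:
        print("rename:", src, "->", dest)
```
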
 