
Another newbie with troubles


23 replies to this topic

#1 tlronny

tlronny

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:10:45 AM

Posted 18 February 2005 - 02:05 AM

Hi
Just found this site which is my last hope!
I keep getting pop ups and the dialer screen keeps coming up too!
I have used CWS Shredder - Adaware - Spybot S&D and still it persists!
Here's my report:

Logfile of HijackThis v1.99.1
Scan saved at 7:45:43 pm, on 18/02/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\FMCTRL.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE /O
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] d:\applications\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] d:\applications\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Q3dctlTray] Fmctrl.EXE
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 150.199.1.11,128.206.2.252,131.151.254.243

Edited by tlronny, 18 February 2005 - 04:41 PM.




#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,675 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:45 PM

Posted 20 February 2005 - 12:18 AM

Print out these instructions and then close all windows including Internet Explorer.

Reboot your computer into Safe Mode

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)


Reboot your computer to go back to normal mode and post a new log.

#3 tlronny


Posted 20 February 2005 - 02:48 AM

Did that and got this but I'm still getting the same pop up all the time and my dialer keeps appearing while offline!
That last line won't go away after 'cleaning' either.

Logfile of HijackThis v1.99.1
Scan saved at 8:15:44 pm, on 20/02/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\TEMP\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall

#4 Grinler


Posted 20 February 2005 - 01:10 PM

Ok please post a complete log. That log looks a bit cut off.

#5 tlronny


Posted 20 February 2005 - 02:30 PM

That's pretty much it

Logfile of HijackThis v1.99.1
Scan saved at 8:21:27 am, on 21/02/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\TEMP\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

#6 Grinler


Posted 20 February 2005 - 07:54 PM

Umm... did you go a little crazy putting checks in things? You had a lot more in your original post.

Fix this line.

#7 tlronny


Posted 20 February 2005 - 08:45 PM

What line, sorry??

Logfile of HijackThis v1.99.1
Scan saved at 2:33:12 pm, on 21/02/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall

Will post that se.dll to you again like before

#8 Grinler


Posted 20 February 2005 - 11:00 PM

No need to submit the file again. Fix this line again, reboot and post a new log

O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall

A lot of those lines you fixed did not need to be fixed

#9 tlronny


Posted 21 February 2005 - 12:35 AM

Logfile of HijackThis v1.99.1
Scan saved at 6:38:05 pm, on 21/02/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\FMCTRL.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Q3dctlTray] Fmctrl.EXE
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

When I fix the se.dll line - it just returns again later?

Edited by tlronny, 21 February 2005 - 01:33 AM.


#10 Grinler


Posted 21 February 2005 - 10:21 AM

Please follow these steps:

Step 1:

1. Click on Start, then Run and type msinfo32 and press the OK button.
2. Expand the Software Environment section.
3. Expand the System Hooks Section.
4. Look for the which may be listed as:

-Hook type: Window Procedure
-Hooked by: XXXXX.dll
-Application: RUNDLL32.EXE
-Dll path: C:\WINDOWS\SYSTEM\XXXXX.dll
-Application path: C:\WINDOWS\RUNDLL32.EXE

Where XXXXX.dll is the file name.

If you find that file, highlight it with your mouse and click on edit then copy to copy the filename.

Then post that filename with the information in the next step in a reply to this post.

5. Continue to Step 2.

Step 2:

1. Download: "StartDreck" from:

http://www.niksoft.at/download/startdreck.htm

2. Extract the file into c:\startdreck.

3. Navigate to c:\startdreck and double-click on Startdreck.exe

4. When the program opens click on the Config button.

5. Then click on the unmark all button.

6. Then put checkmarks in the following checkboxes:

Under Registry put a checkmark in the Run Keys checkbox.

Under System/Drivers put a check in the Running Processes checkbox.

7. Press the OK button.

8. Press the Save button. Type in the location you want to save the log to, or use the defaults which will save the log into the directory you are running the program from. If you choose the defaults the filename for the log will be StartDreck.log.

9. Post a copy of the log as a reply to this post.

#11 tlronny


Posted 21 February 2005 - 11:28 PM

Couldn't find any reference at all to the System Hooks Section in msinfo32 but here's the 'Startdreck' log file:

StartDreck (build 2.1.7 public stable) - 2005-02-22 @ 17:06:01 (GMT +13:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 6.0.2600.0000
Logged in as Kieran Wealleans at KIERAN WEALLEAN

»Registry
»Run Keys
»Current User
»Run
*NVIEW=
»RunOnce
»Default User
»Run
*NVIEW=
»RunOnce
»Local Machine
»Run
*nwiz=nwiz.exe /install
*LoadQM=loadqm.exe
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*UpdReg=C:\WINDOWS\Updreg.exe
*Q3dctlTray=Fmctrl.EXE
*Hidserv=Hidserv.exe run
*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*SSDPSRV=C:\WINDOWS\SYSTEM\ssdpsrv.exe
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
»RunServicesOnce
**myi=rundll32 C:\WINDOWS\IGS.INI,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
+FFCF4867=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF8DB3=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFE2DAF=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE27E3=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE629F=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFEADDB=C:\WINDOWS\SYSTEM\SSDPSRV.EXE
+FFFE9063=C:\WINDOWS\RUNDLL32.EXE
+FFFE7873=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFFD0923=C:\WINDOWS\EXPLORER.EXE
+FFFC7423=C:\WINDOWS\LOADQM.EXE
+FFFC3AEB=C:\WINDOWS\TASKMON.EXE
+FFFC1A67=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFDC2D3=C:\WINDOWS\SYSTEM\FMCTRL.EXE
+FFFC9BB7=C:\WINDOWS\RUNDLL32.EXE
+FFFC8693=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFFB28E7=C:\WINDOWS\SYSTEM\HIDSERV.EXE
+FFFB376B=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFB99DF=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
+FFFA2D83=C:\WINDOWS\SYSTEM\TAPISRV.EXE
+FFFE0517=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFFAAEC3=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFF775F7=C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
+FFFA6583=C:\STARTDRECK\STARTDRECK.EXE
»Application specific

Edited by tlronny, 21 February 2005 - 11:30 PM.


#12 Grinler


Posted 22 February 2005 - 10:42 AM

Download killbox here:

KillBox


Unzip the folder to your desktop.

Start Killbox.exe

When it is open, enter C:\WINDOWS\IGS.INI into the field labeled "Full path of file to delete".

Select the Delete on reboot option.

Then press the button that looks like a red circle with a white X in it.

Your computer will reboot. Then post a new log.
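
The two autostart entries this thread keeps coming back to, `rundll32` pointed at `C:\WINDOWS\TEMP\SE.DLL` and at `C:\WINDOWS\IGS.INI`, can be picked out of HijackThis and StartDreck logs mechanically. The following Python is an added example, not part of the original posts; the regexes, the extension allow-list and the temp-directory names are assumptions made for illustration, and the sample lines are copied from the logs in this thread.

```python
import re
from pathlib import PureWindowsPath

# Sample input: autostart lines copied from the HijackThis and StartDreck
# logs posted in this thread (selection constructed for the example).
SAMPLE = r"""
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
*Hidserv=Hidserv.exe run
**myi=rundll32 C:\WINDOWS\IGS.INI,DllGetClassObject
"""

# HijackThis registry autorun line: O4 - <key>: [<value name>] <command>
HJT_O4 = re.compile(r"^O4 - [^:]+: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# StartDreck value line: *<value name>=<command>
STARTDRECK = re.compile(r"^\*(?P<name>[^=]+)=(?P<cmd>.+)$")
# rundll32 command line: rundll32[.exe] <file>,<export> [args]
RUNDLL = re.compile(r"^rundll32(?:\.exe)?\s+(?P<target>[^,]+),(?P<export>\S+)", re.I)

# Assumptions for this example, not an exhaustive policy.
LIBRARY_EXTS = {".dll", ".cpl", ".ocx", ".drv"}
TEMP_DIRS = {"temp", "tmp"}


def parse_autoruns(text):
    """Yield (value name, command) for each autorun line in either log format."""
    for line in text.splitlines():
        m = HJT_O4.match(line.strip()) or STARTDRECK.match(line.strip())
        if m:
            yield m.group("name"), m.group("cmd")


def flag_rundll32(text):
    """Return (name, target, reasons) for rundll32 autoruns worth a closer look."""
    findings = []
    for name, cmd in parse_autoruns(text):
        m = RUNDLL.match(cmd)
        if not m:
            continue  # not a rundll32 launch
        target = PureWindowsPath(m.group("target").strip().strip('"'))
        reasons = []
        # Any parent directory named like a temp folder.
        if any(part.lower() in TEMP_DIRS for part in target.parts[:-1]):
            reasons.append("library loaded from a temp directory")
        # rundll32 appends .dll when no extension is given, so only an
        # explicit, unexpected extension is flagged.
        if target.suffix and target.suffix.lower() not in LIBRARY_EXTS:
            reasons.append("target is not a library file type")
        if reasons:
            findings.append((name, str(target), reasons))
    return findings


if __name__ == "__main__":
    for name, target, reasons in flag_rundll32(SAMPLE):
        print(f"[{name}] {target}: {'; '.join(reasons)}")
```
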

#13 tlronny


Posted 22 February 2005 - 05:40 PM

There seems to be only the same one popup appearing randomly at any time and my dialer appears from time to time as well


Logfile of HijackThis v1.99.1
Scan saved at 11:34:22 am, on 23/02/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\FMCTRL.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Q3dctlTray] Fmctrl.EXE
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Edited by tlronny, 23 February 2005 - 12:16 PM.


#14 Grinler


Posted 23 February 2005 - 02:20 PM

Fix this entry:

O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall


Reboot

Delete c:\windows\temp\se.dll

Then give me another startdreck log

#15 tlronny


Posted 23 February 2005 - 10:48 PM

StartDreck (build 2.1.7 public stable) - 2005-02-24 @ 16:56:53 (GMT +13:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 6.0.2600.0000
Logged in as Kieran Wealleans at KIERAN WEALLEAN

»Registry
»Run Keys
»Current User
»Run
*NVIEW=
»RunOnce
»Default User
»Run
*NVIEW=
»RunOnce
»Local Machine
»Run
*nwiz=nwiz.exe /install
*LoadQM=loadqm.exe
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*UpdReg=C:\WINDOWS\Updreg.exe
*Q3dctlTray=Fmctrl.EXE
*Hidserv=Hidserv.exe run
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*SSDPSRV=C:\WINDOWS\SYSTEM\ssdpsrv.exe
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
»RunServicesOnce
**dq=rundll32 C:\WINDOWS\IGS.INI,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
+.htm
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.html
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.js
*JSFile=C:\WINDOWS\WScript.exe "%1" %*
+.jse
*JSEFile=C:\WINDOWS\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.txt
*txtfile=C:\WINDOWS\NOTEPAD.EXE %1
+.vbs
*VBSFile=C:\WINDOWS\WScript.exe "%1" %*
+.vbe
*VBEFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsh
*WSHFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsf
*WSFFile=C:\WINDOWS\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
»Files
»Autostart Folders
»Current User
*C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
»Default User
*C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
»Local Machine
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\WINDOWS\msdos.sys
*C:\msdos.sys
*C:\config.sys
*C:\autoexec.bat
*C:\WINDOWS\wininit.bak
*C:\WINDOWS\dosstart.bat
*C:\WINDOWS\command\cmdinit.bat
»System/Drivers
»Running Processes
+FFCF4811=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF8DC5=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFE2DD9=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE2795=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFEB251=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFEA3ED=C:\WINDOWS\SYSTEM\SSDPSRV.EXE
+FFFEF6C1=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFFE06ED=C:\WINDOWS\RUNDLL32.EXE
+FFFE8D21=C:\WINDOWS\EXPLORER.EXE
+FFFDD60D=C:\WINDOWS\LOADQM.EXE
+FFFDCBF9=C:\WINDOWS\TASKMON.EXE
+FFFDC5FD=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFC3855=C:\WINDOWS\SYSTEM\FMCTRL.EXE
+FFFC5C61=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFFB3445=C:\WINDOWS\SYSTEM\HIDSERV.EXE
+FFFB03B5=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFCF885=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
+FFFB8A41=C:\STARTDRECK\STARTDRECK.EXE
»NT Services
»Application specific

Edited by tlronny, 23 February 2005 - 11:02 PM.




