hijackthis log file - post adaware and spybot


This topic is locked
38 replies to this topic

#1 villavengore


  • Members
  • 27 posts

Posted 09 July 2005 - 05:35 PM

Hi folks - have been following Basket Chick's exploits and tried to do much of the work myself - hoping not to have to ask you guys for help (lol) - but it seems I still have problems - especially with something eating memory



Logfile of HijackThis v1.99.1
Scan saved at 23:31:11, on 09/07/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\IPLU.EXE
C:\WINDOWS\SYSTEM\CRSZ32.EXE
C:\WINDOWS\NTBH.EXE
C:\WINDOWS\SYSTEM\NTQH32.EXE
C:\WINDOWS\MFCOU32.EXE
C:\WINDOWS\D3NO32.EXE
C:\WINDOWS\JAVASL.EXE
C:\WINDOWS\NETPM32.EXE
C:\WINDOWS\ATLIN.EXE
C:\WINDOWS\SYSTEM\MFCPZ.EXE
C:\WINDOWS\IEHK32.EXE
C:\WINDOWS\NETJJ.EXE
C:\WINDOWS\SYSTEM\ATLNF.EXE
C:\WINDOWS\SYSTEM\NTLN.EXE
C:\WINDOWS\SYSTEM\ATLVH.EXE
C:\WINDOWS\APIGT32.EXE
C:\WINDOWS\APISW32.EXE
C:\WINDOWS\SYSTEM\MFCOD32.EXE
C:\WINDOWS\SYSTEM\IERB.EXE
C:\WINDOWS\SYSTEM\ADDVP.EXE
C:\WINDOWS\IPGI.EXE
C:\WINDOWS\CRWA.EXE
C:\WINDOWS\JAVARL32.EXE
C:\WINDOWS\SYSTEM\IEHT.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SISTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETROPA\SMART KEYBOARD\SMARTKBD.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NOKIA\NOKIA PC SUITE 5\DATALAYER.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLSTAT.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLAGENT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\NETROPA\SMART KEYBOARD\MEDIACTR.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SAIMON.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-GB\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\MFCOD32.EXE
C:\PROGRAM FILES\COMMON FILES\NOKIA\SERVICES\SERVICELAYER.EXE
C:\WINDOWS\SYSTEM\CRSZ32.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.co.uk/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b5yvd6d1.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b5yvd6d1.slt\prefs.js)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Class - {CE678389-B1E9-4F6F-091A-C8A48544D7B4} - C:\WINDOWS\APPPQ32.DLL
O2 - BHO: Class - {9ABFF989-9ED7-3145-0593-2AEE710D89F0} - C:\WINDOWS\SYSTEM\NTOT32.DLL
O2 - BHO: Class - {B7BB622B-B1F1-9882-B911-97E5AE60D6F8} - C:\WINDOWS\NETFM32.DLL
O2 - BHO: Class - {30C00878-EB52-2D78-229D-BB338A6A366B} - C:\WINDOWS\SYSTEM\APPIQ.DLL
O2 - BHO: Class - {5B2615B7-6BBD-D473-94ED-D7BCCCF24A69} - C:\WINDOWS\SYSTEM\NETTH32.DLL
O2 - BHO: Class - {E95765CD-1144-137D-0886-AD249CF0B30C} - C:\WINDOWS\SYSTEM\JAVATN.DLL
O2 - BHO: Class - {7369E702-7B86-0B57-D101-8BCC1671DEFE} - C:\WINDOWS\MFCFM.DLL
O2 - BHO: Class - {1B05716B-5FEA-54F5-0792-D4CE74369E8C} - C:\WINDOWS\MFCEL.DLL
O2 - BHO: Class - {D7A31A50-316A-7D9B-8712-F2AC67649095} - C:\WINDOWS\WINYC.DLL
O2 - BHO: Class - {544E4536-F6CF-3AEA-758C-3229D8263B6D} - C:\WINDOWS\WINPY.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\EN-GB\MSNTB.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM\SISTRAY.EXE
O4 - HKLM\..\Run: [Smart Keyboard] C:\Program Files\Netropa\Smart Keyboard\Smartkbd.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [DataLayer] c:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE c:\windows\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE c:\windows\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SAIMON] C:\WINDOWS\SYSTEM\SaiMon.exe
O4 - HKLM\..\Run: [Gene USB Monitor] c:\windows\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
O4 - HKLM\..\Run: [APPZO32.EXE] C:\WINDOWS\SYSTEM\APPZO32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccProxy] c:\PROGRA~1\COMMON~1\SYMANT~1\CCPROXY.EXE
O4 - HKLM\..\RunServices: [SndSrvc] C:\PROGRA~1\COMMON~1\SYMANT~1\SNDSRVC.EXE
O4 - HKLM\..\RunServices: [IPLU.EXE] C:\WINDOWS\SYSTEM\IPLU.EXE /s
O4 - HKLM\..\RunServices: [CRSZ32.EXE] C:\WINDOWS\SYSTEM\CRSZ32.EXE /s
O4 - HKLM\..\RunServices: [NTBH.EXE] C:\WINDOWS\NTBH.EXE /s
O4 - HKLM\..\RunServices: [NTQH32.EXE] C:\WINDOWS\SYSTEM\NTQH32.EXE /s
O4 - HKLM\..\RunServices: [MFCOU32.EXE] C:\WINDOWS\MFCOU32.EXE /s
O4 - HKLM\..\RunServices: [D3NO32.EXE] C:\WINDOWS\D3NO32.EXE /s
O4 - HKLM\..\RunServices: [JAVASL.EXE] C:\WINDOWS\JAVASL.EXE /s
O4 - HKLM\..\RunServices: [NETPM32.EXE] C:\WINDOWS\NETPM32.EXE /s
O4 - HKLM\..\RunServices: [ATLIN.EXE] C:\WINDOWS\ATLIN.EXE /s
O4 - HKLM\..\RunServices: [MFCPZ.EXE] C:\WINDOWS\SYSTEM\MFCPZ.EXE /s
O4 - HKLM\..\RunServices: [IEHK32.EXE] C:\WINDOWS\IEHK32.EXE /s
O4 - HKLM\..\RunServices: [NETJJ.EXE] C:\WINDOWS\NETJJ.EXE /s
O4 - HKLM\..\RunServices: [ATLNF.EXE] C:\WINDOWS\SYSTEM\ATLNF.EXE /s
O4 - HKLM\..\RunServices: [NTLN.EXE] C:\WINDOWS\SYSTEM\NTLN.EXE /s
O4 - HKLM\..\RunServices: [APPTZ.EXE] C:\WINDOWS\SYSTEM\APPTZ.EXE /s
O4 - HKLM\..\RunServices: [ATLVH.EXE] C:\WINDOWS\SYSTEM\ATLVH.EXE /s
O4 - HKLM\..\RunServices: [APIGT32.EXE] C:\WINDOWS\APIGT32.EXE /s
O4 - HKLM\..\RunServices: [APISW32.EXE] C:\WINDOWS\APISW32.EXE /s
O4 - HKLM\..\RunServices: [MFCOD32.EXE] C:\WINDOWS\SYSTEM\MFCOD32.EXE /s
O4 - HKLM\..\RunServices: [IERB.EXE] C:\WINDOWS\SYSTEM\IERB.EXE /s
O4 - HKLM\..\RunServices: [ADDVP.EXE] C:\WINDOWS\SYSTEM\ADDVP.EXE /s
O4 - HKLM\..\RunServices: [IPGI.EXE] C:\WINDOWS\IPGI.EXE /s
O4 - HKLM\..\RunServices: [CRWA.EXE] C:\WINDOWS\CRWA.EXE /s
O4 - HKLM\..\RunServices: [JAVARL32.EXE] C:\WINDOWS\JAVARL32.EXE /s
O4 - HKLM\..\RunServices: [IEHT.EXE] C:\WINDOWS\SYSTEM\IEHT.EXE /s
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\PROGRAM FILES\YAHOO!\YPSR\PPCLEAN.EXE" "clean" "smartfinder" "2"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [OM_Monitor] C:\PROGRAM FILES\OLYMPUS\OLYMPUS MASTER\MONITOR.EXE -NoStart
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: Search Using Copernic - C:\Program Files\Copernic 2001 Basic\Search Extension.htm
O9 - Extra button: Translate - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2001 Basic\Translate.htm
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2001 Basic\Translate.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL
O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Basic\Copernic.exe
O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Basic\Copernic.exe
O9 - Extra 'Tools' menuitem: Launch Copernic 2001 - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Basic\Copernic.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion....ebio5_1_6_0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O19 - User stylesheet: (file missing)

I've run Spybot, Adaware, CWShredder - have NAV running as standard - I appear to have lost IE after Adaware cleaned up (but that could be coincidence), so I am using Netscape, which the two off-PC virus checkers recommended (Panda and another one) don't like.

Any help gratefully received.


#2 groovicus


  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 11 July 2005 - 08:29 AM

If you still need help, could you post a fresh log please?

#3 villavengore

  • Topic Starter

  • Members
  • 27 posts

Posted 11 July 2005 - 04:58 PM

Hell yes, I'm still having trouble - lol - the memory eating is so bad I'm having trouble opening this window with the txt editor to send the HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 22:40:42, on 11/07/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\IPLU.EXE
C:\WINDOWS\SYSTEM\CRSZ32.EXE
C:\WINDOWS\NTBH.EXE
C:\WINDOWS\SYSTEM\NTQH32.EXE
C:\WINDOWS\MFCOU32.EXE
C:\WINDOWS\D3NO32.EXE
C:\WINDOWS\JAVASL.EXE
C:\WINDOWS\NETPM32.EXE
C:\WINDOWS\ATLIN.EXE
C:\WINDOWS\SYSTEM\MFCPZ.EXE
C:\WINDOWS\IEHK32.EXE
C:\WINDOWS\NETJJ.EXE
C:\WINDOWS\SYSTEM\ATLNF.EXE
C:\WINDOWS\SYSTEM\NTLN.EXE
C:\WINDOWS\SYSTEM\APPTZ.EXE
C:\WINDOWS\SYSTEM\ATLVH.EXE
C:\WINDOWS\APIGT32.EXE
C:\WINDOWS\APISW32.EXE
C:\WINDOWS\SYSTEM\MFCOD32.EXE
C:\WINDOWS\SYSTEM\IERB.EXE
C:\WINDOWS\SYSTEM\ADDVP.EXE
C:\WINDOWS\IPGI.EXE
C:\WINDOWS\CRWA.EXE
C:\WINDOWS\JAVARL32.EXE
C:\WINDOWS\SYSTEM\IEHT.EXE
C:\WINDOWS\APIBK.EXE
C:\WINDOWS\SYSTEM\SYSNT.EXE
C:\WINDOWS\SYSTEM\MSIV32.EXE
C:\WINDOWS\NETKD.EXE
C:\WINDOWS\D3ES.EXE
C:\WINDOWS\SYSTEM\ATLHL.EXE
C:\WINDOWS\SYSTEM\IPWH.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SISTRAY.EXE
C:\PROGRAM FILES\NETROPA\SMART KEYBOARD\SMARTKBD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NOKIA\NOKIA PC SUITE 5\DATALAYER.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLSTAT.EXE
C:\PROGRAM FILES\NETROPA\SMART KEYBOARD\MEDIACTR.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLAGENT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SAIMON.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-GB\MSNAPPAU.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\APPZO32.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\PROGRAM FILES\A2\A2GUARD.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\COMMON FILES\NOKIA\SERVICES\SERVICELAYER.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\WINDOWS\NTBH.EXE
C:\WINDOWS\SYSTEM\CRSZ32.EXE
C:\WINDOWS\SYSTEM\ATLHL.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\usfez.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\usfez.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\usfez.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\usfez.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\usfez.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\usfez.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\usfez.dll/sp.html#37049
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.co.uk/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b5yvd6d1.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b5yvd6d1.slt\prefs.js)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Class - {D6D1D346-7057-F52B-A543-62788D0CC38F} - C:\WINDOWS\SYSTEM\NETTZ32.DLL
O2 - BHO: Class - {567853EC-6A6B-3B51-E7C1-1A0813A07790} - C:\WINDOWS\SYSTEM\WINWT32.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\EN-GB\MSNTB.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM\SISTRAY.EXE
O4 - HKLM\..\Run: [Smart Keyboard] C:\Program Files\Netropa\Smart Keyboard\Smartkbd.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [DataLayer] c:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE c:\windows\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE c:\windows\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SAIMON] C:\WINDOWS\SYSTEM\SaiMon.exe
O4 - HKLM\..\Run: [Gene USB Monitor] c:\windows\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
O4 - HKLM\..\Run: [APPZO32.EXE] C:\WINDOWS\SYSTEM\APPZO32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccProxy] c:\PROGRA~1\COMMON~1\SYMANT~1\CCPROXY.EXE
O4 - HKLM\..\RunServices: [SndSrvc] C:\PROGRA~1\COMMON~1\SYMANT~1\SNDSRVC.EXE
O4 - HKLM\..\RunServices: [IPLU.EXE] C:\WINDOWS\SYSTEM\IPLU.EXE /s
O4 - HKLM\..\RunServices: [CRSZ32.EXE] C:\WINDOWS\SYSTEM\CRSZ32.EXE /s
O4 - HKLM\..\RunServices: [NTBH.EXE] C:\WINDOWS\NTBH.EXE /s
O4 - HKLM\..\RunServices: [NTQH32.EXE] C:\WINDOWS\SYSTEM\NTQH32.EXE /s
O4 - HKLM\..\RunServices: [MFCOU32.EXE] C:\WINDOWS\MFCOU32.EXE /s
O4 - HKLM\..\RunServices: [D3NO32.EXE] C:\WINDOWS\D3NO32.EXE /s
O4 - HKLM\..\RunServices: [JAVASL.EXE] C:\WINDOWS\JAVASL.EXE /s
O4 - HKLM\..\RunServices: [NETPM32.EXE] C:\WINDOWS\NETPM32.EXE /s
O4 - HKLM\..\RunServices: [ATLIN.EXE] C:\WINDOWS\ATLIN.EXE /s
O4 - HKLM\..\RunServices: [MFCPZ.EXE] C:\WINDOWS\SYSTEM\MFCPZ.EXE /s
O4 - HKLM\..\RunServices: [IEHK32.EXE] C:\WINDOWS\IEHK32.EXE /s
O4 - HKLM\..\RunServices: [NETJJ.EXE] C:\WINDOWS\NETJJ.EXE /s
O4 - HKLM\..\RunServices: [ATLNF.EXE] C:\WINDOWS\SYSTEM\ATLNF.EXE /s
O4 - HKLM\..\RunServices: [NTLN.EXE] C:\WINDOWS\SYSTEM\NTLN.EXE /s
O4 - HKLM\..\RunServices: [APPTZ.EXE] C:\WINDOWS\SYSTEM\APPTZ.EXE /s
O4 - HKLM\..\RunServices: [ATLVH.EXE] C:\WINDOWS\SYSTEM\ATLVH.EXE /s
O4 - HKLM\..\RunServices: [APIGT32.EXE] C:\WINDOWS\APIGT32.EXE /s
O4 - HKLM\..\RunServices: [APISW32.EXE] C:\WINDOWS\APISW32.EXE /s
O4 - HKLM\..\RunServices: [MFCOD32.EXE] C:\WINDOWS\SYSTEM\MFCOD32.EXE /s
O4 - HKLM\..\RunServices: [IERB.EXE] C:\WINDOWS\SYSTEM\IERB.EXE /s
O4 - HKLM\..\RunServices: [ADDVP.EXE] C:\WINDOWS\SYSTEM\ADDVP.EXE /s
O4 - HKLM\..\RunServices: [IPGI.EXE] C:\WINDOWS\IPGI.EXE /s
O4 - HKLM\..\RunServices: [CRWA.EXE] C:\WINDOWS\CRWA.EXE /s
O4 - HKLM\..\RunServices: [JAVARL32.EXE] C:\WINDOWS\JAVARL32.EXE /s
O4 - HKLM\..\RunServices: [IEHT.EXE] C:\WINDOWS\SYSTEM\IEHT.EXE /s
O4 - HKLM\..\RunServices: [APIBK.EXE] C:\WINDOWS\APIBK.EXE /s
O4 - HKLM\..\RunServices: [SYSNT.EXE] C:\WINDOWS\SYSTEM\SYSNT.EXE /s
O4 - HKLM\..\RunServices: [MSIV32.EXE] C:\WINDOWS\SYSTEM\MSIV32.EXE /s
O4 - HKLM\..\RunServices: [NETKD.EXE] C:\WINDOWS\NETKD.EXE /s
O4 - HKLM\..\RunServices: [D3ES.EXE] C:\WINDOWS\D3ES.EXE /s
O4 - HKLM\..\RunServices: [ATLHL.EXE] C:\WINDOWS\SYSTEM\ATLHL.EXE /s
O4 - HKLM\..\RunServices: [IPWH.EXE] C:\WINDOWS\SYSTEM\IPWH.EXE /s
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\PROGRAM FILES\YAHOO!\YPSR\PPCLEAN.EXE" "clean" "smartfinder" "2"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [OM_Monitor] C:\PROGRAM FILES\OLYMPUS\OLYMPUS MASTER\MONITOR.EXE -NoStart
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: Search Using Copernic - C:\Program Files\Copernic 2001 Basic\Search Extension.htm
O9 - Extra button: Translate - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2001 Basic\Translate.htm
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2001 Basic\Translate.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL
O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Basic\Copernic.exe
O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Basic\Copernic.exe
O9 - Extra 'Tools' menuitem: Launch Copernic 2001 - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Basic\Copernic.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion....ebio5_1_6_0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O19 - User stylesheet: (file missing)

Will not run any more Ad-Aware/Spybot until you instruct me to. - Over to you, Guru.
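A defender-side triage pass over the two logs above, added here as an example that is not part of the thread and not HijackThis' own code: it parses the R-, O2- and O4-lines and flags the pattern these logs show (IE search keys redirected to a res:// resource inside a local DLL, nameless BHOs, and Run/RunServices entries whose random-named binaries sit directly in the Windows directory). The sample lines are a constructed subset copied from the logs above; the name-shape regex is an assumption tuned to these logs, not a general-purpose rule.

```python
import re
from typing import List, Tuple

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\usfez.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Class - {D6D1D346-7057-F52B-A543-62788D0CC38F} - C:\WINDOWS\SYSTEM\NETTZ32.DLL
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [APPZO32.EXE] C:\WINDOWS\SYSTEM\APPZO32.EXE
O4 - HKLM\..\RunServices: [ccProxy] c:\PROGRA~1\COMMON~1\SYMANT~1\CCPROXY.EXE
O4 - HKLM\..\RunServices: [NTBH.EXE] C:\WINDOWS\NTBH.EXE /s
O4 - HKLM\..\RunServices: [ATLHL.EXE] C:\WINDOWS\SYSTEM\ATLHL.EXE /s
"""

# Assumption: name shape tuned to the binaries in these logs, a borrowed prefix
# (API, NET, MFC, ...) plus 2-4 random letters, optional "32", then .EXE or .DLL.
RANDOM_NAME = re.compile(
    r"^(ADD|API|APP|ATL|CR|D3|IE|IP|JAVA|MFC|MS|NET|NT|SDK|SYS|WIN)[A-Z]{2,4}(32)?\.(EXE|DLL)$",
    re.IGNORECASE)
# A file sitting directly in C:\WINDOWS or C:\WINDOWS\SYSTEM (Win9x layout, as in the logs).
WINDIR = re.compile(r"^C:\\WINDOWS\\(SYSTEM\\)?[^\\]+$", re.IGNORECASE)

R_RE = re.compile(r"^R[013] - (?P<key>[^=]+?) = (?P<value>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*): \[(?P<entry>[^\]]+)\] (?P<cmd>.+)$")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for every log line matching one of the indicators."""
    findings: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = R_RE.match(line)
        if m and m.group("value").lower().startswith("res://"):
            findings.append(("IE search/start page redirected to a resource inside a local DLL", line))
            continue
        m = O2_RE.match(line)
        if m:
            path = m.group("path")
            # A BHO with no class name at all, loaded from a random-named DLL in the Windows dir.
            if m.group("name").strip() == "Class" and WINDIR.match(path) and RANDOM_NAME.match(_basename(path)):
                findings.append(("anonymous BHO loading a random-named DLL from the Windows directory", line))
            continue
        m = O4_RE.match(line)
        if m:
            exe, _, _args = m.group("cmd").partition(" ")  # first token is the path; "/s" etc. follow
            base = _basename(exe)
            # Entry name identical to its own random-named binary, living directly in C:\WINDOWS[\SYSTEM].
            if m.group("entry").upper() == base.upper() and WINDIR.match(exe) and RANDOM_NAME.match(base):
                findings.append((f"{m.group('key')} entry named after its own random-named binary", line))
    return findings


def suspect_paths(log_text: str) -> List[str]:
    """Distinct file paths named in the findings, in log order, as a starting removal list."""
    seen: List[str] = []
    for _reason, line in triage(log_text):
        m = re.search(r'(?i)(C:\\[^\s"]+\.(?:EXE|DLL))', line)
        if m and m.group(1).upper() not in (s.upper() for s in seen):
            seen.append(m.group(1))
    return seen


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
    print("\nFiles to review:", *suspect_paths(SAMPLE_LOG), sep="\n    ")
```

Every hit still needs a human look before anything is fixed in HijackThis; the rules only surface candidates that share the shape seen in this thread.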

#4 groovicus


  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 11 July 2005 - 06:07 PM

PLEASE PRINT OUT THESE INSTRUCTIONS BEFORE PROCEEDING.
(Click on Print this topic in the upper RH corner.)

STEP 1:
Please make sure that you can view all hidden files. Instructions on how to do this can be found here.

STEP 2:
Please download Trend Micro CWShredder here.
Save it to its own folder named CWShredder and place it at the root of your C:\drive along with HijackThis.
Don't run it yet, we will use it later.

STEP 3:
Download AboutBuster from RubbeR DuckY here
Save it to its own folder named AboutBuster and place it at the root of your C:\drive along with HijackThis.
Double-click AboutBuster.exe and press Update to make sure you have the latest reference file version.
NOTE: You might want to view this AboutBuster tutorial here first before running the tool.
Don't run it yet, we will use it later.

STEP 4:
Download and install the latest version of Ad-Aware SE here
NOTE: If you are still using the older Ad-Aware 6, go to Add/Remove Programs in the Control Panel and uninstall it now before installing Ad-Aware SE.
Please configure the program by following these instructions here.
Before scanning click on "Check for updates now" to make sure you have the latest reference file.
Don't run it yet, we will use it later.

STEP 5:
Download the eScan Antivirus Toolkit here.
Save it to the desktop. This program is 10MB in size.
Don't run it yet, we will use it later.

STEP 6:
Download and install the Ewido Security Suite
NOTE: The Ewido Security Suite utility will not install on Windows 95, 98, ME, or NT. The minimum system requirements for Ewido Security Suite are: Windows 2000 or Windows XP.
1.) Download and install the Ewido Security Suite here
2.) Double-click on the new Ewido shortcut on the desktop to open the program.
3.) On the upper LH side column, click on the Update button.
(This will update the program with all the latest signature files.)
Don't run it yet, we will use it later.

STEP 7:
If you are using Windows 2000 or XP, you must first STOP and DISABLE the rogue service:
There are different Display Names to look for:
  • Workstation NetLogon Service
  • Remote Procedure Call (RPC) Helper
  • Remote Access Service
  • Network Security Service (NSS)
Go to Start => Run and type "Services.msc" (without quotes) then click Ok.
1.) Scroll down and find one of the bad services described above such as: Remote Procedure Call (RPC) Helper
2.) When you find it, double-click on it.
3.) In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled.
4.) Now hit Apply and then Ok and close any open windows.

STEP 8:
If you are using Windows 2000 or XP, copy the contents of the Quote Box below to Notepad. Name the file cwsresfix.reg. Change the Save as Type to All Files, and save this file on the desktop. Please DO NOT include the word QUOTE when saving the file.

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\O.#?´]

If you are using Windows 98, ME, copy the contents of the Quote Box below to Notepad. Name the file as cwsresfix.reg. Change the Save as Type to All Files, Save this file on the desktop. Please DO NOT include the word QUOTE when saving the file.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

STEP 9:
Please reboot into Safe Mode. For instructions click here
Get into Safe Mode using the F8 Key on your keyboard:
1.) Locate the F8 key on your keyboard and then reboot your PC. (Start, Shutdown, Restart)
2.) As soon as the monitor screen goes black, immediately start tapping the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
3.) Select the option for Safe Mode using the up down arrow keys.
4.) Then press Enter on your keyboard to boot into Safe Mode.
5.) Perform all the cleaning tasks here and when you are done, reboot PC back into normal mode (Windows).
STEP 10:
From Safe Mode, double-click on cwshredder.exe to open it, click the 'Fix->' button (not 'Scan Only') and you'll be prompted that CWShredder will shutdown any Internet Explorer and Windows Media Player windows, click OK to continue and let it run completely to delete anything it finds. After its scan, click Next, then Exit.

STEP 11:
From Safe Mode, browse to C:\AboutBuster and double click on aboutbuster.exe.
1.) Click Begin Removal and allow the program to run.
2.) After AboutBuster has finished click OK. It will now open a new page, click on the Protection tab and follow the instructions for protection on that page.
3.) Now click Exit and then click OK to the Logfile created dialog box.
STEP 12:
From Safe Mode, run the eScan Antivirus Toolkit. Please follow these instructions:
1.) Double-click on the mwav.exe file saved to the desktop. A WinZip Self-Extractor will appear.
2.) Click Unzip, by default it will extract all the program files to new folder called Kaspersky at the root of the C:\drive. (C:\Kaspersky).
3.) A dialog box stating "1xx file(s) unzipped successfully" will appear, click OK. After clicking ok, the eScan AntiVirus Toolkit Utility interface will appear.
4.) With the eScan interface on your desktop, make sure that the boxes under Scan Option, Memory, Registry, Startup Folders, System Folders, Services, are all checked.
5.) Check the Drive box, this will create another Drive box below it, check this second Drive box as well, now a large window across from the second Drive box appears. In this window use the drop-down arrow and choose the drive letter of your hard drive, usually C:\.
6.) Below these boxes, make sure the box Scan All Files is checked, not Program Files.
7.) Click the Scan Clean button and let the utility run until it completes a thorough scan of your hard drive. eScan will delete any viruses or trojans it finds.
8.) When the scan has finished, the top window will read Scan Completed. To close the interface, click OK, click Exit, then click Exit again.
STEP 13:
From Safe Mode, run the Ewido Security Suite.
NOTE: Windows 2000 and XP only.
1.) Double-click on the Ewido shortcut on the desktop to open the program.
2.) On the upper LH side column, click on Scanner.
3.) Click the Settings button, under What to scan? click Scan every file, click OK.
4.) Click the Complete System Scan button.
5.) Have the program delete everything it finds.
STEP 14:
From Safe Mode, run the Ad-Aware SE program you downloaded and configured earlier, make sure "Perform full system scan" is checked, let it scan the hard drive and delete all entries it finds. Run the program again a second time.

STEP 15:
From Safe Mode, double-click on the cwsresfix.reg you created earlier and when it prompts to merge say yes, and this will clear some registry entries left behind by the process. Now reboot the PC back into Normal Mode (Windows).

STEP 16:
Go to Start, Run, type in %temp% click OK.
Click Edit, Select All, click File, Delete, now click Yes to send items to Recycle Bin. Now empty Recycle Bin.

STEP 17:
This infection may delete the Windows shell.dll file and the control.exe file. Make sure you always perform a Windows search for these files after the cleanup. If you are using Windows 2000, or XP, go to Start, Search, For Files or Folders, and type in shell.dll.
For Windows 2000, it will be found here:
  • C:\WINNT\System32
  • C:\WINNT\System
For Windows XP, it will be found here:
  • C:\Windows\System32
  • C:\Windows\System
Now look for the control.exe file.
For Windows 2000 it will be found here:
  • C:\WINNT\System32
For Windows XP it will be found here:
  • C:\Windows\System32
If any of these files are missing in 2000 or XP, they can be replaced from the dllcache folder.
For Windows 2000, a replacement can be found here:
  • C:\WINNT\System32\dllcache
For Windows XP, a replacement can be found here:
  • C:\Windows\System32\dllcache
Now copy and paste the file(s) from the dllcache folder into the proper folder (shown above) according to your version of Windows.

The files shell.dll and control.exe can also be downloaded. They can be downloaded from here.
Once the file(s) are downloaded extract the file(s) and copy them into the proper folder (shown above) according to your version of Windows.
If you are using Windows 98, ME please download shell.dll or control.exe from here.
Once the file(s) are downloaded extract the file and copy it to the following locations:
Place control.exe here:
  • C:\Windows
Place shell.dll here:
  • C:\Windows\System
If you are still experiencing problems after completing the removal steps above, please post your HijackThis log in the Spyware/Malware Help forum for review.

#5 villavengore

  • Topic Starter
  • Members
  • 27 posts

Posted 12 July 2005 - 02:07 PM

Thanks for that - am away to try this out - wish me luck and see you on the other side

I hope............. :thumbsup:

#6 villavengore

  • Topic Starter
  • Members
  • 27 posts

Posted 12 July 2005 - 05:30 PM

Seems I still have problems. Will post new log in the spyware/malware section - thanks for trying

#7 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 12 July 2005 - 05:32 PM

You need to post your log here so that I can still see what is happening. That isn't going to fix everything, and if you had problems, then I need to know what they were so that I can help you. This is the only fix for the infection that you have.

#8 villavengore

  • Topic Starter
  • Members
  • 27 posts

Posted 12 July 2005 - 05:42 PM

Sorry misread your instruction (of where to post)

New Log

Logfile of HijackThis v1.99.1
Scan saved at 23:29:50, on 12/07/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\IPLU.EXE
C:\WINDOWS\SYSTEM\CRSZ32.EXE
C:\WINDOWS\NTBH.EXE
C:\WINDOWS\SYSTEM\NTQH32.EXE
C:\WINDOWS\MFCOU32.EXE
C:\WINDOWS\D3NO32.EXE
C:\WINDOWS\JAVASL.EXE
C:\WINDOWS\NETPM32.EXE
C:\WINDOWS\ATLIN.EXE
C:\WINDOWS\SYSTEM\MFCPZ.EXE
C:\WINDOWS\IEHK32.EXE
C:\WINDOWS\NETJJ.EXE
C:\WINDOWS\SYSTEM\ATLNF.EXE
C:\WINDOWS\SYSTEM\NTLN.EXE
C:\WINDOWS\SYSTEM\APPTZ.EXE
C:\WINDOWS\SYSTEM\ATLVH.EXE
C:\WINDOWS\APIGT32.EXE
C:\WINDOWS\APISW32.EXE
C:\WINDOWS\SYSTEM\MFCOD32.EXE
C:\WINDOWS\SYSTEM\IERB.EXE
C:\WINDOWS\SYSTEM\ADDVP.EXE
C:\WINDOWS\IPGI.EXE
C:\WINDOWS\CRWA.EXE
C:\WINDOWS\JAVARL32.EXE
C:\WINDOWS\SYSTEM\IEHT.EXE
C:\WINDOWS\APIBK.EXE
C:\WINDOWS\SYSTEM\SYSNT.EXE
C:\WINDOWS\SYSTEM\MSIV32.EXE
C:\WINDOWS\NETKD.EXE
C:\WINDOWS\D3ES.EXE
C:\WINDOWS\SYSTEM\ATLHL.EXE
C:\WINDOWS\SYSTEM\IPWH.EXE
C:\WINDOWS\SYSTEM\APIJU.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SISTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETROPA\SMART KEYBOARD\SMARTKBD.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NOKIA\NOKIA PC SUITE 5\DATALAYER.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLSTAT.EXE
C:\PROGRAM FILES\NETROPA\SMART KEYBOARD\MEDIACTR.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLAGENT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SAIMON.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-GB\MSNAPPAU.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\APPZO32.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\PROGRAM FILES\A2\A2GUARD.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\PROGRAM FILES\COMMON FILES\NOKIA\SERVICES\SERVICELAYER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\JAVARL32.EXE
C:\WINDOWS\SYSTEM\CRSZ32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\WINDOWS\SYSTEM\ATLHL.EXE
C:\WINDOWS\JAVAYM.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\lpray.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\lpray.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\lpray.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\lpray.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\lpray.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\lpray.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\lpray.dll/sp.html#37049
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.co.uk/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b5yvd6d1.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b5yvd6d1.slt\prefs.js)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Class - {C4322B27-0B19-D263-F955-4B1DF8B80E2E} - C:\WINDOWS\NTWB.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\EN-GB\MSNTB.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM\SISTRAY.EXE
O4 - HKLM\..\Run: [Smart Keyboard] C:\Program Files\Netropa\Smart Keyboard\Smartkbd.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [DataLayer] c:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE c:\windows\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE c:\windows\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SAIMON] C:\WINDOWS\SYSTEM\SaiMon.exe
O4 - HKLM\..\Run: [Gene USB Monitor] c:\windows\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
O4 - HKLM\..\Run: [APPZO32.EXE] C:\WINDOWS\SYSTEM\APPZO32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccProxy] c:\PROGRA~1\COMMON~1\SYMANT~1\CCPROXY.EXE
O4 - HKLM\..\RunServices: [SndSrvc] C:\PROGRA~1\COMMON~1\SYMANT~1\SNDSRVC.EXE
O4 - HKLM\..\RunServices: [IPLU.EXE] C:\WINDOWS\SYSTEM\IPLU.EXE /s
O4 - HKLM\..\RunServices: [CRSZ32.EXE] C:\WINDOWS\SYSTEM\CRSZ32.EXE /s
O4 - HKLM\..\RunServices: [NTBH.EXE] C:\WINDOWS\NTBH.EXE /s
O4 - HKLM\..\RunServices: [NTQH32.EXE] C:\WINDOWS\SYSTEM\NTQH32.EXE /s
O4 - HKLM\..\RunServices: [MFCOU32.EXE] C:\WINDOWS\MFCOU32.EXE /s
O4 - HKLM\..\RunServices: [D3NO32.EXE] C:\WINDOWS\D3NO32.EXE /s
O4 - HKLM\..\RunServices: [JAVASL.EXE] C:\WINDOWS\JAVASL.EXE /s
O4 - HKLM\..\RunServices: [NETPM32.EXE] C:\WINDOWS\NETPM32.EXE /s
O4 - HKLM\..\RunServices: [ATLIN.EXE] C:\WINDOWS\ATLIN.EXE /s
O4 - HKLM\..\RunServices: [MFCPZ.EXE] C:\WINDOWS\SYSTEM\MFCPZ.EXE /s
O4 - HKLM\..\RunServices: [IEHK32.EXE] C:\WINDOWS\IEHK32.EXE /s
O4 - HKLM\..\RunServices: [NETJJ.EXE] C:\WINDOWS\NETJJ.EXE /s
O4 - HKLM\..\RunServices: [ATLNF.EXE] C:\WINDOWS\SYSTEM\ATLNF.EXE /s
O4 - HKLM\..\RunServices: [NTLN.EXE] C:\WINDOWS\SYSTEM\NTLN.EXE /s
O4 - HKLM\..\RunServices: [APPTZ.EXE] C:\WINDOWS\SYSTEM\APPTZ.EXE /s
O4 - HKLM\..\RunServices: [ATLVH.EXE] C:\WINDOWS\SYSTEM\ATLVH.EXE /s
O4 - HKLM\..\RunServices: [APIGT32.EXE] C:\WINDOWS\APIGT32.EXE /s
O4 - HKLM\..\RunServices: [APISW32.EXE] C:\WINDOWS\APISW32.EXE /s
O4 - HKLM\..\RunServices: [MFCOD32.EXE] C:\WINDOWS\SYSTEM\MFCOD32.EXE /s
O4 - HKLM\..\RunServices: [IERB.EXE] C:\WINDOWS\SYSTEM\IERB.EXE /s
O4 - HKLM\..\RunServices: [ADDVP.EXE] C:\WINDOWS\SYSTEM\ADDVP.EXE /s
O4 - HKLM\..\RunServices: [IPGI.EXE] C:\WINDOWS\IPGI.EXE /s
O4 - HKLM\..\RunServices: [CRWA.EXE] C:\WINDOWS\CRWA.EXE /s
O4 - HKLM\..\RunServices: [JAVARL32.EXE] C:\WINDOWS\JAVARL32.EXE /s
O4 - HKLM\..\RunServices: [IEHT.EXE] C:\WINDOWS\SYSTEM\IEHT.EXE /s
O4 - HKLM\..\RunServices: [APIBK.EXE] C:\WINDOWS\APIBK.EXE /s
O4 - HKLM\..\RunServices: [SYSNT.EXE] C:\WINDOWS\SYSTEM\SYSNT.EXE /s
O4 - HKLM\..\RunServices: [MSIV32.EXE] C:\WINDOWS\SYSTEM\MSIV32.EXE /s
O4 - HKLM\..\RunServices: [NETKD.EXE] C:\WINDOWS\NETKD.EXE /s
O4 - HKLM\..\RunServices: [D3ES.EXE] C:\WINDOWS\D3ES.EXE /s
O4 - HKLM\..\RunServices: [ATLHL.EXE] C:\WINDOWS\SYSTEM\ATLHL.EXE /s
O4 - HKLM\..\RunServices: [IPWH.EXE] C:\WINDOWS\SYSTEM\IPWH.EXE /s
O4 - HKLM\..\RunServices: [APIJU.EXE] C:\WINDOWS\SYSTEM\APIJU.EXE /s
O4 - HKLM\..\RunServices: [JAVAYM.EXE] C:\WINDOWS\JAVAYM.EXE /s
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\PROGRAM FILES\YAHOO!\YPSR\PPCLEAN.EXE" "clean" "smartfinder" "2"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [OM_Monitor] C:\PROGRAM FILES\OLYMPUS\OLYMPUS MASTER\MONITOR.EXE -NoStart
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: Search Using Copernic - C:\Program Files\Copernic 2001 Basic\Search Extension.htm
O9 - Extra button: Translate - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2001 Basic\Translate.htm
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2001 Basic\Translate.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL
O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Basic\Copernic.exe
O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Basic\Copernic.exe
O9 - Extra 'Tools' menuitem: Launch Copernic 2001 - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Basic\Copernic.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion....ebio5_1_6_0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O19 - User stylesheet: (file missing)


**************

NOTES - About:Buster doesn't like running as my machine isn't NTFS

CWShredder found no sign of CoolWebSearch.
eScan found no viruses.
Ewido won't run on my system.
Ad-Aware found numerous parts of CoolWebSearch.
Step 16: two temp files won't delete, Jetf8ae.tmp and Wcescomm.log.

shell.dll didn't get deleted - control.exe has been.

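Reading two HijackThis logs like the ones above by hand, to see what a cleanup pass actually removed, is error-prone. The script below is an added example, not code from this thread or from HijackThis: it applies the same heuristics a helper uses on this family (an autorun whose key name is just the file name, the bare `/s` switch, an image dropped straight into C:\WINDOWS or C:\WINDOWS\SYSTEM, an IE search page served from a `res://` DLL resource, a BHO registered with no name) and diffs two logs. The log excerpts are constructed from the logs posted above; the heuristics and thresholds are my assumptions.

```python
"""Triage HijackThis logs for the about:blank / CoolWebSearch pattern in this
thread and diff two logs to show what a cleanup pass removed and what survived.

Added example, not part of the thread or of HijackThis.  The rules below are
assumptions drawn from the logs posted above, not HijackThis's own logic."""
import re

# Constructed excerpts of the 12 July and 13 July logs posted above.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\lpray.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: Class - {C4322B27-0B19-D263-F955-4B1DF8B80E2E} - C:\WINDOWS\NTWB.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
O4 - HKLM\..\Run: [APPZO32.EXE] C:\WINDOWS\SYSTEM\APPZO32.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [IPLU.EXE] C:\WINDOWS\SYSTEM\IPLU.EXE /s
O4 - HKLM\..\RunServices: [NTBH.EXE] C:\WINDOWS\NTBH.EXE /s
"""
LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: Class - {C4322B27-0B19-D263-F955-4B1DF8B80E2E} - C:\WINDOWS\NTWB.DLL
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [APPZO32.EXE] C:\WINDOWS\SYSTEM\APPZO32.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [IPLU.EXE] C:\WINDOWS\SYSTEM\IPLU.EXE /s
O4 - HKLM\..\RunServices: [NTBH.EXE] C:\WINDOWS\NTBH.EXE /s
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
R_RE = re.compile(r'^(?P<kind>R[0-3]) - (?P<key>.*?) = ?(?P<value>.*)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$')
# Image path ends at the first .exe/.com/.dll, quoted or not; the rest is arguments.
CMD_RE = re.compile(r'^"?(?P<image>.*?\.(?:exe|com|dll))"?\s*(?P<args>.*)$', re.IGNORECASE)
WINDIRS = {r"C:\WINDOWS", r"C:\WINDOWS\SYSTEM"}   # assumed Win9x layout


def split_image(cmd):
    m = CMD_RE.match(cmd.strip())
    return (m.group("image"), m.group("args").strip()) if m else (cmd.strip(), "")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def dirname_upper(path):
    path = path.replace("/", "\\").upper()
    return path.rsplit("\\", 1)[0] if "\\" in path else ""


def check_line(line):
    """Reasons this log line looks like part of the hijack ([] if it looks benign).
    O4 and O2 lines need two independent reasons so that ordinary autoruns in
    the Windows directory (taskmon.exe, systray) are not flagged on their own."""
    reasons = []
    m = O4_RE.match(line)
    if m:
        image, args = split_image(m.group("cmd"))
        if m.group("name").upper() == basename(image).upper():
            reasons.append("autorun name is just the file name")
        if args.lower() == "/s":
            reasons.append("started with the bare /s switch")
        if dirname_upper(image) in WINDIRS:
            reasons.append("image dropped directly into the Windows directory")
        return reasons if len(reasons) >= 2 else []
    m = R_RE.match(line)
    if m:
        value = m.group("value").lower()
        if value.startswith("res://") and ".dll/" in value:
            reasons.append("IE search/start page served from a local DLL resource")
        return reasons
    m = O2_RE.match(line)
    if m:
        if m.group("name").strip() == "Class":
            reasons.append("BHO registered without a name")
        if dirname_upper(m.group("path")) in WINDIRS:
            reasons.append("BHO DLL dropped directly into the Windows directory")
        return reasons if len(reasons) >= 2 else []
    return reasons


def triage(log_text):
    """Map each suspicious log line to the list of reasons it was flagged."""
    out = {}
    for line in log_text.strip().splitlines():
        reasons = check_line(line.strip())
        if reasons:
            out[line.strip()] = reasons
    return out


def diff_logs(before, after):
    """Flagged lines a cleanup pass removed, lines that survived it, lines new since."""
    b, a = triage(before), triage(after)
    return sorted(set(b) - set(a)), sorted(set(b) & set(a)), sorted(set(a) - set(b))


if __name__ == "__main__":
    removed, persistent, new = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("Removed by the cleanup:")
    for line in removed:
        print("  ", line)
    print("Still present after the cleanup (needs a different fix):")
    for line in persistent:
        print("  ", line, "->", "; ".join(triage(LOG_AFTER)[line]))
```

On these excerpts only the res:// search-page entry disappears between the two logs; the unnamed BHO and the /s autoruns survive, which is exactly what the second log above shows.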
#9 villavengore

  • Topic Starter
  • Members
  • 27 posts

Posted 12 July 2005 - 05:47 PM

Tis nearly midnight here - will be back same bat time, same bat channel tomorrow, so no rush :thumbsup:

Thanks again

#10 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 12 July 2005 - 05:52 PM

About:Buster will work just fine. It will tell you that you don't have an NTFS system, and then it will go right on and run anyway. It's not really an error message, but I can understand why you would think it was.

Hope you didn't think I was grumping at you. I definitely didn't mean to come across like that. :thumbsup:

#11 villavengore

  • Topic Starter
  • Members
  • 27 posts

Posted 13 July 2005 - 04:28 PM

Not taken as such.

Sorry, most likely me being stressed at not being able to fix the damn thing - lol - so what do I do next, please. oh Guru?

#12 villavengore

  • Topic Starter
  • Members
  • 27 posts

Posted 13 July 2005 - 05:53 PM

Updated

Logfile of HijackThis v1.99.1
Scan saved at 23:42:39, on 13/07/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\IPLU.EXE
C:\WINDOWS\SYSTEM\CRSZ32.EXE
C:\WINDOWS\NTBH.EXE
C:\WINDOWS\SYSTEM\NTQH32.EXE
C:\WINDOWS\MFCOU32.EXE
C:\WINDOWS\D3NO32.EXE
C:\WINDOWS\JAVASL.EXE
C:\WINDOWS\NETPM32.EXE
C:\WINDOWS\ATLIN.EXE
C:\WINDOWS\SYSTEM\MFCPZ.EXE
C:\WINDOWS\IEHK32.EXE
C:\WINDOWS\NETJJ.EXE
C:\WINDOWS\SYSTEM\ATLNF.EXE
C:\WINDOWS\SYSTEM\NTLN.EXE
C:\WINDOWS\SYSTEM\APPTZ.EXE
C:\WINDOWS\SYSTEM\ATLVH.EXE
C:\WINDOWS\APIGT32.EXE
C:\WINDOWS\APISW32.EXE
C:\WINDOWS\SYSTEM\MFCOD32.EXE
C:\WINDOWS\SYSTEM\IERB.EXE
C:\WINDOWS\SYSTEM\ADDVP.EXE
C:\WINDOWS\IPGI.EXE
C:\WINDOWS\CRWA.EXE
C:\WINDOWS\JAVARL32.EXE
C:\WINDOWS\SYSTEM\IEHT.EXE
C:\WINDOWS\APIBK.EXE
C:\WINDOWS\SYSTEM\SYSNT.EXE
C:\WINDOWS\SYSTEM\MSIV32.EXE
C:\WINDOWS\NETKD.EXE
C:\WINDOWS\D3ES.EXE
C:\WINDOWS\SYSTEM\ATLHL.EXE
C:\WINDOWS\SYSTEM\IPWH.EXE
C:\WINDOWS\SYSTEM\APIJU.EXE
C:\WINDOWS\JAVAYM.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SISTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETROPA\SMART KEYBOARD\SMARTKBD.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NOKIA\NOKIA PC SUITE 5\DATALAYER.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLSTAT.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLAGENT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\NETROPA\SMART KEYBOARD\MEDIACTR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SAIMON.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-GB\MSNAPPAU.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\APPZO32.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\PROGRAM FILES\A2\A2GUARD.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\PROGRAM FILES\COMMON FILES\NOKIA\SERVICES\SERVICELAYER.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\IPGI.EXE
C:\WINDOWS\NTBH.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.co.uk/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b5yvd6d1.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b5yvd6d1.slt\prefs.js)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Class - {C4322B27-0B19-D263-F955-4B1DF8B80E2E} - C:\WINDOWS\NTWB.DLL
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\EN-GB\MSNTB.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\EN-GB\MSNTB.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM\SISTRAY.EXE
O4 - HKLM\..\Run: [Smart Keyboard] C:\Program Files\Netropa\Smart Keyboard\Smartkbd.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [DataLayer] c:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE c:\windows\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE c:\windows\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SAIMON] C:\WINDOWS\SYSTEM\SaiMon.exe
O4 - HKLM\..\Run: [Gene USB Monitor] c:\windows\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [APPZO32.EXE] C:\WINDOWS\SYSTEM\APPZO32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccProxy] c:\PROGRA~1\COMMON~1\SYMANT~1\CCPROXY.EXE
O4 - HKLM\..\RunServices: [SndSrvc] C:\PROGRA~1\COMMON~1\SYMANT~1\SNDSRVC.EXE
O4 - HKLM\..\RunServices: [IPLU.EXE] C:\WINDOWS\SYSTEM\IPLU.EXE /s
O4 - HKLM\..\RunServices: [CRSZ32.EXE] C:\WINDOWS\SYSTEM\CRSZ32.EXE /s
O4 - HKLM\..\RunServices: [NTBH.EXE] C:\WINDOWS\NTBH.EXE /s
O4 - HKLM\..\RunServices: [NTQH32.EXE] C:\WINDOWS\SYSTEM\NTQH32.EXE /s
O4 - HKLM\..\RunServices: [MFCOU32.EXE] C:\WINDOWS\MFCOU32.EXE /s
O4 - HKLM\..\RunServices: [D3NO32.EXE] C:\WINDOWS\D3NO32.EXE /s
O4 - HKLM\..\RunServices: [JAVASL.EXE] C:\WINDOWS\JAVASL.EXE /s
O4 - HKLM\..\RunServices: [NETPM32.EXE] C:\WINDOWS\NETPM32.EXE /s
O4 - HKLM\..\RunServices: [ATLIN.EXE] C:\WINDOWS\ATLIN.EXE /s
O4 - HKLM\..\RunServices: [MFCPZ.EXE] C:\WINDOWS\SYSTEM\MFCPZ.EXE /s
O4 - HKLM\..\RunServices: [IEHK32.EXE] C:\WINDOWS\IEHK32.EXE /s
O4 - HKLM\..\RunServices: [NETJJ.EXE] C:\WINDOWS\NETJJ.EXE /s
O4 - HKLM\..\RunServices: [ATLNF.EXE] C:\WINDOWS\SYSTEM\ATLNF.EXE /s
O4 - HKLM\..\RunServices: [NTLN.EXE] C:\WINDOWS\SYSTEM\NTLN.EXE /s
O4 - HKLM\..\RunServices: [APPTZ.EXE] C:\WINDOWS\SYSTEM\APPTZ.EXE /s
O4 - HKLM\..\RunServices: [ATLVH.EXE] C:\WINDOWS\SYSTEM\ATLVH.EXE /s
O4 - HKLM\..\RunServices: [APIGT32.EXE] C:\WINDOWS\APIGT32.EXE /s
O4 - HKLM\..\RunServices: [APISW32.EXE] C:\WINDOWS\APISW32.EXE /s
O4 - HKLM\..\RunServices: [MFCOD32.EXE] C:\WINDOWS\SYSTEM\MFCOD32.EXE /s
O4 - HKLM\..\RunServices: [IERB.EXE] C:\WINDOWS\SYSTEM\IERB.EXE /s
O4 - HKLM\..\RunServices: [ADDVP.EXE] C:\WINDOWS\SYSTEM\ADDVP.EXE /s
O4 - HKLM\..\RunServices: [IPGI.EXE] C:\WINDOWS\IPGI.EXE /s
O4 - HKLM\..\RunServices: [CRWA.EXE] C:\WINDOWS\CRWA.EXE /s
O4 - HKLM\..\RunServices: [JAVARL32.EXE] C:\WINDOWS\JAVARL32.EXE /s
O4 - HKLM\..\RunServices: [IEHT.EXE] C:\WINDOWS\SYSTEM\IEHT.EXE /s
O4 - HKLM\..\RunServices: [APIBK.EXE] C:\WINDOWS\APIBK.EXE /s
O4 - HKLM\..\RunServices: [SYSNT.EXE] C:\WINDOWS\SYSTEM\SYSNT.EXE /s
O4 - HKLM\..\RunServices: [MSIV32.EXE] C:\WINDOWS\SYSTEM\MSIV32.EXE /s
O4 - HKLM\..\RunServices: [NETKD.EXE] C:\WINDOWS\NETKD.EXE /s
O4 - HKLM\..\RunServices: [D3ES.EXE] C:\WINDOWS\D3ES.EXE /s
O4 - HKLM\..\RunServices: [ATLHL.EXE] C:\WINDOWS\SYSTEM\ATLHL.EXE /s
O4 - HKLM\..\RunServices: [IPWH.EXE] C:\WINDOWS\SYSTEM\IPWH.EXE /s
O4 - HKLM\..\RunServices: [APIJU.EXE] C:\WINDOWS\SYSTEM\APIJU.EXE /s
O4 - HKLM\..\RunServices: [JAVAYM.EXE] C:\WINDOWS\JAVAYM.EXE /s
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\PROGRAM FILES\YAHOO!\YPSR\PPCLEAN.EXE" "clean" "smartfinder" "2"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [OM_Monitor] C:\PROGRAM FILES\OLYMPUS\OLYMPUS MASTER\MONITOR.EXE -NoStart
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: Search Using Copernic - C:\Program Files\Copernic 2001 Basic\Search Extension.htm
O9 - Extra button: Translate - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2001 Basic\Translate.htm
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2001 Basic\Translate.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL
O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Basic\Copernic.exe
O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Basic\Copernic.exe
O9 - Extra 'Tools' menuitem: Launch Copernic 2001 - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Basic\Copernic.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion....ebio5_1_6_0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O19 - User stylesheet: (file missing)

#13 groovicus (Security Colleague, 9,963 posts, Centerville, SD)

Posted 13 July 2005 - 06:59 PM

It's still there, but we are gaining ground. Let's try this in a bit different order. You are going to have to disable Norton. I'm thinking it may be preventing the fixes from working properly.

Boot into safe mode.

Put a checkmark next to the following entries in HijackThis. Make sure all other windows and browsers are closed before clicking on Fix Checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {C4322B27-0B19-D263-F955-4B1DF8B80E2E} - C:\WINDOWS\NTWB.DLL
O4 - HKLM\..\RunServices: [IPLU.EXE] C:\WINDOWS\SYSTEM\IPLU.EXE /s
O4 - HKLM\..\RunServices: [CRSZ32.EXE] C:\WINDOWS\SYSTEM\CRSZ32.EXE /s
O4 - HKLM\..\RunServices: [NTBH.EXE] C:\WINDOWS\NTBH.EXE /s
O4 - HKLM\..\RunServices: [NTQH32.EXE] C:\WINDOWS\SYSTEM\NTQH32.EXE /s
O4 - HKLM\..\RunServices: [MFCOU32.EXE] C:\WINDOWS\MFCOU32.EXE /s
O4 - HKLM\..\RunServices: [D3NO32.EXE] C:\WINDOWS\D3NO32.EXE /s
O4 - HKLM\..\RunServices: [JAVASL.EXE] C:\WINDOWS\JAVASL.EXE /s
O4 - HKLM\..\RunServices: [NETPM32.EXE] C:\WINDOWS\NETPM32.EXE /s
O4 - HKLM\..\RunServices: [ATLIN.EXE] C:\WINDOWS\ATLIN.EXE /s
O4 - HKLM\..\RunServices: [MFCPZ.EXE] C:\WINDOWS\SYSTEM\MFCPZ.EXE /s
O4 - HKLM\..\RunServices: [IEHK32.EXE] C:\WINDOWS\IEHK32.EXE /s
O4 - HKLM\..\RunServices: [NETJJ.EXE] C:\WINDOWS\NETJJ.EXE /s
O4 - HKLM\..\RunServices: [ATLNF.EXE] C:\WINDOWS\SYSTEM\ATLNF.EXE /s
O4 - HKLM\..\RunServices: [NTLN.EXE] C:\WINDOWS\SYSTEM\NTLN.EXE /s
O4 - HKLM\..\RunServices: [APPTZ.EXE] C:\WINDOWS\SYSTEM\APPTZ.EXE /s
O4 - HKLM\..\RunServices: [ATLVH.EXE] C:\WINDOWS\SYSTEM\ATLVH.EXE /s
O4 - HKLM\..\RunServices: [APIGT32.EXE] C:\WINDOWS\APIGT32.EXE /s
O4 - HKLM\..\RunServices: [APISW32.EXE] C:\WINDOWS\APISW32.EXE /s
O4 - HKLM\..\RunServices: [MFCOD32.EXE] C:\WINDOWS\SYSTEM\MFCOD32.EXE /s
O4 - HKLM\..\RunServices: [IERB.EXE] C:\WINDOWS\SYSTEM\IERB.EXE /s
O4 - HKLM\..\RunServices: [ADDVP.EXE] C:\WINDOWS\SYSTEM\ADDVP.EXE /s
O4 - HKLM\..\RunServices: [IPGI.EXE] C:\WINDOWS\IPGI.EXE /s
O4 - HKLM\..\RunServices: [CRWA.EXE] C:\WINDOWS\CRWA.EXE /s
O4 - HKLM\..\RunServices: [JAVARL32.EXE] C:\WINDOWS\JAVARL32.EXE /s
O4 - HKLM\..\RunServices: [IEHT.EXE] C:\WINDOWS\SYSTEM\IEHT.EXE /s
O4 - HKLM\..\RunServices: [APIBK.EXE] C:\WINDOWS\APIBK.EXE /s
O4 - HKLM\..\RunServices: [SYSNT.EXE] C:\WINDOWS\SYSTEM\SYSNT.EXE /s
O4 - HKLM\..\RunServices: [MSIV32.EXE] C:\WINDOWS\SYSTEM\MSIV32.EXE /s
O4 - HKLM\..\RunServices: [NETKD.EXE] C:\WINDOWS\NETKD.EXE /s
O4 - HKLM\..\RunServices: [D3ES.EXE] C:\WINDOWS\D3ES.EXE /s
O4 - HKLM\..\RunServices: [ATLHL.EXE] C:\WINDOWS\SYSTEM\ATLHL.EXE /s
O4 - HKLM\..\RunServices: [IPWH.EXE] C:\WINDOWS\SYSTEM\IPWH.EXE /s
O4 - HKLM\..\RunServices: [APIJU.EXE] C:\WINDOWS\SYSTEM\APIJU.EXE /s
O4 - HKLM\..\RunServices: [JAVAYM.EXE] C:\WINDOWS\JAVAYM.EXE /s
********************************************************

Run About:Buster.

This next step is very important. Please don't skip it.

Copy the contents of the Quote Box below to Notepad. Name the file cwsresfix.reg, change the Save as Type to All Files, and save this file on the desktop. Please DO NOT include the word QUOTE when saving the file.
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

Reboot and post a new log.
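The fix list above and the follow-up log later in the thread both turn on one observation: the dropped files share a naming scheme (a stem borrowed from a real system component such as API, ATL, MFC, NT or JAVA, two random letters, optional "32"), sit directly in C:\WINDOWS or C:\WINDOWS\SYSTEM, and are started from RunServices with a silent /s switch. The script below is an added example, not code from this thread or from the HijackThis project: it parses O2/O4 lines, flags entries matching that scheme, and diffs a "before" and "after" log so that survivors and newly dropped files stand out. The regex is an assumption derived from the names in this log, not a published signature, and the two embedded logs are constructed subsets of the ones posted in this thread.

```python
import re
from dataclasses import dataclass

# Naming scheme of the dropped files in this thread (IPLU.EXE, CRSZ32.EXE, NTWB.DLL, ...):
# a stem from a real system component, two random letters, optional "32".
# Assumption derived from this log, not a published signature.
RANDOM_NAME = re.compile(
    r"^(API|APP|ATL|ADD|CR|D3|IE|IP|JAVA|MFC|MS|NET|NT|SYS)[A-Z]{2}(32)?\.(EXE|DLL)$"
)

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<desc>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")


@dataclass(frozen=True)
class Entry:
    section: str  # "O2" (browser helper object) or "O4" (autostart)
    key: str      # run key for O4, CLSID for O2
    path: str     # path of the loaded binary
    args: str     # remaining command line, e.g. "/s"


def split_cmd(cmd: str) -> tuple[str, str]:
    """Separate the executable path from its arguments in an O4 command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, args follow the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.search(r"\.exe", cmd, re.IGNORECASE)  # unquoted: path ends at the first .exe
    if m:
        return cmd[:m.end()], cmd[m.end():].strip()
    return cmd, ""


def parse_hjt(log: str) -> list[Entry]:
    """Extract O2 and O4 entries from HijackThis log text; other sections are ignored."""
    entries = []
    for line in log.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            path, args = split_cmd(m["cmd"])
            entries.append(Entry("O4", m["key"], path, args))
        elif m := O2_RE.match(line):
            entries.append(Entry("O2", m["clsid"], m["path"].strip(), ""))
    return entries


def is_suspicious(e: Entry) -> bool:
    """True when the file name follows the random naming scheme."""
    return bool(RANDOM_NAME.match(e.path.rsplit("\\", 1)[-1].upper()))


def reasons(e: Entry) -> list[str]:
    """Corroborating signals; all three hold for the RunServices entries in this thread."""
    out = []
    if is_suspicious(e):
        out.append("system-component-style name with random suffix")
    if e.path.upper().startswith("C:\\WINDOWS\\"):
        out.append("dropped directly into the Windows directory")
    if e.args.lower() == "/s":
        out.append("started silently with /s")
    return out


def compare(before: str, after: str) -> dict[str, list[str]]:
    """Diff the flagged entries of two logs: what the fix removed, what survived, what is new."""
    b = {e for e in parse_hjt(before) if is_suspicious(e)}
    a = {e for e in parse_hjt(after) if is_suspicious(e)}
    return {
        "removed": sorted(e.path for e in b - a),
        "survived": sorted(e.path for e in b & a),
        "new": sorted(e.path for e in a - b),
    }


# Constructed subsets of the two logs in this thread (before and after the fix in #13).
BEFORE_LOG = r"""
O2 - BHO: Class - {C4322B27-0B19-D263-F955-4B1DF8B80E2E} - C:\WINDOWS\NTWB.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [APPZO32.EXE] C:\WINDOWS\SYSTEM\APPZO32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [IPLU.EXE] C:\WINDOWS\SYSTEM\IPLU.EXE /s
O4 - HKLM\..\RunServices: [CRSZ32.EXE] C:\WINDOWS\SYSTEM\CRSZ32.EXE /s
O4 - HKLM\..\RunServices: [JAVASL.EXE] C:\WINDOWS\JAVASL.EXE /s
"""

AFTER_LOG = r"""
O2 - BHO: Class - {61A3DA46-D907-EE5C-9D78-A0D50ABE2E3D} - C:\WINDOWS\SYSTEM\MSJP32.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [APPZO32.EXE] C:\WINDOWS\SYSTEM\APPZO32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [JAVASL.EXE] C:\WINDOWS\JAVASL.EXE /s
"""

if __name__ == "__main__":
    for e in parse_hjt(BEFORE_LOG):
        if is_suspicious(e):
            print(f"{e.section} {e.key:<22} {e.path:<34} {'; '.join(reasons(e))}")
    print(compare(BEFORE_LOG, AFTER_LOG))
```

Run against the two logs in this thread, the comparison shows NTWB.DLL and the RunServices entries gone, but C:\WINDOWS\JAVASL.EXE surviving in RunServices, the HKLM\..\Run entry C:\WINDOWS\SYSTEM\APPZO32.EXE (which was not on the #13 fix list) untouched, and a new BHO, C:\WINDOWS\SYSTEM\MSJP32.DLL, in place of the old one. A randomly named dropper that re-creates its BHO under a new name after a reboot is exactly why the helper asks for a fresh log after every round rather than trusting the first fix list.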

#14 villavengore (Topic Starter, Members, 27 posts)

Posted 14 July 2005 - 12:58 PM

Ok Boss - am away to try this out - thanks.

#15 villavengore (Topic Starter, Members, 27 posts)

Posted 14 July 2005 - 03:19 PM

"I'm back........"

Still getting something trying to dial out. Don't seem to have anywhere near as many programs running - result!

Here is the voting from HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 21:17:11, on 14/07/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SISTRAY.EXE
C:\PROGRAM FILES\NETROPA\SMART KEYBOARD\SMARTKBD.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NOKIA\NOKIA PC SUITE 5\DATALAYER.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLSTAT.EXE
C:\PROGRAM FILES\NETROPA\SMART KEYBOARD\MEDIACTR.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLAGENT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SAIMON.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-GB\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\APPZO32.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\PROGRAM FILES\A2\A2GUARD.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\JAVASL.EXE
C:\WINDOWS\JAVASL.EXE
C:\PROGRAM FILES\COMMON FILES\NOKIA\SERVICES\SERVICELAYER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\HJT\HIJACKTHIS.EXE

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.co.uk/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b5yvd6d1.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b5yvd6d1.slt\prefs.js)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\EN-GB\MSNTB.DLL
O2 - BHO: Class - {61A3DA46-D907-EE5C-9D78-A0D50ABE2E3D} - C:\WINDOWS\SYSTEM\MSJP32.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\EN-GB\MSNTB.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM\SISTRAY.EXE
O4 - HKLM\..\Run: [Smart Keyboard] C:\Program Files\Netropa\Smart Keyboard\Smartkbd.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [DataLayer] c:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE c:\windows\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE c:\windows\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SAIMON] C:\WINDOWS\SYSTEM\SaiMon.exe
O4 - HKLM\..\Run: [Gene USB Monitor] c:\windows\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [APPZO32.EXE] C:\WINDOWS\SYSTEM\APPZO32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccProxy] c:\PROGRA~1\COMMON~1\SYMANT~1\CCPROXY.EXE
O4 - HKLM\..\RunServices: [SndSrvc] C:\PROGRA~1\COMMON~1\SYMANT~1\SNDSRVC.EXE
O4 - HKLM\..\RunServices: [JAVASL.EXE] C:\WINDOWS\JAVASL.EXE /s
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [OM_Monitor] C:\PROGRAM FILES\OLYMPUS\OLYMPUS MASTER\MONITOR.EXE -NoStart
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: Search Using Copernic - C:\Program Files\Copernic 2001 Basic\Search Extension.htm
O9 - Extra button: Translate - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2001 Basic\Translate.htm
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2001 Basic\Translate.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL
O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Basic\Copernic.exe
O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Basic\Copernic.exe
O9 - Extra 'Tools' menuitem: Launch Copernic 2001 - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Basic\Copernic.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~5\INETREPL.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion....ebio5_1_6_0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab



Back to you Maestro