Spaces Space


12 replies to this topic

#1 Guest_Cretemonster_*


Posted 19 November 2005 - 04:04 AM

Howdy Space and Welcome to our Bleeping Computer Help Forums!


Let's have a look at what's happening at Start Up.


Download HijackThis from here
http://www.bleepingcomputer.com/files/hijackthis.php

Grinlers HJT Tutorial
http://www.bleepingcomputer.com/tutorials/how-to-use-hijackthis/


Open HijackThis and click the "Open Misc Tools Section".

Once there, follow these instructions to generate a HijackThis StartUp list log:

Hijackthis StartUp Log:
Open HijackThis, select Config (bottom right) >>> select Misc Tools >>> select Generate StartUpList log, and make sure that both boxes beside it are checked:

Put a check by:
List all minor sections(Full)
and
List Empty Sections(Complete)

It will produce a Notepad page. I need you to post the entire contents of that page in the next post!



After that's completed, download WinPFind:
http://www.bleepingcomputer.com/files/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Reboot into SAFE MODE (tap F8 when restarting).
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

From the WinPFind folder, double-click WinPFind.exe and click "Start Scan".

It will scan the entire System, so please be patient!

Once you see "Scan Complete", a log (WinPFind.txt) will be automatically generated in the WinPFind folder.


In the next reply, post the WinPFind log.

In a separate reply, post the HijackThis Startup List log.



Lemme see what I can see



#2 SpaceFreely


Posted 19 November 2005 - 04:47 AM

StartupList report, 11/19/05, 4:36:27 AM
StartupList version: 1.52.2
Started from : C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\CALLWAVE\IAM.EXE
C:\PROGRAM FILES\CIA\CALLWAVEACCEL.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\PROGRAM FILES\PHONETOOLS\PHONTOOL.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
CallWave.lnk = C:\Program Files\CallWave\IAM.EXE
CallWave Accelerator.lnk = C:\Program Files\CIA\callwaveaccel.exe
EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
PowerReg SchedulerV2.exe
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Symantec Core LC = C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
EnsoniqMixer = starter.exe
POINTER = point32.exe
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
nwiz = nwiz.exe /installquiet
CriticalUpdate = C:\WINDOWS\SYSTEM\wucrtupd.exe -startup

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
ccEvtMgr = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
ccSetMgr = "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
NPFMonitor = C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
KB891711 = C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[SetupcPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection SetupcPerUser 64 C:\WINDOWS\INF\setupc.inf

[AppletsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 C:\WINDOWS\INF\applets.inf

[FontsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 C:\WINDOWS\INF\fonts.inf

[{5A8D6EE0-3E18-11D0-821E-444553540000}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\icw.inf,PerUserStub,,36

[PerUser_ICW_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 C:\WINDOWS\INF\icw97.inf

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\SYSTEM\ie4uinit.inf,Shell.UserStub,,36

[>PerUser_MSN_Clean] *
StubPath = C:\WINDOWS\msnmgsr1.exe

[{CA0A4247-44BE-11d1-A005-00805F8ABE06}] *
StubPath = RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

[PerUser_Msinfo] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 C:\WINDOWS\INF\msinfo.inf

[PerUser_Msinfo2] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 C:\WINDOWS\INF\msinfo.inf

[MotownMmsysPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 C:\WINDOWS\INF\motown.inf

[MotownAvivideoPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 C:\WINDOWS\INF\motown.inf

[MotownMPlayPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 C:\WINDOWS\INF\mplay98.inf

[PerUser_Base] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 C:\WINDOWS\INF\msmail.inf

[ShellPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 C:\WINDOWS\INF\shell.inf

[Shell2PerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 C:\WINDOWS\INF\shell2.inf

[PerUser_winbase_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 C:\WINDOWS\INF\subase.inf

[PerUser_winapps_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 C:\WINDOWS\INF\subase.inf

[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

[TapiPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 C:\WINDOWS\INF\tapi.inf

[{73fa19d0-2d75-11d2-995d-00c04f98bbc9}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\webfdr16.inf,PerUserStub.Install,1

[PerUserOldLinks] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 C:\WINDOWS\INF\appletpp.inf

[MmoptRegisterPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 C:\WINDOWS\INF\mmopt.inf

[OlsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsMsnPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 C:\WINDOWS\INF\ols.inf

[PerUser_Paint_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 C:\WINDOWS\INF\applets.inf

[PerUser_Calc_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 C:\WINDOWS\INF\applets.inf

[PerUser_dxxspace_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_dxxspace_Links 64 C:\WINDOWS\INF\applets1.inf

[PerUser_CVT_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf

[MotownRecPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 C:\WINDOWS\INF\motown.inf

[PerUser_Vol] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 C:\WINDOWS\INF\motown.inf

[PerUser_MSWordPad_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 C:\WINDOWS\INF\wordpad.inf

[PerUser_RNA_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 C:\WINDOWS\INF\rna.inf

[PerUser_Dialer_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 C:\WINDOWS\INF\appletpp.inf

[PerUser_CDPlayer_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 C:\WINDOWS\INF\mmopt.inf

[{44BBA842-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.W95

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[OlsAolPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsAttPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsCompuservePerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsCompuservePerUser 64 C:\WINDOWS\INF\ols.inf

[OlsProdigyPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUser 64 C:\WINDOWS\INF\ols.inf

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wpie5x86.inf,PerUserStub

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\SYSTEM\Rundll32.exe C:\WINDOWS\SYSTEM\mscories.dll,Install

[PerUser_Wingames_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Inis 64 C:\WINDOWS\INF\appletpp.inf

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.INI listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 18/11/2005, 20:0:52)


--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET BLASTER=A220 I7 D1 H7 P330 T6
SET SBPCI=C:\SBPCI

--------------------------------------------------

C:\CONFIG.SYS listing:

DEVICE=C:\WINDOWS\HIMEM.SYS
DEVICE=C:\WINDOWS\EMM386.EXE

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

C:\SBPCI\SBINIT
LH C:\PROGRA~1\MICROS~1\MOUSE\MOUSE.EXE

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL - {02478D38-C3F9-4EFB-9B51-7695ECA05670}
(no name) - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - C:\PROGRAM FILES\CIA\PBHELPER.DLL - {4115122B-85FF-4DD3-9515-F075BEDE5EB5}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
Symantec NetDetect.job
Norton AntiVirus - Scan my computer.job
Windows Critical Update Notification.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\SYSTEM\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Internet Explorer Classes for Java]
CODEBASE = file://C:\WINDOWS\SYSTEM\iejava.cab
OSD = C:\WINDOWS\Downloaded Program Files\Internet Explorer Classes for Java.osd

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH8.OCX
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

[CWDL_DownLoadControl Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\CWDL_DOWNLOAD.DLL
CODEBASE = http://www.callwave.com/include/cab/CWDL_DownLoad.CAB

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...8673.1463657407

[Java Plug-in 1.4.2_10]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll
CODEBASE = http://java.sun.com/products/plugin/autodl...indows-i586.cab

[Java Plug-in 1.4.2_10]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_10\bin\npjpi142_10.dll
CODEBASE = http://java.sun.com/products/plugin/autodl...indows-i586.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\SYSTEM\rnr20.dll
Protocol #1: C:\PROGRAM FILES\CIA\sliplsp.dll
Protocol #2: C:\PROGRAM FILES\CIA\sliplsp.dll
Protocol #3: C:\PROGRAM FILES\CIA\sliplsp.dll
Protocol #4: C:\PROGRAM FILES\CIA\sliplsp.dll
Protocol #5: C:\PROGRAM FILES\CIA\sliplsp.dll
Protocol #6: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #7: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #8: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #9: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #10: C:\WINDOWS\SYSTEM\rsvpsp.dll
Protocol #11: C:\WINDOWS\SYSTEM\rsvpsp.dll
Protocol #12: C:\PROGRAM FILES\CIA\sliplsp.dll

--------------------------------------------------

Enumerating Win9x VxD services:

VNETSUP: vnetsup.vxd
NDIS: ndis.vxd,ndis2sup.vxd
JAVASUP: JAVASUP.VXD
CONFIGMG: *CONFIGMG
NTKern: *NTKERN
VWIN32: *VWIN32
VFBACKUP: *VFBACKUP
VCOMM: *VCOMM
COMBUFF: *COMBUFF
IFSMGR: *IFSMGR
IOS: *IOS
MTRR: *mtrr
SPOOLER: *SPOOLER
UDF: *UDF
VFAT: *VFAT
VCACHE: *VCACHE
VCOND: *VCOND
VCDFSD: *VCDFSD
VXDLDR: *VXDLDR
VDEF: *VDEF
VPICD: *VPICD
VTD: *VTD
REBOOT: *REBOOT
VDMAD: *VDMAD
VSD: *VSD
V86MMGR: *V86MMGR
PAGESWAP: *PAGESWAP
DOSMGR: *DOSMGR
VMPOLL: *VMPOLL
SHELL: *SHELL
PARITY: *PARITY
BIOSXLAT: *BIOSXLAT
VMCPD: *VMCPD
VTDAPI: *VTDAPI
PERF: *PERF
VRTWD: C:\WINDOWS\SYSTEM\vrtwd.386
VFIXD: C:\WINDOWS\SYSTEM\vfixd.vxd
VNETBIOS: vnetbios.vxd
SYMTDI: SYMTDI.VXD
VREDIR: vredir.vxd
DFS: dfs.vxd

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 23,388 bytes
Report generated in 7.081 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
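The StartupList report above has a fixed, line-oriented layout: sections separated by dashed rules, each opened by a header line, registry sections giving the key and then `name = command` values, and the LSP section giving one DLL per line. As an added example, not part of this thread and not code from HijackThis or BleepingComputer, the Python below parses that layout and applies three of the checks a helper reads such a log for: autorun values that name a bare executable with no directory (resolved through the search path instead of a fixed location), whether the .EXE open command is still the stock `"%1" %*`, and Winsock LSP DLLs loaded from outside the Windows directory. The sample report is a constructed excerpt that reuses entries from the poster's log; the `baseline` set of stock names and the `system_root` prefix are assumptions chosen for the example.

```python
import re

# Constructed excerpt in the StartupList 1.52 layout, reusing entries from the
# log above. It is a sample for the parser, not the complete report.
SAMPLE_REPORT = r"""StartupList report, 11/19/05, 4:36:27 AM
==================================================

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
EnsoniqMixer = starter.exe
nwiz = nwiz.exe /installquiet

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\SYSTEM\rnr20.dll
Protocol #1: C:\PROGRAM FILES\CIA\sliplsp.dll
Protocol #6: C:\WINDOWS\SYSTEM\mswsosp.dll
"""

_RULE = re.compile(r"^[-=]{10,}$")   # the dashed / equals separator lines


def split_sections(report):
    """Split the report on its separator rules into (header, body) pairs.
    header = first non-blank line of a chunk without its trailing colon,
    body   = the remaining non-blank lines of that chunk."""
    chunks, current = [], []
    for line in report.splitlines():
        if _RULE.match(line.strip()):
            chunks.append(current)
            current = []
        else:
            current.append(line.rstrip())
    chunks.append(current)
    sections = []
    for chunk in chunks:
        lines = [l for l in chunk if l.strip()]
        if lines:
            sections.append((lines[0].rstrip(":"), lines[1:]))
    return sections


def autorun_entries(sections):
    """Yield (registry key, value name, command) for every listed Run value."""
    for header, body in sections:
        if header != "Autorun entries from Registry" or not body:
            continue
        key = body[0]                      # the line after the header is the key
        for line in body[1:]:
            if line.startswith("*"):       # "*No values found*" and similar
                continue
            name, sep, command = line.partition(" = ")
            if sep:
                yield key, name.strip(), command.strip()


def executable_of(command):
    """First token of an autorun command, honouring a quoted path."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0]


def unqualified_autoruns(sections, baseline=frozenset()):
    """Autorun values whose executable has no directory component. Names in
    `baseline` (lower-case, assumed stock entries) are left out of the result."""
    findings = []
    for key, name, command in autorun_entries(sections):
        exe = executable_of(command)
        if "\\" not in exe and exe.lower() not in baseline:
            findings.append((key, name, exe))
    return findings


def exe_association_ok(sections):
    """True when the .EXE open command is the stock '"%1" %*'; anything else
    would be run in front of every program the user launches."""
    for header, body in sections:
        if header == "File association entry for .EXE":
            for line in body:
                if line.startswith("(Default) = "):
                    return line.partition(" = ")[2] == '"%1" %*'
    return False


def lsp_outside(sections, system_root="C:\\WINDOWS\\"):
    """Winsock LSP / namespace DLLs loaded from outside the Windows directory.
    Every such DLL sits in the path of all network traffic, so list them."""
    found = []
    for header, body in sections:
        if header == "Enumerating Winsock LSP files":
            for line in body:
                path = line.partition(": ")[2]
                if path and not path.upper().startswith(system_root.upper()):
                    if path not in found:
                        found.append(path)
    return found


def triage(report, baseline=frozenset({"rundll32.exe"})):
    """Run the three checks over one report and return their results."""
    sections = split_sections(report)
    return {
        "unqualified_autoruns": unqualified_autoruns(sections, baseline),
        "exe_association_ok": exe_association_ok(sections),
        "lsp_outside_windows": lsp_outside(sections),
    }


if __name__ == "__main__":
    for check, result in triage(SAMPLE_REPORT).items():
        print(f"{check}: {result}")
```

On the excerpt this reports `starter.exe` and `nwiz.exe` as path-resolved autoruns (the Rundll32 entry is excluded by the baseline), confirms the .EXE association is stock, and lists `sliplsp.dll` under Program Files as the one LSP outside the Windows directory. None of those three findings is proof of anything bad, which is exactly the point: the script narrows a 23 KB log to the handful of lines worth checking against the helper's own knowledge of the poster's software.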

#3 Guest_Cretemonster_*


Posted 19 November 2005 - 09:29 AM

I don't see much there, go ahead and describe in detail exactly what happens at StartUp.

Use the Pause-Break key on the keyboard to pause the boot at anytime if you need to document file or folder names.

I need as much info as you can provide and also would like to see the WinPFind log as well.

#4 SpaceFreely


Posted 19 November 2005 - 10:57 AM

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Windows 98 Version: 4.10.2222
Internet Explorer Version: 6.0.2800.1106

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Items found in C:\WINDOWS\hosts


Checking %System% folder...

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
11/19/05 5:05:02 AM RH 6807584 C:\WINDOWS\SYSTEM.DAT
11/19/05 5:05:02 AM RH 471072 C:\WINDOWS\USER.DAT
11/16/05 9:35:46 PM RH 180256 C:\WINDOWS\HWINFO.DAT
11/16/05 9:34:54 PM H 13122 C:\WINDOWS\folder.htt
11/16/05 9:34:54 PM H 266 C:\WINDOWS\desktop.ini
11/19/05 5:02:08 AM H 917248 C:\WINDOWS\ShellIconCache
11/17/05 11:14:56 PM RH 720896 C:\WINDOWS\DefaultStore_59R.bin
11/17/05 11:14:56 PM RH 720896 C:\WINDOWS\UserMigratedStore_59R.bin
11/19/05 3:43:50 AM H 24604 C:\WINDOWS\ttfCache
11/16/05 9:34:54 PM H 13122 C:\WINDOWS\SYSTEM\folder.htt
11/16/05 9:34:54 PM H 266 C:\WINDOWS\SYSTEM\desktop.ini
11/16/05 10:19:36 PM RH 0 C:\WINDOWS\SYSTEM\sfp\MSCREATE.DIR
11/16/05 10:19:36 PM RH 0 C:\WINDOWS\SYSTEM\sfp\ie\MSCREATE.DIR
11/18/05 10:28:10 AM HS 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\desktop.ini
11/18/05 10:28:10 AM HS 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\MZAR85YF\desktop.ini
11/18/05 10:28:10 AM HS 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\8DQ7GPQ3\desktop.ini
11/18/05 10:28:10 AM HS 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\6BM7EL45\desktop.ini
11/18/05 10:28:10 AM HS 67 C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\H41ELXG1\desktop.ini
11/18/05 10:28:10 AM HS 113 C:\WINDOWS\TEMP\History\History.IE5\desktop.ini
11/17/05 11:56:00 PM H 9793 C:\WINDOWS\HELP\windows.GID
11/16/05 9:34:54 PM H 13122 C:\WINDOWS\SYSTEM32\folder.htt
11/16/05 9:34:54 PM H 266 C:\WINDOWS\SYSTEM32\desktop.ini
11/16/05 9:34:54 PM H 19600 C:\WINDOWS\WEB\WVLOGO.GIF
11/16/05 9:34:54 PM H 4204 C:\WINDOWS\WEB\CONTROLP.HTT
11/16/05 9:34:54 PM H 11530 C:\WINDOWS\WEB\FOLDER.HTT
11/16/05 9:34:54 PM H 4988 C:\WINDOWS\WEB\MYCOMP.HTT
11/16/05 9:34:54 PM H 5044 C:\WINDOWS\WEB\PRINTERS.HTT
11/16/05 9:34:56 PM H 855 C:\WINDOWS\WEB\webview.css
11/16/05 9:34:56 PM H 14258 C:\WINDOWS\WEB\default.htt
11/16/05 9:34:56 PM H 5403 C:\WINDOWS\WEB\nethood.htt
11/16/05 9:34:56 PM H 8088 C:\WINDOWS\WEB\recycle.htt
11/16/05 9:34:56 PM H 5495 C:\WINDOWS\WEB\schedule.htt
11/16/05 9:34:56 PM H 5521 C:\WINDOWS\WEB\dialup.htt
11/16/05 9:34:56 PM H 44686 C:\WINDOWS\WEB\wvleft.bmp
11/16/05 9:34:56 PM H 840 C:\WINDOWS\WEB\wvline.gif
11/16/05 9:34:56 PM H 10931 C:\WINDOWS\WEB\ftp.htt
11/19/05 3:45:36 AM HS 5796 C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Desktop.htt
11/17/05 11:14:22 PM HS 1536 C:\WINDOWS\All Users\DRM\drmv2.lic
11/17/05 11:14:22 PM HS 1536 C:\WINDOWS\All Users\DRM\drmv2.sst
11/16/05 9:34:46 PM H 65 C:\WINDOWS\Offline Web Pages\desktop.ini
11/16/05 9:34:46 PM H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini
11/16/05 9:34:54 PM H 156 C:\WINDOWS\Favorites\desktop.ini
11/16/05 10:23:04 PM HS 67 C:\WINDOWS\Temporary Internet Files\desktop.ini
11/16/05 9:35:50 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\desktop.ini
11/16/05 9:35:50 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\EBI1O3KP\desktop.ini
11/16/05 9:35:50 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\23EZS1UB\desktop.ini
11/16/05 9:35:50 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\CP6RC5QB\desktop.ini
11/16/05 9:35:50 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\M3YT4Z4J\desktop.ini
11/16/05 9:35:50 PM HS 113 C:\WINDOWS\History\desktop.ini
11/16/05 9:35:50 PM HS 113 C:\WINDOWS\History\History.IE5\desktop.ini
11/19/05 3:45:28 AM H 6 C:\WINDOWS\Tasks\SA.DAT
11/17/05 4:21:32 PM RHS 227 C:\WINDOWS\assembly\Desktop.ini

Checking for CPL files...
Microsoft Corporation 4/23/99 10:22:00 PM 221280 C:\WINDOWS\SYSTEM\DESK.CPL
Microsoft Corporation 8/29/02 292352 C:\WINDOWS\SYSTEM\INETCPL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 60928 C:\WINDOWS\SYSTEM\INTL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 420864 C:\WINDOWS\SYSTEM\MMSYS.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 93248 C:\WINDOWS\SYSTEM\MODEM.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 14448 C:\WINDOWS\SYSTEM\NETCPL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 7952 C:\WINDOWS\SYSTEM\ODBCCP32.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 47104 C:\WINDOWS\SYSTEM\PASSWORD.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 51984 C:\WINDOWS\SYSTEM\POWERCFG.CPL
Microsoft Corporation 2/10/99 11:48:48 AM 40960 C:\WINDOWS\SYSTEM\FINDFAST.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 66048 C:\WINDOWS\SYSTEM\ACCESS.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 72192 C:\WINDOWS\SYSTEM\APPWIZ.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 103424 C:\WINDOWS\SYSTEM\MAIN.CPL
4/23/99 10:22:00 PM 70656 C:\WINDOWS\SYSTEM\STICPL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 387072 C:\WINDOWS\SYSTEM\SYSDM.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 14848 C:\WINDOWS\SYSTEM\TELEPHON.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 37376 C:\WINDOWS\SYSTEM\TIMEDATE.CPL
Microsoft Corporation 10/30/01 8:10:00 AM 442368 C:\WINDOWS\SYSTEM\JOY.CPL
NVIDIA Corporation 5/3/02 10:06:00 AM 106496 C:\WINDOWS\SYSTEM\nvtuicpl.cpl
Sun Microsystems 10/10/05 4:29:28 PM 61555 C:\WINDOWS\SYSTEM\jpicpl32.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
11/17/05 6:22:32 AM 402 C:\WINDOWS\Start Menu\Programs\StartUp\CallWave Accelerator.lnk
11/17/05 6:16:10 AM 388 C:\WINDOWS\Start Menu\Programs\StartUp\CallWave.lnk
11/17/05 11:50:14 PM 309 C:\WINDOWS\Start Menu\Programs\StartUp\EPSON Status Monitor 3 Environment Check.lnk
11/17/05 5:30:18 AM 544 C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
11/17/05 11:50:54 PM 256000 C:\WINDOWS\Start Menu\Programs\StartUp\PowerReg SchedulerV2.exe
11/18/05 8:54:38 AM 404 C:\WINDOWS\Start Menu\Programs\StartUp\WinZip Quick Pick.lnk

Checking files in %USERPROFILE%\Application Data folder...
11/19/05 2:35:32 AM 170 C:\WINDOWS\Application Data\dw.log
11/19/05 5:02:34 AM 73 C:\WINDOWS\Application Data\ieproxy.bak
11/19/05 5:02:02 AM 4194441 C:\WINDOWS\Application Data\sdi.db

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Yahoo! Toolbar Helper = C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4115122B-85FF-4DD3-9515-F075BEDE5EB5}
PBlockHelper Class = C:\PROGRAM FILES\CIA\PBHELPER.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = C:\WINDOWS\SYSTEM\SHDOCVW.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\SYSTEM\MSDXM.OCX
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
ButtonText = @shdoclc.dll,-866 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\WINDOWS\SYSTEM\MSJAVA.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = C:\WINDOWS\SYSTEM\BROWSEUI.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ScanRegistry C:\WINDOWS\scanregw.exe /autorun
TaskMonitor C:\WINDOWS\taskmon.exe
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Symantec Core LC C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
EnsoniqMixer starter.exe
POINTER point32.exe
NvCplDaemon RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
nwiz nwiz.exe /installquiet
CriticalUpdate C:\WINDOWS\SYSTEM\wucrtupd.exe -startup

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
MSFS Installed = 1
MAPI Installed = 1
IMAIL Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent mstask.exe
ccEvtMgr "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
ccSetMgr "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
NPFMonitor C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
ScriptBlocking "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
KB891711 C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices-]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce-]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun
CDRAutoRun
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\SYSTEM\WEBCHECK.DLL


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 11/19/05 5:10:03 AM

#5 SpaceFreely

SpaceFreely

  • Members
  • 6 posts
  • OFFLINE

Posted 19 November 2005 - 11:43 AM

At start up I see the Gateway logo and at the bottom it says to display system message press <tab> key. Then I see the Microsoft Windows 98 logo, then I see the DOS prompt and it says c:\> set blaster=a220 17 d1 h7 p330 t6 c:\>set sbpci=c:\sbpci. Then the desktop appears, then the taskbar appears, then the icons appear, then the programs start loading in the taskbar (that's the word I think I was looking for last night) at the bottom right corner, and as this is happening the C:\Program Files\Common folder opens and Norton is the last program to load.

#6 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 20 November 2005 - 05:11 AM

I'm waiting on an extra set of eyes that is more Windows 98 inclined than myself.


Make sure Windows is Showing Hidden Files
http://www.bleepingcomputer.com/tutorials/...al62.html#win98

Look in the C:\Program Files\Common Files folder and tell what all you see inside there?

#7 SpaceFreely

SpaceFreely

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:52 PM

Posted 20 November 2005 - 09:59 AM

I see nothing in there.

#8 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 20 November 2005 - 10:50 AM

Now this is interesting.

Something from Symantec should be in that folder:

C:\Program Files\Common Files\Symantec Shared\ccApp.exe


Maybe the Installation of Norton went crappy or just got corrupted somehow?

You can try Uninstalling and Reinstalling the Symantec Product.

Not sure exactly what you have, but Symantec's Help site is very useful in these cases.

#9 SpaceFreely

SpaceFreely

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:52 PM

Posted 20 November 2005 - 11:31 AM

the folder is not C:\Program Files\Common Files\Symantec Shared or C:\Program Files\Common Files for that matter. It is C:\Program Files\Common not "Common Files"

#10 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 20 November 2005 - 12:09 PM

Sorry I misunderstood you.

I've not heard of a folder called Common in the Program Files folder, that's what threw me.

And you stated nothing was in the folder either, correct?

Let's see if Billsway Reg Search will run on your machine.

Go here
http://www.billsway.com/vbspage/

Scroll down the page
and download the "Registry Search Tool"

Unzip RegSrch.zip to the desktop

Double click on RegSrch.vbs

If you get a warning from your Anti Virus please ignore it and allow this to run.

When it starts, you will be prompted to enter a search phrase.

Enter C:\Program Files\Common and see what, if any, returns you get.

#11 SpaceFreely

SpaceFreely

  • Members
  • 6 posts
  • OFFLINE

Posted 20 November 2005 - 12:58 PM

No instances of C:\Program Files\Common found

#12 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 20 November 2005 - 01:38 PM

I'm at a loss now; all I can think of is the Symantec issue that has been known to be associated with this.

#13 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:08:52 PM

Posted 23 November 2005 - 08:47 AM

Hi SpaceFreely. I believe that this is the culprit line:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Symantec Core LC C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start

I think it is being read incorrectly and should be enclosed in quotes to be read properly. Let's update it and see what happens.

Launch Notepad, and copy/paste the text in the quotebox below into the new document. Save it to your desktop as regfix.reg :

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec Core LC"=-
"Symantec Core LC"="\"C:\\Program Files\\Common Files\\Symantec Shared\\CCPD-LC\\symlcsvc.exe\" start"


Locate regfix.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer Yes and wait for a message to appear similar to Merged Successfully.

Restart your computer and see if the rogue folder opens up now.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

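The reasoning behind OldTimer's fix, worked through as an added example (this is not code from the thread, from WinPFind or from Symantec): an unquoted Run value whose path contains spaces is ambiguous, because the launcher has to guess where the program name ends and its arguments begin, and each space is a possible split point. The script below takes Run-key (name, data) pairs, flags entries whose executable path is unquoted and contains a space, lists the prefixes a space-tolerant launcher could try in turn (the second of which is exactly the `C:\Program Files\Common` path the thread is chasing), and emits the REGEDIT4 delete-and-re-add lines with the same backslash and quote escaping OldTimer's regfix.reg uses. The sample entries are constructed to mirror the Run section of the log above, and the list of program extensions is an assumption rather than Windows' exact rule.

```python
"""Audit Run-key entries for unquoted executable paths that contain spaces.

Added example, not part of the thread or of WinPFind. SAMPLE_RUN_VALUES is
constructed to mimic the Run section of the log on this page; the extension
list in _EXE_RE is an assumption, not Windows' exact resolution rule.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample: (value name, value data) pairs as read from the Run key.
# The third entry reproduces the unquoted-path problem discussed in the thread.
SAMPLE_RUN_VALUES = [
    ("ScanRegistry", r"C:\WINDOWS\scanregw.exe /autorun"),
    ("LoadPowerProfile", r"Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"),
    ("Symantec Core LC", r"C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start"),
    ("ccApp", r'"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"'),
    ("nwiz", r"nwiz.exe /installquiet"),
]

# Assumed set of program extensions: the executable part of an unquoted
# command is taken up to the first such extension followed by whitespace.
_EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|pif|scr))(?=\s|$)", re.IGNORECASE)


def executable_part(command):
    """Return the executable portion of a Run value, or None if unrecognised."""
    command = command.strip()
    if command.startswith('"'):
        # Quoted: unambiguous, the program is the whole quoted string.
        end = command.find('"', 1)
        return command[1:end] if end > 0 else None
    m = _EXE_RE.match(command)
    return m.group(1) if m else None


def needs_quoting(command):
    """True when the executable path is unquoted and contains a space."""
    command = command.strip()
    exe = executable_part(command)
    return exe is not None and not command.startswith('"') and " " in exe


def split_candidates(command):
    """Prefixes a space-tolerant launcher could try, in order, for an unquoted command.

    Each candidate is the text up to one of the spaces inside the executable
    path; the final candidate is the intended program. Quoted commands yield [].
    """
    command = command.strip()
    exe = executable_part(command)
    if exe is None or command.startswith('"'):
        return []
    candidates = []
    idx = exe.find(" ")
    while idx != -1:
        candidates.append(exe[:idx])
        idx = exe.find(" ", idx + 1)
    candidates.append(exe)
    return candidates


def quoted_command(command):
    """Rewrite an unquoted command with the executable path in double quotes."""
    command = command.strip()
    exe = executable_part(command)
    if exe is None or command.startswith('"'):
        return command
    return '"%s"%s' % (exe, command[len(exe):])


def reg_escape(value):
    """Escape a string for a REGEDIT4 .reg file: double backslashes, escape quotes."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def reg_fix_lines(name, command, key=RUN_KEY):
    """Produce the .reg lines that delete the value and re-add it quoted."""
    return [
        "REGEDIT4",
        "",
        "[%s]" % key,
        '"%s"=-' % name,
        '"%s"="%s"' % (name, reg_escape(quoted_command(command))),
    ]


def audit(values):
    """Return the names of entries whose executable path needs quoting."""
    return [name for name, command in values if needs_quoting(command)]


if __name__ == "__main__":
    commands = dict(SAMPLE_RUN_VALUES)
    for name in audit(SAMPLE_RUN_VALUES):
        print("Unquoted path with spaces:", name)
        for candidate in split_candidates(commands[name]):
            print("   could be tried as:", candidate)
        print("\n".join(reg_fix_lines(name, commands[name])))
```

Run it as-is and only the Symantec Core LC entry is reported; the generated last line is byte-for-byte the `"Symantec Core LC"=` line in OldTimer's regfix.reg, which is a useful way to double-check hand-written .reg escaping before merging it. The same check applies to any autostart location that stores a command line (RunServices, Services, scheduled tasks): a path that contains spaces should always be quoted.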



