GENERALLY SCREWED UP



#76 DR04 (Member, Topic Starter, 57 posts)
Efwis,

No problem. I can wait.

By the way, my kids talk on-line with AIM and my daughter is a Xanga nut. Do I need to do something about that? I was talking to some buddies tonight and they were bemoaning those two specific sites/applications. Thank goodness I don't let them download music.

Just so I know, what about on-line games? Any bad sites there (I know, dumb question)?

Thanks,
DR04

#77 Dragon (All Around Computer Nut, Retired Staff, 2,678 posts)
OK, I've got a couple of steps for you. It's kind of new, so bear with me on this.

You will need to print out these directions. The KAV process has been modified for your machine.

First, please navigate to C:\WINDOWS\TEMP and delete everything in that folder. Do not delete the folder itself.

Next, do the following.

Download the Hoster from here:
http://www.funkytoad...load/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself

Note: You must get the KAV updates before scanning
Detailed instructions for updating are below.


Go here to download the free KAV Personal 5.0 Trial (good for 30 days)
http://www.kaspersky.com/index.html

OR HERE:
http://downloads1.ka..._personalen.exe
http://downloads2.ka..._personalen.exe
ftp://downloads1.kaspersky-labs.com/trial..._personalen.exe
ftp://downloads3.kaspersky-labs.com/trial..._personalen.exe

Click on *downloads* on the left menu

Then scroll down and click on *trial versions*

Then choose *Kaspersky Anti-Virus Personal 5.0*

You will then have a list of the trial downloads to choose from (choose a location closest to you)

Choose *save* and it should create and save to a KAV folder on your hard drive

Navigate to the KAV folder and doubleclick on kav5.0trial_personalen.exe to install it.

You will see this screen showing the default folder it will install into. Click on *next*
If KAV detects another AV running on your PC it will advise you to uninstall it.
You can do that or you can disable the existing AV program and then press *yes* to continue.
The way to disable resident protection differs for different anti-virus programs. You might try right clicking on the icon for your AV program in the Windows System tray (on the lower right hand part of the screen) and looking at the different options.
Alternatively, you may disable your AV from starting with Windows using msconfig (Start > Run and type msconfig and OK. Click on the Startup Tab, uncheck all the startups relating to your AntiVirus and reboot).
The important thing is to set your current AV *not* to scan as your files are accessed, so that KAV can do its job
Next you will see the Kaspersky Anti-Virus Personal 5.0 Setup Wizard. It will advise you to close all other applications before starting setup. Do that and then press *Next* to continue.

You will then be presented with the License Agreement. Read that and when done you can agree to continue.

Next is the Customer Information screen. Just fill that in as you prefer and click on *next* to continue

You will be presented with some important KAV notes. Copy these and save in Wordpad to refer back to if needed.

Please remove the green checkmark from the box that says *Operate according to Recommended settings*. This is so we can do a custom install.
Press *next* to continue after you have read those and unchecked the box for recommended settings.

On the next screen, please uncheck the box for *use real-time protection against network attacks*
This has been known to cause problems on PCs running certain firewalls, you can try enabling it later after the initial install and scan.
You may leave the *iStreams technology* box checked if you like (I did) but it is generally recommended not to checkmark that box if you are going to uninstall KAV again after the infection has been removed.

Now it will choose the Destination folder (mine was fine as pre-selected by KAV). Click *next* to continue

Now you will get the *finish* screen

KAV will now open. If you are running a firewall, allow KAV to connect to get the updates it needs. Wait while the updates are downloaded and installed
Now get the *extended database* of updates as well, to remove the AdWare that Virus.Win32.Bube may have downloaded. Look under *Settings*, and then *Configure Updater*. Choose Extended Database. Click *OK* and then Check for Updates, and you will get another smaller update which will install.

Now click on *Settings* and choose *Configure On-demand scan settings* and select *Perform recommended action* and click *OK*. You might prefer to set the scan level to maximum, just to be sure that nothing is hiding in an email database.
SCANNING
Close KAV and any open programs you have running.

It is recommended you run the scan in SAFE MODE.
  • Boot into safe mode.
  • Physically disconnect from the Internet.
  • Open KAV but do not start the scan yet.
  • Now, and this is very important:
  • Press Ctrl+Alt+Del to bring up Task Manager, highlight Explorer and click on Kill process.
  • The computer will want to reboot.
  • Press (and hold) Ctrl+Shift+Alt
  • and click No.
  • Explorer is now killed.
Now your desktop will go blank and you will have no taskbar or menu etc. You will still have Task Manager and KAV open on the desktop, so do not close them.
  • Now start a full system scan. Click on the Protection tab and choose *Scan My Computer*.
  • It will take some time, probably 2 or 3 hours, and will delete any infected files it finds.
  • KAV will disinfect all files detected as Virus.Win32.Bube and much of the related malware it has downloaded.
  • When it has finished, reboot into normal mode.
Additional cleanup may be needed. Please be sure to post in the forum if you have any questions.

IMPORTANT NOTE! This virus changes security settings in your trusted zone and in the Windows Security Center. Please be sure to check all of your security settings after disinfecting.


Download Ewido from http://www.ewido.net/en/download/
Update it.
Boot in safe mode.
Perform a full scan.
Click Yes when Ewido asks for deletion/removal.
Save the log,
and post that log with a new HijackThis log.
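The hosts restore step above replaces the whole file, and the note that custom entries must be re-added by hand is the reason to look at the file before restoring it. The following Python is an added example, not code from the thread or from Hoster: it parses a hosts file and separates the stock localhost line from custom LAN entries worth re-adding and from mappings that block or redirect a host. The embedded hosts file is constructed for illustration (the thread does not say DR04's hosts file was altered); mapping downloads1.kaspersky-labs.com to loopback is assumed here as the classic anti-AV hijack, printserver.home and www.example-bank.test are placeholder names, and the list of protected vendor suffixes is an assumption.

```python
# Audit a Windows hosts file before clicking "Restore Original Hosts".
# Added example, not code from the thread or from Hoster.
import ipaddress

# Constructed sample; the thread does not say DR04's hosts file was modified.
SAMPLE_HOSTS = r"""
# Copyright (c) 1998 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    printserver.home            # custom entry the user added
127.0.0.1       downloads1.kaspersky-labs.com
203.0.113.7     www.example-bank.test
"""

# The stock Windows 98 hosts file maps only this name.
DEFAULT_NAMES = {"localhost"}

# RFC 1918 ranges: a name pointed at one of these is almost always a
# deliberate LAN entry worth re-adding after the restore.
LAN_RANGES = tuple(ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

# Vendors whose download/update hosts malware likes to sink to loopback.
# Assumption for this example; extend with whatever your AV actually contacts.
PROTECTED_SUFFIXES = ("kaspersky-labs.com", "kaspersky.com")


def parse_hosts(text):
    """Return (ip, hostname) pairs, one per name, with comments stripped."""
    mappings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a mapping line
        for name in parts[1:]:
            mappings.append((ip, name.lower()))
    return mappings


def is_protected(name):
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Classify every mapping as default, keep, blocklist entry, or hijack."""
    report = []
    for ip, name in parse_hosts(text):
        if name in DEFAULT_NAMES and ip.is_loopback:
            verdict = "default"
        elif ip.is_loopback or ip.is_unspecified:
            # Sinking a name to 127.0.0.1 or 0.0.0.0 makes it unreachable. For an
            # AV vendor that is the classic anti-AV hijack; for anything else it
            # is more likely an ad-blocking hosts list the user installed.
            verdict = "hijack: blocked" if is_protected(name) else "blocklist entry"
        elif any(ip in net for net in LAN_RANGES):
            verdict = "keep: custom LAN entry"
        else:
            # A public address for a name the stock file never mentions means
            # the browser silently goes somewhere else for that site.
            verdict = "hijack: redirected to public address"
        report.append((name, str(ip), verdict))
    return report


def entries_to_restore(text):
    """Lines to put back by hand after the stock hosts file is restored."""
    return [f"{ip}\t{name}" for name, ip, v in audit_hosts(text) if v.startswith("keep")]


if __name__ == "__main__":
    for name, ip, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"{ip:<16} {name:<32} {verdict}")
    print("re-add after restore:", entries_to_restore(SAMPLE_HOSTS))
```

Run it against a copy of C:\WINDOWS\HOSTS taken before the restore; anything reported as "keep" goes back in by hand afterwards, and anything reported as a hijack is evidence worth keeping with the rest of the logs.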

#78 DR04 (Member, Topic Starter, 57 posts)
Efwis,

This will take some time to get to. Won't get home from work until late tonight and have to leave early tomorrow morning. Might not be able to get to this until tomorrow night.

FYI, the last time I was in SAFE MODE and pressed CTRL+ALT+DEL, the only 'process' that showed up in the "Close Programs" window was Rundll32. I can highlight it and select 'End Task', but last time my desktop did not disappear. Not sure that this is significant OR that this will happen when I get there, but wanted you to know ahead of time.

We're having fun now :tazz:

Thanks,
DR04

#79 Dragon (All Around Computer Nut, Retired Staff, 2,678 posts)
In safe mode, on a 98 system, Task Manager doesn't show all the processes running. While in safe mode, open HijackThis, then click on the Misc Tools button and kill explorer.exe via the Task Manager option in HijackThis. It will show there.

#80 DR04 (Member, Topic Starter, 57 posts)
Roger all. Will try to set this up tonight and run it in the morning (may be working from home tomorrow).

Have a good one :tazz:
DR04

#81 DR04 (Member, Topic Starter, 57 posts)
Efwis,

Did as you requested. When I attempted to delete all the files in C:\WINDOWS\TEMP, the file ~DF80F.tmp could not be deleted. The error msg said that access was denied and to ensure that the disk was not full or write-protected. Downloaded and ran Hoster. Downloaded, loaded, and configured KAV (removed NAV in the process). Rebooted in safe mode, opened HJT and killed explorer.exe. Ran KAV.

There were 190 objects found and deleted. There were also a bunch of objects (too many to list) that were found, but the "Results" said that they were "password protected, has not been processed". All seemed to have the below path beginning in common:

C:\WINDOWS\Application Data\Spybot – Search & Destroy\Recovery

Here’s a sample of the rest of the path and some filenames:

\DownloadWareSED51.zip\sbRecovery.reg
\DownloadWareSED51.zip\sbRecovery.ini
\eZulaHotText77.zip\sbRecovery.reg
\eZulaHotText77.zip\sbRecovery.ini
\Hitbox18.zip\sbRecovery.ini
\GAINGator2.zip\Gtools.dll
\GAINGator2.zip\CMESys.exe
\AvenueAInc1.zip\richard davidson@atdmt[2].txt

At least 30 to 40 more of things like this. Tried to create a copy of the report, but would not let me do that. Anyway, after running KAV, rebooted in normal mode. When my desktop came up, got an error window for RUNDLL. Said “Error loading C:\WINDOWS\SYSTEM\WINUP2DATE.DLL. The system cannot find the file specified.” Clicked OK. Once again, the C:\ folder popped up, so I closed it. However, I noticed that 2 files that KAV deleted, ZFicons.exe and InstallEx.exe were still there. Went to download and run ewido, but it said that it was developed for Windows 2000 and XP, so didn’t download or run. Let me know if I need to do that anyway.

OK, here’s the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 6:57:00 AM, on 4/27/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\NMSSVC.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL\KAVSVC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL\KAV.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\DOWNLOAD\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WINUP2DATE.DLL,SHStart
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [NMSSvc] C:\WINDOWS\SYSTEM\NMSSVC.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [kavsvc] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Brother SmartUI PopUp.lnk = C:\WINDOWS\SYSTEM\SYSAGENT.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

I see my old friend C:\WINDOWS\isrvs\mfiltis.dll is back in my registry (O18). So far, no internet pop-ups, but it’s early. Let me know what to do next.

DR04

#82 Dragon (All Around Computer Nut, Retired Staff, 2,678 posts)
Hi DR04,

Well, hopefully we got this thing fixed. First, to help us keep from losing this battle, I would like you to install a firewall program. One of the best is called Kerio; you can download the free edition of Kerio Personal at

http://www.kerio.com/kpf_download.html

It will be the full paid version for 30 days, then it goes to the free edition.

After that is done, please run HijackThis and fix the following. Make sure all windows and browsers, including this one, are closed, then click on Fix checked.

O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WINUP2DATE.DLL,SHStart
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll


After that, reboot to safe mode and, making sure hidden files and folders are shown, find and delete the following:

C:\WINDOWS\isrvs

Post a new log and let me know how things are going.
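What Dragon does above, reading DR04's HijackThis log for the isrvs entries and the WINUP2DATE.DLL loader and then checking the next log to confirm they are gone, can be done mechanically. The following Python is an added example, not code from the thread or from HijackThis. The two embedded logs are constructed excerpts of the logs DR04 posted before and after this fix list, trimmed to a few lines; the known-bad patterns are only the two paths Dragon named, and the rule that any O18 text/html filter deserves a look is the example's own addition.

```python
# Parse HijackThis 1.99 logs, flag known-bad entries, and diff two logs.
# Added example, not code from the thread or from HijackThis.
import re

# Constructed excerpt of the log DR04 posted before Dragon's fix list.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 6:57:00 AM, on 4/27/05
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\DOWNLOAD\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WINUP2DATE.DLL,SHStart
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
"""

# Constructed excerpt of the log DR04 posted after the fix.
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 7:28:04 PM, on 4/27/05
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4SS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\DOWNLOAD\HIJACKTHIS.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\RunServices: [KPF4] C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
"""

# An HJT entry line: section code (O4, O18, R1 ...), " - ", then the detail.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

# Known-bad indicators taken from the thread: the C:\WINDOWS\isrvs directory
# and the WINUP2DATE.DLL rundll32 loader that Dragon told DR04 to fix.
KNOWN_BAD = (
    re.compile(r"\\isrvs\\", re.I),
    re.compile(r"\bWINUP2DATE\.DLL\b", re.I),
)


def parse_hjt(text):
    """Return (processes, entries): the 'Running processes' paths and a
    list of (section, detail) tuples in log order."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries


def flag_entries(entries):
    """Return (section, detail, reason) for entries that deserve a look."""
    flagged = []
    for section, detail in entries:
        for pat in KNOWN_BAD:
            if pat.search(detail):
                flagged.append((section, detail, "known-bad path " + pat.pattern))
                break
        else:
            # An O18 MIME filter for text/html sits in the path of every page
            # the browser renders, so any such filter is worth verifying even
            # when its DLL is not on a known-bad list.
            if section == "O18" and detail.startswith("Filter:"):
                flagged.append((section, detail, "O18 MIME filter on browser content"))
    return flagged


def _key(entry):
    # HJT mixes case (8.3 names, upper-cased process lists): compare folded.
    return (entry[0], entry[1].lower())


def diff_logs(before_text, after_text):
    """Entries removed between the two logs, and entries that appeared."""
    _, before = parse_hjt(before_text)
    _, after = parse_hjt(after_text)
    before_keys = {_key(e) for e in before}
    after_keys = {_key(e) for e in after}
    removed = [e for e in before if _key(e) not in after_keys]
    added = [e for e in after if _key(e) not in before_keys]
    return removed, added


def cleanup_complete(before_text, after_text):
    """True when every flagged entry of the first log is absent from the second."""
    _, before = parse_hjt(before_text)
    _, after = parse_hjt(after_text)
    after_keys = {_key(e) for e in after}
    return all(_key((s, d)) not in after_keys for s, d, _ in flag_entries(before))


if __name__ == "__main__":
    _, before = parse_hjt(LOG_BEFORE)
    for section, detail, why in flag_entries(before):
        print(f"[{section}] {detail}\n    -> {why}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed:", *(f"{s} - {d}" for s, d in removed), sep="\n  ")
    print("added:", *(f"{s} - {d}" for s, d in added), sep="\n  ")
    print("cleanup complete:", cleanup_complete(LOG_BEFORE, LOG_AFTER))
```

The diff is as useful as the flag list: the "added" side shows what the cleanup itself introduced (here the Spybot BHO and the Kerio service), and an O4 entry that reappears after a reboot, as mfiltis.dll did for DR04, shows up as a known-bad entry that never left.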

#83 DR04 (Member, Topic Starter, 57 posts)
Efwis,

Unlike Congress, ran the equivalent of something short of the 'nuclear option' as you instructed. Also installed the KERIO firewall. Had some problems booting up while not connected (had to connect to the internet before I could boot up without problems), but don't see ANY of the issues I was having before. The only issue I have is that I don't know whether to PERMIT or DENY a URL when KERIO asks me what to do (I'm not stupid, but a bunch of numbers separated by periods really doesn't mean much to me). Should I DENY everything or just roll the dice and figure it out as I go along (another firewall program I used to use described the threat in a little more detail)?

I know this may be a bit out of your area of expertise and I definitely won't hold you responsible for anything you might say, but I am curious as to how I'm supposed to sort thru the wheat and the chaff.

Bottom line, thanks for your help. So far, so good. I'll give it a few days and let you know how things are going. Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:28:04 PM, on 4/27/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\NMSSVC.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4SS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4GUI.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\DOWNLOAD\HIJACKTHIS.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [NMSSvc] C:\WINDOWS\SYSTEM\NMSSVC.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KPF4] C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Brother SmartUI PopUp.lnk = C:\WINDOWS\SYSTEM\SYSAGENT.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

Let me know if I'm still screwed up :tazz: . Semper Fi,
DR04 (USMC, 83-04)

#84 Dragon (All Around Computer Nut, Retired Staff, 2,678 posts)
Well, as for the permissions, that's easy.

The only numbers to allow are the following:

127.0.0.1, which is your local host on the machine.
If a website you are visiting shows the numbers in the address bar of your Internet Explorer and you trust that site, then allow it. For any programs you start running that ask for permission, set a rule by checking the little check box and permit.

Now for the good news ;)

Congratulations! Your system is CLEAN :tazz:

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use) Click Here.

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

I also recommend downloading IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
https://netfiles.uiu...rce.htm#IESPYAD

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer; almost every exploit is crafted to take advantage of an IE weakness. We usually recommend Firefox.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .

Also see this for a little more information: So how did I get infected in the first place?


It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats.

Edited by Efwis, 27 April 2005 - 05:54 PM.


#85 Dragon (All Around Computer Nut, Retired Staff, 2,678 posts)
Just doing a follow-up before closing this topic. How is your system working? Any problems?

#86 DR04 (Member, Topic Starter, 57 posts)
Efwis,

Was going great guns for a couple of days, but am having problems now. My machine is slow to respond to commands. When I press CTRL-ALT-DEL, the "Close Programs" window usually shows 'Msgsrv32 (not responding)'. If I try to end the task, my machine usually locks up. Often during reboot, it will not reboot (I get the 'Msgsrv32 (not responding)' error when I press CTRL-ALT-DEL then, too). Got it running in SAFE MODE, but that doesn't help.

Here are my HJT and HJT start-up logs. Let me know what to do next:

Logfile of HijackThis v1.99.1
Scan saved at 7:15:59 PM, on 4/30/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\NMSSVC.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4SS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4GUI.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\DOWNLOAD\HIJACKTHIS.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [NMSSvc] C:\WINDOWS\SYSTEM\NMSSVC.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KPF4] C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Brother SmartUI PopUp.lnk = C:\WINDOWS\SYSTEM\SYSAGENT.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

StartupList report, 4/30/05, 7:17:04 PM
StartupList version: 1.52.2
Started from : C:\DOWNLOAD\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\NMSSVC.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4SS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4GUI.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\DOWNLOAD\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Brother SmartUI PopUp.lnk = C:\WINDOWS\SYSTEM\SYSAGENT.EXE

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
EnsoniqMixer = C:\WINDOWS\starter.exe
Adaptec DirectCD = C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
IndexSearch = C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
SetDefPrt = C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
MMTray = C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
CreateCD = C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

NMSSvc = C:\WINDOWS\SYSTEM\NMSSVC.EXE
Machine Debug Manager = C:\WINDOWS\SYSTEM\MDM.EXE
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
KB891711 = C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
KPF4 = C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[SetupcPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection SetupcPerUser 64 C:\WINDOWS\INF\setupc.inf

[AppletsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 C:\WINDOWS\INF\applets.inf

[FontsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 C:\WINDOWS\INF\fonts.inf

[{5A8D6EE0-3E18-11D0-821E-444553540000}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\icw.inf,PerUserStub,,36

[PerUser_ICW_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 C:\WINDOWS\INF\icw97.inf

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\SYSTEM\ie4uinit.inf,Shell.UserStub,,36

[>PerUser_MSN_Clean] *
StubPath = C:\WINDOWS\msnmgsr1.exe

[{CA0A4247-44BE-11d1-A005-00805F8ABE06}] *
StubPath = RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

[PerUser_Msinfo] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 C:\WINDOWS\INF\msinfo.inf

[PerUser_Msinfo2] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 C:\WINDOWS\INF\msinfo.inf

[MotownMmsysPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 C:\WINDOWS\INF\motown.inf

[MotownAvivideoPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 C:\WINDOWS\INF\motown.inf

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplay98.inf,PerUserStub

[MotownMPlayPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 C:\WINDOWS\INF\mplay98.inf

[PerUser_Base] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 C:\WINDOWS\INF\msmail.inf

[ShellPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 C:\WINDOWS\INF\shell.inf

[Shell2PerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 C:\WINDOWS\INF\shell2.inf

[PerUser_winbase_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 C:\WINDOWS\INF\subase.inf

[PerUser_winapps_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 C:\WINDOWS\INF\subase.inf

[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

[TapiPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 C:\WINDOWS\INF\tapi.inf

[{73fa19d0-2d75-11d2-995d-00c04f98bbc9}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\webfdr16.inf,PerUserStub.Install,1

[PerUserOldLinks] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 C:\WINDOWS\INF\appletpp.inf

[MmoptRegisterPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 C:\WINDOWS\INF\mmopt.inf

[OlsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsMsnPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 C:\WINDOWS\INF\ols.inf

[PerUser_Paint_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 C:\WINDOWS\INF\applets.inf

[PerUser_Calc_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 C:\WINDOWS\INF\applets.inf

[PerUser_CVT_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf

[MotownRecPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 C:\WINDOWS\INF\motown.inf

[PerUser_Vol] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 C:\WINDOWS\INF\motown.inf

[PerUser_MSWordPad_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 C:\WINDOWS\INF\wordpad.inf

[PerUser_RNA_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 C:\WINDOWS\INF\rna.inf

[PerUser_Dialer_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 C:\WINDOWS\INF\appletpp.inf

[PerUser_CDPlayer_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 C:\WINDOWS\INF\mmopt.inf

[{44BBA842-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.W95

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[OlsAolPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsAttPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsCompuservePerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsCompuservePerUser 64 C:\WINDOWS\INF\ols.inf

[OlsProdigyPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUser 64 C:\WINDOWS\INF\ols.inf

[NetservrPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection NetservrPerUser 64 C:\WINDOWS\INF\netservr.inf

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,PerUserStub

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserRemove

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\SYSTEM\Rundll32.exe C:\WINDOWS\SYSTEM\mscories.dll,Install

[PerUser_Wingames_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Inis 64 C:\WINDOWS\INF\appletpp.inf

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[PerUser_DCC_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_DCC_Inis 64 C:\WINDOWS\INF\rna.inf

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\3DTEXT~1.SCR
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.INI listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 29/4/2005, 6:48:54)

[rename]
C:\WINDOWS\SYSTEM\IoSubSys\SmartVSD.VxD=C:\WINDOWS\SYSTEM\SmartVSD.VxD

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

*File not found*

--------------------------------------------------

C:\CONFIG.SYS listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:


--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso4.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\SYSTEM\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Internet Explorer Classes for Java]
CODEBASE = file://C:\WINDOWS\SYSTEM\iejava.cab
OSD = C:\WINDOWS\Downloaded Program Files\Internet Explorer Classes for Java.osd

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macr...ash/swflash.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupd...B?37978.6034375

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macr...director/sw.cab

[iTunesDetector Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ITDETECTOR.OCX
CODEBASE = http://ax.phobos.app.../ITDetector.cab

[{32564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros...i386/wmv8ax.cab

[GDIChk Object]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\GDICHK.DLL
CODEBASE = http://www.microsoft...DI/0/GDIChk.CAB

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[{31564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros.../i386/wmvax.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\OPUC.DLL
CODEBASE = http://office.micros...ontent/opuc.cab

[PopCapLoader Object]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\POPCAPLOADER.DLL
CODEBASE = http://www.popcap.co...aploader_v6.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai...all/xscan53.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
CODEBASE = http://www.pandasoft.../as5/asinst.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\SYSTEM\rnr20.dll
Protocol #1: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #2: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #3: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #4: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #5: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #6: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #7: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #8: C:\WINDOWS\SYSTEM\rsvpsp.dll
Protocol #9: C:\WINDOWS\SYSTEM\rsvpsp.dll

--------------------------------------------------

Enumerating Win9x VxD services:

VNETSUP: vnetsup.vxd
NDIS: ndis.vxd,ndis2sup.vxd
JAVASUP: JAVASUP.VXD
CONFIGMG: *CONFIGMG
NTKern: *NTKERN
VWIN32: *VWIN32
VFBACKUP: *VFBACKUP
VCOMM: *VCOMM
COMBUFF: *COMBUFF
IFSMGR: *IFSMGR
IOS: *IOS
MTRR: *mtrr
SPOOLER: *SPOOLER
UDF: *UDF
VFAT: *VFAT
VCACHE: *VCACHE
VCOND: *VCOND
VCDFSD: *VCDFSD
VXDLDR: *VXDLDR
VDEF: *VDEF
VPICD: *VPICD
VTD: *VTD
REBOOT: *REBOOT
VDMAD: *VDMAD
VSD: *VSD
V86MMGR: *V86MMGR
PAGESWAP: *PAGESWAP
DOSMGR: *DOSMGR
VMPOLL: *VMPOLL
SHELL: *SHELL
PARITY: *PARITY
BIOSXLAT: *BIOSXLAT
VMCPD: *VMCPD
VTDAPI: *VTDAPI
PERF: *PERF
VRTWD: C:\WINDOWS\SYSTEM\vrtwd.386
VFIXD: C:\WINDOWS\SYSTEM\vfixd.vxd
VNETBIOS: vnetbios.vxd
VREDIR: vredir.vxd
DFS: dfs.vxd
NWLink: nwlink.vxd
VSERVER: vserver.vxd
ASPIENUM: ASPIENUM.VXD
fwdrv: fwdrv.vxd

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 23,238 bytes
Report generated in 0.331 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
  • 0

#87
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
Your logs are clean, so I did some research on your problem, and this is what I found at Microsoft.

http://support.micro...om/?kbid=169987


SYMPTOMS
When your computer is idle for a period of time and then stops responding (hangs), the Close Program dialog box may report that Msgsrv32 is not responding.

CAUSE
This behavior can occur when power management is enabled, and you have issues with programs not responding correctly to power management commands, for example, screen saver programs.

RESOLUTION
To work around this behavior, use the following steps:
1. Quit any running programs, and then test to determine if a specific program is causing this behavior. If you quit all running programs and the issue is resolved, one of the programs that was running is the cause of this behavior. If this does not resolve the issue, continue to step 2.

NOTE: This issue is often caused by screen saver programs.
2. Disable power management. To do so, click Start, point to Settings, click Control Panel, and then double-click Power.
3. In the Power Management box, click Off (or click the "Allow windows to manage power on this computer" check box to clear it).
4. Click OK.
5. Restart your computer.
If the behavior continues to occur, follow these additional steps:
1. In Control Panel, double-click System.
2. On the Device Manager tab, double-click the System Devices branch to expand it.
3. Double-click Advanced Power Management Support.
4. On the Settings tab, click the Enable Power Management Support check box to clear it, and then click OK.
5. Click OK.
6. Restart your computer when you are prompted to do so.


APPLIES TO
• Microsoft Windows 95 Service Pack 1

Let me know what happens and I will see what else I can find.

Edited by Efwis, 30 April 2005 - 05:30 PM.

  • 0

#88
DR04

DR04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 57 posts
Efwis,

Between soccer, yard work, and my son's English paper, I didn't get a chance to try doing what you said. However, I did go into Power Management from Control Panel and noticed that the pop-up window did not give me the options you described. I did not see a check box on either of the tabs in the window. When I went the other way (System - Devices), there was no 'Advanced Power Management Support' option. There was something called ACPI (can't remember what that stands for), so I didn't do anything with that, either. I'll try to get you what I see, but I'm going out this evening and not sure how much time I'll have before I depart (back late Thursday night). In other words, I won't be able to attempt any 'fixes' until Friday.

FYI, my PC works sometimes, but is VERY slow in reacting. My son told me that if he booted in SAFE MODE first, then rebooted in normal mode, it wouldn't lock up and give us the Msgsrv32 not responding error in the Close Programs window. I'm VERY close to reformatting just to be done with it. If I can get my CD drive working (getting a controller error and I don't know why), I'll back up my files and let 'er rip. I plan on upgrading to XP Home, too. Speaking of OSes, the instructions you provided said they were applicable to Win 95 SP1. I have Win98SE. Could that be why I'm seeing something different in the Power Management window?

By the way, I know I haven't changed my power management settings since I BOUGHT the PC a couple of years ago, so could this be related to all that junk we just cleared off?

I know that you are probably almost as frustrated by this development as I am :mad: , but I appreciate you sticking with me. I'll see what I can do about giving you some better intel on what I'm seeing. In the meantime, have fun.

DR04
  • 0

#89
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
From what you are describing: first, yes, those tabs could be missing because of you being on 98SE, although it would be odd to do reverse engineering on an upgraded system (i.e. going from 95 to 98).

Yes, there is a possibility that the malware we removed corrupted your files. If that's the case, then you could try doing a bit of a repair with the CD for Win98. All you would have to do is locate msgsrv32 on the CD and then extract it to your hard drive in C:\Windows\System32 using your WinZip program.
Let me know what happens after you do it.
  • 0

#90
DR04

DR04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 57 posts
Efwis,

Just tried to extract the file - no joy. Here's what I see when I double-click on 'Power Management' in Control Panel:

Window with two tabs: "Power Schemes" & "Advanced"

Under "Power Schemes", my only option is a drop down box titled 'Power Schemes'. When I open the box, my three options are, "Home/Office Desk", "Portable/Laptop", and "Always On". I changed it to the first one, but it was originally "Always On". After selecting a scheme, your only choices are to 'Save As..." or "Delete".

Under "Advanced", the only option is a check-box that says "Always show icon on the taskbar." It is unchecked.

When I expand the "System Devices" branch in "Device Manager" after double-clicking "System" in Control Panel, my options are (NOTE: this is in SAFE MODE; the options are different in normal mode, but I can't get into normal mode and don't remember the differences):

ACPI IRQ Holder for PCI IRQ Steering
ACPI IRQ Holder for PCI IRQ Steering
ACPI IRQ Holder for PCI IRQ Steering
ACPI IRQ Holder for PCI IRQ Steering
ACPI Power Button
ACPI System Button
ACPI BIOS
Composite Power Source
Direct memory access controller
IO read data port for ISA Plug and Play enumerator
Motherboard resources
Numeric data processor
Plug and Play Software Device Enumerator
Processor support
Programmable interrupt controller
SCI IRQ used by ACPI bus
System board
System board extension for ACPI BIOS
System CMOS/real time clock
System speaker
System timer
VIA Tech CPU to ACP Controller
VIA Tech Standard CPU to PCI Bridge
VIA Tech VT82C686 PCI to ISA bridge
VIA Tech VT82C686 Power Management Controller

Now, I can't even get into SAFE MODE by pressing F8 during boot up. I have to press and hold the CTRL key, then choose SAFE MODE.

HELP! :tazz:

DR04
  • 0
