
About blank...? [RESOLVED]


  • This topic is locked

#16
billywhizz

billywhizz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 70 posts
The file downloads as a self executing zip file. Each time I open it (even from desktop) it goes straight to the temp folder and doesn't give any time to change - it just goes right ahead. I've changed the file extension to .zip, and extracted it via winzip onto the desktop and it just dumps 70 or so files again. There are some DOS .exe files but none of them runs the program. Same in safe mode.
  • 0


#17
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, try this program instead:

Let's use a program to scan for any trojans that may exist. Download TDS-3 http://tds.diamondcs...p?page=download. Learn how to use it at http://tds.diamondcs...?page=easytouse. Make sure to update it after you have installed it. You can get the manual updates at http://tds.diamondcs...php?page=update. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to 'System Testing' on the menu and choose 'Full System Scan'. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, they will be listed in the bottom window. Please copy and paste that here also if it applies. If you have problems copying the text, look (or search) for a file named scandump.txt and see if that has the alarms - post that here.
  • 0

#18
billywhizz

billywhizz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 70 posts
That worked! Nothing found by Fixagent. AB and TDS logfile following. My AV program
found trojan startpage in the restore folder while TDS was running, but no mention in TDS.
Prompted to restart but let TDS carry on running.


Scanned at: 19:10:54 on: 13/05/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!


20:00:56 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
20:00:56 [Init] Started 17-05-05 20:00:56 GMT Standard Time (UTC: 0), Internet Time @833.98
20:00:56 [Init] Loading TDS-3 Systems ...
20:00:56 [Init] Token successfully adjusted.
20:00:56 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
20:00:57 [Init] • Plugins : OK. Loaded 13
20:00:57 [Init] • Exec Protection : Not Installed
20:00:57 [Init] WARNING: Your Radius.TD3 database needs to be updated!
20:00:57 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
20:00:57 [Init] Licensed users can use the Update facility from the TDS menu
20:00:57 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
20:01:04 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
20:01:04 [Init] • Systems Initialised [39471 references - 16560 primaries/10873 traces/12038 variants/other]
20:01:04 [Init] Radius Systems loaded. <Databases updated 14-10-2004>
20:01:09 [Init] TDS-3 Ready. <Default@0.0.0.0, 127.0.0.1 - uk>
20:01:09 [Tip Of The Day] Did you know? - TDS-1 was one of the very first anti-trojan systems ever built, and as such it has the most complete detection database. Because we've been here since the beginning, we've pioneered detection methods that are exclusive to TDS-3 and the Radius Advanced Scanning System.
20:01:09 [TDS] Good evening Default.
20:01:21 [Mutex Memory Scan] Started...
20:01:23 [Mutex Memory Scan] Finished (no trojan mutexes found).
20:01:23 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
20:01:42 [CRC32] Started - verifying 29 files ...
20:01:43 [CRC32] File doesn't exist: C:\autoexec.bat
20:01:44 [CRC32] File doesn't exist: C:\WINDOWS\System\cmd.exe
20:01:45 [CRC32] File doesn't exist: C:\WINDOWS\System\netstat.exe
20:01:45 [CRC32] File doesn't exist: C:\WINDOWS\System\drwatson.exe
20:01:46 [CRC32] File doesn't exist: C:\WINDOWS\System\drwtsn32.exe
20:01:47 [CRC32] File doesn't exist: C:\WINDOWS\System\rundll32.exe
20:01:48 [CRC32] File doesn't exist: C:\WINDOWS\System\sysedit.exe
20:01:48 [CRC32] File doesn't exist: C:\WINDOWS\System\taskman.exe
20:01:49 [CRC32] File doesn't exist: C:\WINDOWS\System\taskmgr.exe
20:01:50 [CRC32] File doesn't exist: C:\WINDOWS\System\winlogon.exe
20:01:51 [CRC32] File doesn't exist: C:\WINDOWS\System\regedt32.exe
20:01:52 [CRC32] File doesn't exist: C:\WINDOWS\System\netmsg.dll
20:01:53 [CRC32] File doesn't exist: C:\WINDOWS\System\winsock.dll
20:01:54 [CRC32] Test finished.
20:04:06 [Memory Scan] Memory scan started, please wait a moment ...
20:04:10 [Memory Scan] Memory scan complete.
20:04:10 [Mutex Memory Scan] Started...
20:04:11 [Mutex Memory Scan] Finished (no trojan mutexes found).
20:04:11 [Trace Scan] Started...
20:04:37 [Trace Scan] Finished.
20:04:37 [Service\Driver Scan] Scanning for services and drivers ...
20:04:37 [Service\Driver Scan] Scanned 26 services and drivers.
20:04:37 [File Scan] Scanning in A:\ ...
20:04:38 [File Scan] Scanned 0 files: 0 alarms in 0.546875 seconds (Avg 1. files/sec)
20:04:38 [File Scan] Scanning in C:\ ...
20:37:30 [File Scan] Scanned 28873 files: 0 alarms in 1972.258 seconds (Avg 15.64 files/sec)
20:37:30 [File Scan] Scanning in D:\ ...
20:37:30 [File Scan] Scanned 0 files: 0 alarms in 0.046875 seconds (Avg 1. files/sec)
20:37:30 [File Scan] Scanning in E:\ ...
20:37:30 [File Scan] Scanned 0 files: 0 alarms in 0 seconds (Avg -1.#IND files/sec)
20:37:30 [Scan] Finished.
20:37:51 [Quit] Unloading ...


NB I did update the TDS despite the comment in the log?

Thanks
  • 0

#19
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Is about:blank still the problem? Try running SpSeHjFix again in Safe Mode.

I don't like the looks of this especially on a Windows ME machine. It looks like you might be missing some system files (corrupted possibly by the infection). Take a look here and go down to the Windows ME section. I want you to use your Windows ME CD and try to copy these files back to your machine (the ones that say c:\windows\system...):

20:01:44 [CRC32] File doesn't exist: C:\WINDOWS\System\cmd.exe
20:01:45 [CRC32] File doesn't exist: C:\WINDOWS\System\netstat.exe
20:01:45 [CRC32] File doesn't exist: C:\WINDOWS\System\drwatson.exe
20:01:46 [CRC32] File doesn't exist: C:\WINDOWS\System\drwtsn32.exe
20:01:47 [CRC32] File doesn't exist: C:\WINDOWS\System\rundll32.exe
20:01:48 [CRC32] File doesn't exist: C:\WINDOWS\System\sysedit.exe
20:01:48 [CRC32] File doesn't exist: C:\WINDOWS\System\taskman.exe
20:01:49 [CRC32] File doesn't exist: C:\WINDOWS\System\taskmgr.exe
20:01:50 [CRC32] File doesn't exist: C:\WINDOWS\System\winlogon.exe
20:01:51 [CRC32] File doesn't exist: C:\WINDOWS\System\regedt32.exe
20:01:52 [CRC32] File doesn't exist: C:\WINDOWS\System\netmsg.dll
20:01:53 [CRC32] File doesn't exist: C:\WINDOWS\System\winsock.dll
  • 0

#20
billywhizz

billywhizz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 70 posts
OK will try this. About blank isn't a problem now but each time I log onto the net I still get hit by the startpager dr trojan. McAfee disinfects this OK but it always gets in. Maybe I'm just unlucky?..or is there something still on my PC? I'll do this tonight and report back.

Thanks.
  • 0

#21
billywhizz

billywhizz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 70 posts
Hi,

I'm struggling with this. The files can't be found on the cd using the extract file box in msconfig. I've tried the startup disk method, then extracting from the cd but just get an error saying the files can't be copied.

SP/SE found nothing, and the trojan came right back tonight when I logged on.
  • 0

#22
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
I really don't like this. I have problems when users have this problem on a Windows ME machine because Windows ME doesn't have the system file checker feature. I'm not sure if those files are in a Windows ME machine, but they look like they should be.

Could you post a new topic in the Windows ME forum asking for help on extracting these files:

C:\WINDOWS\System\cmd.exe
C:\WINDOWS\System\netstat.exe
C:\WINDOWS\System\drwatson.exe
C:\WINDOWS\System\drwtsn32.exe
C:\WINDOWS\System\rundll32.exe
C:\WINDOWS\System\sysedit.exe
C:\WINDOWS\System\taskman.exe
C:\WINDOWS\System\taskmgr.exe
C:\WINDOWS\System\winlogon.exe
C:\WINDOWS\System\regedt32.exe
C:\WINDOWS\System\netmsg.dll
C:\WINDOWS\System\winsock.dll


Post back a followup on this if you can so that we can wrap things up.

This is not really a solution, but I have asked users to reinstall ME over itself before and I think that may solve the problem with those missing files. When you do the reinstall, make sure that you install it as an upgrade instead of a new install so that you will still have all your data intact. I suggest backing up either way, since there's no guarantee that errors won't occur.

So if you want, ask in the Windows ME section first and see what the helpers there have to suggest. If you find a solution that works, PM me on it so that I can better assist others with this problem in the future.
  • 0

#23
billywhizz

billywhizz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 70 posts
Thanks will do. I'm on holiday for the next 10 days so will catch up on my return.
  • 0

#24
billywhizz

billywhizz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 70 posts
Hi,

Still have the startpage trojan, here is HJT log as of today.

Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 19:10:45, on 01/06/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\LTMSG.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\PROGRAM FILES\MCAFEE.COM\MPS\MSCIFAPP.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE2K\CREATIVE DIAGNOSTICS 2.0\DIAGENT.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCUPDATE.EXE
C:\PROGRAM FILES\MCAFEE\SPAMKILLER\MSKSRVR.EXE
C:\PROGRAM FILES\MCAFEE\SPAMKILLER\MSKAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE QUICKCLEAN\PLGUNI.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA9.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\MY DOWNLOADS\VIRUS SPYWARE FIXES SEE GEEKS TO GO WEB SITE\HJT REG FIX\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb10.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NvColorInit] RUNDLL32.EXE NVQTWK.DLL,NvColorInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive2k\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MPSExe] C:\PROGRA~1\MCAFEE.COM\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKServerExe] C:\Program Files\McAfee\SpamKiller\MSKSrvr.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKDETCT.EXE /startup
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: OSA9.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.euro.dell...gen/default.htm (file missing) (HKCU)
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
  • 0

#25
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link doesn't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Don't run it yet.

Boot into Safe Mode.

Run SpSeHjFix.exe again.

Restart and then run CWShredder.exe. Then run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes. Restart and post that log (in the same folder) for SpSeHjFix.

Is the Startpage trojan still detected now?
  • 0


#26
billywhizz

billywhizz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 70 posts
All done - SE log following. Didn't get the trojan when logging on this time but will keep you advised even if it doesn't reappear. Many thanks once again.



(6/4/05 08:41:41) SPSeHjFix started v1.09
(6/4/05 08:41:41) OS: WinME (4.90.73010104)
(6/4/05 08:41:41) Language: english
(6/4/05 08:41:46) Disinfect started
(6/4/05 08:41:46) Bad-Dll(IEP): (not found)
(6/4/05 08:41:46) Bad-Dll(IEP) in BHO: (not found)
(6/4/05 08:41:46) UBF: 4
(6/4/05 08:41:46) UBB: 0
(6/4/05 08:41:46) UBR: 38
(6/4/05 08:41:46) Bad IE-pages:
(6/4/05 08:41:46) Stealth-String found: C:\WINDOWS\FAULTLLG.TXT
(6/4/05 08:41:46) File added to delete: c:\windows\faultllg.txt
(6/4/05 08:41:46) Reboot
(6/4/05 08:42:45) SPSeHjFix 2nd Step
(6/4/05 08:42:46) RunServicesOnce-Key: (alex)
(6/4/05 08:42:54) Cleaned
  • 0

#27
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since everything looks good now:

Your log is clean.

Go to Start->Settings->Control Panel and double-click on the System icon. On the Performance tab click File System. Click the Troubleshooting tab, and then check 'Disable System Restore'. Click OK. Click Yes when you are prompted to restart Windows. Restart your computer and uncheck the same box to enable System Restore.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#28
billywhizz

billywhizz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 70 posts
I spoke too soon....SP trojan reappeared on logon today. Have run SE fix again and same stealth file found. Log attached below - does this mean there is still something lurking?

(6/5/05 16:36:00) SPSeHjFix started v1.09
(6/5/05 16:36:00) OS: WinME (4.90.73010104)
(6/5/05 16:36:00) Language: english
(6/5/05 16:36:02) Disinfect started
(6/5/05 16:36:02) Bad-Dll(IEP): (not found)
(6/5/05 16:36:02) Bad-Dll(IEP) in BHO: (not found)
(6/5/05 16:36:02) UBF: 4
(6/5/05 16:36:02) UBB: 0
(6/5/05 16:36:02) UBR: 37
(6/5/05 16:36:02) Bad IE-pages:
(6/5/05 16:36:02) Stealth-String found: C:\WINDOWS\FAULTLLG.TXT
(6/5/05 16:36:02) File added to delete: c:\windows\faultllg.txt
(6/5/05 16:36:02) Reboot
(6/5/05 16:37:17) SPSeHjFix 2nd Step
(6/5/05 16:37:17) RunServicesOnce-Key: (alex)
(6/5/05 16:37:24) Cleaned
  • 0
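The two SPSeHjFix logs posted in this thread report the same stealth file a day apart. As an added example (not part of the original posts, and not code from SPSeHjFix or its author), this Python script parses logs in that format and reports any file that one run deleted and a later run found again, which indicates that whatever recreates the file was not removed. The log lines are abridged from the posts above; the M/D/YY date order is an assumption inferred from the other dates in the thread, and all function names are hypothetical.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

# Abridged from the two SPSeHjFix logs posted in this thread.
SAMPLE_LOGS = r"""
(6/4/05 08:41:41) SPSeHjFix started v1.09
(6/4/05 08:41:46) Disinfect started
(6/4/05 08:41:46) Bad-Dll(IEP): (not found)
(6/4/05 08:41:46) Stealth-String found: C:\WINDOWS\FAULTLLG.TXT
(6/4/05 08:41:46) File added to delete: c:\windows\faultllg.txt
(6/4/05 08:41:46) Reboot
(6/4/05 08:42:45) SPSeHjFix 2nd Step
(6/4/05 08:42:54) Cleaned
(6/5/05 16:36:00) SPSeHjFix started v1.09
(6/5/05 16:36:02) Disinfect started
(6/5/05 16:36:02) Bad-Dll(IEP): (not found)
(6/5/05 16:36:02) Stealth-String found: C:\WINDOWS\FAULTLLG.TXT
(6/5/05 16:36:02) File added to delete: c:\windows\faultllg.txt
(6/5/05 16:36:02) Reboot
(6/5/05 16:37:17) SPSeHjFix 2nd Step
(6/5/05 16:37:24) Cleaned
"""

# "(M/D/YY HH:MM:SS) message" -- date order is an assumption, see lead-in.
LINE_RE = re.compile(r"^\((\d{1,2}/\d{1,2}/\d{2} \d{2}:\d{2}:\d{2})\)\s+(.*)$")


@dataclass
class Run:
    started: datetime
    found: set = field(default_factory=set)    # stealth files reported
    deleted: set = field(default_factory=set)  # files queued for deletion
    cleaned: bool = False                      # run ended with "Cleaned"


def norm(path):
    """Normalise a Windows path so C:\\WINDOWS\\X and c:\\windows\\x compare equal."""
    return path.strip().replace("/", "\\").casefold()


def parse_runs(text):
    """Split a concatenated log into runs, one per 'SPSeHjFix started' line."""
    runs = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, forum residue
        when = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
        msg = m.group(2)
        if msg.startswith("SPSeHjFix started"):
            runs.append(Run(started=when))
            continue
        if not runs:
            continue  # entry before the first run header belongs to no run
        key, _, value = msg.partition(":")
        if key == "Stealth-String found":
            runs[-1].found.add(norm(value))
        elif key == "File added to delete":
            runs[-1].deleted.add(norm(value))
        elif key == "Cleaned":
            runs[-1].cleaned = True
    return runs


def recurring(runs):
    """Return (path, removed_at, seen_again_at) for files that came back.

    A file counts as removed only if the run that queued it for deletion
    also finished with 'Cleaned'.
    """
    removed = {}
    hits = []
    for run in sorted(runs, key=lambda r: r.started):
        for path in sorted(run.found):
            if path in removed:
                hits.append((path, removed[path], run.started))
        if run.cleaned:
            for path in run.deleted:
                removed[path] = run.started
    return hits


if __name__ == "__main__":
    for path, removed_at, seen_again in recurring(parse_runs(SAMPLE_LOGS)):
        gap = seen_again - removed_at
        print(f"{path}: removed {removed_at}, found again {seen_again} ({gap} later)")
```

A hit here means the deleted file is a symptom rather than the cause, so the next step is to look at what starts at boot or logon and rewrites it.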

#29
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Is it still detected after you ran SpSeHjFix? If so, give me this log:

Download StartDreck http://www.greyknigh.../StartDreck.zip

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.
  • 0

#30
billywhizz

billywhizz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 70 posts
Yes, appeared again tonight on 1st logon. Here is StartDreck log:

StartDreck (build 2.1.7 public stable) - 2005-06-06 @ 20:44:39 (GMT +01:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 5.50.4134.0100
Logged in as default at 972HB0J

»Registry
»Run Keys
»Current User
»Run
*H/PC Connection Agent="C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
*NvMediaCenter=RUNDLL32.EXE C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit
*SpybotSD TeaTimer=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
*McAfee QuickClean Imonitor=C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
*MSKAGENTEXE=C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE
»RunOnce
»Default User
»Run
*H/PC Connection Agent="C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
*NvMediaCenter=RUNDLL32.EXE C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit
*SpybotSD TeaTimer=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
*McAfee QuickClean Imonitor=C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
*MSKAGENTEXE=C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE
»RunOnce
»Local Machine
»Run
*HPDJ Taskbar Utility=C:\WINDOWS\SYSTEM\hpztsb10.exe
*LTWinModem1=ltmsg.exe 9
*MULTIMEDIA KEYBOARD=C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
*NvColorInit=RUNDLL32.EXE NVQTWK.DLL,NvColorInit
*nwiz=nwiz.exe /install
*PCHealth=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*SpeedTouch USB Diagnostics="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
*SystemTray=SysTray.Exe
*TaskMonitor=C:\WINDOWS\taskmon.exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*AdaptecDirectCD="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
*AHQInit=C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
*CreateCD50="C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
*DIAGENT=C:\Program Files\Creative\SBLive2k\Creative Diagnostics 2.0\DIAGENT.EXE startup
*Disc Detector=C:\Program Files\Creative\ShareDLL\CtNotify.exe
*Hidserv=Hidserv.exe run
*VSOCheckTask="C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
*VirusScan Online="C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
*MCAgentExe=C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
*MCUpdateExe=C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
*MPSExe=C:\PROGRA~1\MCAFEE.COM\MPS\mscifapp.exe /embedding
*MSKServerExe=C:\Program Files\McAfee\SpamKiller\MSKSrvr.exe
*MSKAGENTEXE=C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE
*MSKDetectorExe=C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKDETCT.EXE /startup
*MPFExe=C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
*devldr16.exe=C:\WINDOWS\SYSTEM\devldr16.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
*Machine Debug Manager=C:\WINDOWS\SYSTEM\MDM.EXE
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*McVsRte=C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
»RunServicesOnce
**ps=rundll32 C:\WINDOWS\FAULTLLG.TXT,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
+.htm
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.html
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.js
*JSFile=C:\WINDOWS\WScript.exe "%1" %*
+.jse
*JSEFile=C:\WINDOWS\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=C:\WINDOWS\NOTEPAD.EXE %1
+.vbs
*VBSFile=C:\WINDOWS\WScript.exe "%1" %*
+.vbe
*VBEFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsh
*WSHFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsf
*WSFFile=C:\WINDOWS\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Windows Setup - Applets/AppletsPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 C:\WINDOWS\INF\applets.inf
+Windows Setup - FAT32 Converter/PerUser_CVT_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf
+Windows Setup - Fonts/FontsPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 C:\WINDOWS\INF\fonts.inf
+Windows Setup - Home Networking Wizard/PerUser_HNW_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_HNW_Inis 64 C:\WINDOWS\INF\ICS.inf
+PerUser_ICW_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 C:\WINDOWS\INF\icw97.inf
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4395}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Windows Movie Maker/PerUser_moviemaker
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_moviemaker 64 C:\WINDOWS\INF\moviemk.inf
+MSN-Migration/>PerUser_MSN_Clean
*StubPath=C:\WINDOWS\msnmgsr1.exe
+Power Policy Settings/{CA0A4247-44BE-11d1-A005-00805F8ABE06}
*StubPath=RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf
+Windows Setup - System Information/PerUser_Msinfo
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 C:\WINDOWS\INF\msinfo.inf
+Windows Setup - System Information/PerUser_Msinfo2
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 C:\WINDOWS\INF\msinfo.inf
+Windows Setup - Multimedia/MotownMmsysPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 C:\WINDOWS\INF\motown.inf
+Windows Setup - Multimedia/MotownAvivideoPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 C:\WINDOWS\INF\motown.inf
+Windows Setup - Messaging/PerUser_Base
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 C:\WINDOWS\INF\msmail.inf
+CDSAMPLE/SamplerPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection SamplerPerUser 64 C:\WINDOWS\INF\sampler.inf
+Windows Setup - Shell/ShellPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 C:\WINDOWS\INF\shell.inf
+Windows Setup - Color Schemes/Shell2PerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 C:\WINDOWS\INF\shell2.inf
+Windows Setup - Start Menu/PerUser_winbase_Links
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 C:\WINDOWS\INF\subase.inf
+Windows Setup - Start Menu/PerUser_winapps_Links
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 C:\WINDOWS\INF\subase.inf
+Windows Setup - Links Bar/PerUser_LinkBar_URLs
*StubPath=C:\WINDOWS\COMMAND\sulfnbk.exe /L
+Windows Setup - Telephony Support/TapiPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 C:\WINDOWS\INF\tapi.inf
+Windows Setup - Wordpad/PerUser_MSWordPad_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 C:\WINDOWS\INF\wordpad.inf
+Windows Setup - More Applets/PerUserOldLinks
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 C:\WINDOWS\INF\appletpp.inf
+Windows Setup - Sound Schemes/MmoptRegisterPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 C:\WINDOWS\INF\mmopt.inf
+Windows Setup - CD Player/PerUser_CDPlayer_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 C:\WINDOWS\INF\mmopt.inf
+Windows Setup - Online Services/OlsPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 C:\WINDOWS\INF\ols.inf
+Windows Setup - The Microsoft Network/OlsMsnPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 C:\WINDOWS\INF\ols.inf
+System Restore/PerUser_PCHealth
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_PCHealth 64 C:\WINDOWS\INF\pchealth.inf
+Microsoft Windows Media Player 6.4/{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
+Windows Setup - Paint/PerUser_Paint_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 C:\WINDOWS\INF\applets.inf
+Windows Setup - Calculator/PerUser_Calc_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 C:\WINDOWS\INF\applets.inf
+Windows Setup - DriveSpace/PerUser_dxxspace_Links
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_dxxspace_Links 64 C:\WINDOWS\INF\applets1.inf
+Windows Setup - Accessibility/PerUser_Enable_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Enable_Inis 64 C:\WINDOWS\INF\enable.inf
+Windows Setup - Classic Games/PerUser_Wingames_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Inis 64 C:\WINDOWS\INF\games.inf
+Windows Setup - Internet Games/PerUser_ZoneGame_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ZoneGame_Inis 64 C:\WINDOWS\INF\games.inf
+Windows Setup - Plus! Games/PerUser_PBGame_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_PBGame_Inis 64 C:\WINDOWS\INF\games.inf
+MSN Messenger Service 2.2/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser
+Windows Setup - Multimedia/MotownRecPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 C:\WINDOWS\INF\motown.inf
+Windows Setup - Volume Control/PerUser_Vol
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 C:\WINDOWS\INF\motown.inf
+Windows Setup - Multimedia/MotownMPlayPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 C:\WINDOWS\INF\motown.inf
+Windows Setup - Dial-Up Networking/PerUser_RNA_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 C:\WINDOWS\INF\rna.inf
+Windows Setup - System Monitor/PerUser_Sysmon_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmon_Inis 64 C:\WINDOWS\INF\appletpp.inf
+Windows Setup - System Meter/PerUser_Sysmeter_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmeter_Inis 64 C:\WINDOWS\INF\appletpp.inf
+Windows Setup - Netwatch/PerUser_netwatch_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_netwatch_Inis 64 C:\WINDOWS\INF\appletpp.inf
+Windows Setup - Character Map/PerUser_CharMap_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CharMap_Inis 64 C:\WINDOWS\INF\appletpp.inf
+Windows Setup - HyperTerminal/PerUser_Onlinelnks_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Onlinelnks_Inis 64 C:\WINDOWS\INF\appletpp.inf
+Windows Setup - Phone Dialer/PerUser_Dialer_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 C:\WINDOWS\INF\appletpp.inf
+Windows Setup - Clipboard Viewer/PerUser_ClipBrd_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ClipBrd_Inis 64 C:\WINDOWS\INF\clip.inf
+Windows Setup - Sound Schemes/MmoptMusicaPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptMusicaPerUser 64 C:\WINDOWS\INF\mmopt.inf
+Windows Setup - Sound Schemes/MmoptJunglePerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptJunglePerUser 64 C:\WINDOWS\INF\mmopt.inf
+Windows Setup - Sound Schemes/MmoptRobotzPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRobotzPerUser 64 C:\WINDOWS\INF\mmopt.inf
+Windows Setup - Sound Schemes/MmoptUtopiaPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptUtopiaPerUser 64 C:\WINDOWS\INF\mmopt.inf
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015C}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.W95
+Microsoft Outlook Express 5/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
+Address Book 5/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
+Windows Setup - America Online/OlsAolPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUser 64 C:\WINDOWS\INF\ols.inf
+Windows Setup - AT&T WorldNet Service/OlsAttPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUser 64 C:\WINDOWS\INF\ols.inf
+Windows Setup - Prodigy Internet/OlsProdigyPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUser 64 C:\WINDOWS\INF\ols.inf
+Windows Setup - Earthlink Internet/OlsEarthlinkPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsEarthlinkPerUser 64 C:\WINDOWS\INF\ols.inf
+Windows Setup - Shell Cursors/Shell3PerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell3PerUser 64 C:\WINDOWS\INF\shell3.inf
+Windows Setup -- Themes/Theme_MoreWindows_PerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Themes_MoreWindows_PerUser 0 C:\WINDOWS\INF\themes.inf
+Windows Setup - Preptool/PerUser_Preptool
*StubPath=rundll.exe Setupx.dll,InstallHinfSection Install 64 C:\WINDOWS\INF\RUNLAST.INF
+DUN - RNA/^RNA
*StubPath=rundll rnasetup.dll,installoptionalcomponent rna
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+CRLUpdate/{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}
*StubPath=C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
+Web Publishing Wizard/{44BBA851-CC51-11CF-AAFA-00AA00B6015C}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wpie5x86.inf,PerUserStub
+Windows Setup - Direct Cable Connection/PerUser_DCC_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_DCC_Inis 64 C:\WINDOWS\INF\rna.inf
+Internet Explorer 5/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=C:\WINDOWS\SYSTEM\ie4uinit.exe
+>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
*StubPath=C:\WINDOWS\inf\unregmp2.exe /ShowWMP
»Browser Helper Objects (LM)
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
»Internet Explorer
»Current User
*Default_Search_URL=http://ie.search.msn.com
*Local Page=C:\WINDOWS\SYSTEM\blank.htm
*Search Bar=
*Search Page=http://www.google.com
*Start Page=http://www.google.com
*Window Title=Microsoft Internet Explorer provided by Virgin.net
+SearchUrl
*provider=gogl
*=http://www.google.com/keyword/%s
»Default User
*Default_Search_URL=http://ie.search.msn.com
*Local Page=C:\WINDOWS\SYSTEM\blank.htm
*Search Bar=
*Search Page=http://www.google.com
*Start Page=http://www.google.com
*Window Title=Microsoft Internet Explorer provided by Virgin.net
+SearchUrl
*provider=gogl
*=http://www.google.com/keyword/%s
»Local Machine
*Default_Page_URL=http://www.google.com
*Default_Search_URL=http://www.google.com
*Local Page=C:\WINDOWS\SYSTEM\blank.htm
*Search Bar=
*Search Page=http://www.google.com
*Start Page=http://www.google.com
*Window Title=Microsoft Internet Explorer provided by Virgin.net
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
»ShellServiceObjectDelayLoad (LM)
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=C:\WINDOWS\SYSTEM\WEBCHECK.DLL
*UPnPMonitor={e57ce738-33e8-4c51-8354-bb4de9d215d1}
`InprocServer32=C:\WINDOWS\SYSTEM\UPNPUI.DLL
*AUHook={BCBCD383-3E06-11D3-91A9-00C04F68105C}
`InprocServer32=C:\WINDOWS\SYSTEM\AUHOOK.DLL
»Special NT Values
»Current User
*Load=
*Run=
*Programs=
*SHELL=
»Default User
*Load=
*Run=
*Programs=
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=
*Userinit=
»Files
»Autostart Folders
»Current User
*C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\OSA9.lnk
»Default User
*C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\OSA9.lnk
»Local Machine
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\WINDOWS\msdos.sys
`[Paths]
`WinDir=C:\WINDOWS
`WinBootDir=C:\WINDOWS
`HostWinBootDrv=C
`[Options]
`BootMulti=0
`BootGUI=1
`DoubleBuffer=1
`;
`;The following lines are required for compatibility with other programs.
`;Do not remove them (MSDOS.SYS needs to be >1024 bytes).
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxa
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxb
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxc
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxd
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxe
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxf
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxg
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxh
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxi
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxj
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxk
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxl
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxm
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxn
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxo
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxp
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxq
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxr
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxs
*C:\msdos.sys
`[Paths]
`WinDir=C:\WINDOWS
`WinBootDir=C:\WINDOWS
`HostWinBootDrv=C
`UninstallDir=C:\
`[Options]
`BootMulti=0
`BootGUI=1
`;
`;The following lines are required for compatibility with other programs.
`;Do not remove them (MSDOS.SYS needs to be >1024 bytes).
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxa
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxb
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxc
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxd
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxe
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxf
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxg
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxh
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxi
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxj
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxk
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxl
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxm
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxn
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxo
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxp
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxq
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxr
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxs
`AutoScan=1
`WinVer=4.90.3000
*C:\config.sys
*C:\autoexec.bat
`SET windir=C:\WINDOWS
`SET winbootdir=C:\WINDOWS
`SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
`SET PROMPT=$p$g
`SET TMP=C:\WINDOWS\TEMP
`SET TVDUMPFLAGS=10
*C:\WINDOWS\wininit.ini
`[Rename]
`nul=C:\WINDOWS\TEMP\mcuA1B2.TMP\mskf.cfu
*C:\WINDOWS\wininit.bak
`[rename]
`NUL=c:\WINDOWS\JPnjqantxgNw
`NUL=C:\WINDOWS\HISTORY\HISTORY.IE5\INDEX.DAT
`NUL=C:\WINDOWS\HISTORY\HISTORY.IE5\MSHIST~1\INDEX.DAT
`NUL=C:\WINDOWS\HISTORY\HISTORY.IE5\INDEX.DAT
*C:\WINDOWS\winstart.bat
`@C:\WINDOWS\tmpcpyis.bat
*C:\WINDOWS\dosstart.bat
`@echo off
`LH C:\PROGRA~1\MICROS~1\MOUSE\MOUSE.EXE
*C:\WINDOWS\command\cmdinit.bat
`@echo off
`doskey /insert > nul
*C:\WINDOWS\hosts
`64.91.255.87 www.dcsresearch.com
»Program Files
*C:\io.sys
*C:\WINDOWS\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\command.PIF
*C:\WINDOWS\COMMAND.PIF
*C:\WINDOWS\COMMAND.COM
+C:\CHOICE.COM
*C:\WINDOWS\COMMAND\CHOICE.COM
»System/Drivers
»VMM32Files (LM)
*vdd.vxd=
*vflatd.vxd=
*biosxlat.vxd=
*combuff.vxd=
*configmg.vxd=
*dosmgr.vxd=
*dynapage.vxd=
*ebios.vxd=
*ifsmgr.vxd=
*int13.vxd=
*ios.vxd=
*mtrr.vxd=
*ntkern.vxd=
*pageswap.vxd=
*parity.vxd=
*perf.vxd=
*reboot.vxd=
*shell.vxd=
*spooler.vxd=
*udf.vxd=
*v86mmgr.vxd=
*vcache.vxd=
*vcd.vxd=
*vcdfsd.vxd=
*vcomm.vxd=
*vcond.vxd=
*vdef.vxd=
*vdmad.vxd=
*vfat.vxd=
*vfbackup.vxd=
*vkd.vxd=
*vmcpd.vxd=
*vmouse.vxd=
*vmpoll.vxd=
*vpd.vxd=
*vpicd.vxd=
*vpowerd.vxd=
*vsd.vxd=
*vtd.vxd=
*vtdapi.vxd=
*vwin32.vxd=
*vxdldr.vxd=
*vxdmon.vxd=
*enable.vxd=
»%System%\VMM32
*C:\WINDOWS\SYSTEM\VMM32\windrvr.vxd
*C:\WINDOWS\SYSTEM\VMM32\IFSMGR.VXD
*C:\WINDOWS\SYSTEM\VMM32\VMM.VXD
*C:\WINDOWS\SYSTEM\VMM32\MRCI2.VXD
»%System%\IOSUBSYS
*C:\WINDOWS\SYSTEM\IoSubSys\RMM.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\SCSIPORT.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\APIX.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\ATAPCHNG.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\CDFS.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\CDTSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\CDVSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\DISKTSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\DISKVSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\NECATAPI.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\SCSI1HLP.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\TORISAN3.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\VOLTRACK.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\DRVSPACX.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\ESDI_506.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\AIC78XX.MPD
*C:\WINDOWS\SYSTEM\IoSubSys\Cdudfrw.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\UdfReadr.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\cdr4vsd.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\Acbhlpr.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\Cdudf.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\Cdrpwd.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\CDRALVSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\USBMPHLP.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\HSFLOP.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\DRVWCDB.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\DRVWPPQT.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\DRVWQ117.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\BIGMEM.DRV
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User