Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

trojan horse collected 5.L [RESOLVED]

Started by willyg , Oct 10 2005 06:24 AM

  • This topic is locked This topic is locked

#1
willyg
Posted 10 October 2005 - 06:24 AM

willyg

    Member

  • Member
  • PipPip
  • 33 posts
Well, it seems that my son picked this up from an AIM message. The AVG boot-up scanner recognized the msdirect.sys file. However, even though AVG deletes the file, it returns after the PC is rebooted. I also ran Ad-Aware which cleans some registry entries but the same ones also reappear. Right now, I can only boot into safe mode. When I try to do a 'full' reboot, a pop up appears saying that some process (explorer, msoffice, webshots, etc.) has performed an illegal operation. The PC then hangs so that not even alt-ctrl-del works, and I have to turn off the power. I've run the AVG and Ad-Aware scans from safe mode with the same results. My HJT log (from safe mode) is below. Any guidance will be GREATLY appreciated. :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 6:55:01 PM, on 10/09/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nationalgeographic.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nationalgeographic.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.att.com:8000;ftp=proxy.att.com:8000;https=proxy.att.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *att.com
O1 - Hosts: 135.37.9.18 as10
O1 - Hosts: 135.164.224.1 brouter
O1 - Hosts: 135.164.228.5 kpuxf
O1 - Hosts: 135.164.224.72 sasha
O1 - Hosts: 135.91.21.106 devcats devcats.jazz.att.com
O1 - Hosts: 135.91.21.110 catsweb
O1 - Hosts: 135.164.224.186 twister
O1 - Hosts: 135.147.103.248 inscatl
O1 - Hosts: 135.147.195.237 inscwp
O1 - Hosts: 135.91.21.107 kp2web
O1 - Hosts: 135.164.239.249 ptr01
O1 - Hosts: 135.37.9.18 as10 as10.its.att.com
O1 - Hosts: 135.38.244.3 ks10 ks10.its.att.com
O1 - Hosts: 135.71.27.39 attrh.att.com
O1 - Hosts: 135.164.224.25 kpuxc
O1 - Hosts: 135.194.4.25 griffin
O1 - Hosts: 135.91.21.100 inisdb
O1 - Hosts: 135.58.25.16 kciprs1
O1 - Hosts: 135.58.25.19 kciprs2
O1 - Hosts: 135.164.224.213 hp3si
O1 - Hosts: 135.33.44.241 hp3siwp
O1 - Hosts: 135.164.224.215 hp5m
O1 - Hosts: 135.91.21.108 ptsdev
O1 - Hosts: 135.91.21.109 ftsweb
O1 - Hosts: 135.36.232.1 atlcms1a
O1 - Hosts: 135.36.232.1 atlcms1
O1 - Hosts: 135.36.80.3 itamac
O1 - Hosts: 135.164.224.1 brouter
O1 - Hosts: 135.164.224.22 rip
O1 - Hosts: 135.164.224.24 ripjr
O1 - Hosts: 135.16.191.37 fraudhp
O1 - Hosts: 135.164.217.232 fraudhp2
O1 - Hosts: 135.37.46.195 sots msa1
O1 - Hosts: 135.164.73.10 brouter73
O1 - Hosts: 135.164.224.75 odie
O1 - Hosts: 135.164.224.73 solo
O1 - Hosts: 135.164.224.74 shogun
O1 - Hosts: 135.16.42.30 gsun
O1 - Hosts: 135.16.83.1 esun
O1 - Hosts: 135.16.68.2 gnet8
O1 - Hosts: 135.16.68.5 gnet4
O1 - Hosts: 135.16.68.7 gnet5
O1 - Hosts: 135.16.68.15 gnet9
O1 - Hosts: 135.91.45.10 trumpet
O1 - Hosts: 135.38.88.1 mvskc
O1 - Hosts: 135.52.11.3 attbrz01
O1 - Hosts: 135.68.25.2 projsun1
O1 - Hosts: 135.37.143.8 ah60
O1 - Hosts: 135.37.100.17 mh60
O1 - Hosts: 135.7.1.17 att
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\CCHELPER.DLL
O2 - BHO: WinStat - {EE02B99B-1D55-48bc-B8DB-649A42CE45F6} - C:\WINDOWS\SYSTEM\WINSTAT12.DLL
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR51.DLL
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -off
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [DMILDR] C:\DMI\bin\dmildr.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [NEWTEXE] C:\NETMANAG.95\NEWT32.EXE -r
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\SYSTEM\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\CFGMGR51.DLL,DllRun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [alw] C:\WINDOWS\SYSTEM\alw.exe
O4 - HKLM\..\Run: [strtas] LOCK1.EXE
O4 - HKLM\..\Run: [System service73] C:\WINDOWS\ETB\POKAPOKA73.EXE
O4 - HKLM\..\RunServices: [SNMP agent] SNMP.EXE
O4 - HKLM\..\RunServices: [Win32SL] C:\DMI\BIN\Win32sl.EXE -i
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [strtas] LOCK1.EXE
O4 - HKCU\..\Run: [strtas] LOCK1.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: PrintKey20.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: Win32 Classes - file://C:\WINDOWS\Java\classes\win32ie4.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156...r/axscanner.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zone...ctor/WebSWK.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
  • 0

Advertisements

#2
Trevuren
Posted 10 October 2005 - 12:32 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi willyg and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

1.Please download AIMFix from HERE

2. Run the program

3. REBOOT your system

4. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren
  • 0

#3
willyg
Posted 10 October 2005 - 06:49 PM

willyg

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
Hi Trevuren and thanks for the quick response.
I downloaded and ran aimfix98 as you requested and have included the log file below. It suggested I run it again in safe mode because LOCK1.exe couldn't be quarantined, but nothing new appeared in the log from that run. I then rebooted and ran hijackthis to produce the log I've pasted after the one from aimfix.
It seems that everything is back to normal, but I still receive an error msg on boot up "error loading aunps2.dll" that I believe is a leftover from a virus that AVG 'healed' a while back. I did notice a reference to aunps2 in the hijackthis log.

Thanks,
Bill

1.3.831.2037


First, closing any running copies of AOL Instant Messenger (aim.exe):

***ANY VIRUS FILES REMOVED WILL BE LISTED BELOW***

Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\strtas" removed
Registry key "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\strtas" removed
Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\strtas" removed
Process C:\WINDOWS\SYSTEM\LOCK1.EXE found
Process C:\WINDOWS\SYSTEM\LOCK1.EXE killed
C:\WINDOWS\System\LOCK1.EXE could not be quarantined
Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdtl" removed
Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System service75" removed
Process C:\WINDOWS\ETB\POKAPOKA75.EXE found
Process C:\WINDOWS\ETB\POKAPOKA75.EXE killed
C:\WINDOWS\ETB\POKAPOKA75.EXE quarantined
Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ScanRegistry" removed

***RUN COMPLETED. ANY FILES REMOVED LISTED ABOVE***
----------------------------------------------------------

1.3.831.2037


First, closing any running copies of AOL Instant Messenger (aim.exe):

***ANY VIRUS FILES REMOVED WILL BE LISTED BELOW***


***RUN COMPLETED. ANY FILES REMOVED LISTED ABOVE***
----------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:31:18 PM, on 10/10/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\NETMANAG.95\NEWT32.EXE
C:\WINDOWS\SNMP.EXE
C:\DMI\BIN\WIN32SL.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\HP CD-WRITER\MMENU\HPCDTRAY.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\PRINTKEY20.EXE
C:\DMI\BIN\DELLDMI.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\DMI\BIN\MONITOR.EXE
C:\DMI\BIN\NIC.EXE
C:\DMI\BIN\DNAR.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search101online.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search101online.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.search101online.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nationalgeographic.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nationalgeographic.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search101online.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.att.com:8000;ftp=proxy.att.com:8000;https=proxy.att.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *att.com
O1 - Hosts: 135.37.9.18 as10
O1 - Hosts: 135.164.224.1 brouter
O1 - Hosts: 135.164.228.5 kpuxf
O1 - Hosts: 135.164.224.72 sasha
O1 - Hosts: 135.91.21.106 devcats devcats.jazz.att.com
O1 - Hosts: 135.91.21.110 catsweb
O1 - Hosts: 135.164.224.186 twister
O1 - Hosts: 135.147.103.248 inscatl
O1 - Hosts: 135.147.195.237 inscwp
O1 - Hosts: 135.91.21.107 kp2web
O1 - Hosts: 135.164.239.249 ptr01
O1 - Hosts: 135.37.9.18 as10 as10.its.att.com
O1 - Hosts: 135.38.244.3 ks10 ks10.its.att.com
O1 - Hosts: 135.71.27.39 attrh.att.com
O1 - Hosts: 135.164.224.25 kpuxc
O1 - Hosts: 135.194.4.25 griffin
O1 - Hosts: 135.91.21.100 inisdb
O1 - Hosts: 135.58.25.16 kciprs1
O1 - Hosts: 135.58.25.19 kciprs2
O1 - Hosts: 135.164.224.213 hp3si
O1 - Hosts: 135.33.44.241 hp3siwp
O1 - Hosts: 135.164.224.215 hp5m
O1 - Hosts: 135.91.21.108 ptsdev
O1 - Hosts: 135.91.21.109 ftsweb
O1 - Hosts: 135.36.232.1 atlcms1a
O1 - Hosts: 135.36.232.1 atlcms1
O1 - Hosts: 135.36.80.3 itamac
O1 - Hosts: 135.164.224.1 brouter
O1 - Hosts: 135.164.224.22 rip
O1 - Hosts: 135.164.224.24 ripjr
O1 - Hosts: 135.16.191.37 fraudhp
O1 - Hosts: 135.164.217.232 fraudhp2
O1 - Hosts: 135.37.46.195 sots msa1
O1 - Hosts: 135.164.73.10 brouter73
O1 - Hosts: 135.164.224.75 odie
O1 - Hosts: 135.164.224.73 solo
O1 - Hosts: 135.164.224.74 shogun
O1 - Hosts: 135.16.42.30 gsun
O1 - Hosts: 135.16.83.1 esun
O1 - Hosts: 135.16.68.2 gnet8
O1 - Hosts: 135.16.68.5 gnet4
O1 - Hosts: 135.16.68.7 gnet5
O1 - Hosts: 135.16.68.15 gnet9
O1 - Hosts: 135.91.45.10 trumpet
O1 - Hosts: 135.38.88.1 mvskc
O1 - Hosts: 135.52.11.3 attbrz01
O1 - Hosts: 135.68.25.2 projsun1
O1 - Hosts: 135.37.143.8 ah60
O1 - Hosts: 135.37.100.17 mh60
O1 - Hosts: 135.7.1.17 att
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR51.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -off
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [DMILDR] C:\DMI\bin\dmildr.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [NEWTEXE] C:\NETMANAG.95\NEWT32.EXE -r
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\CFGMGR51.DLL,DllRun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [alw] C:\WINDOWS\SYSTEM\alw.exe
O4 - HKLM\..\RunServices: [SNMP agent] SNMP.EXE
O4 - HKLM\..\RunServices: [Win32SL] C:\DMI\BIN\Win32sl.EXE -i
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: PrintKey20.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: Win32 Classes - file://C:\WINDOWS\Java\classes\win32ie4.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156...r/axscanner.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zone...ctor/WebSWK.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
  • 0

#4
Trevuren
Posted 10 October 2005 - 07:15 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. Download, install, update, configure, and run Ad-Aware SE Personal 1.06.
  • Download Ad-Aware SE Personal 1.06:
  • Install Ad-Aware SE Personal 1.06:
    • Double-click on aawsepersonal.exe to install the program.
    • Follow the default settings for installation.
    • After the program has finished installing uncheck the "Perform a full system scan now", "Update definition file now", and "Open the help file now" boxes.
  • Update Ad-Aware SE Personal 1.06:
    • Double-click the Ad-Aware SE Personal icon on your desktop.
    • Click "Check for updates now" then click "Connect".
    • It will check for any updates. If any are found click "OK" to download and install the updates. Once it has finished click "Finish".
  • Configure Ad-Aware SE Personal 1.06:
    • Click on the Gear button at the top of the window.
    • Click "General" on the left hand side to display the General Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
        • "Automatically save logfile"
        • "Automatically quarantine objects prior to removal"
        • "Safe Mode (always request confirmation)"
        • "Prompt to update outdated definitions" - change to 7 days from the default 14.
    • Click "Scanning" on the left hand side to display the Scan Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
      • "Scan within archives"
      • "Select drives & folders to scan" - select your hard drive(s).
      • "Scan active processes"
      • "Scan registry"
      • "Deep-scan registry"
      • "Scan my IE favorites for banned URLs"
      • "Scan my Hosts file"
    • Click "Advanced" on the left hand side to display the Advanced Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
      • "Move deleted files to Recycle Bin"
      • "Include additional object information"
      • "Include negligible objects information"
      • "Include environment information"
    • Click "Defaults" on the left hand side to display the Default Settings box.
      • Make sure these items have your preferred settings in them.:
      • "Default homepage"
      • "Default searchpage"
    • Click "Tweak" on the left hand side to display the Tweak Settings box.
      • Click the + (plus) sign next to the Log Files section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
        • "Include basic Ad-Aware settings in log file"
        • "Include additional Ad-Aware settings in log file"
        • "Include reference summary in log file"
        • "Include alternate data stream details in log file"
      • Click the + (plus) sign next to the Scanning Engine section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
        • "Unload recognized processes & modules during scan"
        • "Scan registry for all users instead of current user only"
        • "Obtain command line of scanned processes"
      • Click the + (plus) sign next to the Cleaning Engine section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
        • "Always try to unload modules before deletion"
        • "During removal, unload Explorer and IE if necessary"
        • "Let Windows remove files in use at next reboot"
        • "Delete quarantined objects after restoring"
    • Once you are done with these settings, click "Proceed" to save them.
    • This will take you back to the main screen.
  • Run Ad-Aware SE Personal 1.06:
    • Click the "Start" button.
    • Uncheck the "Search for negligible risk entries" entry.
    • Choose the "Use custom scanning options" scan mode.
    • Click the "Next" button.
    • Ad-Aware will begin to scan for malware residing on your computer.
    • Allow the scan to finish.
    • Right-click on any entry in the list and click "Select All" to select the whole list.
    • Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.
2. REBOOT your system

3. Post a fresh Hjt log


Regards,

Trevuren
  • 0

#5
willyg
Posted 11 October 2005 - 11:32 AM

willyg

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
Trevuren,
Should I 'uninstall' my current ad-aware personal before following your instructions? :tazz:

Thanks,
Bill
  • 0

#6
Trevuren
Posted 11 October 2005 - 07:23 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Sorry for the delayed reply. I answered this post earlier today but we are currently experiencing server problems and It didn't get posted.

The answer is use the version I recommended. That would require an uninstall of what you have.

Regards,

Trevuren
  • 0

#7
willyg
Posted 12 October 2005 - 04:59 PM

willyg

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
Hi Trevuren,
I followed your directions to install and run the version of ad-aware you specified. I then rebooted and produced a new HJT log which is below. While ad-aware was running, AVG popped up a window that a virus was detected, and it kept popping up every few seconds after I clicked 'heal' each time. The msg displayed was "Trojan Horse Downloader Agent.ADH detected trying to open windows/temp/aawtmp/c13589107/13661716r " :tazz:

Regards,
Bill

Logfile of HijackThis v1.99.1
Scan saved at 6:46:50 PM, on 10/12/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\NETMANAG.95\NEWT32.EXE
C:\WINDOWS\SNMP.EXE
C:\DMI\BIN\WIN32SL.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\HP CD-WRITER\MMENU\HPCDTRAY.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\PRINTKEY20.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\DMI\BIN\DELLDMI.EXE
C:\DMI\BIN\MONITOR.EXE
C:\DMI\BIN\NIC.EXE
C:\DMI\BIN\DNAR.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search101online.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search101online.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.search101online.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nationalgeographic.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nationalgeographic.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search101online.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.att.com:8000;ftp=proxy.att.com:8000;https=proxy.att.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *att.com
O1 - Hosts: 135.37.9.18 as10
O1 - Hosts: 135.164.224.1 brouter
O1 - Hosts: 135.164.228.5 kpuxf
O1 - Hosts: 135.164.224.72 sasha
O1 - Hosts: 135.91.21.106 devcats devcats.jazz.att.com
O1 - Hosts: 135.91.21.110 catsweb
O1 - Hosts: 135.164.224.186 twister
O1 - Hosts: 135.147.103.248 inscatl
O1 - Hosts: 135.147.195.237 inscwp
O1 - Hosts: 135.91.21.107 kp2web
O1 - Hosts: 135.164.239.249 ptr01
O1 - Hosts: 135.37.9.18 as10 as10.its.att.com
O1 - Hosts: 135.38.244.3 ks10 ks10.its.att.com
O1 - Hosts: 135.71.27.39 attrh.att.com
O1 - Hosts: 135.164.224.25 kpuxc
O1 - Hosts: 135.194.4.25 griffin
O1 - Hosts: 135.91.21.100 inisdb
O1 - Hosts: 135.58.25.16 kciprs1
O1 - Hosts: 135.58.25.19 kciprs2
O1 - Hosts: 135.164.224.213 hp3si
O1 - Hosts: 135.33.44.241 hp3siwp
O1 - Hosts: 135.164.224.215 hp5m
O1 - Hosts: 135.91.21.108 ptsdev
O1 - Hosts: 135.91.21.109 ftsweb
O1 - Hosts: 135.36.232.1 atlcms1a
O1 - Hosts: 135.36.232.1 atlcms1
O1 - Hosts: 135.36.80.3 itamac
O1 - Hosts: 135.164.224.1 brouter
O1 - Hosts: 135.164.224.22 rip
O1 - Hosts: 135.164.224.24 ripjr
O1 - Hosts: 135.16.191.37 fraudhp
O1 - Hosts: 135.164.217.232 fraudhp2
O1 - Hosts: 135.37.46.195 sots msa1
O1 - Hosts: 135.164.73.10 brouter73
O1 - Hosts: 135.164.224.75 odie
O1 - Hosts: 135.164.224.73 solo
O1 - Hosts: 135.164.224.74 shogun
O1 - Hosts: 135.16.42.30 gsun
O1 - Hosts: 135.16.83.1 esun
O1 - Hosts: 135.16.68.2 gnet8
O1 - Hosts: 135.16.68.5 gnet4
O1 - Hosts: 135.16.68.7 gnet5
O1 - Hosts: 135.16.68.15 gnet9
O1 - Hosts: 135.91.45.10 trumpet
O1 - Hosts: 135.38.88.1 mvskc
O1 - Hosts: 135.52.11.3 attbrz01
O1 - Hosts: 135.68.25.2 projsun1
O1 - Hosts: 135.37.143.8 ah60
O1 - Hosts: 135.37.100.17 mh60
O1 - Hosts: 135.7.1.17 att
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR51.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -off
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [DMILDR] C:\DMI\bin\dmildr.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [NEWTEXE] C:\NETMANAG.95\NEWT32.EXE -r
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\CFGMGR51.DLL,DllRun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [alw] C:\WINDOWS\SYSTEM\alw.exe
O4 - HKLM\..\RunServices: [SNMP agent] SNMP.EXE
O4 - HKLM\..\RunServices: [Win32SL] C:\DMI\BIN\Win32sl.EXE -i
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: PrintKey20.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: Win32 Classes - file://C:\WINDOWS\Java\classes\win32ie4.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156...r/axscanner.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zone...ctor/WebSWK.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
  • 0

#8
Trevuren
Posted 12 October 2005 - 05:20 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. . Download the following program HOSTER.
  • Unzip and run the program.
  • You will be presented with a screen where you will find the following option:Restore Microsoft Original Hosts.
  • Press it and Close the program.
  • Reboot your system.

2. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

We need to make sure all hidden files are showing so please:
* Open My Computer.
* Select the View menu and click Folder Options.
* Select the View Tab.
* In the Hidden files section select Show all files.
* Click OK.

Please RUN HijackThis.
. Click the SCAN button to produce a log.

Place a check mark beside each one of the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search101online.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search101online.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.search101online.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search101online.com/sp2.php
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR51.DLL
O4 - HKLM\..\Run: [NEWTEXE] C:\NETMANAG.95\NEWT32.EXE -r
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\CFGMGR51.DLL,DllRun
O4 - HKLM\..\Run: [alw] C:\WINDOWS\SYSTEM\alw.exe
O4 - HKLM\..\RunServices: [Win32SL] C:\DMI\BIN\Win32sl.EXE -i
O15 - Trusted Zone: http://www.neededware.com



Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window and Reboot Your System in Safe Mode

How to Start To Safe Mode Using the F8 method in Windows 98/98SE/ME

To start your computer in Safe Mode:
*turn the computer on
*as the computer restarts, press and hold down the Ctrl key until the Windows 98 startup menu appears. (This also works with the F8 key following the same steps)
*Choose Safe mode from the startup menu,
*press Enter
*Windows starts in Safe mode.
*Restart your computer when finished troubleshooting


Using Windows Explorer, locate the following files/folders (with all their content), and DELETE them (if they are present):

C:\NETMANAG.95
C:\WINDOWS\CFGMGR51.DLL
AUNPS2.DLL<==You will have to Search for this one
C:\WINDOWS\CFGMGR51.DLL
C:\WINDOWS\SYSTEM\alw.exe
C:\DMI\BIN\Win32sl.EXE

Exit Explorer, and REBOOT BACK INTO NORMAL MODE

Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everytjhing looks now.

Regards,

Trevuren
  • 0

#9
willyg
Posted 12 October 2005 - 07:19 PM

willyg

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
Hi Trevuren,
EXCELLENT directions!! :tazz:
I followed everything and produced the new HJT log below. During the delete step in windows explorer, only the netmanag.95 folder and the win32sl.exe were found and deleted. There is still some adjustment I need to make since on reboot the following msg popped up; "unable to load dynamic link library nfsnp.dll , netmanage nfs network not available". This makes sense since I just removed the netmanage.95 directory, but I guess there is an entry somewhere that is still trying to start it up.

Regards,
Bill

Logfile of HijackThis v1.99.1
Scan saved at 9:10:57 PM, on 10/12/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SNMP.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\HP CD-WRITER\MMENU\HPCDTRAY.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\PRINTKEY20.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\DMI\BIN\DNAR.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nationalgeographic.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nationalgeographic.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.att.com:8000;ftp=proxy.att.com:8000;https=proxy.att.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *att.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -off
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [DMILDR] C:\DMI\bin\dmildr.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [SNMP agent] SNMP.EXE
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: PrintKey20.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: Win32 Classes - file://C:\WINDOWS\Java\classes\win32ie4.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156...r/axscanner.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zone...ctor/WebSWK.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
  • 0

#10
Trevuren
Posted 13 October 2005 - 10:27 AM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Excellent Deduction: :tazz:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

This is an imposed restriction on access to your Control Panel Setting. If you didn't set it or if you no longer want it there, just include it among the HJT entries to be fixed that you will find below.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

We need to make sure all hidden files are showing so please:
* Open My Computer.
* Select the View menu and click Folder Options.
* Select the View Tab.
* In the Hidden files section select Show all files.
* Click OK.

Please RUN HijackThis.
. Click the SCAN button to produce a log.

Place a check mark beside each one of the following items:

O4 - HKLM\..\RunServices: [SNMP agent] SNMP.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window and Reboot Your System in Safe Mode

How to Start To Safe Mode Using the F8 method in Windows 98/98SE/ME

To start your computer in Safe Mode:
*turn the computer on
*as the computer restarts, press and hold down the Ctrl key until the Windows 98 startup menu appears. (This also works with the F8 key following the same steps)
*Choose Safe mode from the startup menu,
*press Enter
*Windows starts in Safe mode.
*Restart your computer when finished troubleshooting


Using Windows Explorer, locate the following files/folders (with all their content), and DELETE them (if they are present):

C:\WINDOWS\SNMP.EXE

Exit Explorer, and REBOOT BACK INTO NORMAL MODE

Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everytjhing looks now.

Regards,

Trevuren
  • 0

Advertisements

#11
willyg
Posted 13 October 2005 - 07:16 PM

willyg

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
Hi Trevuren,
I followed your instructions to remove the 3 entries in the HJT log and to delete the snmp.exe (there was also a snmpapi.dll file which I left alone?). But, when I rebooted back to normal mode I received the same error pop up about nfsnp.dll not being loaded. Otherwise, things look OK.

Thanks,
Bill

Logfile of HijackThis v1.99.1
Scan saved at 9:08:42 PM, on 10/13/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\HP CD-WRITER\MMENU\HPCDTRAY.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\PRINTKEY20.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\DMI\BIN\DNAR.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nationalgeographic.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nationalgeographic.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.att.com:8000;ftp=proxy.att.com:8000;https=proxy.att.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *att.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -off
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [DMILDR] C:\DMI\bin\dmildr.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: PrintKey20.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: Win32 Classes - file://C:\WINDOWS\Java\classes\win32ie4.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156...r/axscanner.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zone...ctor/WebSWK.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
  • 0

#12
Trevuren
Posted 13 October 2005 - 07:20 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. Download "Registry Search Tool" (RegSrch.vbs) from HERE

2. Start it and paste in nfsnp.

3. Wait for it to complete the search, click ok at the prompt.

4. Then when wordpad opens, copy the text as a reply into this thread.

Regards,

Trevuren
  • 0

#13
willyg
Posted 14 October 2005 - 05:29 PM

willyg

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
Trevuren,
Neat tool, I guess it does a 'find' in regedit? How do you find (& know to trust) this stuff?

Thanks,
Bill

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "nfsnp" 10/14/2005 7:23:54 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\Software\NetManage\Applications\NETMNC95.INF\NFSNP.DLL]

[HKEY_LOCAL_MACHINE\Software\NetManage\Applications\NFSCFG.EXE\NFSNP.DLL]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NMNfsClient\NetworkProvider]
"ProviderPath"="nfsnp.dll"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\PwdProvider\NMNfsClient]
"ProviderPath"="nfsnp.dll"
  • 0

#14
Trevuren
Posted 14 October 2005 - 07:14 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
These "Tools" are developed by dedicated and highly knowledgeble people who love to beat the bad guy. These are tried and tested over and over before I get my hands on them.


1. Backup the registry by going to Start>Run> and type "regedit" without the quotes. Then on the file menu choose ‘export’ in XP. Export the file to your Desktop.

If a restore of the registry is required in case of emergency, just click on the exported regfile on your desktop, and answer YES to the question whether you want to merge this file with the registry. Wait until you get a message saying something like Merge Successfull.

2. Launch Notepad, and copy/paste everything in the codebox below into the new document, including the word REGEDIT4. Go up to "File Save As" and click the drop-down box to change the "Save As Type" to "All Files" and save it to your desktop as fixme.reg.

REGEDIT4
[-HKEY_LOCAL_MACHINE\Software\NetManage\Applications\NETMNC95.INF\NFSNP.DLL]

[-HKEY_LOCAL_MACHINE\Software\NetManage\Applications\NFSCFG.EXE\NFSNP.DLL]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NMNfsClient\NetworkProvider]
"ProviderPath"=-

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\PwdProvider\NMNfsClient]
"ProviderPath"=-


3. Locate fixme.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer Yes and wait for a message to appear similar to Merged Successfully.

4. Reboot your computer.

3. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren
  • 0

#15
willyg
Posted 16 October 2005 - 05:00 PM

willyg

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
Hi Trevuren,
Followed your instructions to fix the registry, rebooted (no more error msg about nfsnp :tazz: ), and produced the new HJT log below. It certainly looks like the old PC is healthy again.

Bill

Logfile of HijackThis v1.99.1
Scan saved at 6:46:52 PM, on 10/16/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\HP CD-WRITER\MMENU\HPCDTRAY.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\PRINTKEY20.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\DMI\BIN\DNAR.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nationalgeographic.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nationalgeographic.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.att.com:8000;ftp=proxy.att.com:8000;https=proxy.att.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *att.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -off
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [DMILDR] C:\DMI\bin\dmildr.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: PrintKey20.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: Win32 Classes - file://C:\WINDOWS\Java\classes\win32ie4.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156...r/axscanner.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zone...ctor/WebSWK.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP