Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

GENERALLY SCREWED UP

Started by DR04 , Mar 06 2005 08:31 PM

  • Please log in to reply

#61
DR04
Posted 21 April 2005 - 05:55 AM

DR04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 57 posts
Efwis,

Can do, but will have to wait until tonight (that work thing again). Unless you say differently, I'll remain connected to the internet while run the applications, too.

Have a great day :tazz: ,
DR04
  • 0

Advertisements

#62
Dragon
Posted 21 April 2005 - 05:58 AM

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,682 posts
you can stay hooked up. sorry I didn't reply lastnight, was out until late. I understand the work thing, I do that from home
  • 0

#63
DR04
Posted 22 April 2005 - 05:14 AM

DR04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 57 posts
Efwis,

Still just close. Downloaded and ran refix2. After rebooting and before I could run HJT, the Win98se folder popped up on my desktop. Closed that and ran the HJT options you instructed. While running FindIt, got three (3) pop-up windows:

1. http://64.192.131.14...7upV2?query=ron
2. loadingwebsite.com
3. adopt.hotbar.com
4. http://www.loadingwe...rmal/yyy23.html (this came up while writing this log entry)
5. Miami Real-Estate (this came up while writing this log entry - full screen with no address bar at the top)

Anyway, here are the HJT and FindIt logs you requested:

StartupList report, 4/22/05, 6:32:28 AM
StartupList version: 1.52.2
Started from : C:\DOWNLOAD\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\NMSSVC.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\DOWNLOAD\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Brother SmartUI PopUp.lnk = C:\WINDOWS\SYSTEM\SYSAGENT.EXE

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
EnsoniqMixer = C:\WINDOWS\starter.exe
Adaptec DirectCD = C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
IndexSearch = C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
SetDefPrt = C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
MMTray = C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
vptray = C:\PROGRA~1\NORTON~1\vptray.exe
CreateCD = C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

NMSSvc = C:\WINDOWS\SYSTEM\NMSSVC.EXE
Machine Debug Manager = C:\WINDOWS\SYSTEM\MDM.EXE
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
rtvscn95 = C:\PROGRA~1\NORTON~1\rtvscn95.exe
defwatch = C:\PROGRA~1\NORTON~1\defwatch.exe
SchedulingAgent = mstask.exe
KB891711 = C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[SetupcPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection SetupcPerUser 64 C:\WINDOWS\INF\setupc.inf

[AppletsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 C:\WINDOWS\INF\applets.inf

[FontsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 C:\WINDOWS\INF\fonts.inf

[{5A8D6EE0-3E18-11D0-821E-444553540000}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\icw.inf,PerUserStub,,36

[PerUser_ICW_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 C:\WINDOWS\INF\icw97.inf

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\SYSTEM\ie4uinit.inf,Shell.UserStub,,36

[>PerUser_MSN_Clean] *
StubPath = C:\WINDOWS\msnmgsr1.exe

[{CA0A4247-44BE-11d1-A005-00805F8ABE06}] *
StubPath = RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

[PerUser_Msinfo] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 C:\WINDOWS\INF\msinfo.inf

[PerUser_Msinfo2] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 C:\WINDOWS\INF\msinfo.inf

[MotownMmsysPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 C:\WINDOWS\INF\motown.inf

[MotownAvivideoPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 C:\WINDOWS\INF\motown.inf

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplay98.inf,PerUserStub

[MotownMPlayPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 C:\WINDOWS\INF\mplay98.inf

[PerUser_Base] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 C:\WINDOWS\INF\msmail.inf

[ShellPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 C:\WINDOWS\INF\shell.inf

[Shell2PerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 C:\WINDOWS\INF\shell2.inf

[PerUser_winbase_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 C:\WINDOWS\INF\subase.inf

[PerUser_winapps_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 C:\WINDOWS\INF\subase.inf

[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

[TapiPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 C:\WINDOWS\INF\tapi.inf

[{73fa19d0-2d75-11d2-995d-00c04f98bbc9}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\webfdr16.inf,PerUserStub.Install,1

[PerUserOldLinks] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 C:\WINDOWS\INF\appletpp.inf

[MmoptRegisterPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 C:\WINDOWS\INF\mmopt.inf

[OlsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsMsnPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 C:\WINDOWS\INF\ols.inf

[PerUser_Paint_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 C:\WINDOWS\INF\applets.inf

[PerUser_Calc_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 C:\WINDOWS\INF\applets.inf

[PerUser_CVT_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf

[MotownRecPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 C:\WINDOWS\INF\motown.inf

[PerUser_Vol] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 C:\WINDOWS\INF\motown.inf

[PerUser_MSWordPad_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 C:\WINDOWS\INF\wordpad.inf

[PerUser_RNA_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 C:\WINDOWS\INF\rna.inf

[PerUser_Dialer_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 C:\WINDOWS\INF\appletpp.inf

[PerUser_CDPlayer_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 C:\WINDOWS\INF\mmopt.inf

[{44BBA842-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.W95

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[OlsAolPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsAttPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsCompuservePerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsCompuservePerUser 64 C:\WINDOWS\INF\ols.inf

[OlsProdigyPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUser 64 C:\WINDOWS\INF\ols.inf

[NetservrPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection NetservrPerUser 64 C:\WINDOWS\INF\netservr.inf

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,PerUserStub

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserRemove

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\SYSTEM\Rundll32.exe C:\WINDOWS\SYSTEM\mscories.dll,Install

[PerUser_Wingames_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Inis 64 C:\WINDOWS\INF\appletpp.inf

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[PerUser_DCC_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_DCC_Inis 64 C:\WINDOWS\INF\rna.inf

[e2f574c0-746b-11d9-87f4-00a0c9e4fda2] *
StubPath = C:\WINDOWS\rdxrncm.exe

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\3DTEXT~1.SCR
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.INI listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 22/4/2005, 6:29:30)

[rename]
NUL=C:\WINDOWS\SYSTEM\BVWEBINS.DLL

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

*File not found*

--------------------------------------------------

C:\CONFIG.SYS listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:


--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

*No BHO's found*

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso4.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\SYSTEM\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Internet Explorer Classes for Java]
CODEBASE = file://C:\WINDOWS\SYSTEM\iejava.cab
OSD = C:\WINDOWS\Downloaded Program Files\Internet Explorer Classes for Java.osd

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macr...ash/swflash.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupd...B?37978.6034375

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macr...director/sw.cab

[iTunesDetector Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ITDETECTOR.OCX
CODEBASE = http://ax.phobos.app.../ITDetector.cab

[{32564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros...i386/wmv8ax.cab

[GDIChk Object]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\GDICHK.DLL
CODEBASE = http://www.microsoft...DI/0/GDIChk.CAB

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[{31564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros.../i386/wmvax.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\OPUC.DLL
CODEBASE = http://office.micros...ontent/opuc.cab

[PopCapLoader Object]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\POPCAPLOADER.DLL
CODEBASE = http://www.popcap.co...aploader_v6.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai...all/xscan53.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
CODEBASE = http://www.pandasoft.../as5/asinst.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\SYSTEM\rnr20.dll
Protocol #1: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #2: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #3: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #4: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #5: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #6: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #7: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #8: C:\WINDOWS\SYSTEM\rsvpsp.dll
Protocol #9: C:\WINDOWS\SYSTEM\rsvpsp.dll

--------------------------------------------------

Enumerating Win9x VxD services:

VNETSUP: vnetsup.vxd
NDIS: ndis.vxd,ndis2sup.vxd
JAVASUP: JAVASUP.VXD
CONFIGMG: *CONFIGMG
NTKern: *NTKERN
VWIN32: *VWIN32
VFBACKUP: *VFBACKUP
VCOMM: *VCOMM
COMBUFF: *COMBUFF
IFSMGR: *IFSMGR
IOS: *IOS
MTRR: *mtrr
SPOOLER: *SPOOLER
UDF: *UDF
VFAT: *VFAT
VCACHE: *VCACHE
VCOND: *VCOND
VCDFSD: *VCDFSD
VXDLDR: *VXDLDR
VDEF: *VDEF
VPICD: *VPICD
VTD: *VTD
REBOOT: *REBOOT
VDMAD: *VDMAD
VSD: *VSD
V86MMGR: *V86MMGR
PAGESWAP: *PAGESWAP
DOSMGR: *DOSMGR
VMPOLL: *VMPOLL
SHELL: *SHELL
PARITY: *PARITY
BIOSXLAT: *BIOSXLAT
VMCPD: *VMCPD
VTDAPI: *VTDAPI
PERF: *PERF
VRTWD: C:\WINDOWS\SYSTEM\vrtwd.386
VFIXD: C:\WINDOWS\SYSTEM\vfixd.vxd
VNETBIOS: vnetbios.vxd
VREDIR: vredir.vxd
DFS: dfs.vxd
NWLink: nwlink.vxd
VSERVER: vserver.vxd
ASPIENUM: ASPIENUM.VXD

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 23,271 bytes
Report generated in 0.295 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
***********************************************

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C is WIN98SE
Volume Serial Number is 2029-12F4
Directory of C:\WINDOWS\SYSTEM

VW4EN16 DLL 227,104 03-16-05 7:06a VW4EN16.DLL
OSETHK32 DLL 227,104 03-16-05 7:06a OSETHK32.DLL
VHR DLL 227,104 03-16-05 7:06a VHR.DLL
OJFIL400 DLL 227,104 03-16-05 7:06a OJFIL400.DLL
DGCPROP DLL 227,104 03-16-05 7:06a DGCPROP.DLL
IDM32 DLL 227,104 03-16-05 7:06a IDM32.DLL
OUECNV32 DLL 227,104 03-16-05 7:06a OUECNV32.DLL
JRAW400 DLL 227,104 03-16-05 7:06a jraw400.dll
MUMP3WAV DLL 227,104 03-16-05 7:06a mump3wav.dll
UHP10 DLL 227,104 03-16-05 7:06a uhp10.dll
MLJETO~1 DLL 227,104 03-16-05 7:06a mljetoledb40.dll
VBHELPER DLL 227,104 03-16-05 7:06a VBHELPER.DLL
WOICORE DLL 227,104 03-16-05 7:06a WOICORE.DLL
CPTDLL DLL 227,104 03-16-05 7:06a CPTDLL.DLL
PSBDLG DLL 227,104 03-16-05 7:06a PSBDLG.DLL
FISRCH DLL 227,104 03-16-05 7:06a FISRCH.DLL
ID50_QC DLL 227,104 03-16-05 7:06a Id50_qc.dll
TND32 DLL 227,104 03-16-05 7:06a TND32.DLL
SDLWOA DLL 227,104 03-16-05 7:06a SDLWOA.DLL
MXCPXL32 DLL 227,104 03-16-05 7:06a MXCPXL32.DLL
MZACM DLL 227,104 03-16-05 7:06a MZACM.DLL
MQC42ENU DLL 227,104 03-16-05 7:06a MQC42ENU.DLL
RVAUI DLL 227,104 03-16-05 7:06a RVAUI.DLL
MWAFD DLL 227,104 03-16-05 7:06a MWAFD.DLL
MZCRLREV DLL 227,104 03-16-05 7:06a mzcrlrev.dll
VGR DLL 227,104 03-16-05 7:06a VGR.DLL
NIS DLL 227,104 03-16-05 7:06a NIS.DLL
SKSCRAP DLL 227,104 03-16-05 7:06a SKSCRAP.DLL
SCLSTR DLL 227,104 03-16-05 7:06a SCLSTR.DLL
TED32 DLL 227,104 03-16-05 7:06a TED32.DLL
SREM0409 DLL 227,104 03-16-05 7:06a SREM0409.DLL
NOS DLL 227,104 03-16-05 7:06a NOS.DLL
MHSTDFMT DLL 227,104 03-16-05 7:06a MHSTDFMT.DLL
SHSTHUNK DLL 227,104 03-16-05 7:06a SHSTHUNK.DLL
MFYUV DLL 227,104 03-16-05 7:06a mfyuv.dll
BGMFUSB DLL 227,104 03-16-05 7:06a BgmfUSB.dll
MDAFD DLL 227,104 03-16-05 7:06a MDAFD.DLL
JOMP500 DLL 227,104 03-16-05 7:06a JOMP500.DLL
BANDFILE DLL 227,104 03-16-05 7:06a BANDFILE.DLL
AASTREAM DLL 227,104 03-16-05 7:06a AASTREAM.DLL
DXIMAN32 DLL 227,104 03-16-05 7:06a DXIMAN32.DLL
JFVALE DLL 227,104 03-16-05 7:06a JFVALE.DLL
IDDKCS32 DLL 227,104 03-16-05 7:06a IDDKCS32.DLL
POUSTAB DLL 227,104 03-16-05 7:06a POUSTAB.DLL
SXLWOA DLL 227,104 03-16-05 7:06a SXLWOA.DLL
CQRESRC DLL 227,104 03-16-05 7:06a CQRESRC.DLL
MRBRKR12 DLL 227,104 03-16-05 7:06a MRBRKR12.DLL
OJE2NLS DLL 227,104 03-16-05 7:06a OJE2NLS.DLL
VXODCTL DLL 227,104 03-16-05 7:06a VXODCTL.DLL
DXNDI DLL 227,104 03-16-05 7:06a DXNDI.DLL
IK509CLS DLL 227,104 03-16-05 7:06a IK509CLS.DLL
BXWEBINS DLL 227,104 03-16-05 7:06a BxWebIns.dll
AVDENC32 DLL 227,104 03-16-05 7:06a AVDENC32.DLL
ONECNV32 DLL 227,104 03-16-05 7:06a ONECNV32.DLL
TZBINF32 DLL 227,104 03-16-05 7:06a TZBINF32.DLL
WFLSOF32 DLL 227,104 03-16-05 7:06a Wflsof32.dll
MZAFD DLL 227,104 03-16-05 7:06a MZAFD.DLL
DYDXOF DLL 227,104 03-16-05 7:06a DYDXOF.DLL
ACFERROR DLL 227,104 03-16-05 7:06a acferror.dll
IDCTL DLL 227,104 03-16-05 7:06a idctl.dll
MCPCIC DLL 227,104 03-16-05 7:06a MCPCIC.DLL
MLAFD DLL 227,104 03-16-05 7:06a MLAFD.DLL
OQBC32GT DLL 227,104 03-16-05 7:06a OQBC32GT.DLL
CWRESRC DLL 227,104 03-16-05 7:06a CWRESRC.DLL
MPCMS DLL 227,104 03-16-05 7:06a MPCMS.DLL
RYR20 DLL 227,104 03-16-05 7:06a RYR20.DLL
NMDLL DLL 227,104 03-16-05 7:06a NMDLL.DLL
PBS DLL 227,104 03-16-05 7:06a pbs.dll
SCORAGE DLL 227,104 03-16-05 7:06a SCORAGE.DLL
RZCHED DLL 227,104 03-16-05 7:06a RZCHED.DLL
DINADDR DLL 227,104 03-16-05 7:06a dinaddr.dll
ITONLIB DLL 227,104 03-16-05 7:06a ITONLIB.DLL
IP1CM DLL 227,104 03-16-05 7:06a IP1cm.dll
PEUSTAB DLL 227,104 03-16-05 7:06a PEUSTAB.DLL
MFACM DLL 227,104 03-16-05 7:06a MFACM.DLL
OHFOX32 DLL 227,104 03-16-05 7:06a OHFOX32.DLL
JDT DLL 227,104 03-16-05 7:06a JDT.DLL
RXCLTC6 DLL 227,104 03-16-05 7:06a RXCLTC6.DLL
MFAWT DLL 227,104 03-16-05 7:06a MFAWT.DLL
RHVPSP DLL 227,104 03-16-05 7:06a RHVPSP.DLL
IFCFGDLL DLL 227,104 03-16-05 7:06a IFCFGDLL.DLL
JMID500 DLL 227,104 03-16-05 7:06a JMID500.DLL
RUAUI DLL 227,104 03-15-05 3:33p RUAUI.DLL
LEME_ENC DLL 227,104 03-15-05 3:33p lEme_enc.dll
MMGSYS DLL 227,104 03-15-05 3:33p MMGSYS.DLL
MMMIXMGR DLL 227,104 03-15-05 3:33p MMMIXMGR.DLL
MKIMRT16 DLL 227,104 03-08-05 5:32p MKIMRT16.DLL
MFOSS DLL 227,104 03-08-05 5:32p MFOSS.DLL
QSSNAME DLL 227,104 03-08-05 5:32p QSSNAME.DLL
PIGFILT DLL 227,104 03-08-05 5:32p pigfilt.dll
REAUI DLL 227,104 03-08-05 5:32p REAUI.DLL
MZVCIRT DLL 227,104 03-08-05 5:32p mzvcirt.dll
NERSNL DLL 227,104 03-08-05 5:32p NERSNL.DLL
IPSENG DLL 227,104 03-08-05 2:31p IPSENG.DLL
AXRIP DLL 227,104 03-08-05 2:31p axrip.dll
VYW4 EXE 254,038 12-06-04 5:34p Vyw4.exe
SND2C EXE 254,038 12-06-04 5:34p Snd2C.exe
97 file(s) 22,082,956 bytes
0 dir(s) 9,423.34 MB free

------- Hidden Files in System Directory -------


Volume in drive C is WIN98SE
Volume Serial Number is 2029-12F4
Directory of C:\WINDOWS\SYSTEM

NSVSVC <DIR> 04-16-05 3:52p nsvsvc
FOLDER HTT 13,122 03-26-05 11:58a folder.htt
DESKTOP INI 266 03-26-05 11:58a desktop.ini
PROSETP GID 24,200 03-26-05 9:15a PROSETP.GID
PICSVR <DIR> 03-25-05 8:51p picsvr
VMSS <DIR> 03-06-05 6:30p vmss
VYW4 EXE 254,038 12-06-04 5:34p Vyw4.exe
SND2C EXE 254,038 12-06-04 5:34p Snd2C.exe
VX0 NLS 8,192 11-01-04 7:47p VX0.NLS
6 file(s) 553,856 bytes
3 dir(s) 9,423.33 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{305938A1-9132-56EB-379D-BFFE055C0FC5}"=""

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
vw4en16.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
osethk32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
vhr.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
ojfil400.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
dgcprop.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
folder.htt Sat Mar 26 2005 11:58:40a ...H. 13,122 12.81 K
idm32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
desktop.ini Sat Mar 26 2005 11:58:40a ...H. 266 0.26 K
ouecnv32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
jraw400.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mump3wav.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
uhp10.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mljeto~1.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
prosetp.gid Sat Mar 26 2005 9:15:36a A..H. 24,200 23.63 K
vbhelper.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
woicore.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
cptdll.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
psbdlg.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
fisrch.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
id50_qc.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
tnd32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
sdlwoa.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
ipseng.dll Tue Mar 8 2005 2:31:12p ..S.R 227,104 221.78 K
mkimrt16.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
mfoss.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
qssname.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
pigfilt.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
reaui.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
axrip.dll Tue Mar 8 2005 2:31:12p ..S.R 227,104 221.78 K
ruaui.dll Tue Mar 15 2005 3:33:46p ..S.R 227,104 221.78 K
mzvcirt.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
leme_enc.dll Tue Mar 15 2005 3:33:46p ..S.R 227,104 221.78 K
mmgsys.dll Tue Mar 15 2005 3:33:46p ..S.R 227,104 221.78 K
mmmixmgr.dll Tue Mar 15 2005 3:33:46p ..S.R 227,104 221.78 K
mxcpxl32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mzacm.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
nersnl.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
mqc42enu.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
rvaui.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mwafd.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mzcrlrev.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
vgr.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
nis.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
skscrap.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
sclstr.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
ted32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
srem0409.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
nos.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mhstdfmt.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
shsthunk.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mfyuv.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
bgmfusb.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mdafd.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
jomp500.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
bandfile.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
aastream.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
dximan32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
jfvale.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
iddkcs32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
poustab.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
sxlwoa.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
cqresrc.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mrbrkr12.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
oje2nls.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
vxodctl.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
dxndi.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
ik509cls.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
bxwebins.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
avdenc32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
onecnv32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
tzbinf32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
wflsof32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mzafd.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
dydxof.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
acferror.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
idctl.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mcpcic.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mlafd.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
oqbc32gt.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
cwresrc.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mpcms.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
ryr20.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
nmdll.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
pbs.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
scorage.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
rzched.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
dinaddr.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
itonlib.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
ip1cm.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
peustab.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mfacm.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
ohfox32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
jdt.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
rxcltc6.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mfawt.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
rhvpsp.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
ifcfgdll.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
jmid500.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K

98 items found: 98 files, 0 directories.
Total of file sizes: 21,612,468 bytes 20.61 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.A
C:\WINDOWS\lpt$vpn.518: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.518: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.518: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.518: TROJ_QOOLOGIC.A
C:\WINDOWS\unadbeh.exe: c:\Projects\Gozo\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\hmrho.dll: excl_urls=photobucket.com,c1.zedo.com,media.deskwizz.com,stats.eblocs.com,passportimages.com,banners.searchingbooth.com,ads234.com,click2.containsitall.com,media.fastclick.net,sandboxer.com,a.websponsors.com,ads.clickagents.com,trk.bestmagsdirect.com,toprebates.com,ad.doubleclick.net,as.casalemedia.com,m3.doubleclick.net,dw.dailywinner.net,img2.mailpostdirect.com,bv.channel.aol.com,adlog2.lzio.com,host239.ipowerweb.com,popups.ad-logics.com,clickserve.cc-dt.com,hits.clickandtrack.net,ads.mydailyhoroscope.net,c5.zedo.com,affiliates.4lowrates.com,couponage.com,ekmas.com,creativeby.viewpoint.com,mydailyhoroscope.net,images.trafficmp.com,actualdeals.com,download.websearch.com,aim-charts.pf.aol.com,aol.com,target.com,yahoo.com,microsoft.com,anrdoezrs.net,isg05.casalemedia.com,jbigpops.cjt1.net,whenusearch.com,trk.pcsecurityshield.com,license.hotbar.com,web.icq.com,sc.musicmatch.com,comcast.net,filter.belkin.com,clickit.go2net.com,adverts.lzio.com,windowsupdate.microsoft.com,v4.windowsupdate.microsoft.com,odysseusmarketing.com,join1.winhundred.com,advert.runescape.com,top-banners.com,sr.websearch.com,messenger.msn.com,download.abetterinternet.com,adserv.internetfuel.com,pops.browseraid.com,banners.pennyweb.com,tv.180solutions.com,s.clkoptimizer.com,adserv1.gruvmedia.com,cdn.icq.com,messenger.zango.com,smileycentral.com,wwp.icq.com,web.tickle.com,isapi60.weatherbug.com,websearch.com,hop.clickbank.net,media76.fastclick.net,mmm.media-motor.net,rightmedia.net,bannerserver.gator.com,www4.yesadvertising.com,ww2.weatherbug.com,servedby.advertising.com,adsrv.qoologic.com,games.yahoo.com,weatherbug.com,jicmedia.cjt1.net,ad.trafficmp.com,updates.qoologic.com,ads1.revenue.net,ar.atwola.com,ads.addynamix.com,wisapidata.weatherbug.com,popuppers.com,as.adwave.com,look2me.com,jbns2.cydoor.com,bannerfarm.ace.advertising.com,delfinproject.com,view.atdmt.com,mm.delfinproject.com,download.smileycentral.com,xadso.offeroptimizer.com,webpdp.gator.com,ayb.lop.com,stopzilla.com,pgq.yahoo.com,jmnad1.com,topicks.com,e.rn11.com,focusin.ads.targetnet.com,insider.msg.yahoo.com,m2.doubleclick.net,mail.yahoo.com,jcontent.bns1.net,ctl.twain-tech.com,master.mx-targeting.com,hotmail.com,searcheffect.com,ads.delfinproject.com,cfg.mywebsearch.com,akapp.whenu.com,newupdates.lzio.com,allaboutsearching.com,amch.questionmarket.com,adfarm.mediaplex.com,hotmail.msn.com,by.optimost.com,cdn-cf.aol.com,paypopup.com,popuptraffic.com,xadsq.offeroptimizer.com,jnictech.cjt1.net,xanga.com,count.exitexchange.com,servedby.adscpm.com,search200.com,cdn-aimtoday.aol.com,kill-pop-ups.com,us.update.companion.yahoo.com,qksrv.net,clickspring.net,xlime.offeroptimizer.com,sr.adwave.com,zone.msn.com,radio.launch.yahoo.com,ads.bidclix.com,counters.honesty.com,oz.valueclick.com,i.emarketresearchgroup.com,ads2.revenue.net,popup.msn.com,adsv2.delfinproject.com,u.clkoptimizer.com,ezula.com,server.iad.liveperson.net,loadingwebsite.com,pan-advert.com,t.trafficmp.com,clicktrk.com,aaabesthomepage.com,ads.exitexchange.com,us.a1.yimg.com,trafficmp.com,yimg.com,a.as-us.falkag.net,a1.yimg.com,z1.adserver.com,falkag.net,as-us.falkag.net,loginnet.passport.com,ads.inet1.com,pagead2.googlesyndication.com,login.passport.net,v8.alwaysupdatednews.com,adv.eblocs.com,alwaysupdatednews.com,fxfeeds.mozilla.org,cdn.aim.com,ar.atwola.com,c4.maxserving.com,maxserving.com,mediaplex.com,altfarm.mediaplex.com,topmoxie.com,global.msads.net,msads.net,banner.goldenpalace.com,goldenpalace.com,us.i1.yimg.com,cdn.comcast.net,us.yimg.com,us.js1.yimg.com,js1.yimg.com,switch.atdmt.com,atdmt.com,update32.searchmiracle.com,onemoresearch.net,
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\pav.sig: AsPack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"EnsoniqMixer"="C:\\WINDOWS\\starter.exe"
"Adaptec DirectCD"="C:\\PROGRA~1\\ADAPTEC\\DIRECTCD\\DIRECTCD.EXE"
"IndexSearch"="C:\\Program Files\\Scansoft\\PaperPort\\IndexSearch.exe"
"SetDefPrt"="C:\\Program Files\\Brother\\Brmfl03a\\BrStDvPt.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"MMTray"="C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe"
"vptray"="C:\\PROGRA~1\\NORTON~1\\vptray.exe"
"CreateCD"="C:\\PROGRA~1\\ADAPTEC\\EASYCD~1\\CREATECD\\CREATECD.EXE -r"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"



Again, other than the pop-ups, my system appears to be running much better than before (faster, that is). What next? By the way, what is the significance of "Efwis"? Did a Google search, but first few pages all related to your work providing advice on removing malware. Was hoping to find something that might relate to your dragon icon, but no joy. You don't really have to answer that, just curious. :tazz:

Have a good day,
DR04
  • 0

#64
Dragon
Posted 22 April 2005 - 05:50 AM

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,682 posts
hi DR04,


could you please find this file, zip it up and then submit it here after it has been investigated I will post a reply.

C:\WINDOWS\rdxrncm.exe

As for the Efwis thing, I don't mind telling you what the significance is. While I was living in Wisconsin, I needed a new screen name, as usual all the good ones were taken, so I created it using my initals and then tacking wis on the end for Wisconsin. As for the Dragon. Well, I am a huge fan of Dragons, wizardry, and the like.
I also right books as a hobby, have one I'm currently looking for a publisher that would be interested in publishing it. Anyway, the dragon Efwis will be making an appearance in my next book I write. :tazz:

Edited by Efwis, 22 April 2005 - 05:52 AM.

  • 0

#65
DR04
Posted 22 April 2005 - 08:55 AM

DR04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 57 posts
Efwis,

Will do that tonight when I get home.

Makes sense to me. What kind of books?

Have a good day!
DR
  • 0

#66
Dragon
Posted 22 April 2005 - 09:45 AM

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,682 posts
mostly sci-fi, I dabble a little in fantasy but not much, I like to read a lot of it though.
  • 0

#67
Dragon
Posted 23 April 2005 - 05:31 AM

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,682 posts
hi DR04,

I think we may have found it, but I need to be sure, could you post a regular hijack this log for a final review.
After that find that file again and delete it. This is what it is:

The file rdxrncm.zip: Trojan horse Downloader.Small.33.BL.

then post another startup log and hijack this log afterwards, and tell me how your system is running.
  • 0

#68
DR04
Posted 23 April 2005 - 06:24 AM

DR04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 57 posts
Efwis,

I've deleted the rdxrncm.zip file. Am I supposed to delete the rdxrncm.exe file, too? There is also a file name rdxrncm.lgc in the C:\WINDOWS\APPLOG directory. Should I delete that, too? Won't run the startlog and new HJT until you let me know about those two files. Also, it's been my experience that I can't always delete an .exe file because it is 'in use'. If I get that msg when I try to delete it, what do you suggest?

Here's the regular HJT. Let me know about the above. Have a good one.
DR04

Logfile of HijackThis v1.99.1
Scan saved at 8:20:30 AM, on 4/23/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\NMSSVC.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\DOWNLOAD\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [NMSSvc] C:\WINDOWS\SYSTEM\NMSSVC.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\NORTON~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~1\defwatch.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Brother SmartUI PopUp.lnk = C:\WINDOWS\SYSTEM\SYSAGENT.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
  • 0

#69
Dragon
Posted 23 April 2005 - 06:32 AM

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,682 posts
delete all files that are listed as rdxrncm. From what I am seeing my suspicions are correct. This file does not show up in your regular hijack This log.

if you get the message that you can't delete the file becasue it is in use, reboot into safe mode and try. If that still doesn't work then download the free trial of http://www.misec.net...rojanHunter.exe

this will disable the program and remove it. you can do that in Normal Mode.
  • 0

#70
DR04
Posted 23 April 2005 - 08:07 AM

DR04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 57 posts
Efwis,

OK. Deleted both occurrences of the filename. Ran HJT startlog after running the regular HJT (both posted below). Also ran FindIt just for the heck of it (also posted below). I got one pop-up while FindIt was running, but that may be due to the fact that I didn't reboot after deleting the files (you tell me). Anyway, here are the logs:

StartupList report, 4/23/05, 9:32:35 AM
StartupList version: 1.52.2
Started from : C:\DOWNLOAD\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\NMSSVC.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\DOWNLOAD\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Brother SmartUI PopUp.lnk = C:\WINDOWS\SYSTEM\SYSAGENT.EXE

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
EnsoniqMixer = C:\WINDOWS\starter.exe
Adaptec DirectCD = C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
IndexSearch = C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
SetDefPrt = C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
MMTray = C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
vptray = C:\PROGRA~1\NORTON~1\vptray.exe
CreateCD = C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

NMSSvc = C:\WINDOWS\SYSTEM\NMSSVC.EXE
Machine Debug Manager = C:\WINDOWS\SYSTEM\MDM.EXE
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
rtvscn95 = C:\PROGRA~1\NORTON~1\rtvscn95.exe
defwatch = C:\PROGRA~1\NORTON~1\defwatch.exe
SchedulingAgent = mstask.exe
KB891711 = C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[SetupcPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection SetupcPerUser 64 C:\WINDOWS\INF\setupc.inf

[AppletsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 C:\WINDOWS\INF\applets.inf

[FontsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 C:\WINDOWS\INF\fonts.inf

[{5A8D6EE0-3E18-11D0-821E-444553540000}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\icw.inf,PerUserStub,,36

[PerUser_ICW_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 C:\WINDOWS\INF\icw97.inf

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\SYSTEM\ie4uinit.inf,Shell.UserStub,,36

[>PerUser_MSN_Clean] *
StubPath = C:\WINDOWS\msnmgsr1.exe

[{CA0A4247-44BE-11d1-A005-00805F8ABE06}] *
StubPath = RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

[PerUser_Msinfo] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 C:\WINDOWS\INF\msinfo.inf

[PerUser_Msinfo2] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 C:\WINDOWS\INF\msinfo.inf

[MotownMmsysPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 C:\WINDOWS\INF\motown.inf

[MotownAvivideoPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 C:\WINDOWS\INF\motown.inf

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplay98.inf,PerUserStub

[MotownMPlayPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 C:\WINDOWS\INF\mplay98.inf

[PerUser_Base] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 C:\WINDOWS\INF\msmail.inf

[ShellPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 C:\WINDOWS\INF\shell.inf

[Shell2PerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 C:\WINDOWS\INF\shell2.inf

[PerUser_winbase_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 C:\WINDOWS\INF\subase.inf

[PerUser_winapps_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 C:\WINDOWS\INF\subase.inf

[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

[TapiPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 C:\WINDOWS\INF\tapi.inf

[{73fa19d0-2d75-11d2-995d-00c04f98bbc9}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\webfdr16.inf,PerUserStub.Install,1

[PerUserOldLinks] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 C:\WINDOWS\INF\appletpp.inf

[MmoptRegisterPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 C:\WINDOWS\INF\mmopt.inf

[OlsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsMsnPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 C:\WINDOWS\INF\ols.inf

[PerUser_Paint_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 C:\WINDOWS\INF\applets.inf

[PerUser_Calc_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 C:\WINDOWS\INF\applets.inf

[PerUser_CVT_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf

[MotownRecPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 C:\WINDOWS\INF\motown.inf

[PerUser_Vol] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 C:\WINDOWS\INF\motown.inf

[PerUser_MSWordPad_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 C:\WINDOWS\INF\wordpad.inf

[PerUser_RNA_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 C:\WINDOWS\INF\rna.inf

[PerUser_Dialer_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 C:\WINDOWS\INF\appletpp.inf

[PerUser_CDPlayer_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 C:\WINDOWS\INF\mmopt.inf

[{44BBA842-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.W95

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[OlsAolPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsAttPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsCompuservePerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsCompuservePerUser 64 C:\WINDOWS\INF\ols.inf

[OlsProdigyPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUser 64 C:\WINDOWS\INF\ols.inf

[NetservrPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection NetservrPerUser 64 C:\WINDOWS\INF\netservr.inf

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,PerUserStub

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserRemove

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\SYSTEM\Rundll32.exe C:\WINDOWS\SYSTEM\mscories.dll,Install

[PerUser_Wingames_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Inis 64 C:\WINDOWS\INF\appletpp.inf

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[PerUser_DCC_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_DCC_Inis 64 C:\WINDOWS\INF\rna.inf

[e2f574c0-746b-11d9-87f4-00a0c9e4fda2] *
StubPath = C:\WINDOWS\rdxrncm.exe

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\3DTEXT~1.SCR
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.INI listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 23/4/2005, 3:45:12)

[rename]
NUL=C:\WINDOWS\SYSTEM\OME2DISP.DLL

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

*File not found*

--------------------------------------------------

C:\CONFIG.SYS listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:


--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

*No BHO's found*

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso4.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\SYSTEM\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Internet Explorer Classes for Java]
CODEBASE = file://C:\WINDOWS\SYSTEM\iejava.cab
OSD = C:\WINDOWS\Downloaded Program Files\Internet Explorer Classes for Java.osd

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macr...ash/swflash.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupd...B?37978.6034375

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macr...director/sw.cab

[iTunesDetector Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ITDETECTOR.OCX
CODEBASE = http://ax.phobos.app.../ITDetector.cab

[{32564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros...i386/wmv8ax.cab

[GDIChk Object]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\GDICHK.DLL
CODEBASE = http://www.microsoft...DI/0/GDIChk.CAB

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[{31564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros.../i386/wmvax.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\OPUC.DLL
CODEBASE = http://office.micros...ontent/opuc.cab

[PopCapLoader Object]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\POPCAPLOADER.DLL
CODEBASE = http://www.popcap.co...aploader_v6.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai...all/xscan53.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
CODEBASE = http://www.pandasoft.../as5/asinst.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\SYSTEM\rnr20.dll
Protocol #1: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #2: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #3: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #4: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #5: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #6: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #7: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #8: C:\WINDOWS\SYSTEM\rsvpsp.dll
Protocol #9: C:\WINDOWS\SYSTEM\rsvpsp.dll

--------------------------------------------------

Enumerating Win9x VxD services:

VNETSUP: vnetsup.vxd
NDIS: ndis.vxd,ndis2sup.vxd
JAVASUP: JAVASUP.VXD
CONFIGMG: *CONFIGMG
NTKern: *NTKERN
VWIN32: *VWIN32
VFBACKUP: *VFBACKUP
VCOMM: *VCOMM
COMBUFF: *COMBUFF
IFSMGR: *IFSMGR
IOS: *IOS
MTRR: *mtrr
SPOOLER: *SPOOLER
UDF: *UDF
VFAT: *VFAT
VCACHE: *VCACHE
VCOND: *VCOND
VCDFSD: *VCDFSD
VXDLDR: *VXDLDR
VDEF: *VDEF
VPICD: *VPICD
VTD: *VTD
REBOOT: *REBOOT
VDMAD: *VDMAD
VSD: *VSD
V86MMGR: *V86MMGR
PAGESWAP: *PAGESWAP
DOSMGR: *DOSMGR
VMPOLL: *VMPOLL
SHELL: *SHELL
PARITY: *PARITY
BIOSXLAT: *BIOSXLAT
VMCPD: *VMCPD
VTDAPI: *VTDAPI
PERF: *PERF
VRTWD: C:\WINDOWS\SYSTEM\vrtwd.386
VFIXD: C:\WINDOWS\SYSTEM\vfixd.vxd
VNETBIOS: vnetbios.vxd
VREDIR: vredir.vxd
DFS: dfs.vxd
NWLink: nwlink.vxd
VSERVER: vserver.vxd
ASPIENUM: ASPIENUM.VXD

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 23,332 bytes
Report generated in 0.351 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Logfile of HijackThis v1.99.1
Scan saved at 9:33:23 AM, on 4/23/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\NMSSVC.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\DOWNLOAD\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [NMSSvc] C:\WINDOWS\SYSTEM\NMSSVC.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\NORTON~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~1\defwatch.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Brother SmartUI PopUp.lnk = C:\WINDOWS\SYSTEM\SYSAGENT.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C is WIN98SE
Volume Serial Number is 2029-12F4
Directory of C:\WINDOWS\SYSTEM

VW4EN16 DLL 227,104 03-16-05 7:06a VW4EN16.DLL
OSETHK32 DLL 227,104 03-16-05 7:06a OSETHK32.DLL
VHR DLL 227,104 03-16-05 7:06a VHR.DLL
OJFIL400 DLL 227,104 03-16-05 7:06a OJFIL400.DLL
DIRAW DLL 227,104 03-16-05 7:06a DIRAW.DLL
IDM32 DLL 227,104 03-16-05 7:06a IDM32.DLL
OUECNV32 DLL 227,104 03-16-05 7:06a OUECNV32.DLL
JRAW400 DLL 227,104 03-16-05 7:06a jraw400.dll
MUMP3WAV DLL 227,104 03-16-05 7:06a mump3wav.dll
UHP10 DLL 227,104 03-16-05 7:06a uhp10.dll
MLJETO~1 DLL 227,104 03-16-05 7:06a mljetoledb40.dll
VBHELPER DLL 227,104 03-16-05 7:06a VBHELPER.DLL
WOICORE DLL 227,104 03-16-05 7:06a WOICORE.DLL
CPTDLL DLL 227,104 03-16-05 7:06a CPTDLL.DLL
PSBDLG DLL 227,104 03-16-05 7:06a PSBDLG.DLL
FISRCH DLL 227,104 03-16-05 7:06a FISRCH.DLL
ID50_QC DLL 227,104 03-16-05 7:06a Id50_qc.dll
TND32 DLL 227,104 03-16-05 7:06a TND32.DLL
SDLWOA DLL 227,104 03-16-05 7:06a SDLWOA.DLL
MXCPXL32 DLL 227,104 03-16-05 7:06a MXCPXL32.DLL
MZACM DLL 227,104 03-16-05 7:06a MZACM.DLL
MQC42ENU DLL 227,104 03-16-05 7:06a MQC42ENU.DLL
RVAUI DLL 227,104 03-16-05 7:06a RVAUI.DLL
MWAFD DLL 227,104 03-16-05 7:06a MWAFD.DLL
MZCRLREV DLL 227,104 03-16-05 7:06a mzcrlrev.dll
VGR DLL 227,104 03-16-05 7:06a VGR.DLL
NIS DLL 227,104 03-16-05 7:06a NIS.DLL
SKSCRAP DLL 227,104 03-16-05 7:06a SKSCRAP.DLL
SCLSTR DLL 227,104 03-16-05 7:06a SCLSTR.DLL
TED32 DLL 227,104 03-16-05 7:06a TED32.DLL
SREM0409 DLL 227,104 03-16-05 7:06a SREM0409.DLL
NOS DLL 227,104 03-16-05 7:06a NOS.DLL
MHSTDFMT DLL 227,104 03-16-05 7:06a MHSTDFMT.DLL
SHSTHUNK DLL 227,104 03-16-05 7:06a SHSTHUNK.DLL
MFYUV DLL 227,104 03-16-05 7:06a mfyuv.dll
BGMFUSB DLL 227,104 03-16-05 7:06a BgmfUSB.dll
MDAFD DLL 227,104 03-16-05 7:06a MDAFD.DLL
JOMP500 DLL 227,104 03-16-05 7:06a JOMP500.DLL
BANDFILE DLL 227,104 03-16-05 7:06a BANDFILE.DLL
AASTREAM DLL 227,104 03-16-05 7:06a AASTREAM.DLL
DXIMAN32 DLL 227,104 03-16-05 7:06a DXIMAN32.DLL
JFVALE DLL 227,104 03-16-05 7:06a JFVALE.DLL
IDDKCS32 DLL 227,104 03-16-05 7:06a IDDKCS32.DLL
POUSTAB DLL 227,104 03-16-05 7:06a POUSTAB.DLL
SXLWOA DLL 227,104 03-16-05 7:06a SXLWOA.DLL
CQRESRC DLL 227,104 03-16-05 7:06a CQRESRC.DLL
MRBRKR12 DLL 227,104 03-16-05 7:06a MRBRKR12.DLL
OJE2NLS DLL 227,104 03-16-05 7:06a OJE2NLS.DLL
VXODCTL DLL 227,104 03-16-05 7:06a VXODCTL.DLL
DXNDI DLL 227,104 03-16-05 7:06a DXNDI.DLL
IK509CLS DLL 227,104 03-16-05 7:06a IK509CLS.DLL
BXWEBINS DLL 227,104 03-16-05 7:06a BxWebIns.dll
AVDENC32 DLL 227,104 03-16-05 7:06a AVDENC32.DLL
ONECNV32 DLL 227,104 03-16-05 7:06a ONECNV32.DLL
TZBINF32 DLL 227,104 03-16-05 7:06a TZBINF32.DLL
WFLSOF32 DLL 227,104 03-16-05 7:06a Wflsof32.dll
MZAFD DLL 227,104 03-16-05 7:06a MZAFD.DLL
DYDXOF DLL 227,104 03-16-05 7:06a DYDXOF.DLL
ACFERROR DLL 227,104 03-16-05 7:06a acferror.dll
IDCTL DLL 227,104 03-16-05 7:06a idctl.dll
MCPCIC DLL 227,104 03-16-05 7:06a MCPCIC.DLL
MLAFD DLL 227,104 03-16-05 7:06a MLAFD.DLL
OQBC32GT DLL 227,104 03-16-05 7:06a OQBC32GT.DLL
CWRESRC DLL 227,104 03-16-05 7:06a CWRESRC.DLL
MPCMS DLL 227,104 03-16-05 7:06a MPCMS.DLL
RYR20 DLL 227,104 03-16-05 7:06a RYR20.DLL
NMDLL DLL 227,104 03-16-05 7:06a NMDLL.DLL
PBS DLL 227,104 03-16-05 7:06a pbs.dll
SCORAGE DLL 227,104 03-16-05 7:06a SCORAGE.DLL
RZCHED DLL 227,104 03-16-05 7:06a RZCHED.DLL
DINADDR DLL 227,104 03-16-05 7:06a dinaddr.dll
ITONLIB DLL 227,104 03-16-05 7:06a ITONLIB.DLL
IP1CM DLL 227,104 03-16-05 7:06a IP1cm.dll
PEUSTAB DLL 227,104 03-16-05 7:06a PEUSTAB.DLL
MFACM DLL 227,104 03-16-05 7:06a MFACM.DLL
OHFOX32 DLL 227,104 03-16-05 7:06a OHFOX32.DLL
JDT DLL 227,104 03-16-05 7:06a JDT.DLL
RXCLTC6 DLL 227,104 03-16-05 7:06a RXCLTC6.DLL
MFAWT DLL 227,104 03-16-05 7:06a MFAWT.DLL
RHVPSP DLL 227,104 03-16-05 7:06a RHVPSP.DLL
IFCFGDLL DLL 227,104 03-16-05 7:06a IFCFGDLL.DLL
JMID500 DLL 227,104 03-16-05 7:06a JMID500.DLL
RUAUI DLL 227,104 03-15-05 3:33p RUAUI.DLL
LEME_ENC DLL 227,104 03-15-05 3:33p lEme_enc.dll
MMGSYS DLL 227,104 03-15-05 3:33p MMGSYS.DLL
MMMIXMGR DLL 227,104 03-15-05 3:33p MMMIXMGR.DLL
MKIMRT16 DLL 227,104 03-08-05 5:32p MKIMRT16.DLL
MFOSS DLL 227,104 03-08-05 5:32p MFOSS.DLL
QSSNAME DLL 227,104 03-08-05 5:32p QSSNAME.DLL
PIGFILT DLL 227,104 03-08-05 5:32p pigfilt.dll
REAUI DLL 227,104 03-08-05 5:32p REAUI.DLL
MZVCIRT DLL 227,104 03-08-05 5:32p mzvcirt.dll
NERSNL DLL 227,104 03-08-05 5:32p NERSNL.DLL
IPSENG DLL 227,104 03-08-05 2:31p IPSENG.DLL
AXRIP DLL 227,104 03-08-05 2:31p axrip.dll
VYW4 EXE 254,038 12-06-04 5:34p Vyw4.exe
SND2C EXE 254,038 12-06-04 5:34p Snd2C.exe
97 file(s) 22,082,956 bytes
0 dir(s) 9,400.30 MB free

------- Hidden Files in System Directory -------


Volume in drive C is WIN98SE
Volume Serial Number is 2029-12F4
Directory of C:\WINDOWS\SYSTEM

NSVSVC <DIR> 04-16-05 3:52p nsvsvc
FOLDER HTT 13,122 03-26-05 11:58a folder.htt
DESKTOP INI 266 03-26-05 11:58a desktop.ini
PROSETP GID 24,200 03-26-05 9:15a PROSETP.GID
PICSVR <DIR> 03-25-05 8:51p picsvr
VMSS <DIR> 03-06-05 6:30p vmss
VYW4 EXE 254,038 12-06-04 5:34p Vyw4.exe
SND2C EXE 254,038 12-06-04 5:34p Snd2C.exe
VX0 NLS 8,192 11-01-04 7:47p VX0.NLS
6 file(s) 553,856 bytes
3 dir(s) 9,400.28 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{305938A1-9132-56EB-379D-BFFE055C0FC5}"=""

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
vw4en16.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
osethk32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
vhr.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
ojfil400.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
diraw.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
folder.htt Sat Mar 26 2005 11:58:40a ...H. 13,122 12.81 K
idm32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
desktop.ini Sat Mar 26 2005 11:58:40a ...H. 266 0.26 K
ouecnv32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
jraw400.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mump3wav.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
uhp10.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mljeto~1.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
prosetp.gid Sat Mar 26 2005 9:15:36a A..H. 24,200 23.63 K
vbhelper.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
woicore.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
cptdll.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
psbdlg.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
fisrch.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
id50_qc.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
tnd32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
sdlwoa.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
ipseng.dll Tue Mar 8 2005 2:31:12p ..S.R 227,104 221.78 K
mkimrt16.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
mfoss.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
qssname.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
pigfilt.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
reaui.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
axrip.dll Tue Mar 8 2005 2:31:12p ..S.R 227,104 221.78 K
ruaui.dll Tue Mar 15 2005 3:33:46p ..S.R 227,104 221.78 K
mzvcirt.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
leme_enc.dll Tue Mar 15 2005 3:33:46p ..S.R 227,104 221.78 K
mmgsys.dll Tue Mar 15 2005 3:33:46p ..S.R 227,104 221.78 K
mmmixmgr.dll Tue Mar 15 2005 3:33:46p ..S.R 227,104 221.78 K
mxcpxl32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mzacm.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
nersnl.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
mqc42enu.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
rvaui.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mwafd.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mzcrlrev.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
vgr.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
nis.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
skscrap.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
sclstr.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
ted32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
srem0409.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
nos.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mhstdfmt.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
shsthunk.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mfyuv.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
bgmfusb.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mdafd.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
jomp500.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
bandfile.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
aastream.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
dximan32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
jfvale.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
iddkcs32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
poustab.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
sxlwoa.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
cqresrc.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mrbrkr12.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
oje2nls.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
vxodctl.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
dxndi.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
ik509cls.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
bxwebins.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
avdenc32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
onecnv32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
tzbinf32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
wflsof32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mzafd.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
dydxof.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
acferror.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
idctl.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mcpcic.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mlafd.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
oqbc32gt.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
cwresrc.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mpcms.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
ryr20.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
nmdll.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
pbs.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
scorage.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
rzched.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
dinaddr.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
itonlib.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
ip1cm.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
peustab.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mfacm.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
ohfox32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
jdt.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
rxcltc6.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mfawt.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
rhvpsp.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
ifcfgdll.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
jmid500.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K

98 items found: 98 files, 0 directories.
Total of file sizes: 21,612,468 bytes 20.61 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.A
C:\WINDOWS\lpt$vpn.518: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.518: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.518: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.518: TROJ_QOOLOGIC.A
C:\WINDOWS\unadbeh.exe: c:\Projects\Gozo\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\hmrho.dll: excl_urls=photobucket.com,c1.zedo.com,media.deskwizz.com,stats.eblocs.com,passportimages.com,banners.searchingbooth.com,ads234.com,click2.containsitall.com,media.fastclick.net,sandboxer.com,a.websponsors.com,ads.clickagents.com,trk.bestmagsdirect.com,toprebates.com,ad.doubleclick.net,as.casalemedia.com,m3.doubleclick.net,dw.dailywinner.net,img2.mailpostdirect.com,bv.channel.aol.com,adlog2.lzio.com,host239.ipowerweb.com,popups.ad-logics.com,clickserve.cc-dt.com,hits.clickandtrack.net,ads.mydailyhoroscope.net,c5.zedo.com,affiliates.4lowrates.com,couponage.com,ekmas.com,creativeby.viewpoint.com,mydailyhoroscope.net,images.trafficmp.com,actualdeals.com,download.websearch.com,aim-charts.pf.aol.com,aol.com,target.com,yahoo.com,microsoft.com,anrdoezrs.net,isg05.casalemedia.com,jbigpops.cjt1.net,whenusearch.com,trk.pcsecurityshield.com,license.hotbar.com,web.icq.com,sc.musicmatch.com,comcast.net,filter.belkin.com,clickit.go2net.com,adverts.lzio.com,windowsupdate.microsoft.com,v4.windowsupdate.microsoft.com,odysseusmarketing.com,join1.winhundred.com,advert.runescape.com,top-banners.com,sr.websearch.com,messenger.msn.com,download.abetterinternet.com,adserv.internetfuel.com,pops.browseraid.com,banners.pennyweb.com,tv.180solutions.com,s.clkoptimizer.com,adserv1.gruvmedia.com,cdn.icq.com,messenger.zango.com,smileycentral.com,wwp.icq.com,web.tickle.com,isapi60.weatherbug.com,websearch.com,hop.clickbank.net,media76.fastclick.net,mmm.media-motor.net,rightmedia.net,bannerserver.gator.com,www4.yesadvertising.com,ww2.weatherbug.com,servedby.advertising.com,adsrv.qoologic.com,games.yahoo.com,weatherbug.com,jicmedia.cjt1.net,ad.trafficmp.com,updates.qoologic.com,ads1.revenue.net,ar.atwola.com,ads.addynamix.com,wisapidata.weatherbug.com,popuppers.com,as.adwave.com,look2me.com,jbns2.cydoor.com,bannerfarm.ace.advertising.com,delfinproject.com,view.atdmt.com,mm.delfinproject.com,download.smileycentral.com,xadso.offeroptimizer.com,webpdp.gator.com,ayb.lop.com,stopzilla.com,pgq.yahoo.com,jmnad1.com,topicks.com,e.rn11.com,focusin.ads.targetnet.com,insider.msg.yahoo.com,m2.doubleclick.net,mail.yahoo.com,jcontent.bns1.net,ctl.twain-tech.com,master.mx-targeting.com,hotmail.com,searcheffect.com,ads.delfinproject.com,cfg.mywebsearch.com,akapp.whenu.com,newupdates.lzio.com,allaboutsearching.com,amch.questionmarket.com,adfarm.mediaplex.com,hotmail.msn.com,by.optimost.com,cdn-cf.aol.com,paypopup.com,popuptraffic.com,xadsq.offeroptimizer.com,jnictech.cjt1.net,xanga.com,count.exitexchange.com,servedby.adscpm.com,search200.com,cdn-aimtoday.aol.com,kill-pop-ups.com,us.update.companion.yahoo.com,qksrv.net,clickspring.net,xlime.offeroptimizer.com,sr.adwave.com,zone.msn.com,radio.launch.yahoo.com,ads.bidclix.com,counters.honesty.com,oz.valueclick.com,i.emarketresearchgroup.com,ads2.revenue.net,popup.msn.com,adsv2.delfinproject.com,u.clkoptimizer.com,ezula.com,server.iad.liveperson.net,loadingwebsite.com,pan-advert.com,t.trafficmp.com,clicktrk.com,aaabesthomepage.com,ads.exitexchange.com,us.a1.yimg.com,trafficmp.com,yimg.com,a.as-us.falkag.net,a1.yimg.com,z1.adserver.com,falkag.net,as-us.falkag.net,loginnet.passport.com,ads.inet1.com,pagead2.googlesyndication.com,login.passport.net,v8.alwaysupdatednews.com,adv.eblocs.com,alwaysupdatednews.com,fxfeeds.mozilla.org,cdn.aim.com,ar.atwola.com,c4.maxserving.com,maxserving.com,mediaplex.com,altfarm.mediaplex.com,topmoxie.com,global.msads.net,msads.net,banner.goldenpalace.com,goldenpalace.com,us.i1.yimg.com,cdn.comcast.net,us.yimg.com,us.js1.yimg.com,js1.yimg.com,switch.atdmt.com,atdmt.com,update32.searchmiracle.com,onemoresearch.net,
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\pav.sig: AsPack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"EnsoniqMixer"="C:\\WINDOWS\\starter.exe"
"Adaptec DirectCD"="C:\\PROGRA~1\\ADAPTEC\\DIRECTCD\\DIRECTCD.EXE"
"IndexSearch"="C:\\Program Files\\Scansoft\\PaperPort\\IndexSearch.exe"
"SetDefPrt"="C:\\Program Files\\Brother\\Brmfl03a\\BrStDvPt.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"MMTray"="C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe"
"vptray"="C:\\PROGRA~1\\NORTON~1\\vptray.exe"
"CreateCD"="C:\\PROGRA~1\\ADAPTEC\\EASYCD~1\\CREATECD\\CREATECD.EXE -r"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"




Let me know what to do next.

DR04
  • 0

Advertisements

#71
DR04
Posted 23 April 2005 - 08:41 AM

DR04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 57 posts
FYI, just checked and there were lots of pop-ups. :tazz:
  • 0

#72
Dragon
Posted 23 April 2005 - 09:27 AM

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,682 posts
reboot your computer then give me a new Hijack this log and startup list. I don't need anymore findit logs currently.

if that 98se folder opens up please open that folder and tell me what is listed inside of it. there may be a key in there that we don't know about

once you reboot that will remove that program from memory which will disable the process.

also please tell me how your system is working after the reboot.
  • 0

#73
DR04
Posted 23 April 2005 - 12:05 PM

DR04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 57 posts
Efwis,

Something is amiss. When I rebooted, I noticed that windows said it preparing to run for the first time (I have seen that on all the boot-ups recently, but didn't take much notice of it). After boot up, the C:\ folder opened as usual. Here's what was in there (an (H) after the folder or file name indicates a hidden file - on that was grayed out in appearance):

FOLDERS:
aboutbuster
Brother (probably from an old printer)
cabs
CanonBJC2100v683
Documents and Settings
Download
Encarta
hegames
HJT
IntelPRO (my ethernet card files)
Matrix Games
Mskids
My Documents
My Music
Program Files
Recycled
startdeck217
Tlcwin
unzipped
Westwood
Win98se
Windows
Wininst0.400
WUTemp (H)

FILES:
_NavCClt.log (H)
AlLog.txt
appsetup.exe
Bootlog.prv (H)
Bootlog.txt (H)
Command.com
crash.txt
deskbar.ini
Detcrash.log (H)
Detlog.old (H)
Detlog.txt (H)
exStub.exe
Frontpg.log
Frunlog.txt
installer.exe
IO.sys (H)
Iph.ph (H)
keys.ini (H)
logo.sys
Lswmv.ini (H)
Msdos.--- (H)
Msdos.bak (H)
Msdos.sys (H)
MTE1Mzc6ODoxMg.exe
n20050308.exe
Netlog.txt
Scandisk.log
setup74.exe
Setuplog.old
Setuplog.txt
Setupxlg.txt
Shortcut to Willow Grove Phone Numbers.doc
Suhdlog.--- (H)
suhdlog.bak (H)
Suhdlog.dat
System.1st (H)
W98undo.dat (H)
W98undo.ini (H)
Winboot.ini (H)
WINDOWSWinHlp32.BMK
WrapperOuter.exe
ZFicons.exe

While writing all this down, a Norton AV realtime protection window popped up and said:

Event: Virus Found
Virus Name: Download. Trojan
File: C:\WINDOWS\isrvs\sysupd.dll
Location: Quarantine
Action: Clean failed : Quarantine succeeded " Access denied

I ran a virus scan this morning with negative results. I checked and the isrvs folder exists, but the sysupd.dll file was not there (must be in quarantine). Thought we got RID of irsvs?

Anyway, there we also two icons added to my desktop (they have come and gone before)

Spyware Avenger
MD-DOS name: SPYWAR~1.LNK
Target: http://in.spywareave...ck/NzlyMDozOjg/

Virus Hunter Security
MS-DOS name: VIRUSH~1.LNK
Target: http://in.virushunte...ck/NzlyMDozOje/

Pop-ups are back with a vengeance. I know that my son was 'chatting' on-line using AIM while I was out, but don't believe any surfing was done. Here's the HJT and startup list you requested:

Logfile of HijackThis v1.99.1
Scan saved at 2:05:10 PM, on 4/23/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\NMSSVC.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\EZULA\MMOD.EXE
C:\PROGRAM FILES\WEB OFFER\WO.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
C:\DOWNLOAD\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [tsvcin] C:\N20050308.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
O4 - HKLM\..\RunServices: [NMSSvc] C:\WINDOWS\SYSTEM\NMSSVC.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\NORTON~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~1\defwatch.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Brother SmartUI PopUp.lnk = C:\WINDOWS\SYSTEM\SYSAGENT.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

StartupList report, 4/23/05, 2:06:07 PM
StartupList version: 1.52.2
Started from : C:\DOWNLOAD\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\NMSSVC.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\EZULA\MMOD.EXE
C:\PROGRAM FILES\WEB OFFER\WO.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
C:\DOWNLOAD\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Brother SmartUI PopUp.lnk = C:\WINDOWS\SYSTEM\SYSAGENT.EXE

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
EnsoniqMixer = C:\WINDOWS\starter.exe
Adaptec DirectCD = C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
IndexSearch = C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
SetDefPrt = C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
MMTray = C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
vptray = C:\PROGRA~1\NORTON~1\vptray.exe
CreateCD = C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
Desktop Search = C:\WINDOWS\isrvs\desktop.exe
ffis = C:\WINDOWS\isrvs\ffisearch.exe
tsvcin = C:\N20050308.EXE
Nsv = C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
picsvr = C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

NMSSvc = C:\WINDOWS\SYSTEM\NMSSVC.EXE
Machine Debug Manager = C:\WINDOWS\SYSTEM\MDM.EXE
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
rtvscn95 = C:\PROGRA~1\NORTON~1\rtvscn95.exe
defwatch = C:\PROGRA~1\NORTON~1\defwatch.exe
SchedulingAgent = mstask.exe
KB891711 = C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

eZmmod = C:\PROGRA~1\ezula\mmod.exe
eZWO = C:\PROGRA~1\Web Offer\wo.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[SetupcPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection SetupcPerUser 64 C:\WINDOWS\INF\setupc.inf

[AppletsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 C:\WINDOWS\INF\applets.inf

[FontsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 C:\WINDOWS\INF\fonts.inf

[{5A8D6EE0-3E18-11D0-821E-444553540000}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\icw.inf,PerUserStub,,36

[PerUser_ICW_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 C:\WINDOWS\INF\icw97.inf

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\SYSTEM\ie4uinit.inf,Shell.UserStub,,36

[>PerUser_MSN_Clean] *
StubPath = C:\WINDOWS\msnmgsr1.exe

[{CA0A4247-44BE-11d1-A005-00805F8ABE06}] *
StubPath = RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

[PerUser_Msinfo] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 C:\WINDOWS\INF\msinfo.inf

[PerUser_Msinfo2] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 C:\WINDOWS\INF\msinfo.inf

[MotownMmsysPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 C:\WINDOWS\INF\motown.inf

[MotownAvivideoPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 C:\WINDOWS\INF\motown.inf

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplay98.inf,PerUserStub

[MotownMPlayPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 C:\WINDOWS\INF\mplay98.inf

[PerUser_Base] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 C:\WINDOWS\INF\msmail.inf

[ShellPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 C:\WINDOWS\INF\shell.inf

[Shell2PerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 C:\WINDOWS\INF\shell2.inf

[PerUser_winbase_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 C:\WINDOWS\INF\subase.inf

[PerUser_winapps_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 C:\WINDOWS\INF\subase.inf

[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

[TapiPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 C:\WINDOWS\INF\tapi.inf

[{73fa19d0-2d75-11d2-995d-00c04f98bbc9}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\webfdr16.inf,PerUserStub.Install,1

[PerUserOldLinks] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 C:\WINDOWS\INF\appletpp.inf

[MmoptRegisterPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 C:\WINDOWS\INF\mmopt.inf

[OlsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsMsnPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 C:\WINDOWS\INF\ols.inf

[PerUser_Paint_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 C:\WINDOWS\INF\applets.inf

[PerUser_Calc_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 C:\WINDOWS\INF\applets.inf

[PerUser_CVT_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf

[MotownRecPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 C:\WINDOWS\INF\motown.inf

[PerUser_Vol] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 C:\WINDOWS\INF\motown.inf

[PerUser_MSWordPad_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 C:\WINDOWS\INF\wordpad.inf

[PerUser_RNA_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 C:\WINDOWS\INF\rna.inf

[PerUser_Dialer_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 C:\WINDOWS\INF\appletpp.inf

[PerUser_CDPlayer_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 C:\WINDOWS\INF\mmopt.inf

[{44BBA842-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.W95

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[OlsAolPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsAttPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsCompuservePerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsCompuservePerUser 64 C:\WINDOWS\INF\ols.inf

[OlsProdigyPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUser 64 C:\WINDOWS\INF\ols.inf

[NetservrPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection NetservrPerUser 64 C:\WINDOWS\INF\netservr.inf

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,PerUserStub

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserRemove

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\SYSTEM\Rundll32.exe C:\WINDOWS\SYSTEM\mscories.dll,Install

[PerUser_Wingames_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Inis 64 C:\WINDOWS\INF\appletpp.inf

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[PerUser_DCC_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_DCC_Inis 64 C:\WINDOWS\INF\rna.inf

[e2f574c0-746b-11d9-87f4-00a0c9e4fda2] *
StubPath = C:\WINDOWS\rdxrncm.exe

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\3DTEXT~1.SCR
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.INI listing:
(Created 23/4/2005, 13:44:52)

[rename]
NUL=APPSETUP.EXE

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 23/4/2005, 13:19:4)

[rename]
NUL=C:\WINDOWS\SYSTEM\DIRAW.DLLȤ

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

*File not found*

--------------------------------------------------

C:\CONFIG.SYS listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:


--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

*No BHO's found*

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso4.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\SYSTEM\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Internet Explorer Classes for Java]
CODEBASE = file://C:\WINDOWS\SYSTEM\iejava.cab
OSD = C:\WINDOWS\Downloaded Program Files\Internet Explorer Classes for Java.osd

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macr...ash/swflash.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupd...B?37978.6034375

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macr...director/sw.cab

[iTunesDetector Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ITDETECTOR.OCX
CODEBASE = http://ax.phobos.app.../ITDetector.cab

[{32564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros...i386/wmv8ax.cab

[GDIChk Object]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\GDICHK.DLL
CODEBASE = http://www.microsoft...DI/0/GDIChk.CAB

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[{31564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros.../i386/wmvax.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\OPUC.DLL
CODEBASE = http://office.micros...ontent/opuc.cab

[PopCapLoader Object]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\POPCAPLOADER.DLL
CODEBASE = http://www.popcap.co...aploader_v6.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai...all/xscan53.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
CODEBASE = http://www.pandasoft.../as5/asinst.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\SYSTEM\rnr20.dll
Protocol #1: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #2: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #3: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #4: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #5: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #6: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #7: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #8: C:\WINDOWS\SYSTEM\rsvpsp.dll
Protocol #9: C:\WINDOWS\SYSTEM\rsvpsp.dll

--------------------------------------------------

Enumerating Win9x VxD services:

VNETSUP: vnetsup.vxd
NDIS: ndis.vxd,ndis2sup.vxd
JAVASUP: JAVASUP.VXD
CONFIGMG: *CONFIGMG
NTKern: *NTKERN
VWIN32: *VWIN32
VFBACKUP: *VFBACKUP
VCOMM: *VCOMM
COMBUFF: *COMBUFF
IFSMGR: *IFSMGR
IOS: *IOS
MTRR: *mtrr
SPOOLER: *SPOOLER
UDF: *UDF
VFAT: *VFAT
VCACHE: *VCACHE
VCOND: *VCOND
VCDFSD: *VCDFSD
VXDLDR: *VXDLDR
VDEF: *VDEF
VPICD: *VPICD
VTD: *VTD
REBOOT: *REBOOT
VDMAD: *VDMAD
VSD: *VSD
V86MMGR: *V86MMGR
PAGESWAP: *PAGESWAP
DOSMGR: *DOSMGR
VMPOLL: *VMPOLL
SHELL: *SHELL
PARITY: *PARITY
BIOSXLAT: *BIOSXLAT
VMCPD: *VMCPD
VTDAPI: *VTDAPI
PERF: *PERF
VRTWD: C:\WINDOWS\SYSTEM\vrtwd.386
VFIXD: C:\WINDOWS\SYSTEM\vfixd.vxd
VNETBIOS: vnetbios.vxd
VREDIR: vredir.vxd
DFS: dfs.vxd
NWLink: nwlink.vxd
VSERVER: vserver.vxd
ASPIENUM: ASPIENUM.VXD

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 23,741 bytes
Report generated in 0.244 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Thanks,
DR04
  • 0

#74
DR04
Posted 24 April 2005 - 08:16 AM

DR04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 57 posts
Efwis,

Ran SpyBot and AdAware this AM. All my favorites are back including VX2/f. The Desktop Search toolbar is back, too. For whatever reason, AdAware did not lock up this time, but who knows why. Also, I'm having trouble with my CD drive (says there is a controller error - have to figure out how to fix that now). Anyway, here the HJT and startup logs from the runs I just did:

StartupList report, 4/24/05, 10:11:30 AM
StartupList version: 1.52.2
Started from : C:\DOWNLOAD\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\NMSSVC.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\ISRVS\DESKTOP.EXE
C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
C:\WINDOWS\MIAMPR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\DOWNLOAD\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Brother SmartUI PopUp.lnk = C:\WINDOWS\SYSTEM\SYSAGENT.EXE
prup.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
EnsoniqMixer = C:\WINDOWS\starter.exe
Adaptec DirectCD = C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
IndexSearch = C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
SetDefPrt = C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
MMTray = C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
vptray = C:\PROGRA~1\NORTON~1\vptray.exe
Desktop Search = C:\WINDOWS\isrvs\desktop.exe
ffis = C:\WINDOWS\isrvs\ffisearch.exe
Nsv = C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
picsvr = C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
KavSvc = C:\WINDOWS\miampr.exe
autoupdate = rundll32 C:\WINDOWS\SYSTEM\WINUP2DATE.DLL,SHStart
CreateCD = C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

NMSSvc = C:\WINDOWS\SYSTEM\NMSSVC.EXE
Machine Debug Manager = C:\WINDOWS\SYSTEM\MDM.EXE
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
rtvscn95 = C:\PROGRA~1\NORTON~1\rtvscn95.exe
defwatch = C:\PROGRA~1\NORTON~1\defwatch.exe
SchedulingAgent = mstask.exe
KB891711 = C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

AIM = C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[SetupcPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection SetupcPerUser 64 C:\WINDOWS\INF\setupc.inf

[AppletsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 C:\WINDOWS\INF\applets.inf

[FontsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 C:\WINDOWS\INF\fonts.inf

[{5A8D6EE0-3E18-11D0-821E-444553540000}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\icw.inf,PerUserStub,,36

[PerUser_ICW_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 C:\WINDOWS\INF\icw97.inf

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\SYSTEM\ie4uinit.inf,Shell.UserStub,,36

[>PerUser_MSN_Clean] *
StubPath = C:\WINDOWS\msnmgsr1.exe

[{CA0A4247-44BE-11d1-A005-00805F8ABE06}] *
StubPath = RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

[PerUser_Msinfo] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 C:\WINDOWS\INF\msinfo.inf

[PerUser_Msinfo2] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 C:\WINDOWS\INF\msinfo.inf

[MotownMmsysPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 C:\WINDOWS\INF\motown.inf

[MotownAvivideoPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 C:\WINDOWS\INF\motown.inf

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplay98.inf,PerUserStub

[MotownMPlayPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 C:\WINDOWS\INF\mplay98.inf

[PerUser_Base] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 C:\WINDOWS\INF\msmail.inf

[ShellPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 C:\WINDOWS\INF\shell.inf

[Shell2PerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 C:\WINDOWS\INF\shell2.inf

[PerUser_winbase_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 C:\WINDOWS\INF\subase.inf

[PerUser_winapps_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 C:\WINDOWS\INF\subase.inf

[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

[TapiPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 C:\WINDOWS\INF\tapi.inf

[{73fa19d0-2d75-11d2-995d-00c04f98bbc9}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\webfdr16.inf,PerUserStub.Install,1

[PerUserOldLinks] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 C:\WINDOWS\INF\appletpp.inf

[MmoptRegisterPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 C:\WINDOWS\INF\mmopt.inf

[OlsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsMsnPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 C:\WINDOWS\INF\ols.inf

[PerUser_Paint_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 C:\WINDOWS\INF\applets.inf

[PerUser_Calc_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 C:\WINDOWS\INF\applets.inf

[PerUser_CVT_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf

[MotownRecPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 C:\WINDOWS\INF\motown.inf

[PerUser_Vol] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 C:\WINDOWS\INF\motown.inf

[PerUser_MSWordPad_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 C:\WINDOWS\INF\wordpad.inf

[PerUser_RNA_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 C:\WINDOWS\INF\rna.inf

[PerUser_Dialer_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 C:\WINDOWS\INF\appletpp.inf

[PerUser_CDPlayer_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 C:\WINDOWS\INF\mmopt.inf

[{44BBA842-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.W95

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[OlsAolPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsAttPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsCompuservePerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsCompuservePerUser 64 C:\WINDOWS\INF\ols.inf

[OlsProdigyPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUser 64 C:\WINDOWS\INF\ols.inf

[NetservrPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection NetservrPerUser 64 C:\WINDOWS\INF\netservr.inf

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,PerUserStub

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserRemove

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\SYSTEM\Rundll32.exe C:\WINDOWS\SYSTEM\mscories.dll,Install

[PerUser_Wingames_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Inis 64 C:\WINDOWS\INF\appletpp.inf

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[PerUser_DCC_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_DCC_Inis 64 C:\WINDOWS\INF\rna.inf

[e2f574c0-746b-11d9-87f4-00a0c9e4fda2]
StubPath = C:\WINDOWS\rdxrncm.exe

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\3DTEXT~1.SCR
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.INI listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 23/4/2005, 23:9:4)

[rename]
NUL=C:\WINDOWS\SYSTEM\WVNGDE.DLLȤ

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

*File not found*

--------------------------------------------------

C:\CONFIG.SYS listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:


--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

*No BHO's found*

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso4.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\SYSTEM\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Internet Explorer Classes for Java]
CODEBASE = file://C:\WINDOWS\SYSTEM\iejava.cab
OSD = C:\WINDOWS\Downloaded Program Files\Internet Explorer Classes for Java.osd

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macr...ash/swflash.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupd...B?37978.6034375

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macr...director/sw.cab

[iTunesDetector Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ITDETECTOR.OCX
CODEBASE = http://ax.phobos.app.../ITDetector.cab

[{32564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros...i386/wmv8ax.cab

[GDIChk Object]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\GDICHK.DLL
CODEBASE = http://www.microsoft...DI/0/GDIChk.CAB

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[{31564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros.../i386/wmvax.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\OPUC.DLL
CODEBASE = http://office.micros...ontent/opuc.cab

[PopCapLoader Object]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\POPCAPLOADER.DLL
CODEBASE = http://www.popcap.co...aploader_v6.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai...all/xscan53.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
CODEBASE = http://www.pandasoft.../as5/asinst.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\SYSTEM\rnr20.dll
Protocol #1: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #2: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #3: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #4: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #5: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #6: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #7: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #8: C:\WINDOWS\SYSTEM\rsvpsp.dll
Protocol #9: C:\WINDOWS\SYSTEM\rsvpsp.dll

--------------------------------------------------

Enumerating Win9x VxD services:

VNETSUP: vnetsup.vxd
NDIS: ndis.vxd,ndis2sup.vxd
JAVASUP: JAVASUP.VXD
CONFIGMG: *CONFIGMG
NTKern: *NTKERN
VWIN32: *VWIN32
VFBACKUP: *VFBACKUP
VCOMM: *VCOMM
COMBUFF: *COMBUFF
IFSMGR: *IFSMGR
IOS: *IOS
MTRR: *mtrr
SPOOLER: *SPOOLER
UDF: *UDF
VFAT: *VFAT
VCACHE: *VCACHE
VCOND: *VCOND
VCDFSD: *VCDFSD
VXDLDR: *VXDLDR
VDEF: *VDEF
VPICD: *VPICD
VTD: *VTD
REBOOT: *REBOOT
VDMAD: *VDMAD
VSD: *VSD
V86MMGR: *V86MMGR
PAGESWAP: *PAGESWAP
DOSMGR: *DOSMGR
VMPOLL: *VMPOLL
SHELL: *SHELL
PARITY: *PARITY
BIOSXLAT: *BIOSXLAT
VMCPD: *VMCPD
VTDAPI: *VTDAPI
PERF: *PERF
VRTWD: C:\WINDOWS\SYSTEM\vrtwd.386
VFIXD: C:\WINDOWS\SYSTEM\vfixd.vxd
VNETBIOS: vnetbios.vxd
VREDIR: vredir.vxd
DFS: dfs.vxd
NWLink: nwlink.vxd
VSERVER: vserver.vxd
ASPIENUM: ASPIENUM.VXD

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 23,794 bytes
Report generated in 0.331 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


StartupList report, 4/24/05, 10:11:30 AM
StartupList version: 1.52.2
Started from : C:\DOWNLOAD\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\NMSSVC.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\ISRVS\DESKTOP.EXE
C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
C:\WINDOWS\MIAMPR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\DOWNLOAD\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Brother SmartUI PopUp.lnk = C:\WINDOWS\SYSTEM\SYSAGENT.EXE
prup.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
EnsoniqMixer = C:\WINDOWS\starter.exe
Adaptec DirectCD = C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
IndexSearch = C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
SetDefPrt = C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
MMTray = C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
vptray = C:\PROGRA~1\NORTON~1\vptray.exe
Desktop Search = C:\WINDOWS\isrvs\desktop.exe
ffis = C:\WINDOWS\isrvs\ffisearch.exe
Nsv = C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
picsvr = C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
KavSvc = C:\WINDOWS\miampr.exe
autoupdate = rundll32 C:\WINDOWS\SYSTEM\WINUP2DATE.DLL,SHStart
CreateCD = C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

NMSSvc = C:\WINDOWS\SYSTEM\NMSSVC.EXE
Machine Debug Manager = C:\WINDOWS\SYSTEM\MDM.EXE
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
rtvscn95 = C:\PROGRA~1\NORTON~1\rtvscn95.exe
defwatch = C:\PROGRA~1\NORTON~1\defwatch.exe
SchedulingAgent = mstask.exe
KB891711 = C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

AIM = C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[SetupcPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection SetupcPerUser 64 C:\WINDOWS\INF\setupc.inf

[AppletsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 C:\WINDOWS\INF\applets.inf

[FontsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 C:\WINDOWS\INF\fonts.inf

[{5A8D6EE0-3E18-11D0-821E-444553540000}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\icw.inf,PerUserStub,,36

[PerUser_ICW_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 C:\WINDOWS\INF\icw97.inf

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\SYSTEM\ie4uinit.inf,Shell.UserStub,,36

[>PerUser_MSN_Clean] *
StubPath = C:\WINDOWS\msnmgsr1.exe

[{CA0A4247-44BE-11d1-A005-00805F8ABE06}] *
StubPath = RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

[PerUser_Msinfo] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 C:\WINDOWS\INF\msinfo.inf

[PerUser_Msinfo2] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 C:\WINDOWS\INF\msinfo.inf

[MotownMmsysPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 C:\WINDOWS\INF\motown.inf

[MotownAvivideoPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 C:\WINDOWS\INF\motown.inf

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplay98.inf,PerUserStub

[MotownMPlayPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 C:\WINDOWS\INF\mplay98.inf

[PerUser_Base] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 C:\WINDOWS\INF\msmail.inf

[ShellPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 C:\WINDOWS\INF\shell.inf

[Shell2PerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 C:\WINDOWS\INF\shell2.inf

[PerUser_winbase_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 C:\WINDOWS\INF\subase.inf

[PerUser_winapps_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 C:\WINDOWS\INF\subase.inf

[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

[TapiPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 C:\WINDOWS\INF\tapi.inf

[{73fa19d0-2d75-11d2-995d-00c04f98bbc9}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\webfdr16.inf,PerUserStub.Install,1

[PerUserOldLinks] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 C:\WINDOWS\INF\appletpp.inf

[MmoptRegisterPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 C:\WINDOWS\INF\mmopt.inf

[OlsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsMsnPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 C:\WINDOWS\INF\ols.inf

[PerUser_Paint_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 C:\WINDOWS\INF\applets.inf

[PerUser_Calc_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 C:\WINDOWS\INF\applets.inf

[PerUser_CVT_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf

[MotownRecPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 C:\WINDOWS\INF\motown.inf

[PerUser_Vol] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 C:\WINDOWS\INF\motown.inf

[PerUser_MSWordPad_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 C:\WINDOWS\INF\wordpad.inf

[PerUser_RNA_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 C:\WINDOWS\INF\rna.inf

[PerUser_Dialer_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 C:\WINDOWS\INF\appletpp.inf

[PerUser_CDPlayer_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 C:\WINDOWS\INF\mmopt.inf

[{44BBA842-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.W95

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[OlsAolPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsAttPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsCompuservePerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsCompuservePerUser 64 C:\WINDOWS\INF\ols.inf

[OlsProdigyPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUser 64 C:\WINDOWS\INF\ols.inf

[NetservrPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection NetservrPerUser 64 C:\WINDOWS\INF\netservr.inf

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,PerUserStub

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserRemove

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\SYSTEM\Rundll32.exe C:\WINDOWS\SYSTEM\mscories.dll,Install

[PerUser_Wingames_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Inis 64 C:\WINDOWS\INF\appletpp.inf

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[PerUser_DCC_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_DCC_Inis 64 C:\WINDOWS\INF\rna.inf

[e2f574c0-746b-11d9-87f4-00a0c9e4fda2]
StubPath = C:\WINDOWS\rdxrncm.exe

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\3DTEXT~1.SCR
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.INI listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 23/4/2005, 23:9:4)

[rename]
NUL=C:\WINDOWS\SYSTEM\WVNGDE.DLLȤ

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

*File not found*

--------------------------------------------------

C:\CONFIG.SYS listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:


--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

*No BHO's found*

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso4.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\SYSTEM\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Internet Explorer Classes for Java]
CODEBASE = file://C:\WINDOWS\SYSTEM\iejava.cab
OSD = C:\WINDOWS\Downloaded Program Files\Internet Explorer Classes for Java.osd

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macr...ash/swflash.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupd...B?37978.6034375

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macr...director/sw.cab

[iTunesDetector Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ITDETECTOR.OCX
CODEBASE = http://ax.phobos.app.../ITDetector.cab

[{32564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros...i386/wmv8ax.cab

[GDIChk Object]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\GDICHK.DLL
CODEBASE = http://www.microsoft...DI/0/GDIChk.CAB

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[{31564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros.../i386/wmvax.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\OPUC.DLL
CODEBASE = http://office.micros...ontent/opuc.cab

[PopCapLoader Object]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\POPCAPLOADER.DLL
CODEBASE = http://www.popcap.co...aploader_v6.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai...all/xscan53.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
CODEBASE = http://www.pandasoft.../as5/asinst.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\SYSTEM\rnr20.dll
Protocol #1: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #2: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #3: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #4: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #5: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #6: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #7: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #8: C:\WINDOWS\SYSTEM\rsvpsp.dll
Protocol #9: C:\WINDOWS\SYSTEM\rsvpsp.dll

--------------------------------------------------

Enumerating Win9x VxD services:

VNETSUP: vnetsup.vxd
NDIS: ndis.vxd,ndis2sup.vxd
JAVASUP: JAVASUP.VXD
CONFIGMG: *CONFIGMG
NTKern: *NTKERN
VWIN32: *VWIN32
VFBACKUP: *VFBACKUP
VCOMM: *VCOMM
COMBUFF: *COMBUFF
IFSMGR: *IFSMGR
IOS: *IOS
MTRR: *mtrr
SPOOLER: *SPOOLER
UDF: *UDF
VFAT: *VFAT
VCACHE: *VCACHE
VCOND: *VCOND
VCDFSD: *VCDFSD
VXDLDR: *VXDLDR
VDEF: *VDEF
VPICD: *VPICD
VTD: *VTD
REBOOT: *REBOOT
VDMAD: *VDMAD
VSD: *VSD
V86MMGR: *V86MMGR
PAGESWAP: *PAGESWAP
DOSMGR: *DOSMGR
VMPOLL: *VMPOLL
SHELL: *SHELL
PARITY: *PARITY
BIOSXLAT: *BIOSXLAT
VMCPD: *VMCPD
VTDAPI: *VTDAPI
PERF: *PERF
VRTWD: C:\WINDOWS\SYSTEM\vrtwd.386
VFIXD: C:\WINDOWS\SYSTEM\vfixd.vxd
VNETBIOS: vnetbios.vxd
VREDIR: vredir.vxd
DFS: dfs.vxd
NWLink: nwlink.vxd
VSERVER: vserver.vxd
ASPIENUM: ASPIENUM.VXD

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 23,794 bytes
Report generated in 0.331 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Ain't life grand? :tazz:
DR04
  • 0

#75
Dragon
Posted 24 April 2005 - 10:12 AM

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,682 posts
i'll have to do a little research on this, not sure where we need to go right at this moment. hopefully I will have an answer by tomorrow afternoon or evening.

As for the search bars coming back. there are only 2 ways for this to occur once we remove the folders.

A) link clicking while online
B) someone is reinstalling it.

you also have a few more new infections that showed up. I am currently away from my computer so I don't have all my necessary tools to assist in this situation. but will be back tonight so I can search first thing in the AM
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP