shellexp.exe popup - rabidscouser

Discussion in 'malware problems & news' started by rabidscouser, Nov 3, 2003.

  1. rabidscouser

    rabidscouser Registered Member

    Joined:
    Nov 3, 2003
    Posts:
    8
    I have Shellexp on my machine

    Logfile of HijackThis v1.97.3
    Scan saved at 00:40:21, on 04/11/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\logonui.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\expup.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\ISTsvc\istsvc.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\shellexp.exe
    C:\WINDOWS\System32\GEARSEC.EXE
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Common Files\Symantec Shared\NMain.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Bargain Buddy\bin\bargains.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Leo Matlock\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R3 - URLSearchHook: (no name) - - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {23BC1CCF-4BE7-497F-B154-6ADA68425FBB} - C:\WINDOWS\System32\expext.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\bin\apuc.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AS00_Netgear] C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe -hide
    O4 - HKLM\..\Run: [WinApp32] msapp.exe
    O4 - HKLM\..\Run: [winmain] winmain.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Explkw] C:\WINDOWS\System32\expup.exe
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [rundll32] C:\Documents and Settings\Leo Matlock\rundll32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: Win32 Classes -
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://download-ak.systemsoap.com/ssoap/pptproactauthakamai/systemsoappro.cab
    O16 - DPF: {469843DD-EBB3-4661-B0A6-E6FE590240C9} - http://connect.olympustele.com/dialer.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} (eConn Class) - http://econnect.libereco.net/econnect.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/region/reg_eu/techsupp/activedata/ActiveData.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

    Thanks for this great service, sorry to be brief and seemingly ungrateful. I am grateful, just very tired.
     
  2. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Okay, somehow your output has changed since I started analyzing it and the post was moved. Rather than reanalyze it again from scratch I am posting the original analysis minus all the R1 and R0 entries that had since been removed. If you fail to find something I say you should remove, then you already removed it :)

    Hi RabidScouser!

    Welcome to Wilders!

    First, can you please download and run CWShredder from

    http://www.spywareinfoforum.com/~merijn/files/cwshredder.zip

    Once this has run its course, please close out of all other programs / windows and end the following processes

    C:\Program Files\ISTsvc\istsvc.exe
    C:\WINDOWS\System32\svcinit.exe
    C:\WINDOWS\System32\shellexp.exe
    C:\WINDOWS\System32\svc.exe

    select and fix the following from within HijackThis (CW Shredder will take care of some but I list them here for the sake of completeness)


    R3 - URLSearchHook: (no name) - - (no file)
    O1 - Hosts: 209.132.200.78 auto.search.msn.com
    O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\System32\DReplace.dll
    O2 - BHO: (no name) - {23BC1CCF-4BE7-497F-B154-6ADA68425FBB} - C:\WINDOWS\System32\expext.dll
    O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\bin\apuc.dll
    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\SYSTEM32\BrowserHelper.dll
    O4 - HKLM\..\Run: [Tapicfg.exe] \tapicfg.exe
    O4 - HKLM\..\Run: [WinApp32] msapp.exe
    O4 - HKLM\..\Run: [winmain] winmain.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [Explkw] C:\WINDOWS\System32\expup.exe
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKCU\..\Run: [rundll32] C:\Documents and Settings\Leo Matlock\rundll32.exe
    O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\tonex00052\736789.exe -remove
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://download-ak.systemsoap.com/ssoap/pptproactauthakamai/systemsoappro.cab
    O16 - DPF: {469843DD-EBB3-4661-B0A6-E6FE590240C9} - http://connect.olympustele.com/dialer.cab
    O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} (eConn Class) - http://econnect.libereco.net/econnect.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O19 - User stylesheet: C:\WINDOWS\Web\win.def (file missing)
    O19 - User stylesheet: C:\WINDOWS\default.css (file missing) (HKLM)

    then do a reboot and delete the following;

    C:\Program Files\Power Scan (the entire folder)
    C:\Program Files\ISTsvc (the entire folder)
    C:\WINDOWS\System32\expup.exe
    C:\Documents and Settings\Leo Matlock\rundll32.exe
    c:\program files\GlobalDialer\tonex00052\736789.exe
    C:\Program Files\Common Files\GMT (the entire folder)
    C:\WINDOWS\System32\DReplace.dll
    C:\WINDOWS\System32\expext.dll
    C:\PROGRA~1\BARGAI~1\bin\apuc.dll
    C:\WINDOWS\SYSTEM32\BrowserHelper.dll

    and then search for and delete the following files

    tapicfg.exe
    msapp.exe
    winmain.exe

    and then...

    Can you please download and run DCS's AutostartViewer from

    http://www.diamondcs.com.au/downloads/asviewer.zip

    Go to the "Main" menu and make sure that all three top options are selected and then press "Save" and then copy & paste the results here for us to review.


    Thanks,

    Dan
     
  3. rabidscouser

    rabidscouser Registered Member

    Joined:
    Nov 3, 2003
    Posts:
    8
    I followed your instructions, thanks a lot, but I could not close down the svchost process, as a warning message would come up with a countdown from 60 seconds and then my PC would restart. The message said: Windows is shutting down, please save all work in progress and log off; this has been initiated by NT authority/system; this is because the remote procedure call terminated ... but I did the rest.

    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Leo Matlock@LEO, 11-04-2003
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\windows\wininit.ini [rename]
    NUL=C:\DOCUME~1\LEOMAT~1\LOCALS~1\TEMPOR~1\Content.IE5\AX47YDA5\OD-STN~1.EXE
    NUL=C:\WINDOWS\243059.exe
    NUL=C:\WINDOWS\1743066.exe
    NUL=c:\program files\GlobalDialer\tonex00052\1743066.exe
    NUL=c:\program files\GlobalDialer\tonex00052\047.dat
    NUL=c:\program files\GlobalDialer\tonex00052\
    NUL=C:\WINDOWS\3461307.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\3461307.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    NUL=C:\PROGRA~1\GLOBAL~1\TONEX0~1\3461307.exe
    NUL=C:\WINDOWS\2644853.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\2644853.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    NUL=C:\WINDOWS\3269771.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\3269771.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    NUL=C:\WINDOWS\4740436.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\4740436.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    NUL=C:\WINDOWS\5523482.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\5523482.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    NUL=C:\WINDOWS\5538073.exe
    NUL=C:\WINDOWS\6110987.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\6110987.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    NUL=C:\WINDOWS\7951032.exe
    NUL=C:\WINDOWS\8260808.exe
    NUL=C:\WINDOWS\8286094.exe
    NUL=c:\program files\GlobalDialer\tonex00052\8286094.exe
    NUL=c:\program files\GlobalDialer\tonex00052\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    NUL=C:\WINDOWS\3444372.exe
    NUL=C:\WINDOWS\3755870.exe
    NUL=C:\WINDOWS\4413756.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\4413756.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    NUL=C:\WINDOWS\6816461.exe
    NUL=C:\WINDOWS\7841265.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\7841265.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    NUL=C:\WINDOWS\736789.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\736789.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    NUL=C:\PROGRA~1\GLOBAL~1\TONEX0~1\736789.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\736789.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    NUL=C:\PROGRA~1\GLOBAL~1\TONEX0~1\736789.exe
    NUL=C:\PROGRA~1\GLOBAL~1\TONEX0~1\736789.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\736789.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    c:\windows\wininit.bak [rename]
    DIRNUL=C:\WINDOWS\system\precopy
    c:\windows\system.ini [drivers]
    timer=timer.drv
    wavemapper=*.drv
    MSACM.imaadpcm=*.acm
    MSACM.msadpcm=*.acm
    midi=mmsystem.dll
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemTray
    C:\WINDOWS\system32\SysTray.Exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
    RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nwiz
    nwiz.exe /install
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AS00_Netgear
    C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe -hide
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccApp
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccRegVfy
    C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Advanced Tools Check
    C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QuickTime Task
    C:\Program Files\QuickTime\qttask.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IST Service
    C:\Program Files\ISTsvc\istsvc.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MsnMsgr
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
    C:\WINDOWS\System32\shellexp.exe en
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\li-tzone00028
    c:\program files\Webdialer\li-tzone00028.exe -m
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\WINDOWS\Tasks\Tune-up Application Start.job
    walign
    C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
    C:\PROGRA~1\NORTON~1\NAVW32.exe
    C:\WINDOWS\Tasks\Symantec NetDetect.job
    C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    C:\Program Files\Microsoft Office\Office\OSA9.EXE
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\SYSTEM32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
    RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
    HKLM\Software\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
    C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
    rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
    regsvr32.exe /s /n /i:U shell32.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    C:\WINDOWS\system32\ie4uinit.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}\
    rundll32 iesetup.dll,IEAccessUserInst
    HKLM\Software\Microsoft\Active Setup\Installed Components\{CA0A4247-44BE-11d1-A005-00805F8ABE06}\
    RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf
    HKLM\System\CurrentControlSet\Services\AFD\
    C:\WINDOWS\System32\drivers\afd.sys
    HKLM\System\CurrentControlSet\Services\AudioSrv\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ccEvtMgr\
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    HKLM\System\CurrentControlSet\Services\CryptSvc\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\dmserver\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    HKLM\System\CurrentControlSet\Services\ERSvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\GEARSecurity\
    C:\WINDOWS\System32\GEARSEC.EXE
    HKLM\System\CurrentControlSet\Services\helpsvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\NAV Auto-Protect\
    C:\PROGRA~1\Navnt\navapsvc.exe
    HKLM\System\CurrentControlSet\Services\navapsvc\
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    HKLM\System\CurrentControlSet\Services\Norton Program Scheduler\
    C:\PROGRA~1\Navnt\npssvc.exe
    HKLM\System\CurrentControlSet\Services\NProtectService\
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    HKLM\System\CurrentControlSet\Services\NVSvc\
    C:\WINDOWS\System32\nvsvc32.exe
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINDOWS\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\RemoteRegistry\
    C:\WINDOWS\system32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINDOWS\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\SAVRTPEL\
    \??\C:\WINDOWS\System32\Drivers\SAVRTPEL.SYS
    HKLM\System\CurrentControlSet\Services\SBService\
    C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Secdrv\
    C:\WINDOWS\System32\DRIVERS\secdrv.sys
    HKLM\System\CurrentControlSet\Services\seclogon\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SharedAccess\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ShellHWDetection\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINDOWS\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\srservice\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SYMTDI\
    \??\C:\WINDOWS\System32\Drivers\SYMTDI.SYS
    HKLM\System\CurrentControlSet\Services\Themes\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\TrkWks\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\uploadmgr\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\vsdatant\
    \??\C:\WINDOWS\System32\vsdatant.sys
    HKLM\System\CurrentControlSet\Services\vsmon\
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe -service
    HKLM\System\CurrentControlSet\Services\W32Time\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WebClient\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\winmgmt\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WmdmPmSp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\wuauserv\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WZCSVC\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi rabidscouser,

    Did you follow Dan's instructions before you made the ASViewer log?

    I see a lot of familiar ones in there, that should have been gone if you did. o_O

    Regards,

    Pieter
     
  5. rabidscouser

    rabidscouser Registered Member

    Joined:
    Nov 3, 2003
    Posts:
    8
    I followed them, but as I said I could not get rid of svchost from the processes; there were about four svchost processes, on network and local service and some blank in that section. I could always delete three but the last would not delete, and would result in the error message and the PC rebooting, which may have affected the rest of the procedure I was instructed to follow.
     
  6. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    Hi Rabidscouser

    I don't see SVChost mentioned in Dan's post, and I don't think Dan wanted you to end the SVChost process. SVChost.exe is a system process that shouldn't be terminated (you found out the hard way).

    Please re-read Dan's post carefully. It seems he wanted you to:
    (1) Run CWShredder
    (2) Then terminate :
    istsvc.exe
    svcinit.exe
    shellexp.exe
    svc.exe
    (3) Then use HijackThis...
    etc. ...

    Regards,
    Optigrab ;)
     
  7. rabidscouser

    rabidscouser Registered Member

    Joined:
    Nov 3, 2003
    Posts:
    8
    Okay, thanks. Oh, and by the way ... found out the hard way, three times.
     
  8. rabidscouser

    rabidscouser Registered Member

    Joined:
    Nov 3, 2003
    Posts:
    8
    Okay, I redid the process (properly) and these are my results. Sorry about this and thanks for all your help.

    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Leo Matlock@LEO, 11-04-2003
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\windows\wininit.ini [rename]
    NUL=C:\DOCUME~1\LEOMAT~1\LOCALS~1\TEMPOR~1\Content.IE5\AX47YDA5\OD-STN~1.EXE
    NUL=C:\WINDOWS\243059.exe
    NUL=C:\WINDOWS\1743066.exe
    NUL=c:\program files\GlobalDialer\tonex00052\1743066.exe
    NUL=c:\program files\GlobalDialer\tonex00052\047.dat
    NUL=c:\program files\GlobalDialer\tonex00052\
    NUL=C:\WINDOWS\3461307.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\3461307.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    NUL=C:\PROGRA~1\GLOBAL~1\TONEX0~1\3461307.exe
    NUL=C:\WINDOWS\2644853.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\2644853.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    NUL=C:\WINDOWS\3269771.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\3269771.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    NUL=C:\WINDOWS\4740436.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\4740436.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    NUL=C:\WINDOWS\5523482.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\5523482.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    NUL=C:\WINDOWS\5538073.exe
    NUL=C:\WINDOWS\6110987.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\6110987.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    NUL=C:\WINDOWS\7951032.exe
    NUL=C:\WINDOWS\8260808.exe
    NUL=C:\WINDOWS\8286094.exe
    NUL=c:\program files\GlobalDialer\tonex00052\8286094.exe
    NUL=c:\program files\GlobalDialer\tonex00052\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    NUL=C:\WINDOWS\3444372.exe
    NUL=C:\WINDOWS\3755870.exe
    NUL=C:\WINDOWS\4413756.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\4413756.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    NUL=C:\WINDOWS\6816461.exe
    NUL=C:\WINDOWS\7841265.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\7841265.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    NUL=C:\WINDOWS\736789.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\736789.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    NUL=C:\PROGRA~1\GLOBAL~1\TONEX0~1\736789.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\736789.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    NUL=C:\PROGRA~1\GLOBAL~1\TONEX0~1\736789.exe
    NUL=C:\PROGRA~1\GLOBAL~1\TONEX0~1\736789.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\736789.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    c:\windows\wininit.bak [rename]
    DIRNUL=C:\WINDOWS\system\precopy
    c:\windows\system.ini [drivers]
    timer=timer.drv
    wavemapper=*.drv
    MSACM.imaadpcm=*.acm
    MSACM.msadpcm=*.acm
    midi=mmsystem.dll
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemTray
    C:\WINDOWS\system32\SysTray.Exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
    RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nwiz
    nwiz.exe /install
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AS00_Netgear
    C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe -hide
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccApp
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccRegVfy
    C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Advanced Tools Check
    C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QuickTime Task
    C:\Program Files\QuickTime\qttask.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MsnMsgr
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
    C:\WINDOWS\System32\shellexp.exe en
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\li-tzone00028
    c:\program files\Webdialer\li-tzone00028.exe -m
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\WINDOWS\Tasks\Tune-up Application Start.job
    walign
    C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
    C:\PROGRA~1\NORTON~1\NAVW32.exe
    C:\WINDOWS\Tasks\Symantec NetDetect.job
    C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    C:\Program Files\Microsoft Office\Office\OSA9.EXE
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\SYSTEM32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
    RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
    HKLM\Software\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
    C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
    rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
    regsvr32.exe /s /n /i:U shell32.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    C:\WINDOWS\system32\ie4uinit.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}\
    rundll32 iesetup.dll,IEAccessUserInst
    HKLM\Software\Microsoft\Active Setup\Installed Components\{CA0A4247-44BE-11d1-A005-00805F8ABE06}\
    RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf
    HKLM\System\CurrentControlSet\Services\AFD\
    C:\WINDOWS\System32\drivers\afd.sys
    HKLM\System\CurrentControlSet\Services\AudioSrv\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ccEvtMgr\
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    HKLM\System\CurrentControlSet\Services\CryptSvc\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\dmserver\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    HKLM\System\CurrentControlSet\Services\ERSvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\GEARSecurity\
    C:\WINDOWS\System32\GEARSEC.EXE
    HKLM\System\CurrentControlSet\Services\helpsvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\NAV Auto-Protect\
    C:\PROGRA~1\Navnt\navapsvc.exe
    HKLM\System\CurrentControlSet\Services\navapsvc\
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    HKLM\System\CurrentControlSet\Services\Norton Program Scheduler\
    C:\PROGRA~1\Navnt\npssvc.exe
    HKLM\System\CurrentControlSet\Services\NProtectService\
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    HKLM\System\CurrentControlSet\Services\NVSvc\
    C:\WINDOWS\System32\nvsvc32.exe
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINDOWS\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\RemoteRegistry\
    C:\WINDOWS\system32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINDOWS\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\SAVRTPEL\
    \??\C:\WINDOWS\System32\Drivers\SAVRTPEL.SYS
    HKLM\System\CurrentControlSet\Services\SBService\
    C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Secdrv\
    C:\WINDOWS\System32\DRIVERS\secdrv.sys
    HKLM\System\CurrentControlSet\Services\seclogon\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SharedAccess\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ShellHWDetection\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINDOWS\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\srservice\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SYMTDI\
    \??\C:\WINDOWS\System32\Drivers\SYMTDI.SYS
    HKLM\System\CurrentControlSet\Services\Themes\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\TrkWks\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\uploadmgr\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\vsdatant\
    \??\C:\WINDOWS\System32\vsdatant.sys
    HKLM\System\CurrentControlSet\Services\vsmon\
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe -service
    HKLM\System\CurrentControlSet\Services\W32Time\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WebClient\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\winmgmt\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WmdmPmSp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\wuauserv\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WZCSVC\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi rabidscouser,

    Please proceed as follows

    Click Start > Run > type or copy&paste msconfig > OK
    On the Startup tab remove the checkmarks before:
    - shellexp.exe en
    - li-tzone00028.exe -m

    On the General tab, click Selective Startup, and click to clear the Process Win.ini File.

    Then reboot and delete:
    C:\WINDOWS\System32\shellexp.exe
    c:\program files\GlobalDialer <= entire folder

    Keep us posted,

    Pieter
     
  10. rabidscouser

    rabidscouser Registered Member

    Joined:
    Nov 3, 2003
    Posts:
    8
    I did it. There was no shellexp in msconfig, and the files I had to delete didn't exist, so here goes. It does not show either of them as a process when I checked...

    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Leo Matlock@LEO, 11-05-2003
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\windows\wininit.ini [rename]
    NUL=C:\DOCUME~1\LEOMAT~1\LOCALS~1\TEMPOR~1\Content.IE5\AX47YDA5\OD-STN~1.EXE
    NUL=C:\WINDOWS\243059.exe
    NUL=C:\WINDOWS\1743066.exe
    NUL=c:\program files\GlobalDialer\tonex00052\1743066.exe
    NUL=c:\program files\GlobalDialer\tonex00052\047.dat
    NUL=c:\program files\GlobalDialer\tonex00052\
    NUL=C:\WINDOWS\3461307.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\3461307.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    NUL=C:\PROGRA~1\GLOBAL~1\TONEX0~1\3461307.exe
    NUL=C:\WINDOWS\2644853.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\2644853.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    NUL=C:\WINDOWS\3269771.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\3269771.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    NUL=C:\WINDOWS\4740436.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\4740436.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    NUL=C:\WINDOWS\5523482.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\5523482.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    NUL=C:\WINDOWS\5538073.exe
    NUL=C:\WINDOWS\6110987.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\6110987.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    NUL=C:\WINDOWS\7951032.exe
    NUL=C:\WINDOWS\8260808.exe
    NUL=C:\WINDOWS\8286094.exe
    NUL=c:\program files\GlobalDialer\tonex00052\8286094.exe
    NUL=c:\program files\GlobalDialer\tonex00052\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    NUL=C:\WINDOWS\3444372.exe
    NUL=C:\WINDOWS\3755870.exe
    NUL=C:\WINDOWS\4413756.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\4413756.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    NUL=C:\WINDOWS\6816461.exe
    NUL=C:\WINDOWS\7841265.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\7841265.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    NUL=C:\WINDOWS\736789.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\736789.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    NUL=C:\PROGRA~1\GLOBAL~1\TONEX0~1\736789.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\736789.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    NUL=C:\PROGRA~1\GLOBAL~1\TONEX0~1\736789.exe
    NUL=C:\PROGRA~1\GLOBAL~1\TONEX0~1\736789.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\736789.exe
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\047.dat
    NUL=c:\PROGRA~1\GLOBAL~1\TONEX0~1\
    c:\windows\wininit.bak [rename]
    DIRNUL=C:\WINDOWS\system\precopy
    c:\windows\system.ini [drivers]
    timer=timer.drv
    wavemapper=*.drv
    MSACM.imaadpcm=*.acm
    MSACM.msadpcm=*.acm
    midi=mmsystem.dll
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemTray
    C:\WINDOWS\system32\SysTray.Exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
    RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nwiz
    nwiz.exe /install
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AS00_Netgear
    C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe -hide
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccApp
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccRegVfy
    C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Advanced Tools Check
    C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QuickTime Task
    C:\Program Files\QuickTime\qttask.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MsnMsgr
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
    C:\WINDOWS\System32\shellexp.exe en
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\WINDOWS\Tasks\Tune-up Application Start.job
    walign
    C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
    C:\PROGRA~1\NORTON~1\NAVW32.exe
    C:\WINDOWS\Tasks\Symantec NetDetect.job
    C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    C:\Program Files\Microsoft Office\Office\OSA9.EXE
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\SYSTEM32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
    RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
    HKLM\Software\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
    C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
    rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
    regsvr32.exe /s /n /i:U shell32.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    C:\WINDOWS\system32\ie4uinit.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}\
    rundll32 iesetup.dll,IEAccessUserInst
    HKLM\Software\Microsoft\Active Setup\Installed Components\{CA0A4247-44BE-11d1-A005-00805F8ABE06}\
    RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf
    HKLM\System\CurrentControlSet\Services\AFD\
    C:\WINDOWS\System32\drivers\afd.sys
    HKLM\System\CurrentControlSet\Services\AudioSrv\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ccEvtMgr\
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    HKLM\System\CurrentControlSet\Services\CryptSvc\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\dmserver\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    HKLM\System\CurrentControlSet\Services\ERSvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\GEARSecurity\
    C:\WINDOWS\System32\GEARSEC.EXE
    HKLM\System\CurrentControlSet\Services\helpsvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\NAV Auto-Protect\
    C:\PROGRA~1\Navnt\navapsvc.exe
    HKLM\System\CurrentControlSet\Services\navapsvc\
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    HKLM\System\CurrentControlSet\Services\Norton Program Scheduler\
    C:\PROGRA~1\Navnt\npssvc.exe
    HKLM\System\CurrentControlSet\Services\NProtectService\
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    HKLM\System\CurrentControlSet\Services\NVSvc\
    C:\WINDOWS\System32\nvsvc32.exe
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINDOWS\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\RemoteRegistry\
    C:\WINDOWS\system32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINDOWS\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\SAVRTPEL\
    \??\C:\WINDOWS\System32\Drivers\SAVRTPEL.SYS
    HKLM\System\CurrentControlSet\Services\SBService\
    C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Secdrv\
    C:\WINDOWS\System32\DRIVERS\secdrv.sys
    HKLM\System\CurrentControlSet\Services\seclogon\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SharedAccess\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ShellHWDetection\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINDOWS\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\srservice\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SYMTDI\
    \??\C:\WINDOWS\System32\Drivers\SYMTDI.SYS
    HKLM\System\CurrentControlSet\Services\Themes\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\TrkWks\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\uploadmgr\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\vsdatant\
    \??\C:\WINDOWS\System32\vsdatant.sys
    HKLM\System\CurrentControlSet\Services\vsmon\
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe -service
    HKLM\System\CurrentControlSet\Services\W32Time\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WebClient\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\winmgmt\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WmdmPmSp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\wuauserv\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WZCSVC\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
     
  11. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi rabidscouser,

    I recommend that you rename your wininit.ini to something like wininit.suspect

    Then, using Autostart Viewer, I would look for the following entry, right-click on it and select "Delete registry value" (be extra certain you are deleting the right ones!)

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
    C:\WINDOWS\System32\shellexp.exe en

    Then I would recommend that you download and install TDS from

    http://tds.diamondcs.com.au/index.php?page=download

    Once you have it installed, and before you launch it, you should manually download the latest database from that same page (save the file in the directory where you installed TDS).

    When you launch TDS you should set all the sensitivity settings to max and do a full scan.

    You might also consider downloading PortExplorer from

    http://www.diamondcs.com.au/portexplorer/

    as this will show you all current connections or listening sockets/ports on your system. In particular, you want to pay close attention to the Remote and Listening tabs to see if there is something out of place (a program you can't account for or a remote site you have not visited).

    Hope this helps
     
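    As an added example (not the thread's own tooling; the report excerpt inside it is constructed, not taken from rabidscouser's machine), a small Python triage of an Autostart Viewer report in the layout posted above. It flags a Run value named "Explorer" that launches something other than the shell registered under Winlogon\Shell, and lists the files a wininit.ini [rename] section will delete at the next boot, the two things the replies above single out.

```python
"""Triage of an Autostart Viewer report: flag a Run value named like the shell that does
not launch the real Explorer, and list what wininit.ini [rename] deletes at next boot."""
import re

# Constructed excerpt in the report's location-line / value-line layout (not a real capture).
SAMPLE_REPORT = r"""
c:\windows\wininit.ini [rename]
NUL=C:\WINDOWS\243059.exe
NUL=c:\program files\GlobalDialer\tonex00052\1743066.exe
NUL=c:\program files\GlobalDialer\tonex00052\047.dat
NUL=c:\program files\GlobalDialer\tonex00052\
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QuickTime Task
C:\Program Files\QuickTime\qttask.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
C:\WINDOWS\System32\shellexp.exe en
"""

# A location line is a registry path or a file path followed by an INI "[section]"; all
# other lines are values of the preceding location (other file locations are not parsed).
LOCATION_RE = re.compile(r"^(HKLM|HKCU|HKCR|HKU)\\|^[a-z]:\\.*\s\[[^\]]+\]$", re.I)
RUN_KEY_RE = re.compile(r"^(HKLM|HKCU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(.+)$", re.I)
WINLOGON_SHELL = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|com|bat|cmd|pif|scr))"?(?:\s|$)', re.I)

def parse_report(text):
    """Return [(location, [values])] in report order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if LOCATION_RE.match(line):
            entries.append((line, []))
        elif entries:
            entries[-1][1].append(line)
    return entries

def exe_path(command):
    """Drop trailing arguments, e.g. 'shellexp.exe en' -> 'shellexp.exe'."""
    m = EXE_RE.match(command)
    return m.group(1) if m else command

def find_shell_impersonation(entries):
    """Run values named 'Explorer*' whose target is not the shell registered under
    Winlogon\\Shell; falls back to the file name when that line is absent."""
    shell_exe = None
    for loc, vals in entries:
        if loc.lower() == WINLOGON_SHELL.lower() and vals:
            shell_exe = exe_path(vals[0]).lower()
    findings = []
    for loc, vals in entries:
        m = RUN_KEY_RE.match(loc)
        if not m or not vals or not m.group(2).strip().lower().startswith("explorer"):
            continue
        target = exe_path(vals[0])
        if shell_exe:
            genuine = target.lower() == shell_exe
        else:
            genuine = target.rsplit("\\", 1)[-1].lower() == "explorer.exe"
        if not genuine:
            findings.append((loc, target))
    return findings

def pending_reboot_deletions(entries):
    """Distinct paths a wininit.ini [rename] section deletes at boot (NUL=<path>)."""
    files = set()
    for loc, vals in entries:
        if re.search(r"wininit\.ini\s\[rename\]$", loc, re.I):
            for v in vals:
                key, sep, val = v.partition("=")
                if sep and key.strip().upper() == "NUL" and val.strip():
                    files.add(val.strip().lower())
    return sorted(files)
```

Run against a full report, the first check is quiet for ordinary vendor entries (QuickTime, Netgear, Zone Labs) and only fires on a value that borrows the shell's name; the second gives you the list to compare against the folders the helpers asked you to delete.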
  12. rabidscouser

    rabidscouser Registered Member

    Joined:
    Nov 3, 2003
    Posts:
    8
    How do I change the sensitivity settings?
     
  13. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    From the main TDS screen click on the "Scan Control" button. On the new screen check all items on the "Scan Options" tab (to enable all forms of scanning); then flip to the "Generic Detection" tab and check the items there and move the "Generic Sensitivity" slider all the way to the right (High). This sets TDS to maximum scanning.
     