Browser Attack nr2

Discussion in 'adware, spyware & hijack cleaning' started by mwwtups, Jun 4, 2004.

Thread Status:
Not open for further replies.
  1. mwwtups

    mwwtups Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    15
    Re: Browser Attack

    I haven't had time to work on the repair. However, I am posting another Log for computer # 2 at home. Can you help me with this one too?

    mwwtups

    Logfile of HijackThis v1.97.7
    Scan saved at 7:14:32 AM, on 6/4/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
    C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\LINKSYS\WMP11 CONFIG UTILITY\WMP11CFG.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\MY DOCUMENTS\TAYLOR'S STUFF\NEW FOLDER\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\yi32tkzh.slt\prefs.js)
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O1 - Hosts: 207.36.196.189 auto.search.msn.com
    O1 - Hosts: 207.36.196.189 search.netscape.com
    O1 - Hosts: 207.36.196.189 ieautosearch
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [supporter5] C:\WINDOWS\SYSTEM\supporter5.exe
    O4 - HKLM\..\Run: [WndMsg] C:\WINDOWS\kl4.cap
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
    O4 - HKLM\..\RunServices: [Nisum] c:\Program Files\Norton Internet Security\NISUM.EXE
    O4 - HKLM\..\RunServices: [ccPxySvc] c:\PROGRA~1\NORTON~2\CCPXYSVC.EXE
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: @Home (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    I split this post off so as not to confuse anyone.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O1 - Hosts: 207.36.196.189 auto.search.msn.com
    O1 - Hosts: 207.36.196.189 search.netscape.com
    O1 - Hosts: 207.36.196.189 ieautosearch

    O4 - HKLM\..\Run: [WndMsg] C:\WINDOWS\kl4.cap

    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cab

    Then reboot.

    Could you please mail me a (preferably zipped) copy of:
    C:\WINDOWS\kl4.cap
    Use the address in my profile please.

    Regards,

    Pieter
     
  3. mwwtups

    mwwtups Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    15
    Here is the log for the last hijackthis run.

    I will tryto email the zip file as requested.

    mwwtups

    Logfile of HijackThis v1.97.7
    Scan saved at 1:14:50 PM, on 6/4/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\LINKSYS\WMP11 CONFIG UTILITY\WMP11CFG.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\MY DOCUMENTS\MARK'S FILE\COMPUTER FILE\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\yi32tkzh.slt\prefs.js)
    O1 - Hosts: 207.36.196.189 auto.search.msn.com
    O1 - Hosts: 207.36.196.189 search.netscape.com
    O1 - Hosts: 207.36.196.189 ieautosearch
    O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\SYSTEM\BTIEIN.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [supporter5] C:\WINDOWS\SYSTEM\supporter5.exe
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
    O4 - HKLM\..\RunServices: [Nisum] c:\Program Files\Norton Internet Security\NISUM.EXE
    O4 - HKLM\..\RunServices: [ccPxySvc] c:\PROGRA~1\NORTON~2\CCPXYSVC.EXE
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: @Home (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi mwwtups,

    Yikes :eek: New cr@p :mad:

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O1 - Hosts: 207.36.196.189 auto.search.msn.com
    O1 - Hosts: 207.36.196.189 search.netscape.com
    O1 - Hosts: 207.36.196.189 ieautosearch
    O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\SYSTEM\BTIEIN.DLL

    Then reboot and post a new log please.

    Regards,

    Pieter
     
  5. mwwtups

    mwwtups Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    15
    I deleted the files and rebooted. However, I ran the VX2 Finderand got anerror message of

    Finder is currently for NTbased systems.

    What next?

    mwwtups
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    o_O

    I should have been more clear, I wanted a new HijackThis log.

    Regards,

    Pieter
     
  7. mwwtups

    mwwtups Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    15
    Sorry about my ignorance on computers. Here is my log.

    mwwtups

    Logfile of HijackThis v1.97.7
    Scan saved at 8:26:59 AM, on 6/5/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\LINKSYS\WMP11 CONFIG UTILITY\WMP11CFG.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\MY DOCUMENTS\MARK'S FILE\COMPUTER FILE\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\yi32tkzh.slt\prefs.js)
    O1 - Hosts: 207.36.196.189 auto.search.msn.com
    O1 - Hosts: 207.36.196.189 search.netscape.com
    O1 - Hosts: 207.36.196.189 ieautosearch
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [supporter5] C:\WINDOWS\SYSTEM\supporter5.exe
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
    O4 - HKLM\..\RunServices: [Nisum] c:\Program Files\Norton Internet Security\NISUM.EXE
    O4 - HKLM\..\RunServices: [ccPxySvc] c:\PROGRA~1\NORTON~2\CCPXYSVC.EXE
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: @Home (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi mwwtups,

    No problem. We all had to start at one time. :)

    Can you find this file: c:\windows\hosts
    Rightclick it and check when it was last changed.
    Try and let me know if that was about the time when you booted the computer or when you first accessed the internet.

    Regards,

    Pieter
     
  9. mwwtups

    mwwtups Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    15
    I have three unknown type of files with Host, Host.Sam and LHost.Sam that look like DOS names. Five more sub folders with the same type of information and ip addresses.

    Let me know what to do next.

    mwwtups
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi mwwtups,

    I need to know when hosts (no extension, it is named just that) was changed and what you're computer was doiung at the time that might have triggered it to change.

    Regards,

    Pieter
     
  11. mwwtups

    mwwtups Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    15
    It was modified today when I rebooted. It is Hosts with no particular typr of file. Hasthe Windows symbol which is uncrecognizable and asks which programs you want to use to open it up. Let me know.

    mwwtups
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    In HijackThis click Config > Misc Tools > Generate Startuplist
    This will produce a text file.
    Post the content please.

    Regards,

    Pieter
     
  13. mwwtups

    mwwtups Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    15
    Here is the startup log.

    mwwtups

    StartupList report, 6/7/04, 10:41:59 PM
    StartupList version: 1.52
    Started from : C:\MY DOCUMENTS\MARK'S FILE\COMPUTER FILE\HIJACKTHIS.EXE
    Detected: Windows 98 SE (Win9x 4.10.2222A)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    * Including empty and uninteresting sections
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\LINKSYS\WMP11 CONFIG UTILITY\WMP11CFG.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\MY DOCUMENTS\MARK'S FILE\COMPUTER FILE\HIJACKTHIS.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Start Menu\Programs\StartUp]
    Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe

    Shell folders AltStartup:
    *Folder not found*

    User shell folders Startup:
    *Folder not found*

    User shell folders AltStartup:
    *Folder not found*

    Shell folders Common Startup:
    [C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
    *No files*

    Shell folders Common AltStartup:
    *Folder not found*

    User shell folders Common Startup:
    *Folder not found*

    User shell folders Alternate Common Startup:
    *Folder not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    SystemTray = SysTray.Exe
    supporter5 = C:\WINDOWS\SYSTEM\supporter5.exe
    TaskMonitor = c:\windows\taskmon.exe
    StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
    ccApp = "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    ccRegVfy = "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    EnsoniqMixer = starter.exe
    ViewMgr = C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    Symantec NetDriver Monitor = C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    Nisum = c:\Program Files\Norton Internet Security\NISUM.EXE
    ccPxySvc = c:\PROGRA~1\NORTON~2\CCPXYSVC.EXE
    ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    ccEvtMgr = "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = "%1" /S

    --------------------------------------------------

    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [SetupcPerUser] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection SetupcPerUser 64 c:\windows\INF\setupc.inf

    [AppletsPerUser] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 c:\windows\INF\applets.inf

    [FontsPerUser] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 c:\windows\INF\fonts.inf

    [{5A8D6EE0-3E18-11D0-821E-444553540000}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\icw.inf,PerUserStub,,36

    [PerUser_ICW_Inis] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 c:\windows\INF\icw97.inf

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

    [{89820200-ECBD-11cf-8B85-00AA005B4395}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\SYSTEM\ie4uinit.inf,Shell.UserStub,,36

    [>PerUser_MSN_Clean] *
    StubPath = c:\windows\msnmgsr1.exe

    [{CA0A4247-44BE-11d1-A005-00805F8ABE06}] *
    StubPath = RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

    [PerUser_Msinfo] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 c:\windows\INF\msinfo.inf

    [PerUser_Msinfo2] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 c:\windows\INF\msinfo.inf

    [MotownMmsysPerUser] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 c:\windows\INF\motown.inf

    [MotownAvivideoPerUser] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 c:\windows\INF\motown.inf

    [{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub

    [MotownMPlayPerUser] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 c:\windows\INF\mplay98.inf

    [PerUser_Base] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 c:\windows\INF\msmail.inf

    [ShellPerUser] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 c:\windows\INF\shell.inf

    [Shell2PerUser] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 c:\windows\INF\shell2.inf

    [PerUser_winbase_Links] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 c:\windows\INF\subase.inf

    [PerUser_winapps_Links] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 c:\windows\INF\subase.inf

    [PerUser_LinkBar_URLs] *
    StubPath = c:\windows\COMMAND\sulfnbk.exe /L

    [TapiPerUser] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 c:\windows\INF\tapi.inf

    [{73fa19d0-2d75-11d2-995d-00c04f98bbc9}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection c:\windows\INF\webfdr16.inf,PerUserStub.Install,1

    [PerUserOldLinks] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 c:\windows\INF\appletpp.inf

    [MmoptRegisterPerUser] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 c:\windows\INF\mmopt.inf

    [OlsPerUser] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 c:\windows\INF\ols.inf

    [OlsMsnPerUser] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 c:\windows\INF\ols.inf

    [PerUser_Paint_Inis] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 c:\windows\INF\applets.inf

    [PerUser_Calc_Inis] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 c:\windows\INF\applets.inf

    [PerUser_dxxspace_Links] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_dxxspace_Links 64 c:\windows\INF\applets1.inf

    [PerUser_MSBackup_Inis] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSBackup_Inis 64 c:\windows\INF\applets1.inf

    [PerUser_CVT_Inis] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 c:\windows\INF\applets1.inf

    [PerUser_Enable_Inis] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Enable_Inis 64 c:\windows\INF\enable.inf

    [MotownRecPerUser] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 c:\windows\INF\motown.inf

    [PerUser_Vol] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 c:\windows\INF\motown.inf

    [PerUser_MSWordPad_Inis] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 c:\windows\INF\wordpad.inf

    [PerUser_RNA_Inis] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 c:\windows\INF\rna.inf

    [PerUser_Wingames_Inis] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Inis 64 c:\windows\INF\appletpp.inf

    [PerUser_Sysmon_Inis] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmon_Inis 64 c:\windows\INF\appletpp.inf

    [PerUser_Sysmeter_Inis] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmeter_Inis 64 c:\windows\INF\appletpp.inf

    [PerUser_netwatch_Inis] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_netwatch_Inis 64 c:\windows\INF\appletpp.inf

    [PerUser_CharMap_Inis] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_CharMap_Inis 64 c:\windows\INF\appletpp.inf

    [PerUser_Onlinelnks_Inis] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Onlinelnks_Inis 64 c:\windows\INF\appletpp.inf

    [PerUser_Dialer_Inis] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 c:\windows\INF\appletpp.inf

    [PerUser_ClipBrd_Inis] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_ClipBrd_Inis 64 c:\windows\INF\clip.inf

    [MmoptMusicaPerUser] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptMusicaPerUser 64 c:\windows\INF\mmopt.inf

    [MmoptJunglePerUser] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptJunglePerUser 64 c:\windows\INF\mmopt.inf

    [MmoptRobotzPerUser] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptRobotzPerUser 64 c:\windows\INF\mmopt.inf

    [MmoptUtopiaPerUser] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptUtopiaPerUser 64 c:\windows\INF\mmopt.inf

    [PerUser_CDPlayer_Inis] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 c:\windows\INF\mmopt.inf

    [{44BBA842-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection c:\windows\INF\msnetmtg.inf,NetMtg.Install.PerUser.W95

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

    [OlsAolPerUser] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUser 64 c:\windows\INF\ols.inf

    [OlsAttPerUser] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUser 64 c:\windows\INF\ols.inf

    [OlsCompuservePerUser] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsCompuservePerUser 64 c:\windows\INF\ols.inf

    [OlsProdigyPerUser] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUser 64 c:\windows\INF\ols.inf

    [Shell3PerUser] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection Shell3PerUser 64 c:\windows\INF\shell3.inf

    [Theme_Windows_PerUser] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection Themes_Windows_PerUser 0 c:\windows\INF\themes.inf

    [Theme_MoreWindows_PerUser] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection Themes_MoreWindows_PerUser 0 c:\windows\INF\themes.inf

    [{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = rundll32.exeadvpack.dll

    [>IEPerUser] *
    StubPath = RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

    [PerUser_Preptool] *
    StubPath = rundll.exe Setupx.dll,InstallHinfSection Install 64 C:\WINDOWS\INF\RUNLAST.INF

    [Chl99] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\chl99.inf,InstallUser

    [{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
    StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

    [NetservrPerUser] *
    StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection NetservrPerUser 64 c:\windows\INF\netservr.inf

    [{5945c046-1e7d-11d1-bc44-00c04fd912be}]
    StubPath = rundll32.exe advpack.dll,LaunchINFSection c:\windows\INF\msmsgs.inf,BLC.Remove.PerUser

    [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

    [{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
    StubPath = c:\WINDOWS\SYSTEM\Rundll32.exe c:\WINDOWS\SYSTEM\mscories.dll,Install

    [>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
    StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

    --------------------------------------------------

    Enumerating ICQ Agent Autostart apps:
    HKCU\Software\Mirabilis\ICQ\Agent\Apps

    *Registry key not found*

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=
    run=

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=Explorer.exe
    SCRNSAVE.EXE=
    drivers=mmsystem.dll power.drv

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present
    C:\WINDOWS\Fonts\Explorer.exe: not present

    --------------------------------------------------

    C:\WINDOWS\WININIT.INI listing:

    *File not found*

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 7/6/2004, 17:40:32)

    [rename]
    NUL=C:\WINDOWS\SYSTEM\NMSWAN16.DLL

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    ECHO OFF
    REM [Header]
    ECHO OFF
    REM [CD-ROM Drive]
    REM [Miscellaneous]
    REM [Display]
    REM Environment Settings For McAfee VirusScan
    PATH C:\PROGRA~1\MICROS~4;%PATH%;C:\PROGRA~1\NETWOR~1\MCAFEE~1

    --------------------------------------------------

    C:\CONFIG.SYS listing:

    REM [Header]
    REM == PISETUP Begin Delete ==
    REM == PISETUP End Delete ==
    REM [CD-ROM Drive]
    REM [Miscellaneous]
    REM [Display]

    --------------------------------------------------

    C:\WINDOWS\WINSTART.BAT listing:

    *File not found*

    --------------------------------------------------

    C:\WINDOWS\DOSSTART.BAT listing:

    echo off
    REM Notes:
    REM DOSSTART.BAT is run whenenver you choose "Restart the computer
    REM in MS-DOS mode" from the Shutdown menu in Windows. It allows
    REM you to load programs that you might not want loaded in Windows,
    REM (because they have functional equivalents) but that you do
    REM want loaded under MS-DOS. The two primary candidates for
    REM this are MSCDEX and a real mode driver for the mouse you ship
    REM with your system. Commands that you want present in both Windows
    REM and MS-DOS should be placed in the Autoexec.bat in the
    REM \Image directory of your reference server. Please note that for
    REM MSCDEX you will need to load the corresponding real-mode CD
    REM driver in Config.sys. This driver won't be used by Windows 98
    REM but will be available prior to and after Windows 98 exits.
    REM
    REM This file is also helpful if you want to F8 boot into MS-DOS 7.0
    REM before Windows loads and access the CD-ROM. All you have to do
    REM is press F8 and then run DOSSTART to load MSCDEX and your real
    REM mode mouse driver (no need to remember the command line parameters
    REM for these two files.
    REM
    REM - You MUST explicitly specify the CD ROM Drive Letter for MSCDEX.
    REM - The string following the /D: statement must explicitly match
    REM the string in CONFIG.SYS following your CD-ROM device driver.
    REM MSCDEX.EXE /D:OEMCD001 /l:d
    REM MOUSE.EXE

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Verifying REGEDIT.EXE integrity:

    - Regedit.exe found in C:\WINDOWS
    - .reg open command is normal (regedit.exe %1)
    - Company name OK: 'Microsoft Corporation'
    - Original filename OK: 'REGEDIT.EXE'
    - File description: 'Registry Editor'

    Registry check passed

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    *No BHO's found*

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Symantec NetDetect.job
    Norton AntiVirus - Scan my computer.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Microsoft XML Parser for Java]
    CODEBASE = file://c:\windows\Java\classes\xmldso.cab
    OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

    [DirectAnimation Java Classes]
    CODEBASE = file://c:\windows\SYSTEM\dajava.cab
    OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

    [Internet Explorer Classes for Java]
    CODEBASE = file://c:\windows\SYSTEM\iejava.cab
    OSD = C:\WINDOWS\Downloaded Program Files\Internet Explorer Classes for Java.osd

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [{33564D57-0000-0010-8000-00AA00389B71}]
    CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

    [QuickTime Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [{62475759-9E84-458E-A1AB-5D2C442ADFDE}]
    CODEBASE = http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe

    [QDiagAOLCCUpdateObj Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\QDIAGCC.OCX
    CODEBASE = http://aolcc.aol.com/computercheckup/qdiagcc.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    NameSpace #1: c:\windows\SYSTEM\rnr20.dll
    Protocol #1: c:\windows\SYSTEM\msafd.dll
    Protocol #2: c:\windows\SYSTEM\msafd.dll
    Protocol #3: c:\windows\SYSTEM\msafd.dll
    Protocol #4: c:\windows\SYSTEM\rsvpsp.dll
    Protocol #5: c:\windows\SYSTEM\rsvpsp.dll

    --------------------------------------------------

    Enumerating Win9x VxD services:

    VNETSUP: vnetsup.vxd
    NDIS: ndis.vxd,ndis2sup.vxd
    JAVASUP: JAVASUP.VXD
    CONFIGMG: *CONFIGMG
    NTKern: *NTKERN
    VWIN32: *VWIN32
    VFBACKUP: *VFBACKUP
    VCOMM: *VCOMM
    IFSMGR: *IFSMGR
    IOS: *IOS
    MTRR: *mtrr
    SPOOLER: *SPOOLER
    UDF: *UDF
    VFAT: *VFAT
    VCACHE: *VCACHE
    VCOND: *VCOND
    VCDFSD: *VCDFSD
    VXDLDR: *VXDLDR
    VDEF: *VDEF
    VPICD: *VPICD
    VTD: *VTD
    REBOOT: *REBOOT
    VDMAD: *VDMAD
    VSD: *VSD
    V86MMGR: *V86MMGR
    PAGESWAP: *PAGESWAP
    DOSMGR: *DOSMGR
    VMPOLL: *VMPOLL
    SHELL: *SHELL
    PARITY: *PARITY
    BIOSXLAT: *BIOSXLAT
    VMCPD: *VMCPD
    VTDAPI: *VTDAPI
    PERF: *PERF
    VRTWD: c:\windows\SYSTEM\vrtwd.386
    VFIXD: c:\windows\SYSTEM\vfixd.vxd
    VNETBIOS: vnetbios.vxd
    TurboVBF: turbovbf.vxd
    VREDIR: vredir.vxd
    DFS: dfs.vxd
    NDISWAN: ndiswan.vxd
    VSERVER: vserver.vxd
    SYMTDI: SYMTDI.VXD

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

    --------------------------------------------------
    End of report, 25,826 bytes
    Report generated in 0.359 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    It has to be VX2.

    Download:
    http://www.downloads.subratam.org/VX2Finder9x.exe

    For Win9x, it doesn't even require a reboot, just find files(verify they are not legitimate Windows files)

    -Select files and delete them all (Rundll32 & Explorer will end process leaving blank desktop)

    -User Agent$ Removes the User Agent String in Registry

    -Look2Me.reg Fixes the Double Quicklaunch toolbar.

    Regards,

    Pieter
     
  15. mwwtups

    mwwtups Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    15
    I have finished these tasks and ran another Hijack log for you to review.

    mwwtups

    Logfile of HijackThis v1.97.7
    Scan saved at 7:29:45 AM, on 6/8/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\LINKSYS\WMP11 CONFIG UTILITY\WMP11CFG.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\MY DOCUMENTS\MARK'S FILE\COMPUTER FILE\HIJACKTHIS.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\yi32tkzh.slt\prefs.js)
    O1 - Hosts: 207.36.196.189 auto.search.msn.com
    O1 - Hosts: 207.36.196.189 search.netscape.com
    O1 - Hosts: 207.36.196.189 ieautosearch
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [supporter5] C:\WINDOWS\SYSTEM\supporter5.exe
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
    O4 - HKLM\..\RunServices: [Nisum] c:\Program Files\Norton Internet Security\NISUM.EXE
    O4 - HKLM\..\RunServices: [ccPxySvc] c:\PROGRA~1\NORTON~2\CCPXYSVC.EXE
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: @Home (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Excellent, that should do it.

    Fix these:
    O1 - Hosts: 207.36.196.189 auto.search.msn.com
    O1 - Hosts: 207.36.196.189 search.netscape.com
    O1 - Hosts: 207.36.196.189 ieautosearch

    Or rename that hosts file (the one without the extension) to hosts.bak
    That will have the same effect.

    Regards,

    Pieter
     
  17. mwwtups

    mwwtups Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    15
    I ran the fix and here is the log again. What are the 016 files?

    mwwtups

    Logfile of HijackThis v1.97.7
    Scan saved at 5:30:36 PM, on 6/8/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\LINKSYS\WMP11 CONFIG UTILITY\WMP11CFG.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\FREECELL.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\MY DOCUMENTS\MARK'S FILE\COMPUTER FILE\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\yi32tkzh.slt\prefs.js)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [supporter5] C:\WINDOWS\SYSTEM\supporter5.exe
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
    O4 - HKLM\..\RunServices: [Nisum] c:\Program Files\Norton Internet Security\NISUM.EXE
    O4 - HKLM\..\RunServices: [ccPxySvc] c:\PROGRA~1\NORTON~2\CCPXYSVC.EXE
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: @Home (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
     
  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    That log is clean. Good job. :cool:

    O16 = ActiveX elements or Downloaded Program Files.

    Long story: http://www.active-x.com/articles/whatis.htm

    What I understand is that they are little programs that save you time downloading when you visit sites where they are needed often.
    Naturally the option to put them on your computer is sometimes abused.

    Please also read: Why did I get infected in the first place

    Regards,

    Pieter
     
  19. mwwtups

    mwwtups Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    15
    Is there anything else I can remove to spead up the computer? It runs low on resources and you have to reboot often.


    mwwtups
     
  20. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    These would be my first choices to disable:

    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe

    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

    No need for them to be running all the time.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.