Can't fix spad/myexexex

Discussion in 'adware, spyware & hijack cleaning' started by tcoltrane, Jun 9, 2004.

  1. tcoltrane

    tcoltrane Registered Member

    Joined:
    Jun 9, 2004
    Posts:
    8
    I have read several threads on this problem and have tried everything that has been suggested, but I am still getting redirected to myexexex.com. It only happens twice a day, when I first get online. I can make it happen more by changing the system date. Also, when the redirect happens a program named with 4 random letters and a .dat extension shows up in my temp directory (jghj.dat for example). It in turn creates a .bat file also named with 4 random letters and opens a cmd.exe process that continuously calls the .bat file. I have fixed everything obvious with HijackThis and deleted the spad folder from my C: drive, which stopped the home page reset, but I am still getting redirected while surfing, usually when I hit the back button. I have also run the posted registry fix and rebooted into safe mode to search for c_10230.dll and HPCMDTY.dll. My system did not find either of these dlls. I have set it to show hidden and protected files. I am including the logs from HijackThis, pv and dllfix as well as the contents of the .bat file that the .dat file is calling. I would appreciate any help with this.

    Logfile of HijackThis v1.97.7
    Scan saved at 11:15:44 AM, on 06/09/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Unable to get Internet Explorer version!

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\mnmsrvc.exe
    C:\OfficeScan NT\ntrtscan.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\OfficeScan NT\tmlisten.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\OfficeScan NT\ofcdog.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\OfficeScan NT\pccntmon.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
    C:\Program Files\Netropa\Onscreen Display\OSD.exe
    C:\WINNT\system32\HPJETDSC.EXE
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
    C:\Documents and Settings\tcoltrane\Desktop\spyware\procexp.exe
    C:\DOCUME~1\TCOLTR~1\LOCALS~1\Temp\eilb.dat
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\tcoltrane\Desktop\spyware\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wral.com/index.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.wral.com/index.html"); (C:\Documents and Settings\tcoltrane\Application Data\Mozilla\Profiles\default\keawwu16.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\tcoltrane\Application Data\Mozilla\Profiles\default\keawwu16.slt\prefs.js)
    O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [sethook] cmd /c start /min cmd /c c:\dell\src_path.cmd
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
    O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [HP JetDiscovery] HPJETDSC.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
    O15 - Trusted Zone: http://cbc2-245.cbc-raleigh.com
    O15 - Trusted Zone: http://cbcnt10.cbc-raleigh.com
    O15 - Trusted Zone: http://*.windowsupdate.com
    O16 - DPF: {020f6116-407b-11d3-a3bb-00c04fa32518} - http://cbcnt10.cbc-raleigh.com/jinit11718.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=www.viewpoint.com
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.0_02) - http://webnt03.cbc-raleigh.com/Analyzer6_Server/j2re-1_3_0_02-win-i.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38079.3004282407
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F6FBD92F-CD22-4B6C-9DD8-531F88978E93}: Domain = fis0002.cbc-raleigh.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cbc-raleigh.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cbc-raleigh.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cbc-raleigh.com



    pv log


    Module information for 'IEXPLORE.EXE'
    MODULE BASE SIZE PATH
    IEXPLORE.EXE 400000 102400 C:\Program Files\Internet Explorer\IEXPLORE.EXE 6.00.2800.1106 Internet Explorer
    ntdll.dll 77f80000 499712 C:\WINNT\system32\ntdll.dll 5.00.2195.6685 NT Layer DLL
    msvcrt.dll 78000000 286720 C:\WINNT\system32\msvcrt.dll 6.10.8924.0 Microsoft (R) C Runtime Library
    KERNEL32.dll 7c570000 733184 C:\WINNT\system32\KERNEL32.dll 5.00.2195.6794 Windows NT BASE API Client DLL
    USER32.dll 77e10000 389120 C:\WINNT\system32\USER32.dll 5.00.2195.6799 Windows 2000 USER API Client DLL
    GDI32.dll 77f40000 233472 C:\WINNT\system32\GDI32.dll 5.00.2195.6762 GDI Client DLL
    SHLWAPI.dll 70bd0000 413696 C:\WINNT\system32\SHLWAPI.dll 6.00.2800.1106 Shell Light-weight Utility Library
    ADVAPI32.dll 77db0000 372736 C:\WINNT\system32\ADVAPI32.dll 5.00.2195.5992 Advanced Windows 32 Base API
    RPCRT4.dll 77d30000 450560 C:\WINNT\system32\RPCRT4.dll 5.00.2195.6802 Remote Procedure Call Runtime
    SHDOCVW.dll 71000000 1347584 C:\WINNT\system32\SHDOCVW.dll 6.00.2800.1106 Shell Doc Object and Control Library
    comctl32.dll 71710000 540672 C:\WINNT\system32\comctl32.dll 5.81 Common Controls Library
    SHELL32.dll 782f0000 2355200 C:\WINNT\system32\SHELL32.dll 5.00.3502.4718 Windows Shell Common Dll
    ole32.dll 77a50000 966656 C:\WINNT\system32\ole32.dll 5.00.2195.6810 Microsoft OLE for Windows
    BROWSEUI.dll 71160000 1036288 C:\WINNT\system32\BROWSEUI.dll 6.00.2800.1106 Shell Browser UI Library
    browselc.dll 71960000 73728 C:\WINNT\system32\browselc.dll 6.00.2800.1106 Shell Browser UI Library
    CLBCATQ.DLL 775a0000 544768 C:\WINNT\system32\CLBCATQ.DLL 2000.2.3471.1
    OLEAUT32.dll 779b0000 634880 C:\WINNT\system32\OLEAUT32.dll 2.40.4517
    WININET.dll 70200000 610304 C:\WINNT\system32\WININET.dll 6.00.2800.1106 Internet Extensions for Win32
    CRYPT32.dll 77440000 483328 C:\WINNT\system32\CRYPT32.dll 5.131.2195.6072 Crypto API32
    MSASN1.dll 77430000 65536 C:\WINNT\system32\MSASN1.dll 5.00.2195.6823 ASN.1 Runtime APIs
    googletoolbar1.dll 10000000 786432 c:\program files\google\googletoolbar1.dll 2, 0, 111, 0 Google IE Client Toolbar
    SETUPAPI.dll 77880000 577536 C:\WINNT\system32\SETUPAPI.dll 5.00.2195.2663 Windows Setup API
    USERENV.DLL 7c0f0000 397312 C:\WINNT\system32\USERENV.DLL 5.00.2195.6794 Userenv
    urlmon.dll 702b0000 499712 C:\WINNT\system32\urlmon.dll 6.00.2800.1106 OLE32 Extensions for Win32
    VERSION.dll 77820000 28672 C:\WINNT\system32\VERSION.dll 5.00.2134.1 Version Checking and File Installation Libraries
    LZ32.DLL 759b0000 24576 C:\WINNT\system32\LZ32.DLL 5.00.2134.1 LZ Expand/Compress API DLL
    WSOCK32.dll 75050000 32768 C:\WINNT\system32\WSOCK32.dll 5.00.2195.2871 Windows Socket 32-Bit DLL
    WS2_32.DLL 75030000 77824 C:\WINNT\system32\WS2_32.DLL 5.00.2195.2780 Windows Socket 2.0 32-Bit DLL
    WS2HELP.DLL 75020000 32768 C:\WINNT\system32\WS2HELP.DLL 5.00.2134.1 Windows Socket 2.0 Helper for Windows NT
    WINTRUST.dll 76930000 176128 C:\WINNT\system32\WINTRUST.dll 5.131.2195.2779 Microsoft Trust Verification APIs
    IMAGEHLP.dll 77920000 143360 C:\WINNT\system32\IMAGEHLP.dll 5.00.2195.2778 Windows NT Image Helper
    WINMM.dll 77570000 196608 C:\WINNT\system32\WINMM.dll 5.00.2161.1 MCI API DLL
    serwvdrv.dll 681a0000 28672 C:\WINNT\system32\serwvdrv.dll 5.00.2134.1 Unimodem Serial Wave driver
    umdmxfrm.dll 66740000 28672 C:\WINNT\system32\umdmxfrm.dll 5.00.2134.1 Unimodem Tranform Module
    rsaenh.dll 7ca00000 143360 C:\WINNT\system32\rsaenh.dll 5.00.2195.2228 Microsoft Enhanced Cryptographic Provider (US/Canada Only, Not for Export)
    RASAPI32.DLL 774e0000 204800 C:\WINNT\system32\RASAPI32.DLL 5.00.2195.4983 Remote Access API
    rasman.dll 774c0000 69632 C:\WINNT\system32\rasman.dll 5.00.2195.4983 Remote Access Connection Manager
    TAPI32.dll 77530000 139264 C:\WINNT\system32\TAPI32.dll 5.00.2182.1 Microsoft® Windows(TM) Telephony API Client DLL
    RTUTILS.DLL 77830000 57344 C:\WINNT\system32\RTUTILS.DLL 5.00.2168.1 Routing Utilities
    sensapi.dll 75ab0000 20480 C:\WINNT\system32\sensapi.dll 5.00.2163.1 SENS Connectivity API DLL
    netapi32.dll 75170000 323584 C:\WINNT\system32\netapi32.dll 5.00.2195.5979 Net Win32 API DLL
    Secur32.dll 77be0000 61440 C:\WINNT\system32\Secur32.dll 5.00.2195.2862 Security Support Provider Interface
    NETRAP.dll 751c0000 24576 C:\WINNT\system32\NETRAP.dll 5.00.2134.1 Net Remote Admin Protocol DLL
    SAMLIB.dll 75150000 65536 C:\WINNT\system32\SAMLIB.dll 5.00.2195.2780 SAM Library DLL
    WLDAP32.dll 77950000 163840 C:\WINNT\system32\WLDAP32.dll 5.00.2195.5944 Win32 LDAP API DLL
    DNSAPI.dll 77980000 147456 C:\WINNT\system32\DNSAPI.dll 5.00.2195.6012 DNS Client API DLL
    rsabase.dll 1560000 139264 C:\WINNT\system32\rsabase.dll 5.00.2195.2228 Microsoft Base Cryptographic Provider (Export Version)
    SnagItBHO.dll 15c0000 49152 C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll 1.0.1 SnagIt Browser Helper Object for Internet Explorer
    MSVCR71.dll 7c340000 352256 C:\Program Files\TechSmith\SnagIt 7\MSVCR71.dll 7.10.3052.4 Microsoft® C Runtime Library
    AcroIEHelper.ocx 15e0000 32768 C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx 1, 0, 0, 1 AcroIEHelper Module
    SDHelper.dll 1630000 765952 C:\PROGRA~1\SPYBOT~1\SDHelper.dll 1, 3, 0, 12 Bad download blocker
    olepro32.dll 695e0000 167936 C:\WINNT\system32\olepro32.dll 5.0.4517
    adobemain.dll 1c10000 196608 C:\WINNT\System32\adobemain.dll
    shdoclc.dll 718c0000 540672 C:\WINNT\system32\shdoclc.dll 6.00.2800.1106 Shell Doc Object and Control Library
    mlang.dll 70440000 585728 C:\WINNT\system32\mlang.dll 6.00.2800.1106 Multi Language Support DLL
    msafd.dll 74fd0000 126976 C:\WINNT\system32\msafd.dll 5.00.2195.2779 Microsoft Windows Sockets 2.0 Service Provider
    wshtcpip.dll 75010000 28672 C:\WINNT\System32\wshtcpip.dll 5.00.2195.2104 Windows Sockets Helper DLL
    rnr20.dll 785c0000 49152 C:\WINNT\System32\rnr20.dll 5.00.2195.2871 Windows Socket2 NameSpace DLL
    iphlpapi.dll 77340000 77824 C:\WINNT\system32\iphlpapi.dll 5.00.2173.2 IP Helper API
    ICMP.DLL 77520000 20480 C:\WINNT\system32\ICMP.DLL 5.00.2134.1 ICMP DLL
    MPRAPI.DLL 77320000 94208 C:\WINNT\system32\MPRAPI.DLL 5.00.2181.1 Windows NT MP Router Administration DLL
    ACTIVEDS.DLL 773b0000 188416 C:\WINNT\system32\ACTIVEDS.DLL 5.00.2195.2778 ADs Router Layer DLL
    ADSLDPC.DLL 77380000 139264 C:\WINNT\system32\ADSLDPC.DLL 5.00.2195.5781 ADs LDAP Provider C DLL
    DHCPCSVC.DLL 77360000 102400 C:\WINNT\system32\DHCPCSVC.DLL 5.00.2195.2778 DHCP Client Service
    winrnr.dll 777e0000 32768 C:\WINNT\System32\winrnr.dll 5.00.2160.1 LDAP RnR Provider DLL
    rasadhlp.dll 777f0000 20480 C:\WINNT\system32\rasadhlp.dll 5.00.2168.1 Remote Access AutoDial Helper
    mshtml.dll 70c50000 2805760 C:\WINNT\system32\mshtml.dll 6.00.2800.1106 Microsoft (R) HTML Viewer
    IMM32.DLL 75e60000 106496 C:\WINNT\system32\IMM32.DLL 5.00.2195.2821 Windows 2000 IMM32 API Client DLL
    jscript.dll 6b700000 589824 C:\WINNT\System32\jscript.dll 5.6.0.8513 Microsoft (r) JScript
    MSLS31.DLL 75ac0000 163840 C:\WINNT\system32\MSLS31.DLL 3.10.337.0 Microsoft Line Services library file
    actxprxy.dll 703d0000 110592 C:\WINNT\system32\actxprxy.dll 6.00.2800.1106 ActiveX Interface Marshaling Library
    wdmaud.drv 77560000 36864 C:\WINNT\system32\wdmaud.drv 5.00.2195.2669 WDM Audio driver mapper
    msacm32.drv 77400000 32768 C:\WINNT\system32\msacm32.drv 5.00.2134.1 Microsoft Sound Mapper
    MSACM32.dll 77410000 77824 C:\WINNT\system32\MSACM32.dll 5.00.2134.1 Microsoft ACM Audio Filter
    ddrawex.dll 727f0000 36864 C:\WINNT\System32\ddrawex.dll 5.00.2134.1 Direct Draw Ex
    DDRAW.dll 51000000 278528 C:\WINNT\System32\DDRAW.dll 5.1.2600.881 built by: Lab06_N(mmbuild) Microsoft DirectDraw
    DCIMAN32.dll 728a0000 24576 C:\WINNT\System32\DCIMAN32.dll 5.00.2180.1 DCI Manager
    corpol.dll 6d380000 32768 C:\WINNT\system32\corpol.dll 1998.03.6074.0 Microsoft COM Runtime Execution Engine
    SOFTPUB.DLL 75740000 20480 C:\WINNT\system32\SOFTPUB.DLL 5.131.2134.1 Softpub Forwarder DLL
    cryptnet.dll 75a20000 57344 C:\WINNT\system32\cryptnet.dll 5.131.2157.1 Crypto Network Related API
    riched32.dll 76b20000 20480 C:\WINNT\system32\riched32.dll 5.00.2134.1 Wrapper Dll for Richedit 1.0
    RICHED20.dll 772b0000 442368 C:\WINNT\system32\RICHED20.dll 5.30.23.1205 Rich Text Edit Control, v3.0
    javacypt.dll 6d5a0000 192512 C:\WINNT\system32\javacypt.dll 5.00.3802 MS Crypt Dll for Java
    msjava.dll 6b050000 958464 C:\WINNT\system32\msjava.dll 5.00.3802 Microsoft® VM
    VMHELPER.DLL 66130000 294912 C:\WINNT\system32\VMHELPER.DLL 5.00.3802 Microsoft® VM Helper Library
    imgutil.dll 70510000 40960 C:\WINNT\system32\imgutil.dll 6.00.2800.1106 IE plugin image decoder support DLL
    mshtmled.dll 70f30000 450560 C:\WINNT\system32\mshtmled.dll 6.00.2800.1106 Microsoft (R) HTML Editing Component
    MPR.DLL 75090000 65536 C:\WINNT\system32\MPR.DLL 5.00.2195.2779 Multiple Provider Router DLL
    ntlanman.dll 75160000 49152 C:\WINNT\System32\ntlanman.dll 5.00.2157.1 Microsoft® Lan Manager
    NETUI0.DLL 75210000 86016 C:\WINNT\System32\NETUI0.DLL 5.00.2134.1 NT LM UI Common Code - GUI Classes
    NETUI1.DLL 751d0000 229376 C:\WINNT\System32\NETUI1.DLL 5.00.2134.1 NT LM UI Common Code - Networking classes
    iepeers.dll 70fb0000 241664 C:\WINNT\system32\iepeers.dll 6.00.2800.1106 Internet Explorer Peer Objects
    WINSPOOL.DRV 77800000 122880 C:\WINNT\system32\WINSPOOL.DRV 5.00.2195.6032 Windows Spooler Driver
    dispex.dll 6d40000 45056 C:\WINNT\System32\dispex.dll 5.6.0.6626 Microsoft (r) DispEx
    QuickTimeWebHelper.qtx 62c80000 192512 C:\WINNT\system32\QuickTime\QuickTimeWebHelper.qtx 5.0.2 QuickTime Web Helper
    QuickTime.qts 62800000 3960832 C:\WINNT\system32\QuickTime.qts 5.0.2 QuickTime
    comdlg32.dll 76b30000 253952 C:\WINNT\system32\comdlg32.dll 5.00.3103.1000 Common Dialogs DLL
    dsound.dll 51080000 344064 C:\WINNT\system32\dsound.dll 5.1.2600.881 built by: DShow_Build DirectSound
    QuickTimeAuthoring.qtx 62e40000 1310720 C:\WINNT\SYSTEM32\QuickTime\QuickTimeAuthoring.qtx 5.0.2 QuickTime Authoring
    QuickTimeEssentials.qtx 631c0000 471040 C:\WINNT\SYSTEM32\QuickTime\QuickTimeEssentials.qtx 5.0.2 QuickTime Essentials
    QuickTimeInternetExtras.qtx 62d70000 827392 C:\WINNT\SYSTEM32\QuickTime\QuickTimeInternetExtras.qtx 5.0.1 QuickTime Internet Extras
    QuickTimeMusic.qtx 630b0000 442368 C:\WINNT\SYSTEM32\QuickTime\QuickTimeMusic.qtx 5.0.2 QuickTime Music
    QuickTimeStreaming.qtx 62bd0000 720896 C:\WINNT\SYSTEM32\QuickTime\QuickTimeStreaming.qtx 5.0.2 QuickTime Streaming
    QuickTimeStreamingExtras.qtx 63320000 106496 C:\WINNT\SYSTEM32\QuickTime\QuickTimeStreamingExtras.qtx 5.0.1 QuickTime Streaming Extras
    QuickTimeVR.qtx 62cd0000 372736 C:\WINNT\SYSTEM32\QuickTimeVR.qtx 5.0.2 QuickTime VR
    wmploc.dll 8110000 2940928 C:\WINNT\System32\wmploc.dll 9.00.00.2980 Windows Media Player
    WMASF.DLL 6f80000 233472 C:\WINNT\system32\WMASF.DLL 9.00.00.2980 built by: lab03_dev(bld4act) Windows Media ASF DLL
    wmnetmgr.dll 72b0000 1007616 C:\WINNT\System32\wmnetmgr.dll 9.00.00.2980 Windows Media Network Plugin Manager DLL
    msv1_0.dll 782d0000 122880 C:\WINNT\system32\msv1_0.dll 5.00.2195.6006 Microsoft Authentication Package v1.0
    digest.dll 96f0000 65536 C:\WINNT\system32\digest.dll 6.00.2800.1106 Digest SSPI Authentication Package
    pstorec.dll 69000000 49152 C:\WINNT\system32\pstorec.dll 5.00.2134.1 Protected Storage COM interfaces
    ATL.DLL 773e0000 73728 C:\WINNT\system32\ATL.DLL 3.00.8449 ATL Module for Windows NT (Unicode)
    quartz.dll 35500000 1875968 C:\WINNT\System32\quartz.dll 6.03.01.0886 DirectShow Runtime.
    msdmo.dll 9c30000 24576 C:\WINNT\system32\msdmo.dll
    KsUser.dll 5ef80000 16384 C:\WINNT\system32\KsUser.dll 5.1.2258.400 built by: Lab06_N(mmbuild) User CSA Library
    MSRATING.DLL 70400000 143360 C:\WINNT\system32\MSRATING.DLL 6.00.2800.1106 Internet Ratings and Local User Management DLL
    msratelc.dll 30000000 69632 C:\WINNT\system32\msratelc.dll 6.00.2800.1106 Internet Ratings and Local User Management DLL
    ntshrui.dll 76fa0000 61440 C:\WINNT\system32\ntshrui.dll 5.00.2134.1 Shell extensions for sharing
    plugin.ocx 6e90000 98304 C:\WINNT\system32\plugin.ocx 6.00.2800.1106 ActiveX Plugin OCX


    dllfix log



    --==***@@@ FIND-ALL' VERSION MODIFIED -5/27 @@@***==--
    --==***@@@ ORIGINAL BY FREEATLAST @@@***==--

    Wed 06/09/2004
    11:22a

    System Info:

    Microsoft Windows 2000 [Version 5.00.2195]
    C: "" (24B3:55E1) - FS:NTFS clusters:512
    Total: 19 995 622 912 [19G] - Free: 11 688 782 848 [11G]


    *IE version and Service packs:
    6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
    *Notepad version :
    5.0.2140.1 C:\WINNT\system32\notepad.exe
    5.0.2140.1 C:\WINNT\notepad.exe

    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    MinorVersion REG_SZ ;SP1;



    Locked or 'Suspect' file(s) found...


    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00C6482D-C502-44C8-8409-FCE54AD9C208}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

    *Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!


    Can't open Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

    2 - The system cannot find the file specified.
    



    Contents of the .bat file that the .dat file is calling

    @echo off
    :start
    echo > %1
    del %1
    if exist %1 goto start
    del %0
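A small triage helper for the HijackThis log format and the dropper behaviour described in this post (a four-random-letter .dat in Temp that spawns a .bat and a looping cmd.exe), added here as an example; it is not HijackThis code and not the poster's own. The log excerpt below is constructed in the posted format (the Temp\eilb.dat process and the first three O4 lines mirror the posted log; the [updater] entry is invented), and the batch text is a copy of the file quoted above.

```python
# Added example: flag HijackThis log lines and batch files that match the
# pattern reported in the thread.  Sample inputs are constructed (see lead-in).
import re

# Constructed excerpt in HijackThis v1.97 log format; eilb.dat and the first
# three O4 lines come from the posted log, the [updater] line is invented.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\Explorer.EXE
C:\DOCUME~1\TCOLTR~1\LOCALS~1\Temp\eilb.dat
C:\Program Files\Internet Explorer\IEXPLORE.EXE

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [sethook] cmd /c start /min cmd /c c:\dell\src_path.cmd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\TCOLTR~1\LOCALS~1\Temp\kqzp.bat
"""

# Copy of the batch file quoted in the post: overwrite and delete the dropper
# (%1) until the delete succeeds, then delete the script itself (%0).
SAMPLE_BAT = """@echo off
:start
echo > %1
del %1
if exist %1 goto start
del %0
"""

RANDOM_NAME = re.compile(r"^[a-z]{4}\.(dat|bat)$", re.IGNORECASE)  # jghj.dat, eilb.dat
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
RUN_ENTRY = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
BASENAME = re.compile(r"[\w~.-]+\.[A-Za-z]{3}")  # file names inside a command line


def parse_log(text):
    """Return (running process paths, R/N/O/F entry lines) from a HijackThis log."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
        elif re.match(r"^[RNOF]\d+ - ", line):
            entries.append(line)
    return processes, entries


def triage_processes(processes):
    """Map each suspicious process path to the reasons it was flagged."""
    flagged = {}
    for path in processes:
        name = path.rsplit("\\", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        reasons = []
        if TEMP_DIR.search(path):
            reasons.append("image loaded from a Temp directory")
        if ext not in ("exe", "scr", "com"):
            reasons.append(f"process image has a non-executable extension (.{ext})")
        if RANDOM_NAME.match(name):
            reasons.append("name matches the four-random-letter .dat/.bat pattern")
        if reasons:
            flagged[path] = reasons
    return flagged


def triage_run_entries(entries):
    """Map each suspicious O4 Run autorun to the reasons it was flagged."""
    flagged = {}
    for line in entries:
        m = RUN_ENTRY.match(line)
        if not m:
            continue  # Global Startup and other O4 forms are not parsed here
        cmd, reasons = m.group("cmd"), []
        if re.match(r'^"?cmd(\.exe)?"?\s', cmd, re.IGNORECASE):
            reasons.append("autorun is a cmd.exe wrapper; verify the script it launches")
        if TEMP_DIR.search(cmd):
            reasons.append("autorun target lives in a Temp directory")
        if any(RANDOM_NAME.match(b) for b in BASENAME.findall(cmd)):
            reasons.append("target matches the four-random-letter .dat/.bat pattern")
        if reasons:
            flagged[f"[{m.group('name')}] {cmd}"] = reasons
    return flagged


def is_self_deleting_batch(text):
    """True for the delete-loop shape in the post: a label, a retry loop while
    the argument still exists, and a final 'del %0' removing the script."""
    lines = [l.strip().lower() for l in text.splitlines() if l.strip()]
    has_label = any(l.startswith(":") for l in lines)
    has_loop = any(re.match(r"if exist %\d goto \w+", l) for l in lines)
    deletes_self = any(re.match(r"del\s+(/\w\s+)*%0$", l) for l in lines)
    return has_label and has_loop and deletes_self


if __name__ == "__main__":
    procs, entries = parse_log(SAMPLE_LOG)
    for key, why in {**triage_processes(procs), **triage_run_entries(entries)}.items():
        print(key, "->", "; ".join(why))
    print("self-deleting batch:", is_self_deleting_batch(SAMPLE_BAT))
```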
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    In HijackThis click Config > Misc Tools > Generate Startuplist.
    Post the text file it produces.

    Regards,

    Pieter
     
  3. tcoltrane

    tcoltrane Registered Member

    Joined:
    Jun 9, 2004
    Posts:
    8
    Here is the HijackThis startup list.


    StartupList report, 06/10/2004, 10:15:22 AM
    StartupList version: 1.52
    Started from : C:\Documents and Settings\tcoltrane\Desktop\spyware\HijackThis.EXE
    Detected: Windows 2000 SP2 (WinNT 5.00.2195)
    Detected: Unable to get Internet Explorer version!
    * Using default options
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\mnmsrvc.exe
    C:\OfficeScan NT\ntrtscan.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\OfficeScan NT\tmlisten.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\OfficeScan NT\ofcdog.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\OfficeScan NT\pccntmon.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
    C:\Program Files\Netropa\Onscreen Display\OSD.exe
    C:\WINNT\system32\HPJETDSC.EXE
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\tcoltrane\Desktop\spyware\procexp.exe
    C:\Documents and Settings\tcoltrane\Desktop\spyware\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Synchronization Manager = mobsync.exe /logon
    sethook = cmd /c start /min cmd /c c:\dell\src_path.cmd
    TCASUTIEXE = TCAUDIAG -off
    madexe = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
    MULTIMEDIA KEYBOARD = C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    Adaptec DirectCD = C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
    Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    OfficeScanNT Monitor = "C:\OfficeScan NT\pccntmon.exe" -HideWindow
    NvCplDaemon = RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    HP JetDiscovery = HPJETDSC.EXE

    --------------------------------------------------

    Shell & screensaver key from C:\WINNT\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINNT\System32\SSSTARS.SCR
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll - {00C6482D-C502-44C8-8409-FCE54AD9C208}
    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    (no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

    --------------------------------------------------

    Enumerating Download Program Files:

    [{020f6116-407b-11d3-a3bb-00c04fa32518}]
    InProcServer32 = C:\Program Files\Oracle\JInitiator 1.1.7.18\bin\beans.ocx
    CODEBASE = http://cbcnt10.cbc-raleigh.com/jinit11718.exe

    [QuickTime Object]
    InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [MetaStreamCtl Class]
    InProcServer32 = C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
    CODEBASE = https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=www.viewpoint.com

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINNT\SYSTEM32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [Java Plug-in 1.3.0_02]
    InProcServer32 = C:\Program Files\JavaSoft\JRE\1.3.0_02\bin\npjava130_02.dll
    CODEBASE = http://webnt03.cbc-raleigh.com/Analyzer6_Server/j2re-1_3_0_02-win-i.exe

    [Update Class]
    InProcServer32 = C:\WINNT\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38079.3004282407

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: C:\WINNT\system32\spool\DRIVERS\W32X86\2\New\EF3X2026.PDD|C:\WINNT\system32\spool\DRIVERS\W32X86\2\EF3X2026.PDD|||

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
    SysTray: stobject.dll
    WebCheck: C:\WINNT\system32\webcheck.dll

    --------------------------------------------------
    End of report, 6,686 bytes
    Report generated in 0.170 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  4. tcoltrane

    tcoltrane Registered Member

    Joined:
    Jun 9, 2004
    Posts:
    8
    I checked the "List also minor sections" and "List empty sections" and ran it again. Thanks for looking at this. It really has me stumped.


    StartupList report, 06/10/2004, 10:19:17 AM
    StartupList version: 1.52
    Started from : C:\Documents and Settings\tcoltrane\Desktop\spyware\HijackThis.EXE
    Detected: Windows 2000 SP2 (WinNT 5.00.2195)
    Detected: Unable to get Internet Explorer version!
    * Using default options
    * Including empty and uninteresting sections
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\mnmsrvc.exe
    C:\OfficeScan NT\ntrtscan.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\OfficeScan NT\tmlisten.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\OfficeScan NT\ofcdog.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\OfficeScan NT\pccntmon.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
    C:\Program Files\Netropa\Onscreen Display\OSD.exe
    C:\WINNT\system32\HPJETDSC.EXE
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\tcoltrane\Desktop\spyware\procexp.exe
    C:\Documents and Settings\tcoltrane\Desktop\spyware\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\tcoltrane\Start Menu\Programs\Startup]
    *No files*

    Shell folders AltStartup:
    *Folder not found*

    User shell folders Startup:
    *Folder not found*

    User shell folders AltStartup:
    *Folder not found*

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

    Shell folders Common AltStartup:
    *Folder not found*

    User shell folders Common Startup:
    *Folder not found*

    User shell folders Alternate Common Startup:
    *Folder not found*

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    *Registry value not found*

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Synchronization Manager = mobsync.exe /logon
    sethook = cmd /c start /min cmd /c c:\dell\src_path.cmd
    TCASUTIEXE = TCAUDIAG -off
    madexe = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
    MULTIMEDIA KEYBOARD = C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    Adaptec DirectCD = C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
    Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    OfficeScanNT Monitor = "C:\OfficeScan NT\pccntmon.exe" -HideWindow
    NvCplDaemon = RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    HP JetDiscovery = HPJETDSC.EXE

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [OptionalComponents]
    *No values found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = "%1" /S

    --------------------------------------------------

    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = C:\WINNT\system32\mshta.exe "%1" %*

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINNT\inf\unregmp2.exe /ShowWMP

    [>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
    StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

    [{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
    StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

    [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    [{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
    StubPath = %SystemRoot%\system32\updcrl.exe -e -u %SystemRoot%\system32\verisignpub1.crl

    --------------------------------------------------

    Enumerating ICQ Agent Autostart apps:
    HKCU\Software\Mirabilis\ICQ\Agent\Apps

    *Registry key not found*

    --------------------------------------------------

    Load/Run keys from C:\WINNT\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry key not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry key not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=*Registry key not found*

    --------------------------------------------------

    Shell & screensaver key from C:\WINNT\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINNT\System32\SSSTARS.SCR
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINNT\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINNT\Explorer\Explorer.exe: not present
    C:\WINNT\System\Explorer.exe: not present
    C:\WINNT\System32\Explorer.exe: not present
    C:\WINNT\Command\Explorer.exe: not present
    C:\WINNT\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Verifying REGEDIT.EXE integrity:

    - Regedit.exe found in C:\WINNT
    - .reg open command is normal (regedit.exe %1)
    - Company name OK: 'Microsoft Corporation'
    - Original filename OK: 'REGEDIT.EXE'
    - File description: 'Registry Editor'

    Registry check passed

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll - {00C6482D-C502-44C8-8409-FCE54AD9C208}
    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    (no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    *No jobs found*

    --------------------------------------------------

    Enumerating Download Program Files:

    [DirectAnimation Java Classes]
    CODEBASE = file://C:\WINNT\Java\classes\dajava.cab
    OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

    [Microsoft XML Parser for Java]
    CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
    OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

    [{020f6116-407b-11d3-a3bb-00c04fa32518}]
    InProcServer32 = C:\Program Files\Oracle\JInitiator 1.1.7.18\bin\beans.ocx
    CODEBASE = http://cbcnt10.cbc-raleigh.com/jinit11718.exe

    [QuickTime Object]
    InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [MetaStreamCtl Class]
    InProcServer32 = C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
    CODEBASE = https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=www.viewpoint.com

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINNT\SYSTEM32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [Java Plug-in 1.3.0_02]
    InProcServer32 = C:\Program Files\JavaSoft\JRE\1.3.0_02\bin\npjava130_02.dll
    CODEBASE = http://webnt03.cbc-raleigh.com/Analyzer6_Server/j2re-1_3_0_02-win-i.exe

    [Update Class]
    InProcServer32 = C:\WINNT\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38079.3004282407

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    NameSpace #1: C:\WINNT\System32\rnr20.dll
    NameSpace #2: C:\WINNT\System32\winrnr.dll
    NameSpace #3: C:\WINNT\System32\nwprovau.dll
    Protocol #1: C:\WINNT\system32\msafd.dll
    Protocol #2: C:\WINNT\system32\msafd.dll
    Protocol #3: C:\WINNT\system32\msafd.dll
    Protocol #4: C:\WINNT\system32\rsvpsp.dll
    Protocol #5: C:\WINNT\system32\rsvpsp.dll
    Protocol #6: C:\WINNT\system32\msafd.dll
    Protocol #7: C:\WINNT\system32\msafd.dll
    Protocol #8: C:\WINNT\system32\msafd.dll
    Protocol #9: C:\WINNT\system32\msafd.dll
    Protocol #10: C:\WINNT\system32\msafd.dll
    Protocol #11: C:\WINNT\system32\msafd.dll
    Protocol #12: C:\WINNT\system32\msafd.dll
    Protocol #13: C:\WINNT\system32\msafd.dll
    Protocol #14: C:\WINNT\system32\msafd.dll
    Protocol #15: C:\WINNT\system32\msafd.dll
    Protocol #16: C:\WINNT\system32\msafd.dll
    Protocol #17: C:\WINNT\system32\msafd.dll
    Protocol #18: C:\WINNT\system32\msafd.dll
    Protocol #19: C:\WINNT\system32\msafd.dll
    Protocol #20: C:\WINNT\system32\msafd.dll
    Protocol #21: C:\WINNT\system32\msafd.dll
    Protocol #22: C:\WINNT\system32\msafd.dll

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    aaatimeo: System32\DRIVERS\aaatimeo.sys (system)
    Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
    adpu160m: System32\DRIVERS\adpu160m.sys (system)
    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
    Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
    aic78u2: System32\DRIVERS\aic78u2.sys (system)
    aic78xx: System32\DRIVERS\aic78xx.sys (system)
    Alerter: %SystemRoot%\System32\services.exe (manual start)
    Application Management: %SystemRoot%\system32\services.exe (manual start)
    RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
    Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
    ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
    Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
    Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k BITSgroup (manual start)
    Computer Browser: %SystemRoot%\System32\services.exe (autostart)
    Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
    cda1000: System32\DRIVERS\cda1000.sys (system)
    CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
    Indexing Service: C:\WINNT\System32\cisvc.exe (manual start)
    ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
    cmosa: System32\DRIVERS\cmosa.sys (system)
    Crystal SoundFusion(tm) Driver: system32\drivers\cwcspud.sys (manual start)
    DHCP Client: %SystemRoot%\System32\services.exe (autostart)
    Disk Driver: System32\DRIVERS\disk.sys (system)
    Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
    dmboot: System32\drivers\dmboot.sys (disabled)
    Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
    dmload: System32\drivers\dmload.sys (system)
    Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart)
    Microsoft DirectMusic SW Synth (WDM): system32\drivers\DMusic.sys (manual start)
    DNS Client: %SystemRoot%\System32\services.exe (autostart)
    3Com EtherLink XL B/C Adapter Driver: System32\DRIVERS\el90xbc5.sys (manual start)
    3Com 3C90X-BC Family PCI EtherLink Adapter: System32\DRIVERS\el90Xbc5.SYS (manual start)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start)
    Fax Service: %systemroot%\system32\faxsvc.exe (manual start)
    Fd16_700: System32\DRIVERS\fd16_700.sys (system)
    Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
    Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
    FormScape2 Server: "C:\Program Files\FormScape2\Programs\fs2serv.exe" (autostart)
    Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
    Santa Cruz Game Port: System32\DRIVERS\gameenum.sys (manual start)
    Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
    Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (autostart)
    i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
    Service for AC'97 Driver (WDM): system32\drivers\ichaud.sys (manual start)
    idebd: System32\DRIVERS\idebd.sys (system)
    intelata: System32\DRIVERS\intelata.sys (system)
    IntelIde: System32\DRIVERS\intelide.sys (system)
    Microsoft IntelliPoint Features driver: System32\DRIVERS\IPFilter.sys (manual start)
    IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
    IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
    IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
    IPSEC driver: System32\DRIVERS\ipsec.sys (manual start)
    PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
    Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
    Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
    Server: %SystemRoot%\System32\services.exe (autostart)
    Workstation: %SystemRoot%\System32\services.exe (autostart)
    TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart)
    Messenger: %SystemRoot%\System32\services.exe (autostart)
    NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (autostart)
    Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
    Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
    Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
    BDA MPE Filter: System32\DRIVERS\MPE.sys (manual start)
    mraid35x: System32\DRIVERS\mraid35x.sys (system)
    MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
    Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start)
    Sidewinder HID to Joystick Port Enabler: System32\DRIVERS\msgame.sys (manual start)
    Multimedia Keyboard Filter Driver: System32\DRIVERS\msikbd2k.sys (system)
    Windows Installer: C:\WINNT\System32\MsiExec.exe /V (manual start)
    Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
    Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
    Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
    Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
    MTsensor: System32\DRIVERS\MTsensor.sys (manual start)
    NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
    Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
    Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
    NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
    NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
    Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
    Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
    NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start)
    Net Logon: %SystemRoot%\System32\lsass.exe (autostart)
    Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Netropa NHK Server: C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (autostart)
    NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
    Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    OfficeScanNT RealTime Scan: C:\OfficeScan NT\ntrtscan.exe (autostart)
    nv: System32\DRIVERS\nv4_mini.sys (manual start)
    nv4: System32\DRIVERS\nv4_mini.sys (manual start)
    NVIDIA Display Driver Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
    IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
    IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
    NWLink IPX/SPX/NetBIOS Compatible Transport Protocol: System32\DRIVERS\nwlnkipx.sys (autostart)
    NWLink NetBIOS: System32\DRIVERS\nwlnknb.sys (autostart)
    NWLink SPX/SPXII Protocol: System32\DRIVERS\nwlnkspx.sys (autostart)
    Parallel class driver: System32\DRIVERS\parallel.sys (manual start)
    Parallel port driver: System32\DRIVERS\parport.sys (system)
    PCI Bus Driver: System32\DRIVERS\pci.sys (system)
    PCIIde: System32\DRIVERS\pciide.sys (disabled)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)
    WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
    Protected Storage: %SystemRoot%\system32\services.exe (autostart)
    Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
    Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
    Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
    Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
    Microsoft Streaming Network Raw Channel Access: system32\drivers\RCA.sys (manual start)
    Rdbss: System32\DRIVERS\rdbss.sys (system)
    Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
    Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Remote Registry Service: %SystemRoot%\system32\regsvc.exe (autostart)
    Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    QoS RSVP: %SystemRoot%\System32\rsvp.exe -s (manual start)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)
    RunAs Service: %SystemRoot%\system32\services.exe (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
    Serial port driver: System32\DRIVERS\serial.sys (system)
    Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
    Sparrow: System32\DRIVERS\sparrow.sys (system)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    Srv: System32\DRIVERS\srv.sys (manual start)
    BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
    Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
    Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
    Microsoft System Audio Device: system32\drivers\sysaudio.sys (manual start)
    Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
    Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Santa Cruz Driver: system32\drivers\tbcspud.sys (manual start)
    Santa Cruz WDM Driver: system32\drivers\tbcwdm.sys (manual start)
    tcaicchg: \??\C:\WINNT\System32\tcaicchg.sys (autostart)
    TCAITDI Protocol: System32\DRIVERS\TCAITDI.sys (autostart)
    TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
    Telnet: %SystemRoot%\system32\tlntsvr.exe (manual start)
    Trend Micro Filter: \??\C:\OfficeScan NT\TmFilter.sys (autostart)
    OfficeScanNT Listener: C:\OfficeScan NT\tmlisten.exe (autostart)
    Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart)
    Microsoft USB Universal Host Controller Driver: System32\DRIVERS\uhcd.sys (manual start)
    Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
    Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
    Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
    Utility Manager: %SystemRoot%\System32\UtilMan.exe (manual start)
    VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
    Trend Micro VSAPI NT: \??\C:\OfficeScan NT\VSApiNt.sys (autostart)
    vsdatant: System32\vsdatant.sys (system)
    TrueVector Internet Monitor: C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe -service (manual start)
    Windows Time: %SystemRoot%\System32\services.exe (autostart)
    Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
    Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
    Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (manual start)
    WMDM PMSP Service: C:\WINNT\System32\mspmspsv.exe (autostart)
    Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Windows Management Instrumentation Driver Extensions: %SystemRoot%\system32\Services.exe (manual start)
    World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
    Automatic Updates: %systemroot%\system32\svchost.exe -k wugroup (autostart)


    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: C:\WINNT\system32\spool\DRIVERS\W32X86\2\New\EF3X2026.PDD|C:\WINNT\system32\spool\DRIVERS\W32X86\2\EF3X2026.PDD|||

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
    SysTray: stobject.dll
    WebCheck: C:\WINNT\system32\webcheck.dll

    --------------------------------------------------
    End of report, 29,933 bytes
    Report generated in 0.200 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
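Reading a StartupList report by eye, as the posts above show, gets tiring fast. The script below is an added example, not code from the thread or from the StartupList/HijackThis tools: it parses the autorun and BHO sections of such a report into records and applies a few coarse review rules (command lines starting in a temp directory, the four-letter .dat/.bat naming pattern described earlier in the thread, cmd and rundll32 wrappers, and bare file names that Windows resolves via PATH). The sample report is a constructed excerpt modelled on the one posted; the "TmpUpdater" line is invented here only so the temp-directory rule has something to fire on. The rules are a starting point for a reviewer, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the sections quoted in this thread. The
# "TmpUpdater" line is invented here purely to exercise the temp-directory rule.
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
sethook = cmd /c start /min cmd /c c:\dell\src_path.cmd
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
NvCplDaemon = RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
TmpUpdater = C:\DOCUME~1\user\LOCALS~1\Temp\jghj.bat

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

HP JetDiscovery = HPJETDSC.EXE

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
"""

SEPARATOR = "-" * 50
BHO_LINE = re.compile(r"\((.*)\) - (.*) - (\{[0-9A-Fa-f-]+\})$")


@dataclass
class Entry:
    source: str   # registry key the value lives under, or "BHO"
    name: str     # value name, or the CLSID for a BHO
    command: str  # command line, or the DLL path for a BHO


def parse_report(text):
    """Extract autorun values and BHO registrations from a report."""
    entries, mode, key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == SEPARATOR:            # end of a section
            mode, key = None, None
        elif line == "Autorun entries from Registry:":
            mode = "autorun-key"         # next line names the registry key
        elif line == "Enumerating Browser Helper Objects:":
            mode = "bho"
        elif mode == "autorun-key":
            key, mode = line, "autorun"
        elif mode == "autorun" and " = " in line:
            name, command = line.split(" = ", 1)
            entries.append(Entry(key, name, command))
        elif mode == "bho":
            m = BHO_LINE.match(line)
            if m:
                entries.append(Entry("BHO", m.group(3), m.group(2)))
    return entries


def first_token(command):
    """Program part of a command line: the quoted path, or the first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


TEMP_MARKERS = ("\\temp\\", "\\tmp\\")
# Coarse rule for the naming pattern described in the thread (four letters,
# .dat/.bat); it also matches legitimate short names, so it only flags.
RANDOM_NAME = re.compile(r"\\[a-z]{4}\.(bat|dat)$", re.IGNORECASE)


def review(entries):
    """Return (severity, name, reason) for entries worth a second look."""
    findings = []
    for e in entries:
        lowered = e.command.lower()
        program = lowered if e.source == "BHO" else first_token(e.command).lower()
        if any(marker in lowered for marker in TEMP_MARKERS):
            findings.append(("high", e.name, "launches from a temp directory"))
        elif RANDOM_NAME.search(program):
            findings.append(("high", e.name, "four-letter random-looking .dat/.bat name"))
        elif program in ("cmd", "cmd.exe") or "cmd /c" in lowered:
            findings.append(("review", e.name, "shell wrapper; read the script it starts"))
        elif program in ("rundll32", "rundll32.exe"):
            findings.append(("review", e.name, "rundll32 host; check the DLL it loads"))
        elif "\\" not in program and ":" not in program:
            findings.append(("review", e.name, "unqualified file name; resolved via PATH search"))
    return findings


if __name__ == "__main__":
    for severity, name, reason in review(parse_report(SAMPLE_REPORT)):
        print(f"[{severity:6}] {name}: {reason}")
```

Run against the sample, the Dell "sethook" entry and the two bare file names come back as "review" items (the running-process list earlier in the thread shows HPJETDSC.EXE resolving to C:\WINNT\system32, which is why a reviewer wants the full path), while only the constructed temp-directory entry is rated "high". Quoted paths such as the QuickTime entry produce no finding.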
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    My eyes are getting blurry and I still can't see it.

    Can you send me a copy of such a .dat file?
    pieterATwilderssecurity.org (replace AT with @)

    Regards,

    Pieter
     
  6. tcoltrane

    tcoltrane Registered Member

    Joined:
    Jun 9, 2004
    Posts:
    8
    Pieter, did you get the .dat files I sent? I haven't gotten any further with it on my end. So far I have found 3 different types of .dat files that are showing up in my temp directory. One redirects the browser to myexexex.com, one opens a new browser window which goes to casinopallazo.com and puts shortcuts to that site in my favorites and on my desktop and the third one creates a file named winwildapp.exe in my temp directory, but doesn't appear to do anything else. The antivirus software I have on this computer identifies the .dat file that does the casino pallazo stuff as TROJ_DIALER.BH and deletes it. It is still only happening twice a day when I first open the browser, usually after a few clicks. Any help would be greatly appreciated. I have run out of things to try.
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    I did have a look at the .dat files and sent them on for analysis.
    I have not heard anything back. I'll politely send a little reminder.
    What I thought was: they looked like dll files to me, so maybe part of the process is they get renamed to dll?

    Have a look here and try if the Rootkitdetector finds something: http://bagpuss.swan.ac.uk/comms/hxdef.htm

    Regards,

    Pieter
     
  8. tcoltrane

    tcoltrane Registered Member

    Joined:
    Jun 9, 2004
    Posts:
    8
    Pieter,

    RootKitDetector didn't find anything, but I have made progress. In reading through the threads about casino pallazo, someone (it might have been you) suggested looking for a file named jsconsole.dll. When I looked I found that file in my c:\windows\system32 and c:\windows folders. I deleted them (I saved a copy just in case) and have not had a problem since - no redirects or .dat files showing up in my temp folder. While thinking about it a few minutes ago it occurred to me that something had to be calling that dll. In a different thread you suggested using a Registry Search Tool from http://www.billsway.com/vbspage/ . I downloaded that and ran it for jsconsole.dll. It found 2 registry entries. I'm posting the log below. I'd like to make sure I have completely removed this problem. Do you have any suggestions for other places I should look and would it be wise to delete these registry settings?

    REGEDIT4
    ; REGSRCH.VBS © Bill James

    ; Registry search results for string "jsconsole.dll" 06/16/2004 3:29:20 PM

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA44CF4B-85C0-4B3F-BD0D-ECE5A069B9E0}\InprocServer32]
    @="C:\\WINNT\\system32\\jsconsole.dll"

    [HKEY_USERS\S-1-5-21-1287937275-1086259303-1848903544-2085\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU]
    "000"="jsconsole.dll"
     
  9. tcoltrane

    tcoltrane Registered Member

    Joined:
    Jun 9, 2004
    Posts:
    8
    Pieter,

    I see that the latest version of CWShredder includes a fix for the jsconsole variant. I've yet to see the problem appear on my machine again so I feel confident that it is fixed. Thank you so much for your help with this. I couldn't have fixed it without this forum. I saved a copy of the jsconsole.dll in case anyone wants it for analysis.

    Thanks again.
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi tcoltrane,

    I did receive a copy of jsconsole.dll yesterday and registered it on my testcomputer. But nothing happened. I have the feeling there is still one piece of the puzzle missing.

    Did you check if there were any other files created around the same time on your computer?

    The first registry entry can be deleted, the second one only indicates that you did a find files for that file on your computer.

    Regards,

    Pieter
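The distinction Pieter draws between the two REGSRCH hits (the InprocServer32 default value is a COM load point for the DLL; the FilesNamedMRU entry is only a record of a file search) can be made mechanically. The script below is an added example, not code from this thread or from Bill James' REGSRCH.VBS: it parses the REGEDIT4 text that tool writes and sorts each value into load point, history or plain reference. The sample export is constructed from the log posted above; the set of key patterns treated as load points (InprocServer32, Run/RunOnce, ShellServiceObjectDelayLoad, Winlogon\Notify, AppInit_DLLs) is the author's own short list, not something the tool emits.

```python
"""Triage a REGSRCH-style REGEDIT4 export: which hits are real load points?

Added example; not code from the thread or from Bill James' REGSRCH.VBS.
It parses the .reg text that tool writes and separates entries that make
Windows load the named file (a COM InprocServer32 default value, a Run
key, ...) from entries that merely record history (an Explorer MRU list,
which here only shows that a file search for the name was done).
"""
import re

# Constructed sample, modelled on the REGSRCH output posted in the thread.
SAMPLE_REG = r"""REGEDIT4
; REGSRCH.VBS (c) Bill James

; Registry search results for string "jsconsole.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA44CF4B-85C0-4B3F-BD0D-ECE5A069B9E0}\InprocServer32]
@="C:\\WINNT\\system32\\jsconsole.dll"

[HKEY_USERS\S-1-5-21-1287937275-1086259303-1848903544-2085\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU]
"000"="jsconsole.dll"
"""

# "name"="string" or @="string"; .reg files escape \ and " with a backslash.
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')

# Key paths whose string values name a file that gets loaded or executed
# (author's short list; extend as needed).
_LOAD_POINT_RE = re.compile(
    r"\\InprocServer32$"
    r"|\\CurrentVersion\\Run(Once)?$"
    r"|\\ShellServiceObjectDelayLoad$"
    r"|\\Winlogon\\Notify\\",
    re.IGNORECASE,
)
# Key paths that only remember what the user opened, typed or searched for.
_HISTORY_RE = re.compile(r"MRU|TypedPaths|RecentDocs", re.IGNORECASE)


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Return [(key, value_name, data)] for every REG_SZ value in the export.

    REGSRCH only emits string values, so other REG_* types are not handled.
    '@' denotes the key's default value.
    """
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            entries.append((key, name, _unescape(m.group(2)[1:-1])))
    return entries


def classify(key, name):
    """'load-point', 'history' or 'reference' for one registry value."""
    if _HISTORY_RE.search(key) or name.lower() == "mrulist":
        return "history"
    if _LOAD_POINT_RE.search(key) or name.lower() == "appinit_dlls":
        return "load-point"
    return "reference"


def triage(text):
    """Classify every value in a REGEDIT4 export; load points come first."""
    rows = [{"key": k, "name": n, "data": d, "kind": classify(k, n)}
            for k, n, d in parse_reg(text)]
    order = {"load-point": 0, "reference": 1, "history": 2}
    return sorted(rows, key=lambda r: order[r["kind"]])


if __name__ == "__main__":
    for row in triage(SAMPLE_REG):
        print(f"{row['kind']:<10} {row['name']!r} -> {row['data']}\n    {row['key']}")
```

Run against the sample, the InprocServer32 value comes out as the one load point (the entry to remove once the DLL is gone, so the CLSID no longer points at a missing or replaced file) and the FilesNamedMRU value as history, which is harmless to leave or delete.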
     
  11. tcoltrane

    tcoltrane Registered Member

    Joined:
    Jun 9, 2004
    Posts:
    8
    Pieter,

    I can't tell about the time created, but there are several files on my system with an identical time modified.

    kernel32.dll C:\WINNT\Driver Cache\I386
    winsrv.dll C:\WINNT\Driver Cache\I386
    asclictrls.ocx C:\WINNT\SYSTEM32
    BASESRV.DLL C:\WINNT\SYSTEM32
    GDI32.DLL C:\WINNT\SYSTEM32
    KERNEL32.DLL C:\WINNT\SYSTEM32
    MSGINA.DLL C:\WINNT\SYSTEM32
    swix.ocx C:\WINNT\SYSTEM32
    USER32.DLL C:\WINNT\SYSTEM32
    USERENV.DLL C:\WINNT\SYSTEM32
    WIN32K.SYS C:\WINNT\SYSTEM32
    WINSRV.DLL C:\WINNT\SYSTEM32
    WWWBar.dll C:\WINNT\SYSTEM32
    BASESRV.DLL C:\WINNT\SYSTEM32\dllcache
    GDI32.DLL C:\WINNT\SYSTEM32\dllcache
    kernel32.dll C:\WINNT\SYSTEM32\dllcache
    MSGINA.DLL C:\WINNT\SYSTEM32\dllcache
    USER32.DLL C:\WINNT\SYSTEM32\dllcache
    USERENV.DLL C:\WINNT\SYSTEM32\dllcache
    winsrv.dll C:\WINNT\SYSTEM32\dllcache

    I would be happy to send you any or all of these.
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi tcoltrane,

    Could you send me these files:
    asclictrls.ocx
    swix.ocx
    WWWBar.dll

    Preferably zipped up to pieterATwilderssecurity.org (replace AT with @)

    Regards,

    Pieter
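Pieter's pick of three files out of the twenty listed above follows a pattern worth automating: most of the list are Windows components that share one modification time because a service pack wrote them together, and Windows File Protection keeps a pristine twin of each in SYSTEM32\dllcache (older ones in Driver Cache). The files that share the timestamp but have no such twin are the ones that did not arrive that way. The script below is an added example, not part of the thread; its file list is constructed from the post above, the timestamp value is assumed (the post only says the times are identical), and the "no cached twin" rule is the author's heuristic rather than anything Pieter stated.

```python
"""Narrow a list of files sharing one modification time to the odd ones out.

Added example, not from the thread. Windows system files often share an
mtime because a service pack wrote them in one go, and Windows File
Protection keeps a twin of each in SYSTEM32\\dllcache (older copies sit in
Driver Cache). A file that shares the cluster's timestamp but has no such
twin did not arrive with the service pack and is worth a closer look.
"""
from collections import defaultdict

SP_TIME = "2004-06-14 09:12:00"  # assumed; the post gives no actual value
FILES = [  # (name, directory, modified) as listed in the thread
    ("kernel32.dll", r"C:\WINNT\Driver Cache\I386", SP_TIME),
    ("winsrv.dll", r"C:\WINNT\Driver Cache\I386", SP_TIME),
    ("asclictrls.ocx", r"C:\WINNT\SYSTEM32", SP_TIME),
    ("BASESRV.DLL", r"C:\WINNT\SYSTEM32", SP_TIME),
    ("GDI32.DLL", r"C:\WINNT\SYSTEM32", SP_TIME),
    ("KERNEL32.DLL", r"C:\WINNT\SYSTEM32", SP_TIME),
    ("MSGINA.DLL", r"C:\WINNT\SYSTEM32", SP_TIME),
    ("swix.ocx", r"C:\WINNT\SYSTEM32", SP_TIME),
    ("USER32.DLL", r"C:\WINNT\SYSTEM32", SP_TIME),
    ("USERENV.DLL", r"C:\WINNT\SYSTEM32", SP_TIME),
    ("WIN32K.SYS", r"C:\WINNT\SYSTEM32", SP_TIME),
    ("WINSRV.DLL", r"C:\WINNT\SYSTEM32", SP_TIME),
    ("WWWBar.dll", r"C:\WINNT\SYSTEM32", SP_TIME),
    ("BASESRV.DLL", r"C:\WINNT\SYSTEM32\dllcache", SP_TIME),
    ("GDI32.DLL", r"C:\WINNT\SYSTEM32\dllcache", SP_TIME),
    ("kernel32.dll", r"C:\WINNT\SYSTEM32\dllcache", SP_TIME),
    ("MSGINA.DLL", r"C:\WINNT\SYSTEM32\dllcache", SP_TIME),
    ("USER32.DLL", r"C:\WINNT\SYSTEM32\dllcache", SP_TIME),
    ("USERENV.DLL", r"C:\WINNT\SYSTEM32\dllcache", SP_TIME),
    ("winsrv.dll", r"C:\WINNT\SYSTEM32\dllcache", SP_TIME),
    # Constructed decoy with its own timestamp: alone, so it forms no cluster.
    ("notes.txt", r"C:\WINNT", "2004-06-15 18:00:00"),
]


def is_cache_dir(directory):
    """True for the directories WFP uses to keep pristine copies."""
    d = directory.lower()
    return d.endswith("\\dllcache") or "\\driver cache\\" in d


def find_suspects(files, min_cluster=3):
    """Map each mtime to the live files that share it with at least
    `min_cluster` WFP-protected files but have no cached twin themselves."""
    by_time = defaultdict(list)
    for name, directory, mtime in files:
        by_time[mtime].append((name, directory))
    cached = {n.lower() for n, d, _ in files if is_cache_dir(d)}
    report = {}
    for mtime, group in by_time.items():
        live = [(n, d) for n, d in group if not is_cache_dir(d)]
        protected = [n for n, _ in live if n.lower() in cached]
        odd = sorted({n for n, _ in live if n.lower() not in cached}, key=str.lower)
        if len(protected) >= min_cluster and odd:
            report[mtime] = odd
    return report


if __name__ == "__main__":
    for mtime, names in find_suspects(FILES).items():
        print(mtime, "->", ", ".join(names))
```

On the list above this leaves four candidates: the three files Pieter asked for plus WIN32K.SYS, which has no dllcache entry in the post. That last one is a kernel component that a signature check (sigverif on Windows 2000) will clear; the heuristic is a first cut to shrink the list, not a verdict.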
     
  13. tcoltrane

    tcoltrane Registered Member

    Joined:
    Jun 9, 2004
    Posts:
    8
    The files have been sent. Let me know if you need anything else.

    Thanks for all your help on this.
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    I must have an eye for it. :)

    All three files are UPX-packed and protected against unpacking.
    I will have to send them on to some specialists.
    But I will let you know.

    Regards,

    Pieter
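Pieter recognised the three files as UPX-packed, which is usually visible from the section table alone: stock UPX builds leave sections named UPX0 and UPX1. The script below is an added example, not code from the thread; it reads the few PE header fields needed to list section names and reports any packer whose stock names appear. The mapping of section names to packers (UPX0/UPX1/UPX2, .aspack/.adata, .petite) is the author's own table, and the PE image it checks is constructed inline so the check runs offline; a real sample would be read with open(path, "rb").

```python
"""Spot a UPX-packed PE by its section names before sending it on.

Added example, not from the thread. It reads the PE section table (only
e_lfanew, NumberOfSections, SizeOfOptionalHeader and each section's
8-byte name) and reports the packer whose stock section names are present.
A tiny, non-runnable PE image is constructed inline so the check can run
without a real sample.
"""
import struct

# Stock section names left behind by common packers (author's table).
PACKER_SECTIONS = {
    "UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
    ".aspack": "ASPack", ".adata": "ASPack",
    ".petite": "Petite",
}


def section_names(pe):
    """Return the section names of a PE image given as bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (nsections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # signature (4) + COFF header (20)
    names = []
    for i in range(nsections):
        off = table + i * 40                  # IMAGE_SECTION_HEADER is 40 bytes
        raw = pe[off:off + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def packer_hint(pe):
    """Sorted list of packers whose stock section names appear in the image."""
    return sorted({PACKER_SECTIONS[n] for n in section_names(pe) if n in PACKER_SECTIONS})


def build_sample_pe(names):
    """Constructed minimal PE32 image; only the header fields read above matter."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 224                             # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x010E)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")   # PE32 magic, rest zeroed
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode("ascii").ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0x200, 0x400 * (i + 1),
                    0, 0, 0, 0, 0xE0000020)
        for i, n in enumerate(names))
    return dos + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    for layout in (["UPX0", "UPX1", ".rsrc"], [".text", ".data", ".rsrc"]):
        img = build_sample_pe(layout)
        print(section_names(img), "->", packer_hint(img) or "no known packer")
```

A name check like this only catches stock builds. A sample whose sections were renamed or whose headers were altered, which is one way a file ends up "protected against unpacking" as in the post, passes it silently, so a negative result is not evidence the file is unpacked; section entropy and the entry point location are the next things to look at.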
     