Something is hidden, spyware can't find

Hi Learned Ones,
Recently, I was helped to rid my computer of a suspected virus, and have subsequently installed, Hijack This, Ad-Aware, CW Shredder, Spyware Blaster, Spyware Guard and spybot.
However, when looking at the little green screen icons ( sorry I don't know their correct description ), which shows when info is being transmitted or received online, every 10 seconds or so, there is a transfer of bytes, both received and transmitted. This is even with both Internet explorer and Outlook Express closed.
I have to feel there is something going on which I'm not aware of.
This is a copy of the Hijack This log file.
Logfile of HijackThis v1.97.7
Scan saved at 9:41:29 PM, on 26/11/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\SBPCI\CTMIX32.EXE
C:\WINDOWS\SYSTEM\VETMSG9X.EXE
C:\VET\VETTRAY.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.austarmetro.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [bpcpost.exe] C:\WINDOWS\SYSTEM\bpcpost.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CreativeMixer] C:\SBPCI\ctmix32.exe /T
O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS\System\VetMsg9x.exe
O4 - HKLM\..\Run: [VetTray] C:\VET\VETTRAY.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {351CF0CE-B05A-11D2-ABD9-00104B685417} (PWImageControl Class) - http://ebay.sj.ipixmedia.com/code//PWActiveXImgCtl.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
When I run the the Hijack This program, it doesn't show the KERNEL program as being on its list. Am I correct in thinking that this ( KERNEL ) is a bad program/virus/whatever ? Or of course, anything else you can see which might be fouling up the works.
Thanks, I really would like to nip this thing in the bud.
Regards
jackafrica

 

Hi jackafrica,

You can upload the kernel32.exe at http://www.kaspersky.com/remoteviruschk.html and see what it has to say.
Another thing you can do is download and install a trial of:
http://www.diamondcs.com.au/portexplorer/
This will help you see what is generating the traffic and where it is going to/coming from.

Regards,

Pieter

 

Hi Pieter,
I'm downloading the suggestions now, will get back to you to advise on what I find. Thanks for the prompt reply.
regards
jackafrica

 

Hi Pieter,

Hope you can help me out here, this all seems insidious stuff to me, as a novice and a practising computer dummy.
The port explorer is installed, I have the address of the " listener " it is address 203.166.224
What can I now do to find the appropriate file/program to delete and block this address please ?
---------------------------------------------------------------------------------------------------------------------------------------------------------
| NAME | CREATION | PID | PROTOCOL | LOCAL ADDRESS | LOCAL PORT | REMOTE ADDRESS | REMOTE PORT | PORT STATUS | SENT | RECVD |
---------------------------------------------------------------------------------------------------------------------------------------------------------
| iexplore.exe | 23:09 26/11/2003 | -4114045 | UDP | 127.0.0.1 | 1047 | 127.0.0.1 | 1047 | LISTENING | 210/210 | 210/210 |
| SYSTEM | --- | 0 | TCP | 203.220.117.xxx | 138 | 0.0.0.0 | 0 | LISTENING | --- | --- |
| SYSTEM | --- | 0 | TCP | 203.220.117.xxx | 137 | 0.0.0.0 | 0 | LISTENING | --- | --- |
| SYSTEM | --- | 0 | TCP | 203.220.117.xxx | 139 | 0.0.0.0 | 0 | LISTENING | --- | --- |
| SYSTEM | --- | 0 | UDP | 203.220.117.xxx | 137 | *.*.*.* | * | LISTENING | --- | --- |
| SYSTEM | --- | 0 | UDP | 203.220.117.xxx | 138 | *.*.*.* | * | LISTENING | --- | --- |
| SYSTEM | --- | 0 | TCP | 127.0.0.1 | 1047 | 0.0.0.0 | 0 | LISTENING | --- | --- |
---------------------------------------------------------------------------------------------------------------------------------------------------------
I hope you can understand what I've cut and pasted. Thanks, I look forward to your reply
Regards
jackafrica

Edited out last part of the IP

 

Hi jackafrica,

Can you give the command ipconfig in your Command prompt.
I have a feeling that the IP address in your previous post is your own.
In that case I would edit it out.

Regards,

Pieter

 

Hi Pieter,
I'm sorry, I don't understand what you mean. There is definitely something there which is highlighted in red. Should I buy the program, then ask the program owners how to go about getting rid of the spy ? My apologies for not being very clever at this computer caper. I really need to be walked through, if that is possible.
Thanks and Regards
jackafrica

 

Hi jackafrica,

My fault. I never used Windows 98 myself.
The program you need is called DOS-prompt. You should be able to start it from Start > Programs > MS-DOS Prompt.
You will get a DOS windows.
Type winipcfg and then hit ENTER.
You should get a list of your current IP adress(es)
Check if the one starting with 203.220.117. is one of them.

Regards,

Pieter

 

Hi Pieter,
Yes, it says that is my ip address with another 3 digits after those numbers.
However, I ran the program called " who is " within the Port Explorer, on the set of info below thefirst line and it came up with this
% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

%WARNING:905: fixed lookup key
%
% The key "203.166.224" has been changed to "203.166.224.0" for lookup.

inetnum: 203.166.224.0 - 203.166.255.255
netname: GLOBALCENTER-AU
descr: RBRT Pty Ltd
descr: South Melbourne
country: AU
admin-c: MV9-AP
tech-c: MV9-AP
mnt-by: APNIC-HM
mnt-lower: ADMIN-MELB-GC
changed: hm-changed@apnic.net 19980924
changed: hm-changed@apnic.net 20021118
status: ALLOCATED PORTABLE
source: APNIC

person: Marc Van Hoof
address: Level 2
address: 450 St Kilda Road
address: Melbourne VIC 3004
country: AU
phone: +61-3-9862-7888
fax-no: +61-3-9862-7889
e-mail: mvh@marcvanhoof.com
nic-hdl: MV9-AP
mnt-by: NET-MELB-GC
changed: mvh@marcvanhoof.com 20020510
source: APNIC

So who are these people
I tend to think they may be the " spys " can you enlighten me further. This is the identification, taken from the bottom row of the display. I await your learned reply. Thanks
Regards
jackafrica

 

Hi jackafrica,

Now I'm confused. You said your IP was in the 203.220.117 range and then show me a whois for 203.166.224.0 - 203.166.255.255

I think I am missing something here.

Regards,

Pieter

 

Hi Pieter,
The second file is sent is not me, but whoever it is that is looking at me. My number is definitely 203.220.117.xxx
So how do I get onto this other shadowy figure and ask them politely to leave me alone, or better still, delete whatever program they have installed in the background on my sysyem to prevent them looking at me.
Thanks and Regards
jackafrica
PS. my apologies for not being clued up on proceedings, or how to read the info correctly. I really would like ot rid my system of whatever it is that has been installed. It is just that I can't seem to find it.

Edited out last part of the IP

 

Hi jackafrica,

One last question. I think I will move this thread to the firewalls forum after that. I think you will be helped better there.
Did you upload that kernel32.dll at the Kaspersky site and what were the results?

Regards,

Pieter

 

Hi Pieter,
I was unable to locate the file in my computer to be able to have it checked. I've been on the site for an hour or so checking various other files in C drive, just in case I could locate the kernel file. In a " find " folders/files search I was also unable to locate it. Perhaps you can advise me on how to find it correctly. Thanks
jackafrica

 

Hi jackafrica,

The file may be hidden.
To "unhide" hidden files and folders:
Launch My Computer from the Desktop Icon.
Select View, Details.
Select the Folders button.
Select Tools, Folder Options. Then select the View Tab. Select the Show hidden files and folders radio button is selected
and that the Hide file extensions for known file types check box is unchecked. Once this is done, select Apply and then
Like Current Folder (located near the top of the Folder Options box). Then select OK.

Regards,

Pieter

 

Hi Pieter,
Thanks for the walk through on that process. however, it didn't come up with the KERNEL file or folder anywhere that I could see. Should there be a folder or file in particular that I should look into to see if it is there, in order to upload it to the site ??
Thanks and ?Regards
jackafrica
( you must be figuring I'm a chimp ( or is that chump ) by this stage

 

No problem.
We all had to learn this at some point.

C:\WINDOWS\SYSTEM\KERNEL32.DLL is the full path.
So when you open explorer, open C:, open the Windows folder,
open the System folder and then scroll down to the files and find Kernel32.dll

Regards,

Pieter

 

Hi Pieter,
Have searched as suggested. There is no file in the system of the KERNEL type. Very Strange. Yet, the Hijack This says it is a process which is running. maybe it is secreted somewhere else. I tried the " find files or folders " as well, just to see if it could be located - no joy.
I'll await a reply. This is a tricky one eh !
Thanks and Regards
jackafrica

 

Hi JackAfrica

Can you show us the portion of the PortEcplorer log that shows activity to or from the 203.166.224.x address(es)?

Also, Can you please download and run DCS's AutostartViewer from

http://www.diamondcs.com.au/downloads/asviewer.zip

Go to the "Main" menu and make sure that all three top options are selected and then press "Save" and then copy & paste the results here for us to review.

Thanks

 

Hi Dan,
Thanks for your help mate, much appreciated. Here are the details from the program you suggested. All three boxes are ticked.
DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for user@USER, 11-27-2003
c:\autoexec.bat
SET SBPCI=C:\SBPCI
PATH C:\WINDOWS;C:\WINDOWS\COMMAND;
c:\config.sys
C:\WINDOWS\HIMEM.SYS
C:\WINDOWS\EMM386.EXE
C:\WINDOWS\dosstart.bat
c:\windows\command\ctload.com C:\CDROM\BTCCDROM.SYS /D:BTCCD001 /V
c:\WINDOWS\COMMAND\MSCDEX.EXE /D:BTCCD001 /V /M:20
c:\windows\command\mouse.exe
C:\SBPCI\SBINIT
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
HKCR\htafile\shell\open\command\
C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScanRegistry
C:\WINDOWS\scanregw.exe /autorun
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TaskMonitor
C:\WINDOWS\taskmon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemTray
C:\WINDOWS\system\SysTray.Exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\bpcpost.exe
C:\WINDOWS\SYSTEM\bpcpost.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadPowerProfile
Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CreativeMixer
C:\SBPCI\ctmix32.exe /T
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Vet Alert
C:\WINDOWS\System\VetMsg9x.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VetTray
C:\VET\VETTRAY.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\LoadPowerProfile
Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\TrueVector
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\SYSTEM\WEBCHECK.DLL
C:\WINDOWS\Tasks\ScanDisk.job
C:\WINDOWS\SCANDSKW.EXE
C:\WINDOWS\Start Menu\Programs\StartUp\EPSON Background Monitor.lnk
C:\ESM2\Stms.exe
C:\WINDOWS\Start Menu\Programs\StartUp\EPSON Status Monitor 3 Environment Check 2.lnk
C:\WINDOWS\SYSTEM\E_SRCV02.EXE
C:\WINDOWS\Start Menu\Programs\StartUp\SpywareGuard.lnk
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system\iosubsys\
C:\WINDOWS\system\iosubsys\ESDI_506.PDR
C:\WINDOWS\system\iosubsys\HSFLOP.PDR
C:\WINDOWS\system\iosubsys\RMM.PDR
C:\WINDOWS\system\iosubsys\SCSIPORT.PDR
C:\WINDOWS\system\iosubsys\APIX.VXD
C:\WINDOWS\system\iosubsys\ATAPCHNG.VXD
C:\WINDOWS\system\iosubsys\CDFS.VXD
C:\WINDOWS\system\iosubsys\CDTSD.VXD
C:\WINDOWS\system\iosubsys\CDVSD.VXD
C:\WINDOWS\system\iosubsys\DISKTSD.VXD
C:\WINDOWS\system\iosubsys\DISKVSD.VXD
C:\WINDOWS\system\iosubsys\NECATAPI.VXD
C:\WINDOWS\system\iosubsys\SCSI1HLP.VXD
C:\WINDOWS\system\iosubsys\TORISAN3.VXD
C:\WINDOWS\system\iosubsys\VOLTRACK.VXD
C:\WINDOWS\system\iosubsys\IOMEGA.VXD
C:\WINDOWS\system\iosubsys\ENSQIO.VXD
C:\WINDOWS\system\iosubsys\BIGMEM.DRV
C:\WINDOWS\system\iosubsys\VetFDD9x.VxD
C:\WINDOWS\system32\vmm32\
C:\WINDOWS\system\vmm32\ifsmgr.vxd
C:\WINDOWS\system\vmm32\ios.vxd
C:\WINDOWS\system\vmm32\qemmfix.vxd
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOWS\SYSTEM\DCSWS2.DLL
C:\WINDOWS\SYSTEM\mswsosp.dll
C:\WINDOWS\SYSTEM\msafd.dll
C:\WINDOWS\SYSTEM\rsvpsp.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\SetupcPerUser\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection SetupcPerUser 64 C:\WINDOWS\INF\setupc.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\AppletsPerUser\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 C:\WINDOWS\INF\applets.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\FontsPerUser\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 C:\WINDOWS\INF\fonts.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\{5A8D6EE0-3E18-11D0-821E-444553540000}\
rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\icw.inf,PerUserStub,,36
HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_ICW_Inis\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 C:\WINDOWS\INF\icw97.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}
HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4395}\
rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\SYSTEM\ie4uinit.inf,Shell.UserStub,,36
HKLM\Software\Microsoft\Active Setup\Installed Components\>PerUser_MSN_Clean\
C:\WINDOWS\msnmgsr1.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{CA0A4247-44BE-11d1-A005-00805F8ABE06}\
RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Msinfo\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 C:\WINDOWS\INF\msinfo.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Msinfo2\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 C:\WINDOWS\INF\msinfo.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\MotownMmsysPerUser\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 C:\WINDOWS\INF\motown.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\MotownAvivideoPerUser\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 C:\WINDOWS\INF\motown.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub
HKLM\Software\Microsoft\Active Setup\Installed Components\MotownMPlayPerUser\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 C:\WINDOWS\INF\mplay98.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Base\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 C:\WINDOWS\INF\msmail.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\ShellPerUser\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 C:\WINDOWS\INF\shell.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\Shell2PerUser\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 C:\WINDOWS\INF\shell2.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_winbase_Links\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 C:\WINDOWS\INF\subase.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_winapps_Links\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 C:\WINDOWS\INF\subase.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_LinkBar_URLs\
C:\WINDOWS\COMMAND\sulfnbk.exe /L
HKLM\Software\Microsoft\Active Setup\Installed Components\TapiPerUser\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 C:\WINDOWS\INF\tapi.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\{73fa19d0-2d75-11d2-995d-00c04f98bbc9}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\webfdr16.inf,PerUserStub.Install,1
HKLM\Software\Microsoft\Active Setup\Installed Components\PerUserOldLinks\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 C:\WINDOWS\INF\appletpp.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\MmoptRegisterPerUser\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 C:\WINDOWS\INF\mmopt.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\OlsPerUser\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 C:\WINDOWS\INF\ols.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\OlsMsnPerUser\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 C:\WINDOWS\INF\ols.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Paint_Inis\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis_remove 64 C:\WINDOWS\INF\applets.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Calc_Inis\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis_remove 64 C:\WINDOWS\INF\applets.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_CVT_Inis\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis_remove 64 C:\WINDOWS\INF\applets1.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\MotownRecPerUser\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 C:\WINDOWS\INF\motown.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Vol\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 C:\WINDOWS\INF\motown.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_MSWordPad_Inis\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 C:\WINDOWS\INF\wordpad.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_RNA_Inis\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 C:\WINDOWS\INF\rna.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Dialer_Inis\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 C:\WINDOWS\INF\appletpp.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_CDPlayer_Inis\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 C:\WINDOWS\INF\mmopt.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015C}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.W95
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}
HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}
HKLM\Software\Microsoft\Active Setup\Installed Components\OlsAolPerUser\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUserRemove 64 C:\WINDOWS\INF\ols.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\OlsAttPerUser\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUserRemove 64 C:\WINDOWS\INF\ols.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\OlsCompuservePerUser\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsCompuservePerUserRemove 64 C:\WINDOWS\INF\ols.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\OlsProdigyPerUser\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUserRemove 64 C:\WINDOWS\INF\ols.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA851-CC51-11CF-AAFA-00AA00B6015C}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wpie5x86.inf,PerUserStub
HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Wingames_Inis\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Rem_Inis 64 C:\WINDOWS\INF\appletpp.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\Theme_Windows_PerUser\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Themes_Windows_PerUser 0 C:\WINDOWS\INF\themes.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\Theme_MoreWindows_PerUser\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Themes_MoreWindows_PerUser 0 C:\WINDOWS\INF\themes.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\EpgPerUser\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection EpgPerUser 64 C:\WINDOWS\INF\epg.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Sysmon_Inis\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmon_Inis_remove 64 C:\WINDOWS\INF\appletpp.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Sysmeter_Inis\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmeter_Rem_Inis 64 C:\WINDOWS\INF\appletpp.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_DCC_Inis\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_DCC_Inis_remove 64 C:\WINDOWS\INF\rna.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Winpopup_Inis\
rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Winpopup_Inis_remove 64 C:\WINDOWS\INF\winpopup.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Remove.PerUser
HKLM\Software\Microsoft\Active Setup\Installed Components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}\
C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
HKLM\System\CurrentControlSet\Services\VxD\VNETSUP\
C:\WINDOWS\system\vnetsup.vxd
HKLM\System\CurrentControlSet\Services\VxD\NDIS\
ndis.vxd,ndis2sup.vxd
HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
C:\WINDOWS\system\JAVASUP.VXD
HKLM\System\CurrentControlSet\Services\VxD\VRTWD\
C:\WINDOWS\SYSTEM\vrtwd.386
HKLM\System\CurrentControlSet\Services\VxD\VFIXD\
C:\WINDOWS\SYSTEM\vfixd.vxd
HKLM\System\CurrentControlSet\Services\VxD\VNETBIOS\
C:\WINDOWS\system\vnetbios.vxd
HKLM\System\CurrentControlSet\Services\VxD\VREDIR\
C:\WINDOWS\system\vredir.vxd
HKLM\System\CurrentControlSet\Services\VxD\DFS\
C:\WINDOWS\system\dfs.vxd
HKLM\System\CurrentControlSet\Services\VxD\TURBOVBF\
C:\WINDOWS\system\TURBOVBF.VXD
HKLM\System\CurrentControlSet\Services\VxD\SCANDRV\
C:\PROGRA~1\SCANDRV\SCANDRV.386
HKLM\System\CurrentControlSet\Services\VxD\GCKERNEL\
C:\WINDOWS\system\gckernel.vxd
HKLM\System\CurrentControlSet\Services\VxD\MSGAMIO\
C:\WINDOWS\system\msgamio.vxd
HKLM\System\CurrentControlSet\Services\VxD\VETMON9X\
C:\VET\VETMON9X.VXD
HKLM\System\CurrentControlSet\Services\VxD\VSDATA95\
C:\WINDOWS\system\vsdata95.vxd
Thanks again, I'll await your reply. I hope you can find something. My apologies for being such a computer dummy, but hey, I'm on a giddy learning curve here !!
Tanks and Regards
jackafrica

 

Don't worry about the learning curve, I've been known to drive off a few curves myself!

Well, I don't see anything wrong in the log output. The kernel32.dll is a system file. It may be that you are unable to find it because of folder view restrictions. You might want to goto c:\windows\system32 in Explorer and go into the folder options and make sure you have none of the view restrictions enabled (you should set it to see all files and to show all extensions). I forget exactly how to get to this options tab in 98 but once you are in the folder in Explorer just look for View or folder options or something like that in the Menu.

The Port Explorer output for those remote IPs you mentioned would help quite a bit in tracing any problem.