Something is hidden, spyware can't find

Discussion in 'adware, spyware & hijack cleaning' started by jackafrica, Nov 26, 2003.

Thread Status:
Not open for further replies.
  1. jackafrica

    jackafrica Registered Member

    Joined:
    Nov 22, 2003
    Posts:
    12
    Hi Learned Ones,
    Recently, I was helped to rid my computer of a suspected virus, and have subsequently installed HijackThis, Ad-Aware, CWShredder, SpywareBlaster, SpywareGuard and Spybot.
    However, when looking at the little green screen icons (sorry, I don't know their correct description), which show when info is being transmitted or received online, every 10 seconds or so there is a transfer of bytes, both received and transmitted. This is even with both Internet Explorer and Outlook Express closed.
    I have to feel there is something going on which I'm not aware of.
    This is a copy of the Hijack This log file.
    Logfile of HijackThis v1.97.7
    Scan saved at 9:41:29 PM, on 26/11/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\SBPCI\CTMIX32.EXE
    C:\WINDOWS\SYSTEM\VETMSG9X.EXE
    C:\VET\VETTRAY.EXE
    C:\WINDOWS\SYSTEM\E_S10IC2.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.austarmetro.com.au/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [bpcpost.exe] C:\WINDOWS\SYSTEM\bpcpost.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [CreativeMixer] C:\SBPCI\ctmix32.exe /T
    O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS\System\VetMsg9x.exe
    O4 - HKLM\..\Run: [VetTray] C:\VET\VETTRAY.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
    O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {351CF0CE-B05A-11D2-ABD9-00104B685417} (PWImageControl Class) - http://ebay.sj.ipixmedia.com/code//PWActiveXImgCtl.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
    When I run the HijackThis program, it doesn't show the KERNEL program as being on its list. Am I correct in thinking that this (KERNEL) is a bad program/virus/whatever? Or, of course, anything else you can see which might be fouling up the works.
    Thanks, I really would like to nip this thing in the bud.
    Regards
    jackafrica
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi jackafrica,

    You can upload the kernel32.exe at http://www.kaspersky.com/remoteviruschk.html and see what it has to say.
    Another thing you can do is download and install a trial of:
    http://www.diamondcs.com.au/portexplorer/
    This will help you see what is generating the traffic and where it is going to/coming from.

    Regards,

    Pieter
     
  3. jackafrica

    jackafrica Registered Member

    Joined:
    Nov 22, 2003
    Posts:
    12
    Hi Pieter,
    I'm downloading the suggestions now, will get back to you to advise on what I find. Thanks for the prompt reply.
    regards
    jackafrica
     
  4. jackafrica

    jackafrica Registered Member

    Joined:
    Nov 22, 2003
    Posts:
    12
    Hi Pieter,

    Hope you can help me out here, this all seems insidious stuff to me, as a novice and a practising computer dummy.
    Port Explorer is installed; I have the address of the "listener", it is 203.166.224
    What can I now do to find the appropriate file/program to delete and block this address, please?
    ---------------------------------------------------------------------------------------------------------------------------------------------------------
    | NAME | CREATION | PID | PROTOCOL | LOCAL ADDRESS | LOCAL PORT | REMOTE ADDRESS | REMOTE PORT | PORT STATUS | SENT | RECVD |
    ---------------------------------------------------------------------------------------------------------------------------------------------------------
    | iexplore.exe | 23:09 26/11/2003 | -4114045 | UDP | 127.0.0.1 | 1047 | 127.0.0.1 | 1047 | LISTENING | 210/210 | 210/210 |
    | SYSTEM | --- | 0 | TCP | 203.220.117.xxx | 138 | 0.0.0.0 | 0 | LISTENING | --- | --- |
    | SYSTEM | --- | 0 | TCP | 203.220.117.xxx | 137 | 0.0.0.0 | 0 | LISTENING | --- | --- |
    | SYSTEM | --- | 0 | TCP | 203.220.117.xxx | 139 | 0.0.0.0 | 0 | LISTENING | --- | --- |
    | SYSTEM | --- | 0 | UDP | 203.220.117.xxx | 137 | *.*.*.* | * | LISTENING | --- | --- |
    | SYSTEM | --- | 0 | UDP | 203.220.117.xxx | 138 | *.*.*.* | * | LISTENING | --- | --- |
    | SYSTEM | --- | 0 | TCP | 127.0.0.1 | 1047 | 0.0.0.0 | 0 | LISTENING | --- | --- |
    ---------------------------------------------------------------------------------------------------------------------------------------------------------
    I hope you can understand what I've cut and pasted. Thanks, I look forward to your reply.
    Regards
    jackafrica

    Edited out last part of the IP
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi jackafrica,

    Can you give the command ipconfig in your command prompt?
    I have a feeling that the IP address in your previous post is your own.
    In that case I would edit it out.

    Regards,

    Pieter
     
  6. jackafrica

    jackafrica Registered Member

    Joined:
    Nov 22, 2003
    Posts:
    12
    Hi Pieter,
    I'm sorry, I don't understand what you mean. There is definitely something there which is highlighted in red. Should I buy the program, then ask the program owners how to go about getting rid of the spy ? My apologies for not being very clever at this computer caper. I really need to be walked through, if that is possible.
    Thanks and Regards
    jackafrica
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi jackafrica,

    My fault. I never used Windows 98 myself.
    The program you need is called DOS-prompt. You should be able to start it from Start > Programs > MS-DOS Prompt.
    You will get a DOS window.
    Type winipcfg and then hit ENTER.
    You should get a list of your current IP address(es).
    Check if the one starting with 203.220.117. is one of them.

    Regards,

    Pieter
     
  8. jackafrica

    jackafrica Registered Member

    Joined:
    Nov 22, 2003
    Posts:
    12
    Hi Pieter,
    Yes, it says that is my IP address, with another 3 digits after those numbers.
    However, I ran the program called "whois" within Port Explorer on the set of info below the first line, and it came up with this:
    % [whois.apnic.net node-1]
    % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

    %WARNING:905: fixed lookup key
    %
    % The key "203.166.224" has been changed to "203.166.224.0" for lookup.

    inetnum: 203.166.224.0 - 203.166.255.255
    netname: GLOBALCENTER-AU
    descr: RBRT Pty Ltd
    descr: South Melbourne
    country: AU
    admin-c: MV9-AP
    tech-c: MV9-AP
    mnt-by: APNIC-HM
    mnt-lower: ADMIN-MELB-GC
    changed: hm-changed@apnic.net 19980924
    changed: hm-changed@apnic.net 20021118
    status: ALLOCATED PORTABLE
    source: APNIC

    person: Marc Van Hoof
    address: Level 2
    address: 450 St Kilda Road
    address: Melbourne VIC 3004
    country: AU
    phone: +61-3-9862-7888
    fax-no: +61-3-9862-7889
    e-mail: mvh@marcvanhoof.com
    nic-hdl: MV9-AP
    mnt-by: NET-MELB-GC
    changed: mvh@marcvanhoof.com 20020510
    source: APNIC

    So who are these people o_O
    I tend to think they may be the "spies". Can you enlighten me further? This is the identification, taken from the bottom row of the display. I await your learned reply. Thanks
    Regards
    jackafrica
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi jackafrica,

    Now I'm confused. You said your IP was in the 203.220.117 range and then show me a whois for 203.166.224.0 - 203.166.255.255

    I think I am missing something here.

    Regards,

    Pieter
     
  10. jackafrica

    jackafrica Registered Member

    Joined:
    Nov 22, 2003
    Posts:
    12
    Hi Pieter,
    The second file I sent is not me, but whoever it is that is looking at me. My number is definitely 203.220.117.xxx
    So how do I get onto this other shadowy figure and ask them politely to leave me alone, or better still, delete whatever program they have installed in the background on my system to prevent them looking at me?
    Thanks and Regards
    jackafrica
    PS. My apologies for not being clued up on proceedings, or how to read the info correctly. I really would like to rid my system of whatever it is that has been installed. It is just that I can't seem to find it.

    Edited out last part of the IP
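As an added example (not code from the thread or from Port Explorer), a small Python script that parses the table jackafrica pasted in post 4 and separates the machine's own addresses and unconnected listening sockets from real remote peers. The rule that 0.0.0.0 / *.*.*.* in the remote columns means "nobody connected" is this example's reading of the paste, not documented Port Explorer behaviour; it also checks that 203.166.224 appears nowhere in the table, which is the source of the confusion in posts 8 to 10.

```python
"""Classify the Port Explorer socket table pasted in post 4.

Added example, not code from the thread or from Port Explorer. The table
text is copied from the post (IP already masked by the poster).
"""
from dataclasses import dataclass

PORT_EXPLORER_TABLE = """\
| NAME | CREATION | PID | PROTOCOL | LOCAL ADDRESS | LOCAL PORT | REMOTE ADDRESS | REMOTE PORT | PORT STATUS | SENT | RECVD |
| iexplore.exe | 23:09 26/11/2003 | -4114045 | UDP | 127.0.0.1 | 1047 | 127.0.0.1 | 1047 | LISTENING | 210/210 | 210/210 |
| SYSTEM | --- | 0 | TCP | 203.220.117.xxx | 138 | 0.0.0.0 | 0 | LISTENING | --- | --- |
| SYSTEM | --- | 0 | TCP | 203.220.117.xxx | 137 | 0.0.0.0 | 0 | LISTENING | --- | --- |
| SYSTEM | --- | 0 | TCP | 203.220.117.xxx | 139 | 0.0.0.0 | 0 | LISTENING | --- | --- |
| SYSTEM | --- | 0 | UDP | 203.220.117.xxx | 137 | *.*.*.* | * | LISTENING | --- | --- |
| SYSTEM | --- | 0 | UDP | 203.220.117.xxx | 138 | *.*.*.* | * | LISTENING | --- | --- |
| SYSTEM | --- | 0 | TCP | 127.0.0.1 | 1047 | 0.0.0.0 | 0 | LISTENING | --- | --- |
"""

# Values seen in the REMOTE columns when no peer is connected (assumption from the paste).
WILDCARDS = {"0.0.0.0", "*.*.*.*", "*", "0"}


@dataclass
class Socket:
    name: str
    protocol: str
    local_addr: str
    local_port: str
    remote_addr: str
    remote_port: str
    status: str

    def is_loopback(self) -> bool:
        # 127.x.x.x traffic never leaves the machine.
        return self.local_addr.startswith("127.")

    def has_peer(self) -> bool:
        return self.remote_addr not in WILDCARDS and self.remote_port not in WILDCARDS


def parse_table(text: str) -> list[Socket]:
    """Turn the pipe-separated paste into Socket records, skipping the header."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|") or line.startswith("| NAME"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 11:
            continue  # separator lines or mangled rows
        name, _created, _pid, proto, laddr, lport, raddr, rport, status, _s, _r = cells
        rows.append(Socket(name, proto, laddr, lport, raddr, rport, status))
    return rows


def classify(sock: Socket) -> str:
    if sock.is_loopback():
        return "loopback only"
    if not sock.has_peer():
        return "listening, no peer"
    return "remote peer"


def own_addresses(rows: list[Socket]) -> list[str]:
    """Non-loopback LOCAL addresses: the machine's own, not a remote party's."""
    return sorted({s.local_addr for s in rows if not s.is_loopback()})


def remote_peers(rows: list[Socket]) -> list[Socket]:
    """Sockets with a real remote endpoint, i.e. where traffic is actually going."""
    return [s for s in rows if classify(s) == "remote peer"]


def exposed_listeners(rows: list[Socket]) -> list[tuple[str, int]]:
    """Services waiting for connections on a network-facing address."""
    return sorted({(s.protocol, int(s.local_port))
                   for s in rows if classify(s) == "listening, no peer"})


def addresses_matching(rows: list[Socket], prefix: str) -> list[str]:
    """Every local or remote address in the table that starts with `prefix`."""
    return sorted({a for s in rows for a in (s.local_addr, s.remote_addr)
                   if a.startswith(prefix)})


if __name__ == "__main__":
    sockets = parse_table(PORT_EXPLORER_TABLE)
    for s in sockets:
        print(f"{s.name:13} {s.protocol} {s.local_addr}:{s.local_port} -> "
              f"{s.remote_addr}:{s.remote_port}  {classify(s)}")
    print("own address(es):", own_addresses(sockets))
    print("real remote peers:", remote_peers(sockets))
    print("network-facing listeners:", exposed_listeners(sockets))
    print("addresses starting 203.166.224:", addresses_matching(sockets, "203.166.224"))
```

The snapshot contains no connected peer at all, so whatever generated the periodic traffic was not captured in this paste; a longer capture with the remote columns filled in is what the later replies ask for.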
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi jackafrica,

    One last question. I think I will move this thread to the firewalls forum after that. I think you will be helped better there.
    Did you upload that kernel32.dll at the Kaspersky site and what were the results?

    Regards,

    Pieter
     
  12. jackafrica

    jackafrica Registered Member

    Joined:
    Nov 22, 2003
    Posts:
    12
    Hi Pieter,
    I was unable to locate the file in my computer to be able to have it checked. I've been on the site for an hour or so checking various other files in C drive, just in case I could locate the kernel file. In a " find " folders/files search I was also unable to locate it. Perhaps you can advise me on how to find it correctly. Thanks
    jackafrica
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi jackafrica,

    The file may be hidden.
    To "unhide" hidden files and folders:
    Launch My Computer from the Desktop Icon.
    Select View, Details.
    Select the Folders button.
    Select Tools, Folder Options. Then select the View tab. Make sure the Show hidden files and folders radio button is selected
    and that the Hide file extensions for known file types check box is unchecked. Once this is done, select Apply and then
    Like Current Folder (located near the top of the Folder Options box). Then select OK.

    Regards,

    Pieter
     
  14. jackafrica

    jackafrica Registered Member

    Joined:
    Nov 22, 2003
    Posts:
    12
    Hi Pieter,
    Thanks for the walk-through on that process. However, it didn't come up with the KERNEL file or folder anywhere that I could see. Should there be a folder or file in particular that I should look into to see if it is there, in order to upload it to the site??
    Thanks and Regards
    jackafrica
    ( you must be figuring I'm a chimp ( or is that chump ) by this stage ;)
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    No problem.
    We all had to learn this at some point. :)

    C:\WINDOWS\SYSTEM\KERNEL32.DLL is the full path.
    So when you open explorer, open C:, open the Windows folder,
    open the System folder and then scroll down to the files and find Kernel32.dll

    Regards,

    Pieter
     
  16. jackafrica

    jackafrica Registered Member

    Joined:
    Nov 22, 2003
    Posts:
    12
    Hi Pieter,
    Have searched as suggested. There is no file in the system of the KERNEL type. Very strange. Yet HijackThis says it is a process which is running. Maybe it is secreted somewhere else. I tried the "find files or folders" as well, just to see if it could be located - no joy. :mad:
    I'll await a reply. This is a tricky one eh !
    Thanks and Regards
    jackafrica
     
  17. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi JackAfrica

    Can you show us the portion of the Port Explorer log that shows activity to or from the 203.166.224.x address(es)?

    Also, can you please download and run DCS's AutostartViewer from

    http://www.diamondcs.com.au/downloads/asviewer.zip

    Go to the "Main" menu and make sure that all three top options are selected and then press "Save" and then copy & paste the results here for us to review.

    Thanks
     
  18. jackafrica

    jackafrica Registered Member

    Joined:
    Nov 22, 2003
    Posts:
    12
    Hi Dan,
    Thanks for your help mate, much appreciated. Here are the details from the program you suggested. All three boxes are ticked.
    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for user@USER, 11-27-2003
    c:\autoexec.bat
    SET SBPCI=C:\SBPCI
    PATH C:\WINDOWS;C:\WINDOWS\COMMAND;
    c:\config.sys
    C:\WINDOWS\HIMEM.SYS
    C:\WINDOWS\EMM386.EXE
    C:\WINDOWS\dosstart.bat
    c:\windows\command\ctload.com C:\CDROM\BTCCDROM.SYS /D:BTCCD001 /V
    c:\WINDOWS\COMMAND\MSCDEX.EXE /D:BTCCD001 /V /M:20
    c:\windows\command\mouse.exe
    C:\SBPCI\SBINIT
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    HKCR\htafile\shell\open\command\
    C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScanRegistry
    C:\WINDOWS\scanregw.exe /autorun
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TaskMonitor
    C:\WINDOWS\taskmon.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemTray
    C:\WINDOWS\system\SysTray.Exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\bpcpost.exe
    C:\WINDOWS\SYSTEM\bpcpost.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadPowerProfile
    Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CreativeMixer
    C:\SBPCI\ctmix32.exe /T
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Vet Alert
    C:\WINDOWS\System\VetMsg9x.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VetTray
    C:\VET\VETTRAY.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\LoadPowerProfile
    Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\TrueVector
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\SYSTEM\WEBCHECK.DLL
    C:\WINDOWS\Tasks\ScanDisk.job
    C:\WINDOWS\SCANDSKW.EXE
    C:\WINDOWS\Start Menu\Programs\StartUp\EPSON Background Monitor.lnk
    C:\ESM2\Stms.exe
    C:\WINDOWS\Start Menu\Programs\StartUp\EPSON Status Monitor 3 Environment Check 2.lnk
    C:\WINDOWS\SYSTEM\E_SRCV02.EXE
    C:\WINDOWS\Start Menu\Programs\StartUp\SpywareGuard.lnk
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\WINDOWS\system\iosubsys\
    C:\WINDOWS\system\iosubsys\ESDI_506.PDR
    C:\WINDOWS\system\iosubsys\HSFLOP.PDR
    C:\WINDOWS\system\iosubsys\RMM.PDR
    C:\WINDOWS\system\iosubsys\SCSIPORT.PDR
    C:\WINDOWS\system\iosubsys\APIX.VXD
    C:\WINDOWS\system\iosubsys\ATAPCHNG.VXD
    C:\WINDOWS\system\iosubsys\CDFS.VXD
    C:\WINDOWS\system\iosubsys\CDTSD.VXD
    C:\WINDOWS\system\iosubsys\CDVSD.VXD
    C:\WINDOWS\system\iosubsys\DISKTSD.VXD
    C:\WINDOWS\system\iosubsys\DISKVSD.VXD
    C:\WINDOWS\system\iosubsys\NECATAPI.VXD
    C:\WINDOWS\system\iosubsys\SCSI1HLP.VXD
    C:\WINDOWS\system\iosubsys\TORISAN3.VXD
    C:\WINDOWS\system\iosubsys\VOLTRACK.VXD
    C:\WINDOWS\system\iosubsys\IOMEGA.VXD
    C:\WINDOWS\system\iosubsys\ENSQIO.VXD
    C:\WINDOWS\system\iosubsys\BIGMEM.DRV
    C:\WINDOWS\system\iosubsys\VetFDD9x.VxD
    C:\WINDOWS\system32\vmm32\
    C:\WINDOWS\system\vmm32\ifsmgr.vxd
    C:\WINDOWS\system\vmm32\ios.vxd
    C:\WINDOWS\system\vmm32\qemmfix.vxd
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\SYSTEM\DCSWS2.DLL
    C:\WINDOWS\SYSTEM\mswsosp.dll
    C:\WINDOWS\SYSTEM\msafd.dll
    C:\WINDOWS\SYSTEM\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\SetupcPerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection SetupcPerUser 64 C:\WINDOWS\INF\setupc.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\AppletsPerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 C:\WINDOWS\INF\applets.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\FontsPerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 C:\WINDOWS\INF\fonts.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\{5A8D6EE0-3E18-11D0-821E-444553540000}\
    rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\icw.inf,PerUserStub,,36
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_ICW_Inis\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 C:\WINDOWS\INF\icw97.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
    RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4395}\
    rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\SYSTEM\ie4uinit.inf,Shell.UserStub,,36
    HKLM\Software\Microsoft\Active Setup\Installed Components\>PerUser_MSN_Clean\
    C:\WINDOWS\msnmgsr1.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{CA0A4247-44BE-11d1-A005-00805F8ABE06}\
    RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Msinfo\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 C:\WINDOWS\INF\msinfo.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Msinfo2\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 C:\WINDOWS\INF\msinfo.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\MotownMmsysPerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 C:\WINDOWS\INF\motown.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\MotownAvivideoPerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 C:\WINDOWS\INF\motown.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\MotownMPlayPerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 C:\WINDOWS\INF\mplay98.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Base\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 C:\WINDOWS\INF\msmail.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\ShellPerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 C:\WINDOWS\INF\shell.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\Shell2PerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 C:\WINDOWS\INF\shell2.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_winbase_Links\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 C:\WINDOWS\INF\subase.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_winapps_Links\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 C:\WINDOWS\INF\subase.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_LinkBar_URLs\
    C:\WINDOWS\COMMAND\sulfnbk.exe /L
    HKLM\Software\Microsoft\Active Setup\Installed Components\TapiPerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 C:\WINDOWS\INF\tapi.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\{73fa19d0-2d75-11d2-995d-00c04f98bbc9}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\webfdr16.inf,PerUserStub.Install,1
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUserOldLinks\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 C:\WINDOWS\INF\appletpp.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\MmoptRegisterPerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 C:\WINDOWS\INF\mmopt.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\OlsPerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 C:\WINDOWS\INF\ols.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\OlsMsnPerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 C:\WINDOWS\INF\ols.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Paint_Inis\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis_remove 64 C:\WINDOWS\INF\applets.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Calc_Inis\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis_remove 64 C:\WINDOWS\INF\applets.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_CVT_Inis\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis_remove 64 C:\WINDOWS\INF\applets1.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\MotownRecPerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 C:\WINDOWS\INF\motown.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Vol\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 C:\WINDOWS\INF\motown.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_MSWordPad_Inis\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 C:\WINDOWS\INF\wordpad.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_RNA_Inis\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 C:\WINDOWS\INF\rna.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Dialer_Inis\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 C:\WINDOWS\INF\appletpp.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_CDPlayer_Inis\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 C:\WINDOWS\INF\mmopt.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015C}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.W95
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
    rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}
    HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
    rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}
    HKLM\Software\Microsoft\Active Setup\Installed Components\OlsAolPerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUserRemove 64 C:\WINDOWS\INF\ols.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\OlsAttPerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUserRemove 64 C:\WINDOWS\INF\ols.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\OlsCompuservePerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsCompuservePerUserRemove 64 C:\WINDOWS\INF\ols.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\OlsProdigyPerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUserRemove 64 C:\WINDOWS\INF\ols.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA851-CC51-11CF-AAFA-00AA00B6015C}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wpie5x86.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Wingames_Inis\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Rem_Inis 64 C:\WINDOWS\INF\appletpp.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\Theme_Windows_PerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Themes_Windows_PerUser 0 C:\WINDOWS\INF\themes.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\Theme_MoreWindows_PerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Themes_MoreWindows_PerUser 0 C:\WINDOWS\INF\themes.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\EpgPerUser\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection EpgPerUser 64 C:\WINDOWS\INF\epg.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Sysmon_Inis\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmon_Inis_remove 64 C:\WINDOWS\INF\appletpp.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Sysmeter_Inis\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmeter_Rem_Inis 64 C:\WINDOWS\INF\appletpp.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_DCC_Inis\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_DCC_Inis_remove 64 C:\WINDOWS\INF\rna.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\PerUser_Winpopup_Inis\
    rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Winpopup_Inis_remove 64 C:\WINDOWS\INF\winpopup.inf
    HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Remove.PerUser
    HKLM\Software\Microsoft\Active Setup\Installed Components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}\
    C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
    HKLM\System\CurrentControlSet\Services\VxD\VNETSUP\
    C:\WINDOWS\system\vnetsup.vxd
    HKLM\System\CurrentControlSet\Services\VxD\NDIS\
    ndis.vxd,ndis2sup.vxd
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINDOWS\system\JAVASUP.VXD
    HKLM\System\CurrentControlSet\Services\VxD\VRTWD\
    C:\WINDOWS\SYSTEM\vrtwd.386
    HKLM\System\CurrentControlSet\Services\VxD\VFIXD\
    C:\WINDOWS\SYSTEM\vfixd.vxd
    HKLM\System\CurrentControlSet\Services\VxD\VNETBIOS\
    C:\WINDOWS\system\vnetbios.vxd
    HKLM\System\CurrentControlSet\Services\VxD\VREDIR\
    C:\WINDOWS\system\vredir.vxd
    HKLM\System\CurrentControlSet\Services\VxD\DFS\
    C:\WINDOWS\system\dfs.vxd
    HKLM\System\CurrentControlSet\Services\VxD\TURBOVBF\
    C:\WINDOWS\system\TURBOVBF.VXD
    HKLM\System\CurrentControlSet\Services\VxD\SCANDRV\
    C:\PROGRA~1\SCANDRV\SCANDRV.386
    HKLM\System\CurrentControlSet\Services\VxD\GCKERNEL\
    C:\WINDOWS\system\gckernel.vxd
    HKLM\System\CurrentControlSet\Services\VxD\MSGAMIO\
    C:\WINDOWS\system\msgamio.vxd
    HKLM\System\CurrentControlSet\Services\VxD\VETMON9X\
    C:\VET\VETMON9X.VXD
    HKLM\System\CurrentControlSet\Services\VxD\VSDATA95\
    C:\WINDOWS\system\vsdata95.vxd
    Thanks again, I'll await your reply. I hope you can find something. My apologies for being such a computer dummy, but hey, I'm on a giddy learning curve here!!
    Thanks and Regards
    jackafrica
     
  19. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    :D Don't worry about the learning curve, I've been known to drive off a few curves myself! ;)

    Well, I don't see anything wrong in the log output. The kernel32.dll is a system file. It may be that you are unable to find it because of folder view restrictions. You might want to go to c:\windows\system32 in Explorer and go into the folder options and make sure you have none of the view restrictions enabled (you should set it to see all files and to show all extensions). I forget exactly how to get to this options tab in 98, but once you are in the folder in Explorer just look for View or Folder Options or something like that in the menu.

    The Port Explorer output for those remote IPs you mentioned would help quite a bit in tracing any problem.
     