Mobile/PDA About Us Advertise here
User User name Password  
  Not registered yet? Register here.
Lost your password? Click here. 		 
  Home   News   Guides   Downloads   Glossary   Hardware   Profiles   Forums  
 Advertise at AfterDawn.com     Link to us!     Private messages     Compose a private message     List of all updated threads     Threads without replies     Search messages
Thursday 24.7.2008 / 02:02
Search:        In English   Suomeksi   På svenska
afterdawn.com > forums > software, operating systems and more > windows - virus and spyware problems > irc/backdoor.flood virus found. please help
Show topics
 
Forums
Forums
irc/backdoor.flood virus found. PLEASE HELP
  Jump to:
 
Posted Message
crazyman1
Suspended due to non-functional email address
_ 		8. July 2007 @ 13:11 _ Link to this message    Send private message to this user   
i have the virus irc/backdoor.flood and cant kick it out. its on a win98 machine. i have ran AVG virus program, AVG tool what ever i run dont seam to fix it. this is the info i have. any help with this would be great and thanks in advance.

file name
win.exe

result/infection
virus found irc/backdoor flood

path
c:\windows\system32\drivers\etc\win.exe

virus found
irc/backdoor.flood
[ + quote]
Auttaja
Suspended permanently
_ 		9. July 2007 @ 03:56 _ Link to this message    Send private message to this user   
Download HijackThis ver. 1.99.1 from HERE and save it to your Desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\HijackThis.
Continue to click Next in the setup dialogue boxes until you get to the "Select Addition Tasks" dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch HijackThis.
Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
Copy and paste the log to this topic

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

[ + quote]
Don´t send your HijackThis log to another user topic. Remember to describe what kind of problems you have. (In my opinion afterdawn has very unsupportive attitude against malware fighters)
How to send HijackThis log (step 3-5)Hijackthis login lähettämisohjeet (Finland)
My profile "Therefore I say to you, do not worry about your life, what you will eat or what you will drink; nor about your body, what you will put on."
My home forum (Finland) Geeks To Go - Another place
List of rogue programs. (Finland) For exampe MSG+ is there. Another list
crazyman1
Suspended due to non-functional email address
_ 		9. July 2007 @ 16:37 _ Link to this message    Send private message to this user   
ok here is the log. i hope this is what you need.
Logfile of HijackThis v1.99.1
Scan saved at 5:29:40 PM, on 7/9/07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\USBSTORAGE\USBDETECTOR.EXE
C:\WINDOWS\TPPALDR.EXE
C:\PROGRAM FILES\IOMEGA HOTBURN\AUTOLAUNCH.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOBNZ08.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TPPSTRAY.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\WINDOWS\NETDDE.EXE
C:\WINDOWS\DESKTOP\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.netcenter.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?p=1148244582
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\PROGRAM FILES\IMESH\IMESH5\IMESHBHO.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: IEExtension Class - {DBE5BEE8-F032-11DB-826A-C4BB56D89593} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [KodakCCS] c:\windows\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [ALU Scheduler Service] C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Trust Cleaner] "C:\Program Files\Trust Cleaner\Trust Cleaner.exe"
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\Creative Office\Calendar Creator 5\SCHEDU~1.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.15.43/ttinst.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/we...aploader_v6.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
[ + quote]
Auttaja
Suspended permanently
_ 		10. July 2007 @ 01:11 _ Link to this message    Send private message to this user   
Hi

Open contorl panel and there add/remove program

remove:

IMESH
Trust Cleaner

Delete these folders:

C:\Program Files\Trust Cleaner
C:\PROGRAM FILES\IMESH

========

Download and Run ComboFix
*Download this file from either of the two below listed places :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

*Then double click combofix.exe & follow the prompts.
*When finished, it shall produce a log for you. Post that log in your next reply
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post fresh HijackThis log too.
[ + quote]
Don´t send your HijackThis log to another user topic. Remember to describe what kind of problems you have. (In my opinion afterdawn has very unsupportive attitude against malware fighters)
How to send HijackThis log (step 3-5)Hijackthis login lähettämisohjeet (Finland)
My profile "Therefore I say to you, do not worry about your life, what you will eat or what you will drink; nor about your body, what you will put on."
My home forum (Finland) Geeks To Go - Another place
List of rogue programs. (Finland) For exampe MSG+ is there. Another list

This message has been edited since posting. Last time this message was edited on 10. July 2007 @ 08:44
crazyman1
Suspended due to non-functional email address
_ 		10. July 2007 @ 06:55 _ Link to this message    Send private message to this user   
if i remove C:\PROGRAM FILES wont that mess up all my programs that i have installed?
[ + quote]
Auttaja
Suspended permanently
_ 		10. July 2007 @ 08:44 _ Link to this message    Send private message to this user   
Yes, It was very big mistake by me :)

C:\PROGRAM FILES\IMESH

I meant that folder, I am very glad that you don´t delete that "program files" folder! :)
[ + quote]
Don´t send your HijackThis log to another user topic. Remember to describe what kind of problems you have. (In my opinion afterdawn has very unsupportive attitude against malware fighters)
How to send HijackThis log (step 3-5)Hijackthis login lähettämisohjeet (Finland)
My profile "Therefore I say to you, do not worry about your life, what you will eat or what you will drink; nor about your body, what you will put on."
My home forum (Finland) Geeks To Go - Another place
List of rogue programs. (Finland) For exampe MSG+ is there. Another list

This message has been edited since posting. Last time this message was edited on 10. July 2007 @ 08:46
crazyman1
Suspended due to non-functional email address
_ 		10. July 2007 @ 17:45 _ Link to this message    Send private message to this user   
I tryed downloading ComboFix from the links you posted but neather one worksw for me.whem i go to C:\Program Files and look for Trust Cleaner\Trust Cleaner.exe" its not there. there is no trust cleaner folder or file in my programs.

here is a new HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 6:40:15 PM, on 7/10/07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\USBSTORAGE\USBDETECTOR.EXE
C:\WINDOWS\TPPALDR.EXE
C:\PROGRAM FILES\IOMEGA HOTBURN\AUTOLAUNCH.EXE
C:\WINDOWS\TPPSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOBNZ08.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\WINDOWS\DESKTOP\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.netcenter.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?p=1148244582
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: IEExtension Class - {DBE5BEE8-F032-11DB-826A-C4BB56D89593} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [KodakCCS] c:\windows\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [ALU Scheduler Service] C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Trust Cleaner] "C:\Program Files\Trust Cleaner\Trust Cleaner.exe"
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\Creative Office\Calendar Creator 5\SCHEDU~1.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.15.43/ttinst.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/we...aploader_v6.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
[ + quote]

This message has been edited since posting. Last time this message was edited on 10. July 2007 @ 18:22
Auttaja
Suspended permanently
_ 		11. July 2007 @ 05:38 _ Link to this message    Send private message to this user   
Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)


R3 - Default URLSearchHook is missing
O2 - BHO: IEExtension Class - {DBE5BEE8-F032-11DB-826A-C4BB56D89593} - (no file)

Unknown
O4 - HKCU\..\Run: [Trust Cleaner] "C:\Program Files\Trust Cleaner\Trust Cleaner.exe"
O4 - Startup: PowerReg SchedulerV2.exe


Close ALL open windows
Click Fix Checked

Post fresh hijackthislog
[ + quote]
Don´t send your HijackThis log to another user topic. Remember to describe what kind of problems you have. (In my opinion afterdawn has very unsupportive attitude against malware fighters)
How to send HijackThis log (step 3-5)Hijackthis login lähettämisohjeet (Finland)
My profile "Therefore I say to you, do not worry about your life, what you will eat or what you will drink; nor about your body, what you will put on."
My home forum (Finland) Geeks To Go - Another place
List of rogue programs. (Finland) For exampe MSG+ is there. Another list
crazyman1
Suspended due to non-functional email address
_ 		11. July 2007 @ 16:39 _ Link to this message    Send private message to this user   
Shold i delete
Unknown
O4 - HKCU\..\Run: [Trust Cleaner] "C:\Program Files\Trust Cleaner\Trust Cleaner.exe"
O4 - Startup: PowerReg SchedulerV2.exe

Here is a new log
Logfile of HijackThis v1.99.1
Scan saved at 5:31:23 PM, on 7/11/07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\USBSTORAGE\USBDETECTOR.EXE
C:\WINDOWS\TPPALDR.EXE
C:\PROGRAM FILES\IOMEGA HOTBURN\AUTOLAUNCH.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\TPPSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOBNZ08.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\NETDDE.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\DESKTOP\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.netcenter.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?p=1148244582
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F1 - win.ini: run=hpfsched
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [KodakCCS] c:\windows\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Trust Cleaner] "C:\Program Files\Trust Cleaner\Trust Cleaner.exe"
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\Creative Office\Calendar Creator 5\SCHEDU~1.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.15.43/ttinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/we...aploader_v6.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
[ + quote]
crazyman1
Suspended due to non-functional email address
_ 		11. July 2007 @ 18:18 _ Link to this message    Send private message to this user   
ok i deleted
O4 - HKCU\..\Run: [Trust Cleaner] "C:\Program Files\Trust Cleaner\Trust Cleaner.exe"

New log after deleting it
Logfile of HijackThis v1.99.1
Scan saved at 7:13:19 PM, on 7/11/07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\USBSTORAGE\USBDETECTOR.EXE
C:\WINDOWS\TPPALDR.EXE
C:\PROGRAM FILES\IOMEGA HOTBURN\AUTOLAUNCH.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TPPSTRAY.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOBNZ08.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\WINDOWS\DESKTOP\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.netcenter.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?rs=1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F1 - win.ini: run=hpfsched
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [KodakCCS] c:\windows\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\Creative Office\Calendar Creator 5\SCHEDU~1.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.15.43/ttinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/we...aploader_v6.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
[ + quote]
Auttaja
Suspended permanently
_ 		11. July 2007 @ 19:51 _ Link to this message    Send private message to this user   
Create Uninstall list
[*]Open HijackThis
[*] Click on the configure button on the bottom right
[*] Click on the tab "Misc Tools"
[*] Click on the Box that says "Open Uninstall Manager.."
[*] Click on the button "Save list"
[*] Copy and past the List from notepad into your post
[ + quote]
Don´t send your HijackThis log to another user topic. Remember to describe what kind of problems you have. (In my opinion afterdawn has very unsupportive attitude against malware fighters)
How to send HijackThis log (step 3-5)Hijackthis login lähettämisohjeet (Finland)
My profile "Therefore I say to you, do not worry about your life, what you will eat or what you will drink; nor about your body, what you will put on."
My home forum (Finland) Geeks To Go - Another place
List of rogue programs. (Finland) For exampe MSG+ is there. Another list
crazyman1
Suspended due to non-functional email address
_ 		11. July 2007 @ 20:20 _ Link to this message    Send private message to this user   
here is the list.

Ad-Aware SE Personal
Adobe Acrobat Reader 3.01
Adobe Download Manager 1.2 (Remove Only)
Adobe Reader 6.0.1
Arabic Language Support
ATI mach64 Display Driver
ATI VIDEO PLAYER
AVG 7.5
Bejeweled 2 Deluxe 1.0
Bug Doctor 3.0.3.8
Calendar Creator 5
Canon S820
Chinese (Simplified) Language Support
Chinese (Traditional) Language Support
Conexant SoftK56 Modem
coverXP (remove only)
DAO (Data Access Objects) 3.5
Hebrew Language Support
HijackThis 1.99.1
Hijackthis 1.99.1
HP DeskJet 610C Series (Remove only)
hp instant support
HP Memories Disc
HP Photo and Imaging 2.0 - hp psc 2170 series
Internet Explorer Q903235
Internet Explorer Q916281
Iomega HotBurn
J2SE Runtime Environment 5.0 Update 2
Kazaa Lite K++ v2.4.1
Kodak EasyShare software
LEGO Island
Macromedia Flash Player 8
MediaFACE 4.01
MediaFACE 4.01 Image Library
Memorex exPressit Label Design Studio
Microsoft Data Access Components KB870669
Microsoft Internet Explorer 6 SP1 and Internet Tools
Microsoft Money 2000 Standard Edition
Microsoft Works 2000
Microsoft XML Parser and SDK
Mozilla Firefox (2.0b2)
QuickTime
RealArcade
RingToneGen
Super Collapse! 3
USB Storage Adapter V3 (TPP)
USB Storage Driver
Windows 98 KB896358 Update
Windows 98 KB908519 Update
Windows 98 KB918547 Update
Windows 98 Q823559 Update
Windows 98 Q840315 Update
Windows 98 Q888113 Update
Windows 98 Q890175 Update
Windows Media Player system update (9 Series)
WinRAR archiver
WinZip
Yahoo! Toolbar
ZoneAlarm Pro
[ + quote]
Auttaja
Suspended permanently
_ 		11. July 2007 @ 20:32 _ Link to this message    Send private message to this user   
Hi

Open control panel, and there add/remove programs

Remove:
Bug Doctor 3.0.3.8
Kazaa Lite K++ v2.4.1

======

Create a Startup List
[*] Open HijackThis
[*] Click on the "Config..." button on the bottom right
[*] Click on the tab "Misc Tools"
[*] Check off the 2 boxes next to the Box that says "Generate StartupList log"
[*] Click "Generate StartupList log"
[*] Copy and past the StartupList from the notepad into your next post


[ + quote]
Don´t send your HijackThis log to another user topic. Remember to describe what kind of problems you have. (In my opinion afterdawn has very unsupportive attitude against malware fighters)
How to send HijackThis log (step 3-5)Hijackthis login lähettämisohjeet (Finland)
My profile "Therefore I say to you, do not worry about your life, what you will eat or what you will drink; nor about your body, what you will put on."
My home forum (Finland) Geeks To Go - Another place
List of rogue programs. (Finland) For exampe MSG+ is there. Another list
crazyman1
Suspended due to non-functional email address
_ 		12. July 2007 @ 17:32 _ Link to this message    Send private message to this user   
do you have any idea about this? i dont know if i should delete it or not.
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
[ + quote]
crazyman1
Suspended due to non-functional email address
_ 		12. July 2007 @ 17:36 _ Link to this message    Send private message to this user   
StartupList report, 7/12/07, 6:30:22 PM
StartupList version: 1.52.2
Started from : C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\USBSTORAGE\USBDETECTOR.EXE
C:\WINDOWS\TPPALDR.EXE
C:\PROGRAM FILES\IOMEGA HOTBURN\AUTOLAUNCH.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\TPPSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOBNZ08.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\NETDDE.EXE
C:\WINDOWS\DESKTOP\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
Scheduler.lnk = C:\Program Files\Creative Office\Calendar Creator 5\SCHEDU~1.EXE
Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

TaskMonitor = c:\windows\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
AtiCwd32 = Aticwd32.exe
AtiKey = Atitask.exe
SoundFusion = RunDll32 cwcprops.cpl,CrystalControlWnd
USBDetector = C:\USBStorage\USBDetector.exe
TPP Auto Loader = C:\WINDOWS\TPPALDR.EXE
Drag'n'Drop_Autolaunch = "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
KodakCCS = c:\windows\System32\Drivers\KodakCCS.exe
MediaFace Integration = C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
AVG7_CC = C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
AVG7_EMC = C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
AVG7_AMSVR = C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

(Default) =

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
KB918547 = C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MoneyAgent = "C:\Program Files\Microsoft Money\System\Money Express.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = c:\windows\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[SetupcPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection SetupcPerUser 64 c:\windows\INF\setupc.inf

[AppletsPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 c:\windows\INF\applets.inf

[FontsPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 c:\windows\INF\fonts.inf

[{5A8D6EE0-3E18-11D0-821E-444553540000}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\icw.inf,PerUserStub,,36

[PerUser_ICW_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 c:\windows\INF\icw97.inf

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\SYSTEM\ie4uinit.inf,Shell.UserStub,,36

[>PerUser_MSN_Clean] *
StubPath = c:\windows\msnmgsr1.exe

[{CA0A4247-44BE-11d1-A005-00805F8ABE06}] *
StubPath = RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

[PerUser_Msinfo] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 c:\windows\INF\msinfo.inf

[PerUser_Msinfo2] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 c:\windows\INF\msinfo.inf

[MotownMmsysPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 c:\windows\INF\motown.inf

[MotownAvivideoPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 c:\windows\INF\motown.inf

[MmoptPreferredAudioDevices] *
StubPath = rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,@0,SPCI\VEN_1013&DEV_6003&SUBSYS_00000000&REV_01\BUS_00&DEV_0B&FUNC_00

[MotownMPlayPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 c:\windows\INF\mplay98.inf

[PerUser_Base] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 c:\windows\INF\msmail.inf

[ShellPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 c:\windows\INF\shell.inf

[Shell2PerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 c:\windows\INF\shell2.inf

[PerUser_winbase_Links] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 c:\windows\INF\subase.inf

[PerUser_winapps_Links] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 c:\windows\INF\subase.inf

[PerUser_LinkBar_URLs] *
StubPath = c:\windows\COMMAND\sulfnbk.exe /L

[TapiPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 c:\windows\INF\tapi.inf

[{73fa19d0-2d75-11d2-995d-00c04f98bbc9}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection c:\windows\INF\webfdr16.inf,PerUserStub.Install,1

[PerUserOldLinks] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 c:\windows\INF\appletpp.inf

[MmoptRegisterPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 c:\windows\INF\mmopt.inf

[OlsPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 c:\windows\INF\ols.inf

[OlsMsnPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 c:\windows\INF\ols.inf

[PerUser_Paint_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 c:\windows\INF\applets.inf

[PerUser_Calc_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 c:\windows\INF\applets.inf

[PerUser_dxxspace_Links] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_dxxspace_Links 64 c:\windows\INF\applets1.inf

[PerUser_MSBackup_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSBackup_Inis 64 c:\windows\INF\applets1.inf

[PerUser_CVT_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 c:\windows\INF\applets1.inf

[PerUser_Enable_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Enable_Inis 64 c:\windows\INF\enable.inf

[MotownRecPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 c:\windows\INF\motown.inf

[PerUser_Vol] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 c:\windows\INF\motown.inf

[PerUser_MSWordPad_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 c:\windows\INF\wordpad.inf

[PerUser_RNA_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 c:\windows\INF\rna.inf

[PerUser_Wingames_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Inis 64 c:\windows\INF\appletpp.inf

[PerUser_Sysmon_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmon_Inis 64 c:\windows\INF\appletpp.inf

[PerUser_Sysmeter_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmeter_Inis 64 c:\windows\INF\appletpp.inf

[PerUser_netwatch_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_netwatch_Inis 64 c:\windows\INF\appletpp.inf

[PerUser_CharMap_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_CharMap_Inis 64 c:\windows\INF\appletpp.inf

[PerUser_Onlinelnks_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Onlinelnks_Inis 64 c:\windows\INF\appletpp.inf

[PerUser_Dialer_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 c:\windows\INF\appletpp.inf

[PerUser_ClipBrd_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_ClipBrd_Inis 64 c:\windows\INF\clip.inf

[MmoptMusicaPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptMusicaPerUser 64 c:\windows\INF\mmopt.inf

[MmoptJunglePerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptJunglePerUser 64 c:\windows\INF\mmopt.inf

[MmoptRobotzPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptRobotzPerUser 64 c:\windows\INF\mmopt.inf

[MmoptUtopiaPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection MmoptUtopiaPerUser 64 c:\windows\INF\mmopt.inf

[PerUser_CDPlayer_Inis] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 c:\windows\INF\mmopt.inf

[{44BBA842-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection c:\windows\INF\msnetmtg.inf,NetMtg.Install.PerUser.W95

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[OlsAolPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUser 64 c:\windows\INF\ols.inf

[OlsAttPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUser 64 c:\windows\INF\ols.inf

[OlsCompuservePerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsCompuservePerUser 64 c:\windows\INF\ols.inf

[OlsProdigyPerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUser 64 c:\windows\INF\ols.inf

[Shell3PerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection Shell3PerUser 64 c:\windows\INF\shell3.inf

[Theme_Windows_PerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection Themes_Windows_PerUser 0 c:\windows\INF\themes.inf

[Theme_MoreWindows_PerUser] *
StubPath = rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection Themes_MoreWindows_PerUser 0 c:\windows\INF\themes.inf

[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exeadvpack.dll

[>IEPerUser] *
StubPath = RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

[Chl99] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\chl99.inf,InstallUser

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}.Restore]
StubPath = rundll32.exe advpack.dll,UserUnInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=hpfsched

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.INI listing:
(Created 12/7/2007, 17:49:30)

[rename]
NUL=c:\windows\TEMP\_iu14D2N.tmp

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 10/7/2007, 19:27:32)

[Rename]
NUL=c:\WINDOWS\TEMP\LUINIT.EXE
NUL=C:\PROGRA~1\SYMANTEC\LIVEUP~1
NUL=C:\PROGRA~1\SYMANTEC\LIVEUP~1\LSETUP~1.DLL
NUL=C:\PROGRA~1\SYMANTEC\LIVEUP~1\LUINSDLL.DLL
NUL=C:\PROGRA~1\SYMANTEC\LIVEUP~1\LSETUP.EXE
NUL=C:\PROGRA~1\SYMANTEC\LIVEUP~1\LUCOMS~3.DLL
NUL=C:\PROGRA~1\SYMANTEC\LIVEUP~1\LUINSD~1.DLL
NUL=c:\WINDOWS\TEMP\LUINIT.EXE

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

C:\PROGRA~1\GRISOFT\AVG7\BOOTUP.EXE
REM [Header]
ECHO OFF
REM [CD-ROM Drive]
REM c:\windows\command\mscdex /d:gem001
REM [Miscellaneous]
REM [Display]
REM [Sound, MIDI, or Video Capture Card]
REM [Mouse]
c:\windows\cwcdata\cwcdos.exe

--------------------------------------------------

C:\CONFIG.SYS listing:

REM [Header]
REM [CD-ROM Drive]
Device=C:\cdrom\oakcdrom.sys /d:gem001
REM [Miscellaneous]
REM [SCSI Controllers]
REM [Display]
REM [Sound, MIDI, or Video Capture Card]
REM [Mouse]
REM ------------------

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

ECHO OFF
c:\windows\command\MSCDEX.EXE /D:gem001
c:\mouse\MOUSE.exe

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL - {02478D38-C3F9-4EFB-9B51-7695ECA05670}
(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

FRU Task #Hewlett-Packard#hp psc 2170 series#1136682773.job
Tune-up Application Start.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://c:\windows\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[DirectAnimation Java Classes]
CODEBASE = file://c:\windows\SYSTEM\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Internet Explorer Classes for Java]
CODEBASE = file://c:\windows\SYSTEM\iejava.cab
OSD = C:\WINDOWS\Downloaded Program Files\Internet Explorer Classes for Java.osd

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CA...8471.6569097222

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH8.OCX
CODEBASE = http://download.macromedia.com/pub/shock...ash/swflash.cab

[Java Plug-in 1.5.0_02]
InProcServer32 = C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstal...indows-i586.cab

[Java Plug-in 1.5.0_02]
InProcServer32 = C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstal...indows-i586.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\SYSTEM\LEGITCHECKCONTROL.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[Toontown Installer ActiveX Control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\TTINST.DLL
CODEBASE = http://a.download.toontown.com/sv1.0.15.43/ttinst.cab

[PopCapLoader Object]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\POPCAPLOADER.DLL
CODEBASE = http://download.games.yahoo.com/games/we...aploader_v6.cab

[SysData Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\SYSINFO.DLL
CODEBASE = http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab

[{193C772A-87BE-4B19-A7BB-445B226FE9A1}]
CODEBASE = http://downloads.ewido.net/ewidoOnlineScan.cab

[Snapfish Activia]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\SNAPFISHACTIVIA1000.OCX
CODEBASE = http://photos.walmart.com/WalmartActivia.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: c:\windows\SYSTEM\rnr20.dll
Protocol #1: c:\windows\SYSTEM\mswsosp.dll
Protocol #2: c:\windows\SYSTEM\msafd.dll
Protocol #3: c:\windows\SYSTEM\msafd.dll
Protocol #4: c:\windows\SYSTEM\msafd.dll
Protocol #5: c:\windows\SYSTEM\rsvpsp.dll
Protocol #6: c:\windows\SYSTEM\rsvpsp.dll

--------------------------------------------------

Enumerating Win9x VxD services:

VNETSUP: vnetsup.vxd
NDIS: ndis.vxd,ndis2sup.vxd
JAVASUP: JAVASUP.VXD
CONFIGMG: *CONFIGMG
NTKern: *NTKERN
VWIN32: *VWIN32
VFBACKUP: *VFBACKUP
VCOMM: *VCOMM
COMBUFF: *COMBUFF
IFSMGR: *IFSMGR
IOS: *IOS
MTRR: *mtrr
SPOOLER: *SPOOLER
UDF: *UDF
VFAT: *VFAT
VCACHE: *VCACHE
VCOND: *VCOND
VCDFSD: *VCDFSD
VXDLDR: *VXDLDR
VDEF: *VDEF
VPICD: *VPICD
VTD: *VTD
REBOOT: *REBOOT
VDMAD: *VDMAD
VSD: *VSD
V86MMGR: *V86MMGR
PAGESWAP: *PAGESWAP
DOSMGR: *DOSMGR
VMPOLL: *VMPOLL
SHELL: *SHELL
PARITY: *PARITY
BIOSXLAT: *BIOSXLAT
VMCPD: *VMCPD
VTDAPI: *VTDAPI
PERF: *PERF
VRTWD: c:\windows\SYSTEM\vrtwd.386
VFIXD: c:\windows\SYSTEM\vfixd.vxd
VNETBIOS: vnetbios.vxd
VREDIR: vredir.vxd
DFS: dfs.vxd
VSDATA95: vsdata95.vxd

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
Autorun entries