[Flrman1]

CCapp is Norton's email scan.

[Ziggy1]

Ok at the moment this is what is happening,

I've gotten rid of the about blank page when I open IE, and it does not return when clicking home.

I don't see the reference to

**zu=rundll32 C:\WINDOWS\SYSTEM\COMKD.DLL,StreamingDeviceSetup

in

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnc e

I copied the HK_LM from the folder itself for verification and it is the same as yours.


Ok my IE seems to be working, how can I be certain that nothing is broadcasting in the background? I have Norton Firewall but I had it disabled for some time because it was slowing me down. if I enable it will it recognize if a Trojan happens to be on my system or are they able to circumvent the program?

[Ziggy1]

This is a new log It still has the comKD ref

StartDreck (build 2.1.5 public BETA) - 2004-07-07 @ 23:56:41
Platform: Windows 98 SE (Win 4.10.2222 A)

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*LoadQM=loadqm.exe
*WheelMouse=C:\PROGRA~1\PILOTM~1\4DMAIN.EXE -startup
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
*ccRegVfy="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
*NPROTECT=C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
*QD FastAndSafe=
*NvCplDaemon=RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
*nwiz=nwiz.exe /install
*Symantec Core LC=C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
*EnsoniqMixer=starter.exe
*KodakCCS=C:\WINDOWS\System32\Drivers\KodakCCS.exe
*USBMonit.exe="C:\WINDOWS\SYSTEM\USBMonit.exe"
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*Installed=1
*NoChange=1
*Installed=1
*Installed=1
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*Machine Debug Manager=C:\WINDOWS\SYSTEM\MDM.EXE
*ccEvtMgr="C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
*ScriptBlocking="C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
*CSINJECT.EXE=C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
*NPROTECT=C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
*SymTray - Norton SystemWorks=C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
*ccSetMgr="C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
*ccProxy=C:\PROGRA~1\COMMON~1\SYMANT~1\CCPROXY.EXE
*SndSrvc=C:\PROGRA~1\COMMON~1\SYMANT~1\SNDSRVC.EXE
»RunServicesOnce
**m=rundll32 C:\WINDOWS\SYSTEM\COMKD.DLL,StreamingDeviceSetup
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*Navbho.CNavExtBho.1/{BDF3E430-B101-42AD-A544-FADC6B084872}
`InprocServer32=C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
*Ipswitch.WsftpBrowserHelper.1/{601ED020-FB6C-11D3-87D8-0050DA59922B}
`InprocServer32=C:\PROGRAM FILES\WS_FTP PRO\WSBHO2K0.DLL
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
*Nisbho.CNisExtBho.1/{9ECB9560-04F9-4bbc-943D-298DDF1699E1}
`InprocServer32=C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
»Files
»System/Drivers
»Running Processes
*FFF08957=C:\WINDOWS\SYSTEM\KERNEL32.DLL
*FFFF5EE3=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
*FFFF4873=C:\WINDOWS\SYSTEM\MPREXE.EXE
*FFFF2C0B=C:\WINDOWS\SYSTEM\mmtask.tsk
*FFFFD27F=C:\WINDOWS\SYSTEM\MSTASK.EXE
*FFFFCDC7=C:\WINDOWS\SYSTEM\MDM.EXE
*FFFFB31F=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
*FFFE7CCB=C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
*FFFE67BB=C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
*FFFE1163=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
*FFFE6EBF=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
*FFFEC407=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
*FFFD612B=C:\WINDOWS\EXPLORER.EXE
*FFFD5B73=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
*FFFE98A7=C:\WINDOWS\SYSTEM\RPCSS.EXE
*FFFDC167=C:\WINDOWS\RUNDLL32.EXE
*FFFA67AF=C:\WINDOWS\TASKMON.EXE
*FFFA5D23=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
*FFF92B13=C:\WINDOWS\LOADQM.EXE
*FFF91433=C:\PROGRAM FILES\PILOT MOUSE WHEEL SCROLL\4DMAIN.EXE
*FFF9DFB7=C:\WINDOWS\SYSTEM\STIMON.EXE
*FFF9B973=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
*FFF74AFF=C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
*FFFC8BF7=C:\WINDOWS\SYSTEM\USBMONIT.EXE
*FFF8130B=C:\WINDOWS\RUNDLL32.EXE
*FFFA37F3=C:\WINDOWS\SYSTEM\QTTASK.EXE
*FFF571BB=C:\PROGRAM FILES\COMMON FILES\INTUIT\QUICKBOOKS\QBUPDATE\QBUPDATE.EXE
*FFFBFA83=C:\WINDOWS\SYSTEM\DDHELP.EXE
*FFF8403B=C:\WINDOWS\SYSTEM\WMIEXE.EXE
*FFF02D2B=C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
*F8F443C7=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
*FFF4CA9F=C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
*FFF22E2F=C:\WINDOWS\SYSTEM\PSTORES.EXE
*FFF1FAA3=C:\MY DOCUMENTS\SECURITY\STARTDRECK\STARTDRECK.EXE
»Application specific

[Ziggy1]

gotta run , thanks for the help.

I'm still troubled by the fact that SafeMode, Regedit don't work plus the fact that I could not put in that Win98Fix you told me to download.

Also now that my e-mail is not working I'm thinking I should re-install windows, what do you think?

Worstcase scenario would be to format the drive.

Thanks again

[Flrman1]

This is still there:

RunServicesOnce
**m=rundll32 C:\WINDOWS\SYSTEM\COMKD.DLL,StreamingDeviceSetup

[Rollin' Rog]

On the problem with regedit, I don't see the typical suspects as starting processes.

Are you getting an error message of some kind when you try to run regedit ? Or is the utility simply not opening?

Can you do a file search for it and verify you have regedit.exe and that it is a microsoft file (right click, select Properties > Version).

If it is a Microsoft file, try copying it to another folder and rename it either regedit.com or regedit.scr and try running it by double clicking it.

Also I'm going to upload a shell open patch I created for the old Swen worm; it will correct some possible issues. You must download it and then rename it with a .inf extension, the actual name doesn't matter. Before renaming, verify that you do NOT have "hide file extensions...." checked in Folder Options > View or it will not rename correctly.

Once it is renamed, right click and select "install" from the menu. You won't get any prompts or confirmations.

[Ziggy1]

Ok,

The aboutBlank is back!@#$% I couldn't get it to come up yesterday but today it was back.

*CCapp (Norton) keeps crashing

*often folders stop responding if I righclick on an icon.

*E-mail is still not working

I pulled up Regedit.EXE it says it is Microsoft, I can get it to run by double clicking it once copied to another folder either as .EXE or the other extensions you listed (all work) but will not work via the run command.

I renamed the Swen file and installed it as requested

[Rollin' Rog]

So let me understand: it WILL run as an exe if you double click it directly from ANY folder (including system32) but will NOT execute from Start > Run?

Or it will not run from system32 using any method? That would be a real oddity, hmmm....

And have you tested after doing the INF install?

Run regedit.com and verify the following key:

HKEY_CLASSES_ROOT\regedit\shell\open\command

Data: regedit.exe %1

By the way, now that you *can* run regedit using a workaround you should also be able to "import" .reg files (File > Import) which is the same as running them to merg.

[Ziggy1]

Did you mean?

HKEY_CLASSES_ROOT\regfile\shell\open\command

I don't see


HKEY_CLASSES_ROOT\regedit\shell\open\command


What do I need to Import into the registry?

[Ziggy1]

[quote=Rollin' Rog]So let me understand: it WILL run as an exe if you double click it directly from ANY folder (including system32) but will NOT execute from Start > Run?

Or it will not run from system32 using any method? That would be a real oddity, hmmm....

And have you tested after doing the INF install? (YES)



*Correct Run command will not work for regedit ( any extension)

[Rollin' Rog]

Let me know which part of this you don't see:


HKEY_CLASSES_ROOT\regedit\shell\open\command

Unfortunately my "regedit" entry contains some stuff that would be in appropriate for you, but we can edit manually or give you a partial regedit patch to import.

[Ziggy1]

I don't have a regedit folder and there are no values in the ones listed (see attached

[Rollin' Rog]

Ok I've done a little editing on mine and hopefully this will work for you.

I will upload a zipped registry file. Download it; unzip it to another folder (don't leave it in the zip container).

Then manually open regedit and select File > Import and navigate to where you have the .reg file and "open" it.

Verify that you now have that entry in the registry and test the run command.


>>> it looks like you need "regfile" as well; hang on while I jigger with that....

[Ziggy1]

I'll have to follow up tomorrow, thanks

[Rollin' Rog]

Do the same with this one.