
[Resolved] Help needed to clean out my startup

Discussion in 'Virus & Other Malware Removal' started by Circe, Feb 16, 2003.

Thread Status:
Not open for further replies.
  1. Circe

    Circe Thread Starter

    Joined:
    Oct 25, 2002
    Messages:
    56
    Hi there guys,
    I need help to clean out my start-up list. I can recognize one little nastie, "New.net", but I need clear step-by-step instructions to flush it out, please.
    I am sure you guys will find others as well, it looks all double dutch to me.

    Thank you in advance.

    Here is my start up list, be seated, it's a rather long one!


    StartupList report, 2/17/03, 8:22:37 AM
    StartupList version: 1.51
    Started from : C:\UNZIPPED\STARTUPLIST151[1]\STARTUPLIST.EXE
    Detected: Windows 98 SE (Win9x 4.10.2222A)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\NETWORK ICE\BLACKICE\BLACKD.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\V38SHELL.EXE
    C:\PROGRAM FILES\CANON\SCANGEAR TOOLBOX CS\SGTBOX.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
    C:\PROGRAM FILES\NETWORK ICE\BLACKICE\BLACKICE.EXE
    C:\PROGRAM FILES\SILICON PRAIRIE SOFTWARE\MEMTURBO\MEMTURBO.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\UNZIPPED\STARTUPLIST151[1]\STARTUPLIST.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Start Menu\Programs\StartUp]
    PowerReg Scheduler.exe
    BlackICE Utility.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
    MemTurbo.lnk = C:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    Shell folders Common Startup:
    [C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
    ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
    TaskMonitor = C:\WINDOWS\taskmon.exe
    SystemTray = SysTray.Exe
    ASUSKey = V38SHELL.EXE
    WheelMouse = C:\Program Files\Wireless 4D Mouse\4DMAIN.EXE -startup
    PE2CKFNT SE = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
    SGTBox = C:\PROGRA~1\CANON\SCANGE~1\SGTBOX.EXE
    CriticalUpdate = C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
    wcmdmgr = C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    WatchDog = C:\PROGRAM FILES\WATCHDOG\WATCHDOG.exe /check
    mdac_runonce = C:\WINDOWS\SYSTEM\runonce.exe
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    New.net Startup = rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
    NAV Agent = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    MiniLog = C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
    LoadBlackD = C:\Program Files\Network ICE\BlackICE\blackd.exe
    TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    SchedulingAgent = C:\WINDOWS\SYSTEM\mstask.exe
    ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 30/1/2003, 20:45:24)

    [Rename]
    NUL=C:\PROGRA~1\NORTON~1\CUSTACT.EXE

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    SET BLASTER=A220 I7 D1 H5 P330 T6
    SET CTSYN=C:\WINDOWS
    C:\PROGRA~1\CREATIVE\SBLIVE\DOSDRV\SBEINIT.COM

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - (no file) - {1678F7E1-C422-11D0-AD7D-00400515CAAA}
    (no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\Program Files\NewDotNet\newdotnet4_50.dll - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
    NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job
    Windows Critical Update Notification.job
    Symantec NetDetect.job
    Norton AntiVirus - Scan my computer.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Symantec RuFSI Registry Information Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RUFSI.DLL
    CODEBASE = http://security1.norton.com/SSC/SharedContent/sc/bin/cabsa.cab

    [CV3 Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
    CODEBASE = http://windowsupdate.microsoft.com/R1024/V31Controls/x86/w98/en/actsetup.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [MSNChatMemberCtl]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\UCCMEMB.OCX
    CODEBASE = http://communities.ninemsn.com.au/central/UCCCHAT.Cab

    [ScanCtl Class]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\UZDETECT.OCX
    CODEBASE = http://outpost.zdnet.com/updates/resources/updates.cab

    [Yahoo! Audio Conferencing]
    InProcServer32 = C:\PROGRAM FILES\YAHOO!\MESSENGER\YACSCOM.DLL
    CODEBASE = http://cs6.chat.yahoo.com/v43/yacscom.cab

    [SurroundVideoCtrl Object]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSSURVID.OCX
    CODEBASE = http://carpoint.msn.com/components/ocx/Survid/MSSurVid.cab

    [HearMe VCDownload Class]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\VCDOWN~1.DLL
    CODEBASE = http://www.hearme.com/vc2/plugins/VC2Setup.cab

    [Mbayactx Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\MBAYACTX.OCX
    CODEBASE = http://www.messagebay.com/code1/mbayactx.cab

    [MSNBC News Menu Control 3.0]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\NEWSM30.OCX
    CODEBASE = http://www.zdf.msnbc.de/tools/NewsBrowser/nm0713.cab

    [Yahoo! Vision]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YV.DLL
    CODEBASE = http://download.yahoo.com/dl/fv/yv.cab

    [YInstStarter Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
    CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

    [National Internet Banking Custom]
    InProcServer32 = C:\WINDOWS\SYSTEM\MSJAVA.DLL
    CODEBASE = https://www.national.com.au/rib/afs/v3002/cabinet/NABcustom.cab

    [National Internet Banking Images]
    InProcServer32 = C:\WINDOWS\SYSTEM\MSJAVA.DLL
    CODEBASE = https://www.national.com.au/rib/afs/v3002/cabinet/images.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [3DGreetings.com Player 2.0]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\VROOM.DLL
    CODEBASE = http://www.expressit.com/Plugin/3DGreetings/vroom.CAB

    [Yahoo! Audio UI1]
    InProcServer32 = C:\PROGRAM FILES\YAHOO!\MESSENGER\YACSUI.DLL
    CODEBASE = http://chat.yahoo.com/cab/yacsui.cab

    [PWMediaSendControl Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PWACTIVEXIMGCTL.DLL
    CODEBASE = http://216.249.25.152/code/PWActiveXImgCtl.CAB

    [ContentAuditX Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\CONTEN~1.OCX
    CODEBASE = http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab

    [{018B7EC3-EECA-11D3-8E71-0000E82C6C0D}]
    CODEBASE = http://www.mp3-center.org/free_mp3.exe

    [sys Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PCPITSTOP.DLL
    CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

    [PCPDiskHealth Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\DISKHEALTH.DLL
    CODEBASE = http://activex.microsoft.com/objects/ocget.dll

    [YahooYMailTo Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YMMAPI.DLL
    CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
    CODEBASE = http://www.pandasoftware.com/activescan/as/asinst.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37589.9513657407

    [RdxIE Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RDXIE.DLL
    CODEBASE = http://207.188.7.150/31c62efc6c02f09b1202/netzip/RdxIE601.cab

    [ActiveDataObj Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ACTIVEDATA.DLL
    CODEBASE = https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    NameSpace #2: C:\Program Files\NewDotNet\newdotnet4_50.dll
    Protocol #1: C:\PROGRAM FILES\NEWDOTNET\NEWDOTNET4_50.DLL
    Protocol #2: C:\PROGRAM FILES\NEWDOTNET\NEWDOTNET4_50.DLL
    Protocol #9: C:\PROGRAM FILES\NEWDOTNET\NEWDOTNET4_50.DLL
    Protocol #10: C:\PROGRAM FILES\NEWDOTNET\NEWDOTNET4_50.DLL

    --------------------------------------------------
    End of report, 10,052 bytes
    Report generated in 2.960 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  2. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    The only "real nastie" there is New.Net, and it's best to remove that using its own uninstaller in Control Panel > Add/Remove Programs.
    Look for New.Net (domains)

    As for the other startup programs, use Pacman's List of Startup Applications (http://www.pacs-portal.co.uk/startup_pages/startup_full.htm) to determine what should stay and what can be unchecked.

    Cheers,
     
  3. Circe

    Circe Thread Starter

    Joined:
    Oct 25, 2002
    Messages:
    56
    Thanks for your help Tony.
    I didn't know it would be that simple an operation to remove that nastie. Shows what a novice I am at this!

    Thanks once again.
     
  4. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    No prob! :)
     

Short URL to this thread: https://techguy.org/119190
