System Not Going On Standby


eekamaus

Thread Starter
Joined
Dec 23, 2001
Messages
15
USING WIN ME. "THE FOLLOWING MODULES HAVE INTERCEPTED
(HOOKED) VARIOUS ASPECTS OF THE SYSTEM."

HOOK TYPE: SHELL
HOOKED BY: MMSYSTEM.DLL
APPLICATION: MMTASK.TSK
DLL PATH: C:\WINDOWS\SYSTEM\MMSYST...
APPLICATION PATH: C:\WINDOWS\SYSTEM\MMTASK.TS


I'M HAVING PROBLEMS PUTTING MY COMPUTER ON STANDBY MODE. I'VE TRIED THE HELP THAT CAME WITH THE COMPUTER BUT NO LUCK. I SUSPECT THE HOOK IS CAUSING THIS. MY COMPUTER SAYS THAT THE STANDBY IS WORKING FINE BUT IT'S NOT.

I ALSO HAVE A DAMAGED FILE THAT I DON'T KNOW HOW TO FIX.

HTTP://CODECS.MICROSOFT.COM/CODECS/i386/VOXACM.CAB
IT'S A PROGRAM FILE I BELIEVE.

I DON'T KNOW MUCH ABOUT COMPUTERS SO I AM LOST!
 
Joined
Oct 14, 2001
Messages
2,218
in WinME it's easy to do a system restore & you don't lose what you have downloaded. Go to start/help & click it to open... then on the left side about 2/3 the way down... look for Fix a Problem... and under that you will find system restore.... click it & then choose restore to an earlier time... pick a date on the calendar ... maybe a week to 10 days ago & follow thru..
come back & let us know how it went...


if its far enough back to where there was no damaged file you will have fixed it.
 

eekamaus

Thread Starter
Joined
Dec 23, 2001
Messages
15
system restore only goes back to the middle of nov. i had a virus problem from oct to nov. i don't know if it is really gone.
nav scans don't turn anything up. it would be great if i could go to sept. as for not losing data, that's not true i do lose things when i do a restore. is there anything else i could do? thanks
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,298
Hiya

For the first error, are you getting any errors that pop up as in a window? Have you added any new hardware recently?

Sometimes this error can occur with MMSYSTEM.DLL when it is missing from the [boot] section of the System.ini file. Can you confirm that it is there?

Go to Find Files and type in system.ini

Check that in the [boot] section it says:

drivers=mmsystem.dll

If it does, just close it. If not, add it.

Ah, hang on, you said you had a virus. Let's see if that's all gone. Go here and download Startup Log

http://home.earthlink.net/~rmbox/Reticulated/Toys.html

Install and run it, allow for the DOS window to close, then copy/paste here.

We'll go through that first before you change anything in system.ini.

Regards

eddie
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,298
Okay

I assume that you've run it and that a log has been produced. Just go to the log, open it up and it will be in, say, wordpad.

Then, go to Edit | Select All. Then, Copy.

Then, when you're here, just right-click inside the reply space (here) and choose Paste.

Is that ok?

eddie
 

eekamaus

Thread Starter
Joined
Dec 23, 2001
Messages
15
Sorry, I have not responded in a while; I have not used my computer for a while.


---------- C:\WINDOWS\desktop\StartUp.Log

Start-Ups checked at 01-02-2002 9:17:44.89p
__________________________________________________________________________
__________________________________________________________________________

StartUp Log for Windows 95/98 - Freeware by rmbox
__________________________________________________________________________
__________________________________________________________________________

Comments:

This is a log of all the programs on your computer that
are starting automatically every time you start Windows.
Using this log can be a quick way to spot trojans.

StartUp Log (version 1.54) - Release Date 12/12/2001

__________________________________________________________________________
__________________________________________________________________________

StartUp Log Index

1. HKLM Run
2. HKCU Run
3. HKLM RunOnce
4. HKCU RunOnce
5. HKLM RunServices
6. HKLM RunServicesOnce
7. WIN.INI file
8. SYSTEM.INI file
9. AUTOEXEC.BAT file
10. StartUp folder
11. All Users StartUp
12. Misc. StartUp Configurations

__________________________________________________________________________
__________________________________________________________________________

The following is a list of your current Start-Ups
__________________________________________________________________________
__________________________________________________________________________

1. HKLM Run - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Launcher"="C:\\Program Files\\Creative\\SBLive\\Launcher\\CTLauncher.exe"
"AudioHQ"="C:\\Program Files\\Creative\\SBLive\\AudioHQ\\AHQTB.EXE"
"PCTVOICE"="pctvoice.exe"
"Adaptec DirectCD"="C:\\PROGRA~1\\ADAPTEC\\DIRECTCD\\DIRECTCD.EXE"
"wcmdmgr"="C:\\WINDOWS\\wt\\updater\\wcmdmgrl.exe -launch"
"SystemTray"="SysTray.Exe"
"CountrySelection"="pctptt.exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"PCHealth"="C:\\WINDOWS\\PCHealth\\Support\\PCHSchd.exe -s"
"Norton Auto-Protect"="C:\\PROGRA~1\\NORTON~1\\NAVAPW32.EXE /LOADQUIET"
"NAV DefAlert"="C:\\PROGRA~1\\NORTON~1\\DEFALERT.EXE"
"Norton eMail Protect"="C:\\Program Files\\Norton AntiVirus\\POPROXY.EXE"
"AVGCtrl"="C:\\PROGRA~1\\AVPERS~1\\AVGCTRL.EXE /min"
"MSConfigReminder"="C:\\WINDOWS\\SYSTEM\\msconfig.exe /reminder"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"devldr16.exe"="C:\\WINDOWS\\SYSTEM\\devldr16.exe"
"CreateCD"="C:\\PROGRA~1\\ADAPTEC\\EASYCD~1\\CREATECD\\CREATECD.EXE -r"


==========================================================================
__________________________________________________________________________

2. HKCU Run - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\\PROGRA~1\\MESSEN~1\\msmsgs.exe /background"


==========================================================================
__________________________________________________________________________

3. HKLM RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

4. HKCU RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

5. HKLM RunServices - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"
"ScriptBlocking"="\"C:\\Program Files\\Common Files\\Symantec Shared\\Script Blocking\\SBServ.exe\" -reg"
"Machine Debug Manager"="C:\\WINDOWS\\SYSTEM\\MDM.EXE"
"*StateMgr"="C:\\WINDOWS\\System\\Restore\\StateMgr.exe"
"SSDPSRV"="C:\\WINDOWS\\SYSTEM\\ssdpsrv.exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"


==========================================================================
__________________________________________________________________________

6. HKLM RunServicesOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


==========================================================================
__________________________________________________________________________

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.


These are the run and load lines in your WIN.INI file

run=

load=

==========================================================================
__________________________________________________________________________

8. SYSTEM.INI File - (c:\windows\system.ini)

Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.


This is the shell line in your SYSTEM.INI file

shell=Explorer.exe

==========================================================================
__________________________________________________________________________

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

(Some trojans have been known to start from this file)


These are your program startups and set paths in your autoexec.bat file

SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP

==========================================================================
__________________________________________________________________________

10. StartUp Folder - (c:\windows\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your StartUp folder

C:\WINDOWS\Start Menu\Programs\StartUp\MSN Internet Access.lnk

==========================================================================
__________________________________________________________________________

11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your All Users StartUp folder


*(No start-ups found)*

==========================================================================
__________________________________________________________________________

12. Miscellaneous StartUp Configurations

-============================-
Registry StartUp Directories
-============================-

Should show the Start Menu StartUp and All Users StartUp directories

.....................................................................

[1] HKCU - Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

.....................................................................

[2] HKCU - User Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


.....................................................................

[3] HKLM - Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

.....................................................................

[4] HKLM - User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


.....................................................................

-=======================-
Registry Shell Spawning
-=======================-

Open Commands for Executable File Types

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)

@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)

-=========================-
HKLM RunOnceEx - Registry
-=========================-


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


-=========================-
HKU (.Default) Run - Registry
-=========================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\\PROGRA~1\\MESSEN~1\\msmsgs.exe /background"


-==============================-
HKU (.Default) RunOnce - Registry
-==============================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]


-================================-
StubPaths - Registry (Partial Listing)
-================================-

(Please see the StubPath.txt on your desktop for complete listing)

HKLM\Software\Microsoft\Active Setup\Installed Components


"StubPath"="C:\\WINDOWS\\msnmgsr1.exe"
"StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
"StubPath"=""
"StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
"StubPath"="C:\\WINDOWS\\SYSTEM\\updcrl.exe -e -u C:\\WINDOWS\\SYSTEM\\verisignpub1.crl"
"StubPath"="C:\\WINDOWS\\SYSTEM\\ie4uinit.exe"

-=================-
WINSTART.BAT File - (c:\windows\winstart.bat)
-=================-

@C:\WINDOWS\tmpcpyis.bat

-=================-
DOSSTART.BAT File - (c:\windows\dosstart.bat)
-=================-

@echo off

REM Notes:
REM DOSSTART.BAT is run whenenver you choose "Restart the computer
REM in MS-DOS mode" from the Shutdown menu in Windows. It allows
REM you to load programs that you might not want loaded in Windows,
REM (because they have functional equivalents) but that you do
REM want loaded under MS-DOS. The two primary candidates for
REM this are MSCDEX and a real mode driver for the mouse you ship
REM with your system. Commands that you want present in both Windows
REM and MS-DOS should be placed in the Autoexec.bat in the
REM \Image directory of your reference server. Please note that for
REM MSCDEX you will need to load the corresponding real-mode CD
REM driver in Config.sys. This driver won't be used by Windows 98
REM but will be available prior to and after Windows 98 exits.
REM
REM This file is also helpful if you want to F8 boot into MS-DOS 7.0
REM before Windows loads and access the CD-ROM. All you have to do
REM is press F8 and then run DOSSTART to load MSCDEX and your real
REM mode mouse driver (no need to remember the command line parameters
REM for these two files.
REM
REM - You MUST explicitly specify the CD ROM Drive Letter for MSCDEX.
REM - The string following the /D: statement must explicitly match
REM the string in CONFIG.SYS following your CD-ROM device driver.

REM MSCDEX.EXE /D:OEMCD001 /l:d
REM MOUSE.EXE


-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-

SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\BLANKS~1.SCR

==========================================================================
__________________________________________________________________________

- Supplemental Environment Information -

COMSPEC=C:\WINDOWS\COMMAND.COM
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
TEMP=C:\WINDOWS\TEMP
TMP=C:\WINDOWS\TEMP
winbootdir=C:\WINDOWS
windir=C:\WINDOWS

File - c:\windows\deletefi.ini

==========================================================================
__________________________________________________________________________

- End -
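eddie5659's system.ini check (the [boot] drivers= and shell= lines) and the baselines the StartUp Log states in its own comments (run= and load= empty, shell=Explorer.exe, the open commands listed for executable file types) can both be automated. The script below is an added example, not code from the thread or from the StartUp Log tool. Both input texts are constructed to match the formats shown above, and PLACEHOLDER.EXE is a made-up path that exists only so the checker has a deviation to report; the pasted log itself would produce no findings.

```python
"""Baseline checks for a Win9x/ME StartUp Log and for the system.ini [boot]
section.

Added example, not code from the thread or from the StartUp Log tool. The
expected values come from the thread: eddie5659's drivers=mmsystem.dll check
and the log's own comments (run= and load= empty, shell=Explorer.exe, the
open commands listed for executable file types). Both sample inputs are
constructed; PLACEHOLDER.EXE is a made-up path used only to trigger findings.
"""
import re

# Open commands exactly as the pasted log shows them for a clean system.
EXPECTED_OPEN_COMMANDS = {
    ".exe": '"%1" %*', ".com": '"%1" %*', ".bat": '"%1" %*',
    ".pif": '"%1" %*', ".scr": '"%1" /S',
}

# Constructed system.ini fragment with the [boot] lines eddie5659 asks about.
SAMPLE_SYSTEM_INI = """\
[boot]
shell=Explorer.exe
system.drv=system.drv
drivers=mmsystem.dll

[386Enh]
device=*vmm32
"""

# Constructed excerpt in the StartUp Log layout; it deviates from the
# baselines in two places (load= and the .exe open command).
SAMPLE_STARTUP_LOG = r"""
7. WIN.INI File - (c:\windows\win.ini)
Your win.ini run/load lines should look like run= and load= exclusively.

run=

load=C:\WINDOWS\PLACEHOLDER.EXE

8. SYSTEM.INI File - (c:\windows\system.ini)
Your system.ini shell line should look like shell=Explorer.exe exclusively.

shell=Explorer.exe

Open Commands for Executable File Types

@="C:\\WINDOWS\\PLACEHOLDER.EXE \"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)
"""


def unescape_reg(value):
    # Undo the .reg-style escaping the log uses: backslash-quote and doubled backslash.
    return re.sub(r'\\(["\\])', r'\1', value)


def parse_ini(text):
    """Minimal INI parser -> {section: [(key, value), ...]}, keeping duplicates."""
    sections, current = {}, None
    for raw in text.splitlines():
        ln = raw.strip()
        if not ln or ln.startswith(";"):
            continue
        if ln.startswith("[") and ln.endswith("]"):
            current = ln[1:-1].lower()
            sections.setdefault(current, [])
        elif "=" in ln and current is not None:
            key, value = ln.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def check_system_ini(text):
    """The two [boot] checks from the thread, as booleans."""
    boot = parse_ini(text).get("boot", [])
    drivers = [v for k, v in boot if k == "drivers"]
    shell = [v.lower() for k, v in boot if k == "shell"]
    return {
        # drivers= may list several modules; mmsystem.dll must be one of them
        "drivers_has_mmsystem": any("mmsystem.dll" in v.lower().split() for v in drivers),
        "shell_is_explorer": shell == ["explorer.exe"],
    }


def check_startup_log(text):
    """Return findings for lines that deviate from the log's stated baselines.
    An empty list means run=/load=, shell= and the open commands all match."""
    findings = []
    lines = [ln.strip() for ln in text.splitlines()]
    for i, ln in enumerate(lines):
        m = re.match(r"^(run|load)=(.*)$", ln, re.I)
        if m:
            if m.group(2).strip():
                findings.append(f"win.ini {m.group(1).lower()}= is not empty: {m.group(2).strip()}")
            continue
        m = re.match(r"^shell=(.*)$", ln, re.I)
        if m:
            if m.group(1).strip().lower() != "explorer.exe":
                findings.append(f"system.ini shell= is not Explorer.exe: {m.group(1).strip()}")
            continue
        m = re.match(r'^@="(.*)"$', ln)
        if m:
            # the line after an open command names the file type it belongs to
            label = next((nxt for nxt in lines[i + 1:i + 3] if nxt), "")
            t = re.match(r"^\((\.\w+) file", label)
            if t:
                ext, cmd = t.group(1).lower(), unescape_reg(m.group(1))
                expected = EXPECTED_OPEN_COMMANDS.get(ext)
                if expected is not None and cmd != expected:
                    findings.append(f"{ext} open command changed: {cmd}")
    return findings


if __name__ == "__main__":
    print(check_system_ini(SAMPLE_SYSTEM_INI))
    for finding in check_startup_log(SAMPLE_STARTUP_LOG):
        print("FINDING:", finding)
```

The checker deliberately compares against the values the log's own comments call correct rather than against a list of known-bad strings, so anything that is not the documented default is reported and the reader decides what it is; on the log pasted above every checked line matches, which is consistent with eddie5659's later "No virus from what I can see".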
 

eekamaus

Thread Starter
Joined
Dec 23, 2001
Messages
15
WOW THAT WORKS! THANK YOU!!
YOU PROBABLY KNOW THIS, BUT THERE IS SOMETHING CALLED A STUB PATH THAT ALSO APPEARED IN THE SCAN. I COULD NOT FIT IT IN THE SAME REPLY AS THAT START LOG SO HERE IT IS.

---------- StubPath.txt

=========================================================
StartUp Log Full StubPath List - 01-02-2002 9:17:49.39p
=========================================================

Comments:

The application referenced by a StubPath entry is only run once
when Windows is started.
At that time a corresponding entry is automatically placed in the
HKCU\...Active Setup\Installed Components section of the registry.
This added entry tells Windows to ignore that particular StubPath
in all future start-ups.
Removing the added HKCU entry will make the StubPath active again.
A New User logging into Windows can also activate it.

This StubPath list is separate from StartUp.Log due to the large
number of registry StubPaths that are found on some computers.

-=====================-
Stub Paths - Registry
-=====================-

[1] HKLM\Software\Microsoft\Active Setup\Installed Components
[2] These are "all" of the StubPath start-ups in your registry:

[3]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection SetupcPerUser 64 C:\\WINDOWS\\INF\\setupc.inf"
[4]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection AppletsPerUser 64 C:\\WINDOWS\\INF\\applets.inf"
[5]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\\WINDOWS\\INF\\applets1.inf"
[6]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection FontsPerUser 64 C:\\WINDOWS\\INF\\fonts.inf"
[7]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection PerUser_HNW_Inis 64 C:\\WINDOWS\\INF\\ICS.inf"
[8]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 C:\\WINDOWS\\INF\\icw97.inf"
[9]"StubPath"="RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP"
[10]"StubPath"="regsvr32.exe /s /n /i:U shell32.dll"
[11]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection PerUser_moviemaker 64 C:\\WINDOWS\\INF\\moviemk.inf"
[12]"StubPath"="C:\\WINDOWS\\msnmgsr1.exe"
[13]"StubPath"="RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf"
[14]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection PerUser_Msinfo 64 C:\\WINDOWS\\INF\\msinfo.inf"
[15]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 C:\\WINDOWS\\INF\\msinfo.inf"
[16]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 C:\\WINDOWS\\INF\\motown.inf"
[17]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 C:\\WINDOWS\\INF\\motown.inf"
[18]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection PerUser_Base 64 C:\\WINDOWS\\INF\\msmail.inf"
[19]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection SamplerPerUser 64 C:\\WINDOWS\\INF\\sampler.inf"
[20]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection ShellPerUser 64 C:\\WINDOWS\\INF\\shell.inf"
[21]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection Shell2PerUser 64 C:\\WINDOWS\\INF\\shell2.inf"
[22]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 C:\\WINDOWS\\INF\\subase.inf"
[23]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 C:\\WINDOWS\\INF\\subase.inf"
[24]"StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
[25]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection TapiPerUser 64 C:\\WINDOWS\\INF\\tapi.inf"
[26]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 C:\\WINDOWS\\INF\\wordpad.inf"
[27]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection PerUserOldLinks 64 C:\\WINDOWS\\INF\\appletpp.inf"
[28]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 C:\\WINDOWS\\INF\\mmopt.inf"
[29]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 C:\\WINDOWS\\INF\\mmopt.inf"
[30]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection OlsPerUser 64 C:\\WINDOWS\\INF\\ols.inf"
[31]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection OlsMsnPerUser 64 C:\\WINDOWS\\INF\\ols.inf"
[32]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection PerUser_PCHealth 64 C:\\WINDOWS\\INF\\pchealth.inf"
[33]"StubPath"=""
[34]"StubPath"="rundll32.exe advpack.dll,LaunchINFSection C:\\WINDOWS\\INF\\mplayer2.inf,PerUserStub"
[35]"StubPath"="rundll32.exe advpack.dll,LaunchINFSection C:\\WINDOWS\\INF\\wmp.inf,PerUserStub"
[36]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 C:\\WINDOWS\\INF\\applets.inf"
[37]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 C:\\WINDOWS\\INF\\applets.inf"
[38]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection PerUser_dxxspace_Links 64 C:\\WINDOWS\\INF\\applets1.inf"
[39]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection PerUser_Enable_Inis 64 C:\\WINDOWS\\INF\\enable.inf"
[40]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection PerUser_Wingames_Inis 64 C:\\WINDOWS\\INF\\games.inf"
[41]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection PerUser_ZoneGame_Inis 64 C:\\WINDOWS\\INF\\games.inf"
[42]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection PerUser_PBGame_Inis 64 C:\\WINDOWS\\INF\\games.inf"
[43]"StubPath"="rundll32.exe advpack.dll,LaunchINFSection C:\\WINDOWS\\INF\\msmsgs.inf,BLC.Install.PerUser"
[44]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection MotownRecPerUser 64 C:\\WINDOWS\\INF\\motown.inf"
[45]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection PerUser_Vol 64 C:\\WINDOWS\\INF\\motown.inf"
[46]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 C:\\WINDOWS\\INF\\motown.inf"
[47]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 C:\\WINDOWS\\INF\\rna.inf"
[48]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection PerUser_Sysmon_Inis 64 C:\\WINDOWS\\INF\\appletpp.inf"
[49]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection PerUser_Sysmeter_Inis 64 C:\\WINDOWS\\INF\\appletpp.inf"
[50]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection PerUser_netwatch_Inis 64 C:\\WINDOWS\\INF\\appletpp.inf"
[51]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection PerUser_CharMap_Inis 64 C:\\WINDOWS\\INF\\appletpp.inf"
[52]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection PerUser_Onlinelnks_Inis 64 C:\\WINDOWS\\INF\\appletpp.inf"
[53]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 C:\\WINDOWS\\INF\\appletpp.inf"
[54]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection PerUser_ClipBrd_Inis 64 C:\\WINDOWS\\INF\\clip.inf"
[55]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection MmoptMusicaPerUser 64 C:\\WINDOWS\\INF\\mmopt.inf"
[56]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection MmoptJunglePerUser 64 C:\\WINDOWS\\INF\\mmopt.inf"
[57]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection MmoptRobotzPerUser 64 C:\\WINDOWS\\INF\\mmopt.inf"
[58]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection MmoptUtopiaPerUser 64 C:\\WINDOWS\\INF\\mmopt.inf"
[59]"StubPath"="rundll32.exe advpack.dll,LaunchINFSection C:\\WINDOWS\\INF\\msnetmtg.inf,NetMtg.Remove.PerUser.W95"
[60]"StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
[61]"StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
[62]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection OlsAolPerUser 64 C:\\WINDOWS\\INF\\ols.inf"
[63]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection OlsAttPerUser 64 C:\\WINDOWS\\INF\\ols.inf"
[64]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection OlsProdigyPerUser 64 C:\\WINDOWS\\INF\\ols.inf"
[65]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection OlsEarthlinkPerUser 64 C:\\WINDOWS\\INF\\ols.inf"
[66]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection Shell3PerUser 64 C:\\WINDOWS\\INF\\shell3.inf"
[67]"StubPath"="rundll.exe C:\\WINDOWS\\SYSTEM\\setupx.dll,InstallHinfSection Themes_MoreWindows_PerUser 0 C:\\WINDOWS\\INF\\themes.inf"
[68]"StubPath"="rundll.exe Setupx.dll,InstallHinfSection Install 64 C:\\WINDOWS\\INF\\RUNLAST.INF"
[69]"StubPath"="rundll rnasetup.dll,installoptionalcomponent rna"
[70]"StubPath"="rundll32.exe advpack.dll,LaunchINFSection C:\\WINDOWS\\INF\\wpie5x86.inf,PerUserStub"
[71]"StubPath"="C:\\WINDOWS\\SYSTEM\\updcrl.exe -e -u C:\\WINDOWS\\SYSTEM\\verisignpub1.crl"
[72]"StubPath"="C:\\WINDOWS\\SYSTEM\\ie4uinit.exe"

----------------------------------------------------------------

(End)
GOOD LUCK. !
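The StubPath comment in the listing above describes how Active Setup decides which entries still need to run: an HKLM Installed Components entry runs once, and the matching HKCU entry written afterwards tells Windows to skip it, which is why a new user profile runs them all again. The script below is an added example, not code from the thread or from the StartUp Log tool. It reads a .reg-style export of both hives and lists the StubPaths that would still fire for the current profile; the GUIDs in the sample are constructed placeholders, and the StubPath commands are copied from the listing above.

```python
"""List Active Setup StubPath entries that would still run at next logon.

Added example, not part of the thread. Input is a .reg-style export of the
Installed Components keys under both HKLM and HKCU (the sample below is
constructed; the GUIDs are placeholders). Following the StartUp Log's own
description: an HKLM entry runs once, and the HKCU copy written afterwards
tells Windows to skip it. Real Windows also re-runs an entry when the HKLM
Version value is newer than the HKCU one; that comparison is not modelled.
"""
import re

HKLM_COMPONENTS = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components"
HKCU_COMPONENTS = r"HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components"

# Constructed export: components 2 and 4 are still pending for this profile,
# component 1 has already been recorded under HKCU, component 3 is empty.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"StubPath"="C:\\WINDOWS\\SYSTEM\\ie4uinit.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000002}]
"StubPath"="regsvr32.exe /s /n /i:U shell32.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000003}]
"StubPath"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000004}]
"StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"

[HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"Version"="1,0,0,0"
"""


def parse_reg(text):
    """Parse .reg-style text into {key_path: {value_name: data}} for the
    "Name"="data" string form, undoing the backslash escaping."""
    keys, current = {}, None
    for raw in text.splitlines():
        ln = raw.strip()
        if ln.startswith("[") and ln.endswith("]"):
            current = ln[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'^"([^"]+)"="(.*)"$', ln)
            if m:
                keys[current][m.group(1)] = re.sub(r'\\(["\\])', r"\1", m.group(2))
    return keys


def component_id(key_path, prefix):
    """Return the component name (GUID, lower-cased) if key_path is a direct
    child of prefix, otherwise None."""
    if key_path.lower().startswith(prefix.lower() + "\\"):
        rest = key_path[len(prefix) + 1:]
        return rest.lower() if "\\" not in rest else None
    return None


def pending_stubpaths(reg_text):
    """Return {guid: stubpath} for HKLM components that have a non-empty
    StubPath and no matching HKCU entry, i.e. those that run at next logon."""
    keys = parse_reg(reg_text)
    done = {component_id(k, HKCU_COMPONENTS) for k in keys} - {None}
    pending = {}
    for key, values in keys.items():
        guid = component_id(key, HKLM_COMPONENTS)
        stub = values.get("StubPath", "")
        if guid and stub and guid not in done:
            pending[guid] = stub
    return pending


if __name__ == "__main__":
    for guid, stub in pending_stubpaths(SAMPLE_REG).items():
        print(f"{guid}: {stub}")
```

When reviewing a listing like the 72-entry one above, the pending set is the part worth reading closely: entries already mirrored under HKCU have run and will not run again for this user, while anything with a non-empty StubPath and no HKCU counterpart executes at the next logon without appearing in the Run keys or the StartUp folder.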
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,298
Well, that was quite a read :p

Now, let's see if it's any of your startup programs. I've included a description as well.

Creative Launcher: For Creative Soundblaster Live! series soundcards. Adds a quick-launch bar to the top of the display and a System Tray icon. Available via Start -> Programs - not required

AudioHQ: For Creative Soundblaster Live! series soundcards. System tray application for SB Live! functions. Available via Start -> Programs - not required

PCTVOICE: The program PCTVoice is used by the modem to interface with your computer and also used for some V.80 functions for Video Conferencing. If you remove it, it comes back. It's better to leave it

Adaptec DirectCD: Unless you have a CD-RW in the drive to drag and drop files to it you don't need DirectCD. Available via Start -> Programs - not required

wcmdmgr: It will periodically contact WildTangent servers to see if an update is available for your system and allows us to make the product exceptionally reliable. You can control its behavior, or disable it completely, inside your Windows Control Panel. Not required

SystemTray: keep

CountrySelection: Country selection for a PCtel HSP56 based modem. Often found in OEM (Dell, Compaq, HP, etc) systems for their modems included on the motherboard or as a separate card. Once you've set the modem up to the chosen country it's not required

ScanRegistry: keep

TaskMonitor: The Task Monitor monitors the disk-access patterns of programs when they are started and stores this information in log files in the Applog folder. Task Monitor also records the number of times you use a program. The Disk Defragmenter tool uses this information to optimize your hard disk so that programs that you use frequently are loaded faster. Not required - but can be useful

PCHealth: WinME. This is a "scheduler" and does not turn off PC Health

Norton Auto-Protect: Norton Anti-Virus's background scanning process. Can be inconvenient because it scans files when Run/Opened or Downloaded/Created and you can scan files manually via right-click after downloading/copying. However, in light of some of the viruses around these days it's probably best to put up with the inconvenience

NAV DefAlert: Norton Anti-Virus Definitions Alert. Warns you if virus definitions are out of date. You should update definitions on at least a weekly basis anyway if you use the internet regularly

Norton eMail Protect: Proxy E-mail protection from Norton Anti-Virus. If you have it installed, leave it enabled to automatically check for suspect attachments in E-mails that may contain viruses. E-mails are scanned on a proxy server before being downloaded to your system

AVGCtrl: Did you have AVG? Have you uninstalled it if you had?

MSConfigReminder: This is an entry that appears when you uncheck an item in the Startup group, and will disappear if on the next reboot you select the option to not be reminded that you are running in Selective Startup mode

LoadPowerProfile: Power management specifics such as monitor shut-off, system standby, etc. keep

devldr16.exe: Associated with Creative Labs sound cards. Provides audio support for DOS applications. Not needed if you don't have those.

CreateCD: Adaptec Easy CD Creator system tray application (pre version 5). Available via Start -> Programs - not required

Okay, for the ones you don't want, go to Run and type MSCONFIG. Startup tab. Uncheck the ones you don't want, apply and restart. If you're unsure, do each separately, but apply and restart after each one.

You also have this:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\\PROGRA~1\\MESSEN~1\\msmsgs.exe /background"


but it's not in your startup. Did you ever have MSN Messenger? This is the registry entry for it that needs to be removed. But that may not be causing this.

Can you post the contents of your system.ini and I'll confirm that the drivers bit is in there.

No virus from what I can see, btw.

Regards

eddie
 

eekamaus

Thread Starter
Joined
Dec 23, 2001
Messages
15
system.ini will not copy because there is no EDIT tab to select all.

AVG CONTROL - DO NOT KNOW WHAT THIS IS. EXCEPT THAT IT HAS TO DO WITH MOUSE CONTROLS. I HAD A FREE CUSTOM CURSOR AT ONE TIME FROM COMET CURSOR(?) BUT I GOT RID OF IT BECAUSE IT PUT ITS OWN ADDRESS BAR WHICH I DID NOT WANT.

MSN MESSENGER: IT CAME WITH THE COMPUTER, BUT I NEVER USE IT. IT RUNS IN THE BACKGROUND WHEN I'M LOGGED ON ACCORDING TO A MESSAGE I GOT WHEN I CLICKED ON ITS ICON ON THE TASKBAR.

I CAME ACROSS THE FOLLOWING IN SYSTEM INFORMATION:
{00000075-9980-0010-8000-00AA00389B71} Damaged 0,0,0,1 http://codecs.microsoft.com/codecs/i386/voxacm.CAB
IN THE INTERNET CACHE LIST OF ITEM. WHAT IS THIS?

ALSO I DID A FREE TROJAN SCAN FROM ANTI-TROJAN.NET AND IT SAID I HAD AN OPEN PORT 5000 WITH YAHOO MESSENGER CHAT BEING THE APPLICATION. HOW DO I CLOSE IT?
GLAD TO HEAR NO VIRUSES!!!!
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,298
Hiya

You said that you had Comet Cursor. Did you remove it via Add/Remove? It may have left some traces, so go here and download Ad-aware www.lavasoftusa.org
Install and run it, ensuring Deep Registry Scan is enabled. Remove all except any references to Web3000 or new.net. If you're unsure, copy/paste the list.

Whilst you're there, download and install RefUpdate. Run it to update the Reference file.

For the system.ini, just right-click inside the notepad and choose Select All, then do it again and choose Copy. Paste here.

You say that the codecs file that is corrupt is in the Internet Cache. Have you emptied it lately?

Tools | Internet Options. General tab. Under Delete Files, delete offline content.

Is it still there? It may be due to your WMP codecs.

Go here and download the codecs:

http://www.microsoft.com/downloads/search.asp?

As I'm at work, we can't do all the stuff at home, so put Windows Me in OS, Windows Media Player in Products and do by date. It's around Sept.

Regards

eddie
 

eekamaus

Thread Starter
Joined
Dec 23, 2001
Messages
15
Scan initialized on 1/21/2002 10:22:06 PM.
(AAW release 5.62, referencefile 087-22.09.2001)
=================================================


Started memory scan
====================
Running processes:

#:1 Name: C:\WINDOWS\SYSTEM\KERNEL32.DLL
----------------------------
Threads:4
ProcID:4279207333
ParentProcID:2123310197
BasePriority:High

#:2 Name: C:\WINDOWS\SYSTEM\MSGSRV32.EXE
----------------------------
Threads:1
ProcID:4294951749
ParentProcID:4279207333
BasePriority:Normal

#:3 Name: C:\WINDOWS\SYSTEM\mmtask.tsk
----------------------------
Threads:1
ProcID:4294861445
ParentProcID:4294951749
BasePriority:Normal

#:4 Name: C:\WINDOWS\SYSTEM\MPREXE.EXE
----------------------------
Threads:1
ProcID:4294863041
ParentProcID:4294951749
BasePriority:Normal

#:5 Name: C:\WINDOWS\SYSTEM\MSTASK.EXE
----------------------------
Threads:3
ProcID:4294858325
ParentProcID:4294863041
BasePriority:Normal

#:6 Name: C:\WINDOWS\SYSTEM\MDM.EXE
----------------------------
Threads:2
ProcID:4294883049
ParentProcID:4294863041
BasePriority:Normal

#:7 Name: C:\WINDOWS\SYSTEM\SSDPSRV.EXE
----------------------------
Threads:4
ProcID:4294874381
ParentProcID:4294863041
BasePriority:Normal

#:8 Name: C:\WINDOWS\SYSTEM\DEVLDR16.EXE
----------------------------
Threads:3
ProcID:4294775949
ParentProcID:4294859045
BasePriority:Normal

#:9 Name: C:\WINDOWS\EXPLORER.EXE
----------------------------
Threads:12
ProcID:4294800289
ParentProcID:4294951749
BasePriority:Normal

#:10 Name: C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\CTLAUNCHER.EXE
----------------------------
Threads:1
ProcID:4294781817
ParentProcID:4294800289
BasePriority:Normal

#:11 Name: C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
----------------------------
Threads:1
ProcID:4294711373
ParentProcID:4294800289
BasePriority:Normal

#:12 Name: C:\WINDOWS\PCTVOICE.EXE
----------------------------
Threads:2
ProcID:4294710077
ParentProcID:4294800289
BasePriority:Normal

#:13 Name: C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
----------------------------
Threads:1
ProcID:4294724421
ParentProcID:4294800289
BasePriority:Normal

#:14 Name: C:\WINDOWS\SYSTEM\SYSTRAY.EXE
----------------------------
Threads:2
ProcID:4294751661
ParentProcID:4294800289
BasePriority:Normal

#:15 Name: C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE
----------------------------
Threads:3
ProcID:4294756445
ParentProcID:4294707837
BasePriority:Idle

#:16 Name: C:\WINDOWS\TASKMON.EXE
----------------------------
Threads:1
ProcID:4294643069
ParentProcID:4294800289
BasePriority:Normal

#:17 Name: C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
----------------------------
Threads:6
ProcID:4294682709
ParentProcID:4294800289
BasePriority:Normal

#:18 Name: C:\WINDOWS\SYSTEM\WMIEXE.EXE
----------------------------
Threads:3
ProcID:4294685049
ParentProcID:4294751661
BasePriority:Normal

#:19 Name: C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
----------------------------
Threads:1
ProcID:4294682297
ParentProcID:4294800289
BasePriority:Normal

#:20 Name: C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
----------------------------
Threads:4
ProcID:4294697653
ParentProcID:4294870349
BasePriority:Normal

#:21 Name: C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
----------------------------
Threads:2
ProcID:4294617929
ParentProcID:4294800289
BasePriority:Normal

#:22 Name: C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
----------------------------
Threads:4
ProcID:4294634585
ParentProcID:4294800289
BasePriority:Normal

#:23 Name: C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
----------------------------
Threads:1
ProcID:4294613825
ParentProcID:4294800289
BasePriority:Normal

#:24 Name: C:\PROGRAM FILES\MSNIA\TRAYCLNT.EXE
----------------------------
Threads:6
ProcID:4294509961
ParentProcID:4294800289
BasePriority:Normal

#:25 Name: C:\WINDOWS\SYSTEM\PSTORES.EXE
----------------------------
Threads:3
ProcID:4294529817
ParentProcID:4294613825
BasePriority:Normal

#:26 Name: C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\TASKGUIDE\UPDTRAY.EXE
----------------------------
Threads:1
ProcID:4294534821
ParentProcID:4294781817
BasePriority:Normal

#:27 Name: C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
----------------------------
Threads:10
ProcID:4294524237
ParentProcID:4294800289
BasePriority:Normal

#:28 Name: C:\WINDOWS\SYSTEM\RNAAPP.EXE
----------------------------
Threads:3
ProcID:4294497485
ParentProcID:4294524237
BasePriority:Normal

#:29 Name: C:\WINDOWS\SYSTEM\TAPISRV.EXE
----------------------------
Threads:5
ProcID:4294386101
ParentProcID:4294497485
BasePriority:Normal

#:30 Name: C:\WINDOWS\SYSTEM\DDHELP.EXE
----------------------------
Threads:6
ProcID:4294372581
ParentProcID:4294524237
BasePriority:Realtime

#:31 Name: C:\PROGRAM FILES\LAVASOFT AD-AWARE\AD-AWARE.EXE
----------------------------
Threads:1
ProcID:4294356529
ParentProcID:4294800289
BasePriority:Normal

Memory scan result:
Total modules found:31
Suspicious modules found:0


Started registry scan
======================
Transponder key:HKEY_CLASSES_ROOT\clsid\{00000000-5eb9-11d5-9d45-009027c14662}\
CometCursor key:HKEY_CLASSES_ROOT\clsid\{6f2d6a5e-e3e7-4f18-887c-c777650def57}\
CometCursor key:HKEY_CLASSES_ROOT\clsid\{7f0f5da7-84cb-11d4-8137-00500487b1c5}\
CometCursor key:HKEY_CLASSES_ROOT\clsid\{827a2ece-d76f-4bcc-82ed-d6a287c11211}\
CometCursor key:HKEY_CLASSES_ROOT\clsid\{c38fc998-3b1b-4f59-a710-5a6c9cf8bd92}\
Transponder key:HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{00000000-5eb9-11d5-9d45-009027c14662}\


Started extended registry scan
===============================


Registry scan result:
Suspicious keys found :6


Started folder scan
====================
Warning, no disk in drive (A)

Now processing drive (C), 0 remaining.
Finished processing Drive(C), 1111 folders total.

Folder scan result:
Folders processed:1111
Suspicious folders found:0


Started file scan
==================

File scan result:
Suspicious files found:0



Scanning finished
==================
Suspicious modules found:0
Suspicious keys found :6
Suspicious folders found:0
Suspicious files found:0
=========================
Spyware components ignored:0
Total spyware components found:

WOW THE SITE IS BACK !!! COOL!!!
ANYWAY I DOWNLOADED ADAWARE TODAY AND POSTED THE RESULTS ABOVE.

I COULD NOT COPY/PASTE SYSTEM.INI BUT
DRIVERS=MMSYSTEM.DLL POWER DRV
IT'S NOT EXACTLY WHAT YOU TYPED, IS IT OK?
AVG IS AN ANTIVIRUS PROGRAM I INSTALLED DEC 25, 01
I'VE UNINSTALLED WILD TANGENT ABOUT 2X.
AND I DOWNLOADED A FREE PROGRAM FROM ZONELABS
BOY THAT WAS A MISTAKE. TALK ABOUT TAKING OVER MY COMPUTER. THEY ARE VERY DIFFICULT TO GET RID OF!

MY CODEC IS STILL DAMAGED.
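The Ad-Aware log above is easier to read structurally than by eye: every process block carries a ProcID and a ParentProcID, so the parent of each entry can be recovered, and every registry finding is labelled with the component Ad-Aware attributes it to. The Python below is an added example written for this thread, not code from the forum or from Ad-Aware. It parses a constructed excerpt in the same layout (four of the 31 processes and four of the six registry keys, with the summary counts adjusted to match), rebuilds parent/child relationships, groups the findings by component, picks out the one registered as a Browser Helper Object, and cross-checks the listed keys against the log's own total.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the Ad-Aware 5.62 log posted above:
# four of the 31 processes and four of the six registry findings. Paths and
# CLSIDs are copied from the thread; the summary counts are adjusted to match
# this shorter excerpt.
SAMPLE_LOG = r"""
Started memory scan
====================
Running processes:

#:1 Name: C:\WINDOWS\SYSTEM\KERNEL32.DLL
----------------------------
Threads:4
ProcID:4279207333
ParentProcID:2123310197
BasePriority:High

#:2 Name: C:\WINDOWS\SYSTEM\MSGSRV32.EXE
----------------------------
Threads:1
ProcID:4294951749
ParentProcID:4279207333
BasePriority:Normal

#:3 Name: C:\WINDOWS\SYSTEM\mmtask.tsk
----------------------------
Threads:1
ProcID:4294861445
ParentProcID:4294951749
BasePriority:Normal

#:9 Name: C:\WINDOWS\EXPLORER.EXE
----------------------------
Threads:12
ProcID:4294800289
ParentProcID:4294951749
BasePriority:Normal

Memory scan result:
Total modules found:4
Suspicious modules found:0

Started registry scan
======================
Transponder key:HKEY_CLASSES_ROOT\clsid\{00000000-5eb9-11d5-9d45-009027c14662}\
CometCursor key:HKEY_CLASSES_ROOT\clsid\{6f2d6a5e-e3e7-4f18-887c-c777650def57}\
CometCursor key:HKEY_CLASSES_ROOT\clsid\{7f0f5da7-84cb-11d4-8137-00500487b1c5}\
Transponder key:HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{00000000-5eb9-11d5-9d45-009027c14662}\

Registry scan result:
Suspicious keys found :4
"""

PROC_RE = re.compile(r"^#:(\d+) Name: (.+)$")
FIELD_RE = re.compile(r"^(Threads|ProcID|ParentProcID|BasePriority):(.+)$")
KEY_RE = re.compile(r"^(\w+) key:(HKEY_[A-Z_]+\\.+)$")
TOTAL_RE = re.compile(r"^((?:Total|Suspicious) \w+ found)\s*:(\d+)$")


def parse_processes(log):
    """One dict per '#:n Name:' block. ProcID/ParentProcID are 32-bit values
    that Ad-Aware prints unsigned; keep them as ints and compare exactly."""
    procs, cur = [], None
    for line in log.splitlines():
        m = PROC_RE.match(line)
        if m:
            cur = {"index": int(m.group(1)), "name": m.group(2).strip()}
            procs.append(cur)
        elif cur is not None and (m := FIELD_RE.match(line)):
            key, val = m.groups()
            cur[key] = val.strip() if key == "BasePriority" else int(val)
    return procs


def parent_name(procs, name):
    """Path of the process that started `name`, or None when the parent is not
    in the list (the root entry's parent lies outside the scan)."""
    by_pid = {p["ProcID"]: p["name"] for p in procs}
    for p in procs:
        if p["name"].lower() == name.lower():
            return by_pid.get(p["ParentProcID"])
    return None


def registry_findings(log):
    """{component: [registry keys]} for every '<Component> key:' line."""
    found = defaultdict(list)
    for line in log.splitlines():
        if m := KEY_RE.match(line):
            found[m.group(1)].append(m.group(2))
    return dict(found)


def bho_keys(findings):
    """Keys under Explorer's 'Browser Helper Objects'. A CLSID registered there
    is loaded into every Internet Explorer process, so it matters more than the
    bare HKEY_CLASSES_ROOT clsid entry, which only describes the COM class."""
    return [k for keys in findings.values() for k in keys
            if "\\browser helper objects\\" in k.lower()]


def summary_counts(log):
    """The log's own totals, e.g. {'Suspicious keys found': 4}."""
    return {m.group(1): int(m.group(2))
            for m in map(TOTAL_RE.match, log.splitlines()) if m}


def keys_match_summary(log):
    """True when the registry keys actually listed add up to the reported count."""
    listed = sum(len(v) for v in registry_findings(log).values())
    return listed == summary_counts(log).get("Suspicious keys found")
```

Run against the full log from the post, `registry_findings` gives the five CometCursor keys and one Transponder key eekamaus describes in the next message, and `keys_match_summary` confirms they account for the six the summary reports.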
 

eekamaus

Thread Starter
Joined
Dec 23, 2001
Messages
15
I COULD NOT POST THE SUSPICIOUS LIST OF SIX ITEMS FOUND.
I WILL MENTION THEM.

THERE ARE 5 FROM COMET CURSOR AND
1 FROM TRANSPONDER.

WHAT SHOULD I DO? DELETE?
ALSO I FOUND THIS: SNIFFPOL.DLL WHILE SEARCHING STARTUP
IS THIS A SNOOPING PROGRAM INSTALLED ON MY COMPUTER?


I DON'T KNOW WHAT YOU MEAN BY PUTTING ME IN OS.
WINDOWS MEDIA PLAYER PRODUCTS BY DATE.
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,298
Okay

The files that Ad-Aware found are fine to remove with the program. Did you uninstall CometCursor via Add/Remove first? If so, just remove the files by ticking them when you click Proceed. If not, uninstall it, then remove the files as above.

You said that you have this in the system.ini

DRIVERS=MMSYSTEM.DLL POWER DRV

Not sure if the power drv should be there. Was there a "." in there, so it would be power.drv?

I thought that they had to be on their own, like this:

[boot]
system.drv=system.drv
drivers=mmsystem.dll
user.exe=user.exe
gdi.exe=gdi.exe
sound.drv=mmsound.drv
dibeng.drv=dibeng.dll
comm.drv=comm.drv
shell=Explorer.exe
keyboard.drv=keyboard.drv
fonts.fon=vgasys.fon
fixedfon.fon=vgafix.fon
oemfonts.fon=vgaoem.fon
386Grabber=vgafull.3gr
display.drv=pnpdrvr.drv
mouse.drv=mouse.drv
*DisplayFallback=0

[power.drv]

maybe someone who is more in tune with these may offer some light.

As to the codec, did you empty the TIFs?

SNIFFPOL.DLL

Interesting, never heard of it. Do you have a firewall?

Also, what did you mean by

I DONT KNOW WHAT YOU MEAN BY PUTTING ME IN OS.
WINDOWS MEDIA PLAYER PRODUCTS BY DATE
Regards

eddie
 

eekamaus

Thread Starter
Joined
Dec 23, 2001
Messages
15
IN SYSTEM.INI :
[BOOT]
oemfonts.fon=vgaoem.fon
shell=Explorer.exe
system.drv=system.drv
drivers=mmsystem.dll power.drv
user.exe=user.exe
gdi.exe=gdi.exe
sound.drv=mmsound.drv
dibeng.drv=dibeng.dll
comm.drv=comm.drv
mouse.drv=mouse.drv
keyboard.drv=keyboard.drv
*DisplayFallback=0
font.fon=vgasys.fon
386Grabber=vgafull.3gr
display.drv=pnpdrvr.drv
display.drv=pnpdrvr.drv
SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\BLANKS~1.SCR
*DisplayFallback=0
*DisplayFallback=0
[keyboard]
boot.description]
[386Enh]
[NonWindowsApp]
[power.drv]
[drivers]
[iccvid.drv]
[mciseq.drv]
[mci]
[vcache]
[MSNP32]
[Password List]
[drivers32]
[TTFontDimenCache]


SO YES THERE WAS A "." IN
DRIVERS=MMSYSTEM.DLL POWER.DRV
REFERRING TO THE CODECS:
YES I DID EMPTY MY TEMP INTERNET FILES. I WILL SEARCH THE MICROSOFT SITE ON THIS.

NO FIREWALL YET.
AS TO THE QUOTE I WAS REFERRING TO THE END OF YOUR POST
ON 1-4-02
COMET CURSOR~~~~~~~~


I BELIEVE I DID REMOVE IT BY ADD/REMOVE. IT'S NOT LISTED ANYMORE. SO I JUST CHECKED THEM OFF IN AAW TO DELETE.



I REALLY APPRECIATE YOUR HELP. THANK YOU.

EEKAMAUS.
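Two things in the pasted [boot] section are better checked mechanically than by eye. First, the drivers= line: Windows reads that value as a space-separated list of installable drivers, and mmsystem.dll power.drv is the stock Windows 9x/Me setting, so the line with the "." in it is normal. Second, the file's shape: the paste shows display.drv and *DisplayFallback repeated and one header missing its opening bracket (boot.description]). The Python below is an added example written for this thread, not a tool from the forum or from Microsoft. It reads a constructed excerpt modelled on that paste with a small duplicate-preserving INI reader (the standard configparser would merge the duplicates and raise on the malformed header, hiding exactly what a reviewer wants to see) and reports the drivers= tokens, the shell= value, duplicated keys and unparseable lines. The list of expected drivers is an assumption supplied by the caller.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the Windows Me system.ini pasted in the thread.
# The repeated keys and the header with a missing "[" are reproduced on purpose,
# because those are what the checks below are meant to surface.
SAMPLE_SYSTEM_INI = r"""
[boot]
oemfonts.fon=vgaoem.fon
shell=Explorer.exe
system.drv=system.drv
drivers=mmsystem.dll power.drv
user.exe=user.exe
gdi.exe=gdi.exe
display.drv=pnpdrvr.drv
display.drv=pnpdrvr.drv
SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\BLANKS~1.SCR
*DisplayFallback=0
*DisplayFallback=0
[keyboard]
boot.description]
[386Enh]
[power.drv]
[drivers]
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")


def parse_ini(text):
    """Return (sections, problems).

    sections: {name: [(key, value), ...]} in file order, duplicates kept.
    problems: [(line_no, line, reason)] for lines that are neither a section
    header, a key=value pair, a comment nor blank. configparser is avoided on
    purpose: it merges duplicate keys and raises on the malformed header.
    """
    sections, problems, current = {}, [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if m := SECTION_RE.match(line):
            current = m.group(1)
            sections.setdefault(current, [])  # empty sections are still recorded
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
        else:
            reason = "no section yet" if current is None else "not a header or key=value"
            problems.append((no, line, reason))
    return sections, problems


def first_value(sections, section, key):
    """Value of the first `key` in `section`, or None."""
    for k, v in sections.get(section, []):
        if k.lower() == key.lower():
            return v
    return None


def boot_drivers(sections):
    """Tokens of [boot] drivers=. Windows reads this as a space-separated list
    of installable drivers, so 'mmsystem.dll power.drv' is two entries, not one."""
    value = first_value(sections, "boot", "drivers")
    return value.split() if value else []


def unexpected_boot_drivers(sections, expected=("mmsystem.dll", "power.drv")):
    """drivers= entries outside `expected`. The stock Windows 9x/Me pair is the
    assumed default; pass your own tuple for a different baseline."""
    return [d for d in boot_drivers(sections) if d.lower() not in expected]


def boot_shell(sections):
    """[boot] shell= names the program Windows starts as the desktop. On a stock
    system it is Explorer.exe; anything else here deserves a close look."""
    return first_value(sections, "boot", "shell")


def duplicate_keys(section_pairs):
    """Keys listed more than once in one section. The last one usually wins, so
    duplicates are either harmless leftovers or a sign the file was rewritten."""
    counts = Counter(k.lower() for k, _ in section_pairs)
    return sorted(k for k, n in counts.items() if n > 1)
```

Pointing `parse_ini` at the real file (C:\WINDOWS\SYSTEM.INI on Windows Me) instead of the constructed sample is a one-line change; the checks themselves stay the same.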
 