
time to rebuild

Discussion in 'All Other Software' started by siccx_fox, Feb 18, 2003.

Thread Status:
Not open for further replies.
  1. siccx_fox

    siccx_fox Thread Starter

    Joined:
    Aug 4, 2002
    Messages:
    52
    A virus or something messed up my computer. After a virus scan the trouble stopped, but the damage is still here. My Windows Media Player, Notepad, Word, and other applications don't work. I'm running on XP if that helps.
     
  2. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Go here: http://www.lurkhere.com/~nicefiles/
    and download "StartupList".
    Run it and post the generated text file in your next post.
    Let's see what's going on in the background.
     
  3. siccx_fox

    siccx_fox Thread Starter

    Joined:
    Aug 4, 2002
    Messages:
    52
    StartupList report, 2/18/2003, 4:46:23 AM
    StartupList version: 1.51
    Started from : C:\Documents and Settings\FOX\Desktop\StartupList.EXE
    Detected: Windows XP (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\ZipToA.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\iMesh\Client\iMeshClient.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\DAP\DAP.EXE
    C:\Documents and Settings\FOX\Desktop\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\FOX\Start Menu\Programs\Startup]
    iMesh.lnk = C:\Program Files\iMesh\Client\iMeshClient.exe

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Microsoft Works Portfolio = C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    Iomega Startup Options = C:\Program Files\Iomega\Common\ImgStart.exe
    Iomega Drive Icons = C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    BearShare = C:\Program Files\BearShare\BearShare.exe /m
    AdaptecDirectCD = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    DownloadAccelerator = C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    MovieNetworks = "C:\Program Files\MovieNetworks\MovieNetworks.exe" /H
    Windows Explorer Update Build 1142 = explorer32.exe
    CreateCD50 = C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
    vptray = C:\Program Files\NavNT\vptray.exe
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    CloneCDElbyCDFL = "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    CloneCDTray = "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
    RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    eDonkey2000 = C:\Program Files\eDonkey2000\eDonkey2000.exe -t

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    Windows Explorer Update Build 1142 = explorer32.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
    AIM = C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\WINDOWS\System32\FOne.dll - {000000F1-34E3-4633-87C6-1AA7A44296DA}
    (no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    Activater - (no file) - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F}
    (no name) - (no file) - {7DD896A9-7AEB-430F-955B-CD125604FDCB}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    PCHealth Scheduler for Data Collection.job
    Symantec NetDetect.job
    Tune-up Application Start.job
    Uninstall Expiration Reminder.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [QuickTime Object]
    InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\SYSTEM32\MACROMED\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/...director/sw.cab

    [RdxIE Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll
    CODEBASE = http://207.82.221.103/133ea0ff6e43d...etzip/RdxIE.cab

    [{41F17733-B041-4099-A042-B518BB6A408C}]
    CODEBASE = http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/...all/xscan53.cab

    [{89122070-4199-11D4-8BAF-0050045B552C}]
    CODEBASE = http://download.rocketpipe.com/bundles/2564.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.c...7414.5754976852

    [HeartbeatCtl Class]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\hrtbeat.ocx
    CODEBASE = http://fdl.msn.com/zone/Z4/heartbeat.cab

    [plug Class]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\CHARGI~1.DLL
    CODEBASE = http://dist02.chargitdial.com/chargitplug.dll

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\flash.ocx
    CODEBASE = http://download.macromedia.com/pub/...ash/swflash.cab

    [{E87A6788-1D0F-4444-8898-1D25829B6755}]
    CODEBASE = http://fdl.msn.com/public/chat/msnchat4.cab

    --------------------------------------------------
    End of report, 6,442 bytes
    Report generated in 0.160 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  4. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    36,326
    Hiya

    Let's have a look at the startup programs:

    Microsoft Works Portfolio: The Works Portfolio tool lets you collect and organize text and pictures from the Web or your favorite program. Can be prevented from starting from a setting within Portfolio. Not needed.

    Iomega Startup: Used by Iomega drives. Details of its purpose can be found here. Available via Start -> Programs. Not needed:

    http://pw2.netcom.com/~deepone/zipjaz/ioware.html#startup

    Iomega Drive Icons: Used by Iomega drives. Details of its purpose can be found here. Available via Start -> Programs. Not needed:

    http://pw2.netcom.com/~deepone/zipjaz/ioware.html#startup

    BearShare: a file sharing client. Versions known to include spyware. Not needed. See end.

    AdaptecDirectCD: DirectCD primarily allows you to drag and drop files onto a suitably formatted CD-RW disc. Unless you use this on a frequent basis it isn't required and is available via Start -> Programs. Start the program before inserting a DirectCD formatted CD-RW in the drive. A re-boot is recommended if you close Adaptec DirectCD before re-opening it again later.

    DownloadAccelerator: Download Accelerator Plus from Speedbit. Download manager for resuming downloads, amongst other features. Available via Start -> Programs. Note that the free version is "adware" based.

    MovieNetworks: MovieNetworks will connect you by DOMESTIC PREMIUM RATE TELEPHONE NUMBER 900-xxx-xxxx. So you get xxx rate pictures and junk. And it will allow you to stay on the internet on their line and $$$. Remove the C:\Program Files\MovieNetworks directory.

    Windows Explorer Update Build 1142: Added as a result of the KaZaA based KWBOT VIRUS

    CreateCD50: Adaptec Easy CD Creator version 5 system tray application. Available via Start -> Programs. Not needed.

    vptray: System Tray icon for Norton Anti-Virus Corporate Edition. Gives access to the options available and may not be required. Some users may have problems - refer here:

    http://groups.google.com/groups?q=v...&[email protected]

    QuickTime Task: System Tray access to Apple's "Quick Time" viewer from version 5 onwards. Not needed.

    CloneCDElbyCDFL: From Elaborate Bytes who make CloneCD - monitors the installed filters of CD-ROMs/DVD-ROMs. Note - under Win2K removing this from startup causes the CD drive in the computer to not be recognized in the OS, and after rechecking it prompts that the driver has been corrupted and asks you to restart the computer to fix it.

    CloneCDTray: System tray for CloneCD - the only useful option is "Hide CDR Media" only available via this tray. Not needed.

    RealTray: System Tray icon for RealPlayer. If you subsequently start RealPlayer manually it adds itself back to the start-up list. You can stop this from happening by right-clicking on the tray icon and disabling SmartCenter via Preferences. Not needed.


    eDonkey2000: Filesharing program. Not needed at startup.


    Okay, it looks like you still have bits of the virus there. Also, a dodgy plugin that costs you money, which you may not want. For the virus, read this:

    http://securityresponse.symantec.com/avcenter/venc/data/w32.kwbot.b.worm.html

    And this is the removal bit:

    After you've made sure that the virus has fully gone, go here and download SpyBot:

    http://tomcoyote.org/SPYBOT/

    There's some other things in the list, but we'll see if Spybot helps first.

    Regards

    eddie
     
  5. siccx_fox

    siccx_fox Thread Starter

    Joined:
    Aug 4, 2002
    Messages:
    52
    StartupList report, 2/22/2003, 11:30:34 PM
    StartupList version: 1.51
    Started from : C:\Documents and Settings\FOX\Desktop\StartupList.EXE
    Detected: Windows XP (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2600.0000)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\ZipToA.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\KaZaA Lite\Kazaa.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\DAP\DAP.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\FOX\Desktop\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\FOX\Start Menu\Programs\Startup]
    iMesh.lnk = C:\Program Files\iMesh\Client\iMeshClient.exe

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Microsoft Works Portfolio = C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    Iomega Startup Options = C:\Program Files\Iomega\Common\ImgStart.exe
    Iomega Drive Icons = C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    BearShare = C:\Program Files\BearShare\BearShare.exe /m
    AdaptecDirectCD = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    DownloadAccelerator = C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    CreateCD50 = C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
    vptray = C:\Program Files\NavNT\vptray.exe
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    CloneCDElbyCDFL = "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    CloneCDTray = "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
    RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    eDonkey2000 = C:\Program Files\eDonkey2000\eDonkey2000.exe -t
    xv_crtl = C:\Program Files\3dhq Tools\v_ctrl.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
    AIM = C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    PCHealth Scheduler for Data Collection.job
    Symantec NetDetect.job
    Tune-up Application Start.job
    Uninstall Expiration Reminder.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [QuickTime Object]
    InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\SYSTEM32\MACROMED\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [RdxIE Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll
    CODEBASE = http://207.82.221.103/133ea0ff6e43defa0223/netzip/RdxIE.cab

    [{41F17733-B041-4099-A042-B518BB6A408C}]
    CODEBASE = http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/2003012801/housecall.antivirus.com/housecall/xscan53.cab

    [{89122070-4199-11D4-8BAF-0050045B552C}]
    CODEBASE = http://download.rocketpipe.com/bundles/2564.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37414.5754976852

    [HeartbeatCtl Class]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\hrtbeat.ocx
    CODEBASE = http://fdl.msn.com/zone/Z4/heartbeat.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [{E87A6788-1D0F-4444-8898-1D25829B6755}]
    CODEBASE = http://fdl.msn.com/public/chat/msnchat4.cab

    [Tukati Launcher]
    InProcServer32 = C:\WINDOWS\System32\TukatiClientInstaller.dll
    CODEBASE = http://3dgamers.tukati.com/tukati/1.6.36.36/tukati.cab

    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: \??\C:\WINDOWS\System32\SETA.tmp|!\??\C:\WINDOWS\System32\urlmon.dll||?

    --------------------------------------------------
    End of report, 6,378 bytes
    Report generated in 0.140 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only

    I couldn't find any source of that worm; I guess it's cleaned up, but I get this message when I run Windows Media Player:

    "The instruction at "0x591c28e9" referenced memory at "0x521e4e70". The memory could not be "read""
     
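As an added example (not code from this thread, from StartupList or from HijackThis), here is a small Python triage script for the two reports above: it parses StartupList's registry Run-key and Browser Helper Object sections, applies a few review heuristics of the kind eddie5659 walks through by hand in post 4 (a bare filename with no install path, the same name under both Run and RunServices, a BHO whose file is gone, an unnamed BHO loaded from System32), and diffs the Feb 18 report against the Feb 22 one so the entries that vanished after cleanup and the one that appeared (xv_crtl) stand out. The embedded report excerpts are constructed cut-downs of the two posted reports, and the heuristics are this example's own assumptions, not rules from either tool.

```python
import re

# Constructed excerpts of the Feb 18 and Feb 22 StartupList reports posted in this thread.
REPORT_FEB18 = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
vptray = C:\Program Files\NavNT\vptray.exe
Windows Explorer Update Build 1142 = explorer32.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows Explorer Update Build 1142 = explorer32.exe
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\WINDOWS\System32\FOne.dll - {000000F1-34E3-4633-87C6-1AA7A44296DA}
(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Activater - (no file) - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F}
"""
REPORT_FEB22 = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
vptray = C:\Program Files\NavNT\vptray.exe
xv_crtl = C:\Program Files\3dhq Tools\v_ctrl.exe
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
"""
RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

def parse_startuplist(text):
    """Split a report on its dashed rules into {registry key or 'BHO': {entry: command or 'name | dll'}}."""
    sections = {}
    for block in re.split(r"^-{10,}\s*$", text, flags=re.M):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]  # blank lines are noise
        if not lines:
            continue
        if lines[0].startswith("Autorun entries from Registry:"):
            # second line is the registry key; the rest are "name = command"
            sections[lines[1]] = dict(ln.split(" = ", 1) for ln in lines[2:] if " = " in ln)
        elif lines[0].startswith("Enumerating Browser Helper Objects:"):
            # BHO lines read "name - dll path - {CLSID}"; split from the right to protect the CLSID
            bhos = {}
            for ln in lines[1:]:
                name, path, clsid = ln.rsplit(" - ", 2)
                bhos[clsid] = f"{name} | {path}"
            sections["BHO"] = bhos
    return sections

def flag_entries(report):
    """Heuristic triage -> [(section, entry, reason)]. Review prompts, not verdicts; rules are this example's own."""
    findings = []
    for key in (k for k in report if k.endswith(("\\Run", "\\RunServices"))):
        for name, cmd in report[key].items():
            if "\\" not in cmd:
                # "explorer32.exe" carries no install directory; installers almost always write a full path
                findings.append((key, name, "bare filename, no install path"))
            if key == RUN and name in report.get(RUN + "Services", {}):
                # RunServices is a Win9x-era key; writing both is a worm's way of persisting on any version
                findings.append((key, name, "also registered under RunServices"))
    for clsid, desc in report.get("BHO", {}).items():
        name, path = desc.split(" | ", 1)
        if path == "(no file)":
            findings.append(("BHO", clsid, "registered but DLL missing: orphaned entry"))
        elif name == "(no name)" and path.lower().startswith(r"c:\windows\system32"):
            findings.append(("BHO", clsid, "unnamed BHO loaded from System32: verify it"))
    return findings

def diff_reports(before, after):
    """(removed, added) as 'section: entry' strings; an entry whose command changed shows in both."""
    removed, added = [], []
    for section in sorted(set(before) | set(after)):
        old, new = before.get(section, {}), after.get(section, {})
        removed += [f"{section}: {k}" for k in old if old[k] != new.get(k)]
        added += [f"{section}: {k}" for k in new if new[k] != old.get(k)]
    return removed, added

if __name__ == "__main__":
    first, second = parse_startuplist(REPORT_FEB18), parse_startuplist(REPORT_FEB22)
    for finding in flag_entries(first):
        print("FLAG |", " | ".join(finding))
    gone, new = diff_reports(first, second)
    print("removed since Feb 18:", gone)
    print("added since Feb 18:", new)
```

On the constructed excerpts the first report yields five findings and the second none, and the diff lists the explorer32.exe entries and the two dead BHOs as removed and xv_crtl as the only addition.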
  6. steamwiz

    steamwiz

    Joined:
    Oct 4, 2002
    Messages:
    2,773
  7. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    36,326
    Thanks steam

    I keep trying to learn about all the bits an' bobs in the Startup lists :)

    siccx_fox: Is that the most up-to-date Startup list? Also, could you run HijackThis and post that? It would make it a bit easier to work on if they were both together.

    Thanks

    eddie
     
  8. siccx_fox

    siccx_fox Thread Starter

    Joined:
    Aug 4, 2002
    Messages:
    52
    The one right above steamwiz is the most recent.

    Logfile of HijackThis v1.91.2
    Scan saved at 1:22:34 PM, on 2/23/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.yyep.com/search/search05.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.cnn.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.google.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [BearShare] C:\Program Files\BearShare\BearShare.exe /m
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [eDonkey2000] C:\Program Files\eDonkey2000\eDonkey2000.exe -t
    O4 - HKLM\..\Run: [xv_crtl] C:\Program Files\3dhq Tools\v_ctrl.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.82.221.103/133ea0ff6e43defa0223/netzip/RdxIE.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003012801/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {89122070-4199-11D4-8BAF-0050045B552C} - http://download.rocketpipe.com/bundles/2564.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37414.5754976852
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://3dgamers.tukati.com/tukati/1.6.36.36/tukati.cab
     
  9. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    36,326
    Hmmm

    Gonna wait and see if steam can look at the second list, as he may spot things I don't :)

    Also, have you tried to see if the problems happen in Safe Mode?

    eddie
     
  10. steamwiz

    steamwiz

    Joined:
    Oct 4, 2002
    Messages:
    2,773
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.yyep.com/search/search05.html

    Did you set yyep.com up as a search?

    If not, you can delete this one.

    Apart from ditching DAP (full of spyware) as pointed out in one of the other threads - and using a different download manager - I don't see anything malicious in there.

    steam
     
  11. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
  12. The_Egg

    The_Egg

    Joined:
    Sep 16, 2002
    Messages:
    1,157
    Hey guys, there's loads of spyware apps in that list.

    For starters:
    iMesh, Bearshare and eDonkey are all loading at startup :eek:
    These 3 file sharing apps come loaded with Spyware.
    iMesh is a killer! It took me nearly 2 hours to remove all the damage it did to my nephew's comp the other day. And that was with Spybot S&D's assistance!

    DAP and Fresh Download have also added to the spyware woes.

    Between them, these apps are the cause of most, if not all of your troubles.
    Uninstall them ALL !!!

    Then follow the instructions in your other thread to install and run Spybot Search and Destroy.
    Get the Includes/scan updates c/o Online button,
    disable System Internals and Usage Tracking in Settings -> File Sets
    Then go back to Spybot S&D button and click "check for problems"
    When the scan is complete, let Spybot S&D repair everything it auto checkmarks.
    If prompted, let Spybot S&D load after reboot to fix whatever it couldn't fix on first run. After rebooting, it will appear before the Windows GUI, so then run the scan again and leave Spybot to fix everything.
    When it says "congratulations, no spybots found"
    that's when you know you're clean.

    When done, post your startuplist here again please.
    Then we'll advise you of a few other non-spyware related startups that aren't required at bootup, so we can tweak your overall system performance.

    Trust us and Go for it :)
    Hopefully, it's not too late ;)

    Stick to WinMX for filesharing, and Kazaa-Lite if you must.


    ps. hmmm . . . 2000 posts to become a DM
    I wonder if I'll ever make it, hehe ?! :D
     
  13. steamwiz

    steamwiz

    Joined:
    Oct 4, 2002
    Messages:
    2,773
    Hi egg

    I don't have or use a P2P program - consequently I'm not too well up on them - with all that spyware I should be :rolleyes:

    That was a great link I'll have to get some reading done ;)

    Actually I figured seeing as they are installed and he has run spybot etc. the programs are now clean and if they still work with it removed - ok

    Don't get me wrong - I agree with you - don't install them in the first place

    steam
     

Short URL to this thread: https://techguy.org/119572
