Two Instances of Explorer.exe

Discussion in 'Windows Desktop Systems' started by paul2-0-0-2, Feb 12, 2004.

  1. paul2-0-0-2

    paul2-0-0-2 Moderator

    Messages:
    979
    Kinda off topic, sorry; thought I'd ask in here instead of making a new thread since you posted that link.

    But sometimes I have 2 explorers in Task Manager. Scanned loads of times with NAV2003 and AVG, never found any virus. Is it normal sometimes to have 2 running?
     
  2. Tiesto

    Tiesto OSNN Addict

    Messages:
    112
    Well, do they have the same name of Explorer.exe, or just similar, like Explore.exe or Expl0rer.exe?
     
  3. paul2-0-0-2

    paul2-0-0-2 Moderator

    Messages:
    979
  4. Tiesto

    Tiesto OSNN Addict

    Messages:
    112
    Paul: Try running antivirus and Ad-Aware first. If nothing comes up, run HijackThis and paste the log in here. Explorer.exe doesn't ever normally run twice, so there is something wrong somewhere.
     
  5. paul2-0-0-2

    paul2-0-0-2 Moderator

    Messages:
    979
    Couldn't get the new version, though; dunno if that will make any difference.
    StartupList report, 14/02/2004, 00:53:02
    StartupList version: 1.52
    Started from : C:\Documents and Settings\Chandz\Desktop\hijackthis\HijackThis.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Apps\ActivBoard\nhksrv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
    C:\program files\microangelo\muamgr.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Tweak-XP Pro\tranicon.exe
    C:\Program Files\CursorXP\CursorXP.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\winservn.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\PROGRA~1\Ericsson\MOBILE~1\DbgOut.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Chandz\Desktop\hijackthis\HijackThis.exe
    C:\Documents and Settings\Chandz\Desktop\hijackthis\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Chandz\Start Menu\Programs\Startup]
    DigiGuide.lnk = C:\Program Files\DigiGuide TV Guide\client00.exe

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    CloneCDElbyCDFL = "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    TimerModule = C:\WINDOWS\System32\TimerModule.exe
    Desksite CMA = c:\program files\desksite\bin\cma.exe
    MessengerPlus2 = "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    Zone Labs Client = C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
    MOD = c:\program files\microangelo\muamgr.exe
    NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
    AVG_CC = C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    WinampAgent = C:\Program Files\Winamp\winampa.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    IDMan = C:\Program Files\Internet Download Manager\IDMan.exe /onboot
    TransparentIcons = "C:\Program Files\Tweak-XP Pro\tranicon.exe" -ex
    Tweak-XP =
    PicoZip = C:\PROGRA~1\PicoZip\PicoZipTray.exe
    CursorXP = C:\Program Files\CursorXP\CursorXP.exe
    MessengerPlus2 = "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    StatusDP = "C:\DOCUME~1\Chandz\LOCALS~1\Temp\Rar$EX00.859\dpstatus.exe"
    ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
    Uptime-Project = C:\Documents and Settings\Chandz\Desktop\client\client.exe
    ContentService = C:\WINDOWS\System32\winservn.exe
    msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    [svchost]
    = c:\windows\system\winlogon.exe

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\TechSmith\SnagIt 6\SnagItBHO.dll - {00C6482D-C502-44C8-8409-FCE54AD9C208}
    (no name) - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
    (no name) - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    (no name) - C:\WINDOWS\System32\IETie.dll - {9527D42F-D666-11D3-B8DD-00600838CD5F}
    (no name) - C:\PROGRA~1\FlashGet\jccatch.dll - {A5366673-E8CA-11D3-9CD9-0090271D075B}
    (no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
    (no name) - C:\Program Files\Xi\Net Transport\NTIEHelper.dll - {C56CB6B0-0D96-11D6-8C65-B2868B609932}

    --------------------------------------------------
     
  6. paul2-0-0-2

    paul2-0-0-2 Moderator

    Messages:
    979
    Enumerating Task Scheduler jobs:

    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [QuickTime Object]
    InProcServer32 = C:\WINDOWS\System32\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [sys Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\PCPitStop.dll
    CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [iCC Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\pcpConnCheck.dll
    CODEBASE = http://www.pcpitstop.com/internet/pcpConnCheck.cab

    [{29C13B62-B9F7-4CD3-8CEF-0A58A1A99441}]
    CODEBASE = http://fdl.msn.com/public/chat/msnchat41.cab

    [Symantec AntiVirus scanner]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
    CODEBASE = http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab

    [YInstStarter Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
    CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

    [Cult3D ActiveX Player]
    InProcServer32 = C:\WINDOWS\System32\Cult3D\IECult.dll
    CODEBASE = http://www.cult3d.com/download/cult.cab

    [EricClient Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\EricControl.dll
    CODEBASE = http://www.gsmserver.com/info/EricControl.cab

    [{41F17733-B041-4099-A042-B518BB6A408C}]
    CODEBASE = http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/uk/win/QuickTimeInstaller.exe

    [Pixami Image Editor Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\BPIMAG~1.OCX
    CODEBASE = http://www.imagestation.com/common/classes/BPImageEditor.cab?ver=1,1,0,30

    [{525A15D0-4938-11D4-94C7-0050DA20189B}]
    CODEBASE = http://www.ea.com/downloads/games/common/snoopy/iesnoopy.cab

    [{56336BCB-3D8A-11D6-A00B-0050DA18DE71}]
    CODEBASE = http://207.188.7.150/26d72d4f2b0237512819/netzip/RdxIE2.cab

    [{5E943D9C-F8DC-4258-8E3F-A61BB3405A33}]
    CODEBASE = http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802

    [FileSharingCtrl Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\fsmsngr_en.dll
    CODEBASE = http://appdirectory.messenger.msn-int.com/AppDirectory/P4Apps/FileSharing/en/fsmsngr_en.dll

    [PWMediaSendControl Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\PWActiveXImgCtl.dll
    CODEBASE = http://216.249.24.140/code/PWActiveXImgCtl.CAB

    [{6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2}]
    CODEBASE = http://www.gigex.com/tv/igor/gigexagent.dll

    [GSDACtl Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\gsda.dll
    CODEBASE = http://launch.gamespyarcade.com/software/launch/alaunch.cab

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/80a25dd3ec062c/housecall.antivirus.com/housecall/xscan53.cab

    [{7A32634B-029C-4836-A023-528983982A49}]
    CODEBASE = http://fdl.msn.com/public/chat/msnchat42.cab

    [Flo2_L2 Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\NG03_F~1.OCX
    CODEBASE = http://www.nokiagame.com/games/2K1E4R5Vem5ui1Sw1Wyas/flo2_l2.cab

    [Java Plug-in 1.4.0_03]
    InProcServer32 = C:\Program Files\Java\j2re1.4.0_03\bin\npjpi140_03.dll

    [InstallShield International Setup Player]
    InProcServer32 = c:\windows\DOWNLO~1\isetup.dll
    CODEBASE = http://www.installengine.com/engine/isetup.cab

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
    CODEBASE = http://www.pandasoftware.com/activescan/as/asinst.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37616.3919097222

    [YahooYMailTo Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ymmapi.dll
    CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll

    [WTHoster Class]
    InProcServer32 = C:\WINDOWS\wt\webdriver\wthostctl.dll
    CODEBASE = http://www.wildtangent.com/install/wdriver/sportsgames/nikefootball/nike/wtinst.cab

    [Mophun Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\mophun.ocx
    CODEBASE = http://www.mophun.com/codebase/mophun.cab

    [LiveX(5.3.0.0) Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\LiveX_E.ocx
    CODEBASE = http://canasta.no-ip.com/cab/Live.cab

    [Symantec RuFSI Registry Information Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
    CODEBASE = http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab

    [{CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA}]

    [{CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA}]

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [{E87A6788-1D0F-4444-8898-1D25829B6755}]
    CODEBASE = http://fdl.msn.com/public/chat/msnchat4.cab

    [Yahoo! Companion]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
    CODEBASE = http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab

    [Hotmail Attachments Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\HMAtchmt.ocx
    CODEBASE = http://sea1fd.sea1.hotmail.msn.com/activex/HMAtchmt.ocx

    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: C:\DOCUME~1\Chandz\LOCALS~1\Temp\~f51e43.tmp||C:\DOCUME~1\Chandz\LOCALS~1\Temp\~f51e43.tmp||C:\DOCUME~1\Chandz\LOCALS~1\Temp\~f51e43.tmp||C:\DOCUME~1\Chandz\LOCALS~1\Temp\~f51e43.tmp||C:\DOCUME~1\Chandz\LOCALS~1\Temp\~f51e43.tmp||C:\DOCUME~1\Chandz\LOCALS~1\Temp\irsetup.exe||C:\DOCUME~1\Chandz\LOCALS~1\Temp\irsetup.exe||C:\DOCUME~1\Chandz\LOCALS~1\Temp\irsetup.exe||C:\DOCUME~1\Chandz\LOCALS~1\Temp\irsetup.exe


    --------------------------------------------------


    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 12,383 bytes
    Report generated in 0.718 seconds
     
  7. Tiesto

    Tiesto OSNN Addict

    Messages:
    112
    Running Process:

    C:\WINDOWS\system32\slserv.exe

    Kill that, that's not a Windows process.

    (no name) - C:\WINDOWS\System32\IETie.dll - {9527D42F-D666-11D3-B8DD-00600838CD5F}

    (no name) - C:\Program Files\Xi\Net Transport\NTIEHelper.dll - {C56CB6B0-0D96-11D6-8C65-B2868B609932}

    Those 2 registry keys don't look familiar; they may be malicious.
     
  8. paul2-0-0-2

    paul2-0-0-2 Moderator

    Messages:
    979
    Thanks

    Found out 2 are fine (Y)

    slserv.exe Aztech Modem Driver

    (no name) - C:\Program Files\Xi\Net Transport\NTIEHelper.dll - {C56CB6B0-0D96-11D6-8C65-B2868B609932}


    EDIT

    Download Accelerator program I use, lol, which has spyware; that's what the NTIEHelper.dll is.
     
  9. Enyo

    Enyo Moderator

    Messages:
    1,338
    Yes Paul, don't remove those. What does need to be removed, however, is:

    1)

    Winlogon does not reside in \system and Winlogon does not exist as a Run entry.

    Need to isolate the file and check it.

    2)
    ClickSpring Spyware.

    If you could remove those, then post a HijackThis log using the latest download.

    http://www.webattack.com/get/hijackthis.html
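The checks the replies in this thread make by eye, written out as an added example (this is not code from the original posts or from HijackThis): a Python pass over log lines in the StartupList / HijackThis format that flags a core Windows binary name running or registered from the wrong directory (the c:\windows\system\winlogon.exe Run entry Enyo points at), autoruns launched from Temp or a user's Desktop, and more than one explorer.exe in the process list. The expected-directory table is an assumption for Windows XP; the sample lines are copied from the log posted above, with the Run-subkey entry flattened to one line. One caveat worth having before killing anything: a second explorer.exe from C:\WINDOWS is not on its own evidence of infection, since the Folder Options setting "Launch folder windows in a separate process" legitimately produces one, so the useful check is whether both instances are the same image in the same directory.

```python
r"""Triage pass over a HijackThis / StartupList log.

Added example for this thread, not code from the original posts or from the
HijackThis project. It automates what the replies above do by hand:
  * a core Windows binary name running or registered outside the directory
    it belongs in (the c:\windows\system\winlogon.exe Run entry),
  * autoruns launched from Temp or a user's Desktop,
  * more than one explorer.exe in the process list.
The expected-directory table is an assumption for Windows XP; SAMPLE_LOG is
copied from the log posted in the thread, Run-subkey entry flattened.
"""
import re

# Where core XP binaries live (assumption); a lookalike elsewhere is suspect.
SYSTEM_BINARIES = {
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Directory fragments no legitimate autorun should be launched from.
VOLATILE_DIRS = ("\\temp\\", "\\desktop\\")

# First drive-letter path in a line, up to its executable/module extension.
PATH_RE = re.compile(r"([a-z]:\\.*?\.(?:exe|dll|ocx|scr|com))", re.IGNORECASE)

# Lines taken from the log posted in this thread (last line flattened).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\winservn.exe
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [TimerModule] C:\WINDOWS\System32\TimerModule.exe
O4 - HKCU\..\Run: [StatusDP] "C:\DOCUME~1\Chandz\LOCALS~1\Temp\Rar$EX00.859\dpstatus.exe"
O4 - HKCU\..\Run: [Uptime-Project] C:\Documents and Settings\Chandz\Desktop\client\client.exe
svchost = c:\windows\system\winlogon.exe
"""


def extract_path(line):
    """Return the lower-cased image path found in a log line, or None."""
    m = PATH_RE.search(line)
    return m.group(1).lower() if m else None


def triage(log_text):
    """Return a list of (finding, evidence) pairs for suspicious entries."""
    findings = []
    process_dirs = {}  # image name -> directories it was seen running from
    for raw in log_text.splitlines():
        line = raw.strip()
        path = extract_path(line)
        if path is None:
            continue
        directory, _, name = path.rpartition("\\")
        # A line that is nothing but a path came from "Running processes".
        is_process = line.lower() == path
        if is_process:
            process_dirs.setdefault(name, []).append(directory)
        expected = SYSTEM_BINARIES.get(name)
        if expected is not None and directory != expected:
            findings.append(("system binary name outside its expected directory", line))
        if not is_process and any(frag in directory + "\\" for frag in VOLATILE_DIRS):
            findings.append(("autorun launched from a volatile location", line))
    # Two explorer.exe entries are only alarming if they are different images.
    for name, dirs in process_dirs.items():
        if name == "explorer.exe" and len(dirs) > 1:
            if len(set(dirs)) > 1:
                findings.append(("explorer.exe running from two different directories", ", ".join(dirs)))
            else:
                findings.append(("duplicate explorer.exe from the same image", dirs[0]))
    return findings


if __name__ == "__main__":
    for finding, evidence in triage(SAMPLE_LOG):
        print(f"{finding}: {evidence}")
```

On the sample above this reports the two Temp/Desktop autoruns, the winlogon.exe entry registered from c:\windows\system rather than system32, and a same-image duplicate of explorer.exe. A path check like this says nothing about winservn.exe, which resembles no system file; that one needs a hash or vendor lookup, which is how the thread ends up identifying it.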
     
  10. paul2-0-0-2

    paul2-0-0-2 Moderator

    Messages:
    979
    Got rid of winservn with a2/Ad-Aware yesterday.

    c:\windows\system\winlogon.exe: can't find that :confused:

    Tried to get HijackThis; no site seems to be working with the download :eek:
     
  11. Enyo

    Enyo Moderator

    Messages:
    1,338
  12. paul2-0-0-2

    paul2-0-0-2 Moderator

    Messages:
    979
    Thanks, got it from

    http://www.softpedia.com/public/cat/10/17/10-17-69.shtml

    They put up some new mirrors, which work now.
    Code:
    Logfile of HijackThis v1.97.7
    Scan saved at 11:37:54, on 15/02/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Apps\ActivBoard\nhksrv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
    C:\program files\microangelo\muamgr.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Tweak-XP Pro\tranicon.exe
    C:\Program Files\CursorXP\CursorXP.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\PROGRA~1\Ericsson\MOBILE~1\DbgOut.exe
    C:\Program Files\Messenger\Msmsgs.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Chandz\Desktop\hijackthis\HijackThis.exe
    
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = CHAND
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 6\SnagItBHO.dll
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\Net Transport\NTIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\MSDXM.OCX
    O3 - Toolbar: 3DNA Toolbar - {2ECB7FB2-0333-416F-92FD-4904AD49252B} - C:\WINDOWS\system32\3DNATO~1.DLL
    O3 - Toolbar: Find - {8D029AEC-E412-4948-84B5-699A740946AE} - %SystemRoot%\System32\iefind.dll (file missing)
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 6\SnagItIEAddin.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [TimerModule] C:\WINDOWS\System32\TimerModule.exe
    O4 - HKLM\..\Run: [Desksite CMA] c:\program files\desksite\bin\cma.exe
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
    O4 - HKLM\..\Run: [MOD] c:\program files\microangelo\muamgr.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
     
  13. paul2-0-0-2

    paul2-0-0-2 Moderator

    Messages:
    979
    Code:
    /STARTUP
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
    O4 - HKCU\..\Run: [TransparentIcons] "C:\Program Files\Tweak-XP Pro\tranicon.exe" -ex
    O4 - HKCU\..\Run: [PicoZip] C:\PROGRA~1\PicoZip\PicoZipTray.exe
    O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [StatusDP] "C:\DOCUME~1\Chandz\LOCALS~1\Temp\Rar$EX00.859\dpstatus.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Uptime-Project] C:\Documents and Settings\Chandz\Desktop\client\client.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: DigiGuide.lnk = C:\Program Files\DigiGuide TV Guide\client00.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Convert and Open - C:\PROGRA~1\Camtech\CONVER~1\ConvertIt.htm
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Allow personal info to reach this site - file://C:\Program Files\GhostSurf\info.allow.html
    O8 - Extra context menu item: Allow popups on this site - file://C:\Program Files\GhostSurf\popup.allow.html
    O8 - Extra context menu item: Allow this advertisement - file://C:\Program Files\GhostSurf\menu.allowimg.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Block personal info from this site - file://C:\Program Files\GhostSurf\info.block.html
    O8 - Extra context menu item: Block popups on this site - file://C:\Program Files\GhostSurf\popup.block.html
    O8 - Extra context menu item: Block this advertisement - file://C:\Program Files\GhostSurf\menu.blockimg.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download all by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddList.html
    O8 - Extra context menu item: Download by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddLink.html
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Get Flash by &Arty Flash Ripper - C:\Program Files\Softdigger\FlashRipper\IEMenu.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: GhostSurf Privacy Center (HKLM)
    O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
    O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {405B09E4-BBDA-4564-989E-15DE26B416EA} (EricClient Class) - http://www.gsmserver.com/info/EricControl.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020124/qtinstall.info.apple.com/qt505/uk/win/QuickTimeInstaller.exe
    O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/classes/BPImageEditor.cab?ver=1,1,0,30
    O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://www.ea.com/downloads/games/common/snoopy/iesnoopy.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/26d72d4f2b0237512819/netzip/RdxIE2.cab
    O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
    O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn-int.com/AppDirectory/P4Apps/FileSharing/en/fsmsngr_en.dll
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
    O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} - http://www.gigex.com/tv/igor/gigexagent.dll
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/80a25dd3ec062c/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
    O16 - DPF: {83B67220-025C-416C-8049-398E12764B36} (Flo2_L2 Control) - http://www.nokiagame.com/games/2K1E4R5Vem5ui1Sw1Wyas/flo2_l2.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_03) - 
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37616.3919097222
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://www.wildtangent.com/install/wdriver/sportsgames/nikefootball/nike/wtinst.cab
    O16 - DPF: {AE609930-A6EB-4A78-B7DA-B3200705FEBD} (Mophun Control) - http://www.mophun.com/codebase/mophun.cab
    O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} (LiveX(5.3.0.0) Control) - http://canasta.no-ip.com/cab/Live.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_02) - 
    O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) - 
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://sea1fd.sea1.hotmail.msn.com/activex/HMAtchmt.ocx
     
  14. paul2-0-0-2

    paul2-0-0-2 Moderator

    Messages:
    979
    Code:
    StartupList report, 15/02/2004, 11:46:17
    StartupList version: 1.52
    Started from : C:\Documents and Settings\Chandz\Desktop\hijackthis\HijackThis.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================
    
    Running processes:
    
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Apps\ActivBoard\nhksrv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
    C:\program files\microangelo\muamgr.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Tweak-XP Pro\tranicon.exe
    C:\Program Files\CursorXP\CursorXP.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\PROGRA~1\Ericsson\MOBILE~1\DbgOut.exe
    C:\Program Files\Messenger\Msmsgs.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Chandz\Desktop\hijackthis\HijackThis.exe
    
    --------------------------------------------------
    
    Listing of startup folders:
    
    Shell folders Startup:
    [C:\Documents and Settings\Chandz\Start Menu\Programs\Startup]
    DigiGuide.lnk = C:\Program Files\DigiGuide TV Guide\client00.exe
    
    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    
    --------------------------------------------------
    
    
     
  15. paul2-0-0-2

    paul2-0-0-2 Moderator

    Messages:
    979
    Code:
    Checking Windows NT UserInit:
    
    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,
    
    --------------------------------------------------
    
    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    
    CloneCDElbyCDFL = "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    TimerModule = C:\WINDOWS\System32\TimerModule.exe
    Desksite CMA = c:\program files\desksite\bin\cma.exe
    MessengerPlus2 = "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    Zone Labs Client = C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
    MOD = c:\program files\microangelo\muamgr.exe
    NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
    AVG_CC = C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    WinampAgent = C:\Program Files\Winamp\winampa.exe
    PestPatrol Control Center = C:\Program Files\PestPatrol\PPControl.exe
    PPMemCheck = C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    
    --------------------------------------------------
    
    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    
    IDMan = C:\Program Files\Internet Download Manager\IDMan.exe /onboot
    TransparentIcons = "C:\Program Files\Tweak-XP Pro\tranicon.exe" -ex
    Tweak-XP = 
    PicoZip = C:\PROGRA~1\PicoZip\PicoZipTray.exe
    CursorXP = C:\Program Files\CursorXP\CursorXP.exe
    MessengerPlus2 = "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    StatusDP = "C:\DOCUME~1\Chandz\LOCALS~1\Temp\Rar$EX00.859\dpstatus.exe"
    ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
    Uptime-Project = C:\Documents and Settings\Chandz\Desktop\client\client.exe
    msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    
    --------------------------------------------------
    
    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    
    [svchost]
     = c:\windows\system\winlogon.exe
    
    --------------------------------------------------
    
    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
    
    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*
    
    Shell & screensaver key from Registry:
    
    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*
    
    Policies Shell key:
    
    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*
    
    --------------------------------------------------
    
    
    Enumerating Browser Helper Objects:
    
    (no name) - C:\Program Files\TechSmith\SnagIt 6\SnagItBHO.dll - {00C6482D-C502-44C8-8409-FCE54AD9C208}
    (no name) - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
    (no name) - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    (no name) - C:\PROGRA~1\FlashGet\jccatch.dll - {A5366673-E8CA-11D3-9CD9-0090271D075B}
    (no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
    (no name) - C:\Program Files\Xi\Net Transport\NTIEHelper.dll - {C56CB6B0-0D96-11D6-8C65-B2868B609932}
    
    --------------------------------------------------
    
    Enumerating Task Scheduler jobs:
    
    Symantec NetDetect.job
    
    --------------------------------------------------
    
    Enumerating Download Program Files:
    
    [QuickTime Object]
    InProcServer32 = C:\WINDOWS\System32\QTPlugin.ocx
    CODEBASE = [url]http://www.apple.com/qtactivex/qtplugin.cab[/url]
    
    [sys Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\PCPitStop.dll
    CODEBASE = [url]http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB[/url]
    
    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
    CODEBASE = [url]http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab[/url]
    
    [iCC Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\pcpConnCheck.dll
    CODEBASE = [url]http://www.pcpitstop.com/internet/pcpConnCheck.cab[/url]
    
    [{29C13B62-B9F7-4CD3-8CEF-0A58A1A99441}]
    CODEBASE = [url]http://fdl.msn.com/public/chat/msnchat41.cab[/url]
    
    [Symantec AntiVirus scanner]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
    CODEBASE = [url]http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab[/url]
    
    [YInstStarter Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
    CODEBASE = [url]http://download.yahoo.com/dl/installs/yinst.cab[/url]
    
    [Cult3D ActiveX Player]
    InProcServer32 = C:\WINDOWS\System32\Cult3D\IECult.dll
    CODEBASE = [url]http://www.cult3d.com/download/cult.cab[/url]
    
    [EricClient Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\EricControl.dll
    CODEBASE = [url]http://www.gsmserver.com/info/EricControl.cab[/url]
    
    [{41F17733-B041-4099-A042-B518BB6A408C}]
    CODEBASE = [url]http://a1540.g.akamai.net/7/1540/52/20020124/qtinstall.info.apple.com/qt505/uk/win/QuickTimeInstaller.exe[/url]
    
    [Pixami Image Editor Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\BPIMAG~1.OCX
    CODEBASE = [url]http://www.imagestation.com/common/classes/BPImageEditor.cab?ver=1,1,0,30[/url]
    
    [{525A15D0-4938-11D4-94C7-0050DA20189B}]
    CODEBASE = [url]http://www.ea.com/downloads/games/common/snoopy/iesnoopy.cab[/url]
    
    [{56336BCB-3D8A-11D6-A00B-0050DA18DE71}]
    CODEBASE = [url]http://207.188.7.150/26d72d4f2b0237512819/netzip/RdxIE2.cab[/url]
    
    [{5E943D9C-F8DC-4258-8E3F-A61BB3405A33}]
    CODEBASE = [url]http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802[/url]
    
    [FileSharingCtrl Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\fsmsngr_en.dll
    CODEBASE = [url]http://appdirectory.messenger.msn-int.com/AppDirectory/P4Apps/FileSharing/en/fsmsngr_en.dll[/url]
    
    [PWMediaSendControl Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\PWActiveXImgCtl.dll
    CODEBASE = [url]http://216.249.24.140/code/PWActiveXImgCtl.CAB[/url]
    
    [{6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2}]
    CODEBASE = [url]http://www.gigex.com/tv/igor/gigexagent.dll[/url]
    
    [GSDACtl Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\gsda.dll
    CODEBASE = [url]http://launch.gamespyarcade.com/software/launch/alaunch.cab[/url]
    
    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
    CODEBASE = [url]http://a840.g.akamai.net/7/840/537/80a25dd3ec062c/housecall.antivirus.com/housecall/xscan53.cab[/url]
    
    [{7A32634B-029C-4836-A023-528983982A49}]
    CODEBASE = [url]http://fdl.msn.com/public/chat/msnchat42.cab[/url]
    
    [Flo2_L2 Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\NG03_F~1.OCX
    CODEBASE = [url]http://www.nokiagame.com/games/2K1E4R5Vem5ui1Sw1Wyas/flo2_l2.cab[/url]
    
    [Java Plug-in 1.4.0_03]
    InProcServer32 = C:\Program Files\Java\j2re1.4.0_03\bin\npjpi140_03.dll
    
    [InstallShield International Setup Player]
    InProcServer32 = c:\windows\DOWNLO~1\isetup.dll
    CODEBASE = [url]http://www.installengine.com/engine/isetup.cab[/url]
    
    [ActiveScan Installer Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
    CODEBASE = [url]http://www.pandasoftware.com/activescan/as/asinst.cab[/url]
    
    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = [url]http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37616.3919097222[/url]
    
    [YahooYMailTo Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ymmapi.dll
    CODEBASE = [url]http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll[/url]
    
    [WTHoster Class]
    InProcServer32 = C:\WINDOWS\wt\webdriver\wthostctl.dll
    CODEBASE = [url]http://www.wildtangent.com/install/wdriver/sportsgames/nikefootball/nike/wtinst.cab[/url]
    
    [Mophun Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\mophun.ocx
    CODEBASE = [url]http://www.mophun.com/codebase/mophun.cab[/url]
    
    [LiveX(5.3.0.0) Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\LiveX_E.ocx
    CODEBASE = [url]http://canasta.no-ip.com/cab/Live.cab[/url]
    
    [Symantec RuFSI Registry Information Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
    CODEBASE = [url]http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab[/url]
    
    [{CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA}]
    
    [{CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA}]
    
    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = [url]http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[/url]
    
    [{E87A6788-1D0F-4444-8898-1D25829B6755}]
    CODEBASE = [url]http://fdl.msn.com/public/chat/msnchat4.cab[/url]
    
    [Yahoo! Companion]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
    CODEBASE = [url]http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab[/url]
    
    [Hotmail Attachments Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\HMAtchmt.ocx
    CODEBASE = [url]http://sea1fd.sea1.hotmail.msn.com/activex/HMAtchmt.ocx[/url]
    
    --------------------------------------------------
    
    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*
    
    Windows NT checkdisk command:
    BootExecute = autocheck autochk *
    
    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: c:\windows\system32\winservn.exe||c:\documents and settings\chandz\cookies\chandz@netshelter.adtrix[2].txt
    
    
    --------------------------------------------------
    
    Enumerating ShellServiceObjectDelayLoad items:
    
    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll
    
    --------------------------------------------------
    End of report, 11,968 bytes
    Report generated in 0.062 seconds
    
    
     
  16. Enyo

    Enyo Moderator

    Messages:
    1,338
    Moderation - Thread Split

    From the Startup List log:

    Windows NT 'Wininit.ini':

    PendingFileRenameOperations: c:\windows\system32\winservn.exe||c:\documents and settings\chandz\cookies\chandz@netshelter.adtrix[2].txt

    Remove that, it's left over from when you removed winservn.exe.
     
  17. yoyo

    yoyo _________________

    Messages:
    1,557
    Regarding the two instances of Explorer.exe, look in Folder Options - View - Advanced Settings. Likely you have "Launch folder windows in a separate process" checked. Means the shell and the file manager functions of explorer each run in its own process. Nothing to worry about.
     
  18. paul2-0-0-2

    paul2-0-0-2 Moderator

    Messages:
    979
    Thanx Enyo (Y) :)

    Checked ports on 2 sites in the list and both passed :)

    Yes yoyo, that's checked, thx. Just asked to be on the safe side when I saw the other thread.
     
  19. o0RaidR0o

    o0RaidR0o OSNN Addict

    Messages:
    119
    Location:
    S.E. Florida
    YoYo hit the nail on its proverbial head :) I too run "Folders in a Separate Process" and often have 2 explorers running. Winlogon resides in \system32.
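The three checks the thread ends up with (is the second explorer.exe just the "separate process" setting, what is still queued in PendingFileRenameOperations, and is any Run entry launching a core binary such as winlogon.exe from somewhere other than System32) can be scripted. The script below is an added example, not code from the thread or from HijackThis/StartupList; it assumes a current Windows host with PowerShell, the standard registry locations, and that the Folder Options setting is stored under the SeparateProcess value, which should be confirmed on the OS version in use.

```powershell
# Added example (not from the thread). Assumes a modern Windows host with
# PowerShell; value names are the standard ones and should be verified locally.

$explorerAdvanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$sessionManager   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Names of binaries that belong in %SystemRoot%\System32 (list is illustrative).
$coreBinaries = @('winlogon.exe', 'lsass.exe', 'services.exe', 'smss.exe', 'csrss.exe', 'svchost.exe')
$system32 = Join-Path $env:SystemRoot 'System32'

# 1. Two explorer.exe processes are expected when "Launch folder windows in a
#    separate process" is enabled; what matters is that both run the shell binary.
$separate  = (Get-ItemProperty -Path $explorerAdvanced -Name SeparateProcess -ErrorAction SilentlyContinue).SeparateProcess
$explorers = @(Get-Process -Name explorer -ErrorAction SilentlyContinue)
Write-Host ("SeparateProcess setting : {0}" -f $(if ($separate) { 'enabled' } else { 'disabled or unset' }))
Write-Host ("explorer.exe instances  : {0}" -f $explorers.Count)
foreach ($p in $explorers) {
    $path = $p.Path
    $note = if ($path -and ($path -ne (Join-Path $env:SystemRoot 'explorer.exe'))) { '  <-- not the shell binary, investigate' } else { '' }
    Write-Host ("  PID {0,-6} {1}{2}" -f $p.Id, $path, $note)
}

# 2. PendingFileRenameOperations is a REG_MULTI_SZ of (source, destination) pairs;
#    an empty destination means the source is deleted at the next boot.
$pending = (Get-ItemProperty -Path $sessionManager -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
if ($pending) {
    Write-Host 'Pending file rename/delete operations:'
    for ($i = 0; $i -lt $pending.Count; $i += 2) {
        $src = $pending[$i]
        $dst = if ($i + 1 -lt $pending.Count) { $pending[$i + 1] } else { '' }
        $action = if ([string]::IsNullOrEmpty($dst)) { 'DELETE' } else { "RENAME -> $dst" }
        Write-Host ("  {0}  {1}" -f $src, $action)
    }
} else {
    Write-Host 'No pending file rename operations.'
}

# 3. Walk the Run keys and their subkeys (the log above shows an entry hiding in
#    a subkey named "svchost") and flag any core-binary name launched from a
#    directory other than System32.
foreach ($key in $runKeys) {
    $items = @(Get-Item -Path $key -ErrorAction SilentlyContinue) + @(Get-ChildItem -Path $key -Recurse -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            if (-not $cmd) { continue }
            # Strip surrounding quotes and trailing arguments to isolate the executable path.
            $exe  = if ($cmd.StartsWith('"')) { ($cmd -split '"')[1] } else { ($cmd -split '\s+')[0] }
            $leaf = [System.IO.Path]::GetFileName($exe).ToLower()
            $dir  = [System.IO.Path]::GetDirectoryName($exe)
            $suspicious = ($coreBinaries -contains $leaf) -and ($dir -ne $system32)
            $tag = if ($suspicious) { 'SUSPICIOUS' } else { 'ok        ' }
            Write-Host ("  [{0}] {1}\{2} = {3}" -f $tag, $item.Name, $name, $cmd)
        }
    }
}
```

Run it from an elevated PowerShell so the HKLM keys and all process paths are readable. A flagged Run entry is a lead, not a verdict: compare the file's hash and signature against the copy in System32 before deciding what it is.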