Two Instances of Explorer.exe

paul2-0-0-2

OSNN Senior Addict
#1
Kinda off topic, soz, thought I'd ask in here instead of making a new thread since you posted that link.

But sometimes I have 2 explorers in Task Manager. Scanned loads of times, NAV2003 and AVG never found any virus. Is it normal sometimes to have 2 running?
 
#4
Paul: Try running antivirus, Adaware first. If nothing comes up, run HijackThis and paste the log in here. Explorer.exe doesn't ever normally run twice, so there is something wrong somewhere.
 

paul2-0-0-2

OSNN Senior Addict
#5
Couldn't get the new version though, dunno if that will make any difference.
StartupList report, 14/02/2004, 00:53:02
StartupList version: 1.52
Started from : C:\Documents and Settings\Chandz\Desktop\hijackthis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
C:\program files\microangelo\muamgr.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Tweak-XP Pro\tranicon.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\winservn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Ericsson\MOBILE~1\DbgOut.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Chandz\Desktop\hijackthis\HijackThis.exe
C:\Documents and Settings\Chandz\Desktop\hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Chandz\Start Menu\Programs\Startup]
DigiGuide.lnk = C:\Program Files\DigiGuide TV Guide\client00.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CloneCDElbyCDFL = "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
TimerModule = C:\WINDOWS\System32\TimerModule.exe
Desksite CMA = c:\program files\desksite\bin\cma.exe
MessengerPlus2 = "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
Zone Labs Client = C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
MOD = c:\program files\microangelo\muamgr.exe
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
AVG_CC = C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
WinampAgent = C:\Program Files\Winamp\winampa.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

IDMan = C:\Program Files\Internet Download Manager\IDMan.exe /onboot
TransparentIcons = "C:\Program Files\Tweak-XP Pro\tranicon.exe" -ex
Tweak-XP =
PicoZip = C:\PROGRA~1\PicoZip\PicoZipTray.exe
CursorXP = C:\Program Files\CursorXP\CursorXP.exe
MessengerPlus2 = "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
StatusDP = "C:\DOCUME~1\Chandz\LOCALS~1\Temp\Rar$EX00.859\dpstatus.exe"
ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
Uptime-Project = C:\Documents and Settings\Chandz\Desktop\client\client.exe
ContentService = C:\WINDOWS\System32\winservn.exe
msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

[svchost]
= c:\windows\system\winlogon.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\TechSmith\SnagIt 6\SnagItBHO.dll - {00C6482D-C502-44C8-8409-FCE54AD9C208}
(no name) - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\WINDOWS\System32\IETie.dll - {9527D42F-D666-11D3-B8DD-00600838CD5F}
(no name) - C:\PROGRA~1\FlashGet\jccatch.dll - {A5366673-E8CA-11D3-9CD9-0090271D075B}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files\Xi\Net Transport\NTIEHelper.dll - {C56CB6B0-0D96-11D6-8C65-B2868B609932}

--------------------------------------------------
 

paul2-0-0-2

OSNN Senior Addict
#6
Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\WINDOWS\System32\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[sys Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PCPitStop.dll
CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[iCC Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\pcpConnCheck.dll
CODEBASE = http://www.pcpitstop.com/internet/pcpConnCheck.cab

[{29C13B62-B9F7-4CD3-8CEF-0A58A1A99441}]
CODEBASE = http://fdl.msn.com/public/chat/msnchat41.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

[Cult3D ActiveX Player]
InProcServer32 = C:\WINDOWS\System32\Cult3D\IECult.dll
CODEBASE = http://www.cult3d.com/download/cult.cab

[EricClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\EricControl.dll
CODEBASE = http://www.gsmserver.com/info/EricControl.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/uk/win/QuickTimeInstaller.exe

[Pixami Image Editor Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\BPIMAG~1.OCX
CODEBASE = http://www.imagestation.com/common/classes/BPImageEditor.cab?ver=1,1,0,30

[{525A15D0-4938-11D4-94C7-0050DA20189B}]
CODEBASE = http://www.ea.com/downloads/games/common/snoopy/iesnoopy.cab

[{56336BCB-3D8A-11D6-A00B-0050DA18DE71}]
CODEBASE = http://207.188.7.150/26d72d4f2b0237512819/netzip/RdxIE2.cab

[{5E943D9C-F8DC-4258-8E3F-A61BB3405A33}]
CODEBASE = http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802

[FileSharingCtrl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\fsmsngr_en.dll
CODEBASE = http://appdirectory.messenger.msn-int.com/AppDirectory/P4Apps/FileSharing/en/fsmsngr_en.dll

[PWMediaSendControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PWActiveXImgCtl.dll
CODEBASE = http://216.249.24.140/code/PWActiveXImgCtl.CAB

[{6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2}]
CODEBASE = http://www.gigex.com/tv/igor/gigexagent.dll

[GSDACtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\gsda.dll
CODEBASE = http://launch.gamespyarcade.com/software/launch/alaunch.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/80a25dd3ec062c/housecall.antivirus.com/housecall/xscan53.cab

[{7A32634B-029C-4836-A023-528983982A49}]
CODEBASE = http://fdl.msn.com/public/chat/msnchat42.cab

[Flo2_L2 Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\NG03_F~1.OCX
CODEBASE = http://www.nokiagame.com/games/2K1E4R5Vem5ui1Sw1Wyas/flo2_l2.cab

[Java Plug-in 1.4.0_03]
InProcServer32 = C:\Program Files\Java\j2re1.4.0_03\bin\npjpi140_03.dll

[InstallShield International Setup Player]
InProcServer32 = c:\windows\DOWNLO~1\isetup.dll
CODEBASE = http://www.installengine.com/engine/isetup.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoftware.com/activescan/as/asinst.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37616.3919097222

[YahooYMailTo Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ymmapi.dll
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll

[WTHoster Class]
InProcServer32 = C:\WINDOWS\wt\webdriver\wthostctl.dll
CODEBASE = http://www.wildtangent.com/install/wdriver/sportsgames/nikefootball/nike/wtinst.cab

[Mophun Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\mophun.ocx
CODEBASE = http://www.mophun.com/codebase/mophun.cab

[LiveX(5.3.0.0) Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\LiveX_E.ocx
CODEBASE = http://canasta.no-ip.com/cab/Live.cab

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab

[{CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA}]

[{CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA}]

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[{E87A6788-1D0F-4444-8898-1D25829B6755}]
CODEBASE = http://fdl.msn.com/public/chat/msnchat4.cab

[Yahoo! Companion]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
CODEBASE = http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab

[Hotmail Attachments Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\HMAtchmt.ocx
CODEBASE = http://sea1fd.sea1.hotmail.msn.com/activex/HMAtchmt.ocx

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\Chandz\LOCALS~1\Temp\~f51e43.tmp||C:\DOCUME~1\Chandz\LOCALS~1\Temp\~f51e43.tmp||C:\DOCUME~1\Chandz\LOCALS~1\Temp\~f51e43.tmp||C:\DOCUME~1\Chandz\LOCALS~1\Temp\~f51e43.tmp||C:\DOCUME~1\Chandz\LOCALS~1\Temp\~f51e43.tmp||C:\DOCUME~1\Chandz\LOCALS~1\Temp\irsetup.exe||C:\DOCUME~1\Chandz\LOCALS~1\Temp\irsetup.exe||C:\DOCUME~1\Chandz\LOCALS~1\Temp\irsetup.exe||C:\DOCUME~1\Chandz\LOCALS~1\Temp\irsetup.exe


--------------------------------------------------


Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 12,383 bytes
Report generated in 0.718 seconds
 
#7
Running Process:

C:\WINDOWS\system32\slserv.exe

Kill that, that's not a Windows process.

(no name) - C:\WINDOWS\System32\IETie.dll - {9527D42F-D666-11D3-B8DD-00600838CD5F}

(no name) - C:\Program Files\Xi\Net Transport\NTIEHelper.dll - {C56CB6B0-0D96-11D6-8C65-B2868B609932}

Those 2 regkeys don't look familiar, may be malicious.
 

paul2-0-0-2

OSNN Senior Addict
#8
Tiesto said:
Running Process:

C:\WINDOWS\system32\slserv.exe

Kill that, that's not a Windows process.

(no name) - C:\WINDOWS\System32\IETie.dll - {9527D42F-D666-11D3-B8DD-00600838CD5F}

(no name) - C:\Program Files\Xi\Net Transport\NTIEHelper.dll - {C56CB6B0-0D96-11D6-8C65-B2868B609932}

Those 2 regkeys don't look familiar, may be malicious.
Thanx

Found out 2 are fine (Y)

slserv.exe Aztech Modem Driver

(no name) - C:\Program Files\Xi\Net Transport\NTIEHelper.dll - {C56CB6B0-0D96-11D6-8C65-B2868B609932}


EDIT

Download Accelerator Program I use lol, which has spyware; that's what the NTIEHelper.dll is.
 

Enyo

OSNN Veteran Addict
#9
Yes Paul, don't remove those. What does need to be removed however is:

1)

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

[svchost]
= c:\windows\system\winlogon.exe
Winlogon does not reside in \system and Winlogon does not exist as a run entry.

Need to isolate the file and check it.

2)
ContentService = C:\WINDOWS\System32\winservn.exe
ClickSpring Spyware.

If you could remove those then post a HiJackThis Log using the latest download.

http://www.webattack.com/get/hijackthis.html
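One way to automate the checks made in this thread (duplicate Explorer.EXE, a system binary name such as winlogon.exe outside its home directory, a Run value named like a system process, autoruns launched from Temp) is to parse the StartupList report layout shown in the posts. This is an added example, not HijackThis's or the forum's own code; the embedded report is constructed, modelled on the logs above, and the expected-directory table is an assumption of the heuristic.

```python
"""Triage a HijackThis StartupList report for the anomalies raised in this thread.

Added example, not part of HijackThis or the forum: flags more than one Explorer.EXE,
a system binary name outside its home directory (winlogon.exe under \\windows\\system),
autorun value names that mimic a system process ([svchost]) and autoruns from Temp.
SAMPLE_REPORT is constructed for the example, modelled on the logs in the thread.
"""
import re

# Assumption used by the heuristic: the directory tail (below the drive letter) where
# each binary legitimately lives; compared case-insensitively.
SYSTEM_BINARIES = {
    "winlogon.exe": ("windows\\system32",),
    "svchost.exe": ("windows\\system32",),
    "lsass.exe": ("windows\\system32",),
    "explorer.exe": ("windows",),
}
HEADERS = ("Running processes", "Autorun entries from Registry",
           "Autorun entries in Registry subkeys")
ENTRY_RE = re.compile(r"^\s*(.*?)\s*=\s*(.*)$")

# Constructed report in StartupList's layout (blank lines between entries are optional).
SAMPLE_REPORT = r"""StartupList report, 15/02/2004, 11:46:17
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Chandz\Desktop\hijackthis\HijackThis.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
StatusDP = "C:\DOCUME~1\Chandz\LOCALS~1\Temp\Rar$EX00.859\dpstatus.exe"
ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
[svchost]
 = c:\windows\system\winlogon.exe
--------------------------------------------------
"""


def parse_report(text):
    """Return (processes, autoruns); autoruns are (run_key, value_name, command) tuples."""
    processes, autoruns = [], []
    for section in re.split(r"^-{10,}[ \t]*$", text, flags=re.M):
        lines = [l.rstrip() for l in section.splitlines() if l.strip()]
        idx = next((i for i, l in enumerate(lines) if l.startswith(HEADERS)), None)
        if idx is None:
            continue
        header, body = lines[idx], lines[idx + 1:]
        if header.startswith("Running processes"):
            processes.extend(body)
        elif body:
            key, subkey = body[0], None       # first line after the header is the Run key
            for line in body[1:]:
                if line.startswith("["):      # [subkey] block below the Run key
                    subkey = line.strip("[]")
                elif (m := ENTRY_RE.match(line)):
                    autoruns.append((key, m.group(1) or subkey or "", m.group(2)))
    return processes, autoruns


def image_path(command):
    """Executable path from an autorun command line, quotes and arguments stripped."""
    m = re.match(r'\s*"?([^"]*?\.exe)', command, re.I)
    return m.group(1) if m else command.strip()


def wrong_location(path):
    """True if PATH names a known system binary sitting outside its expected directory."""
    directory, _, name = path.lower().replace("/", "\\").rpartition("\\")
    expected = SYSTEM_BINARIES.get(name)
    if expected is None:
        return False
    tail = directory.split(":", 1)[-1].strip("\\")   # "c:\windows\system" -> "windows\system"
    return tail not in expected


def triage(text):
    """Run the checks over a StartupList report; returns one finding string per hit."""
    processes, autoruns = parse_report(text)
    findings = []
    explorers = sum(1 for p in processes if p.lower().endswith("\\explorer.exe"))
    if explorers > 1:
        findings.append(f"{explorers} Explorer.EXE instances running; normally one per logon")
    findings += [f"system binary in an unexpected directory: {p}" for p in processes if wrong_location(p)]
    for key, name, cmd in autoruns:
        path = image_path(cmd)
        if wrong_location(path):
            findings.append(f"{key}\\{name}: system binary outside its home directory: {path}")
        if name.lower() in SYSTEM_BINARIES or name.lower() + ".exe" in SYSTEM_BINARIES:
            findings.append(f"{key}\\{name}: value name mimics a Windows system process")
        if re.search(r"\\temp\\", path, re.I):
            findings.append(f"{key}\\{name}: launches from a Temp folder: {path}")
    return findings
```

Running `triage(SAMPLE_REPORT)` on the constructed report yields four findings: the second Explorer.EXE, the StatusDP entry under Temp, and two hits on the [svchost] subkey (winlogon.exe outside system32, and a value name mimicking a system process).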
 

paul2-0-0-2

OSNN Senior Addict
#10
Got rid of winservn with a2/adware yesterday.

c:\windows\system\winlogon.exe Can't find that :confused:

Tried to get HiJackThis, no site seems to be working with the download :eek:
 

paul2-0-0-2

OSNN Senior Addict
#12
Thx, got it from

http://www.softpedia.com/public/cat/10/17/10-17-69.shtml

They put up some new mirrors which work now.
Code:
Logfile of HijackThis v1.97.7
Scan saved at 11:37:54, on 15/02/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
C:\program files\microangelo\muamgr.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Tweak-XP Pro\tranicon.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Ericsson\MOBILE~1\DbgOut.exe
C:\Program Files\Messenger\Msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Chandz\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = CHAND
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 6\SnagItBHO.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\Net Transport\NTIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\MSDXM.OCX
O3 - Toolbar: 3DNA Toolbar - {2ECB7FB2-0333-416F-92FD-4904AD49252B} - C:\WINDOWS\system32\3DNATO~1.DLL
O3 - Toolbar: Find - {8D029AEC-E412-4948-84B5-699A740946AE} - %SystemRoot%\System32\iefind.dll (file missing)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 6\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [TimerModule] C:\WINDOWS\System32\TimerModule.exe
O4 - HKLM\..\Run: [Desksite CMA] c:\program files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
O4 - HKLM\..\Run: [MOD] c:\program files\microangelo\muamgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
 

paul2-0-0-2

OSNN Senior Addict
#13
Code:
/STARTUP
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [TransparentIcons] "C:\Program Files\Tweak-XP Pro\tranicon.exe" -ex
O4 - HKCU\..\Run: [PicoZip] C:\PROGRA~1\PicoZip\PicoZipTray.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [StatusDP] "C:\DOCUME~1\Chandz\LOCALS~1\Temp\Rar$EX00.859\dpstatus.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Uptime-Project] C:\Documents and Settings\Chandz\Desktop\client\client.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: DigiGuide.lnk = C:\Program Files\DigiGuide TV Guide\client00.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Convert and Open - C:\PROGRA~1\Camtech\CONVER~1\ConvertIt.htm
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Allow personal info to reach this site - file://C:\Program Files\GhostSurf\info.allow.html
O8 - Extra context menu item: Allow popups on this site - file://C:\Program Files\GhostSurf\popup.allow.html
O8 - Extra context menu item: Allow this advertisement - file://C:\Program Files\GhostSurf\menu.allowimg.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Block personal info from this site - file://C:\Program Files\GhostSurf\info.block.html
O8 - Extra context menu item: Block popups on this site - file://C:\Program Files\GhostSurf\popup.block.html
O8 - Extra context menu item: Block this advertisement - file://C:\Program Files\GhostSurf\menu.blockimg.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\PROGRA~1\Xi\NETTRA~1\NTAddLink.html
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Get Flash by &Arty Flash Ripper - C:\Program Files\Softdigger\FlashRipper\IEMenu.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: GhostSurf Privacy Center (HKLM)
O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {405B09E4-BBDA-4564-989E-15DE26B416EA} (EricClient Class) - http://www.gsmserver.com/info/EricControl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020124/qtinstall.info.apple.com/qt505/uk/win/QuickTimeInstaller.exe
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/classes/BPImageEditor.cab?ver=1,1,0,30
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://www.ea.com/downloads/games/common/snoopy/iesnoopy.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/26d72d4f2b0237512819/netzip/RdxIE2.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn-int.com/AppDirectory/P4Apps/FileSharing/en/fsmsngr_en.dll
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} - http://www.gigex.com/tv/igor/gigexagent.dll
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/80a25dd3ec062c/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {83B67220-025C-416C-8049-398E12764B36} (Flo2_L2 Control) - http://www.nokiagame.com/games/2K1E4R5Vem5ui1Sw1Wyas/flo2_l2.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_03) - 
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37616.3919097222
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://www.wildtangent.com/install/wdriver/sportsgames/nikefootball/nike/wtinst.cab
O16 - DPF: {AE609930-A6EB-4A78-B7DA-B3200705FEBD} (Mophun Control) - http://www.mophun.com/codebase/mophun.cab
O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} (LiveX(5.3.0.0) Control) - http://canasta.no-ip.com/cab/Live.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_02) - 
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) - 
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://sea1fd.sea1.hotmail.msn.com/activex/HMAtchmt.ocx
 

paul2-0-0-2

OSNN Senior Addict
#14
Code:
StartupList report, 15/02/2004, 11:46:17
StartupList version: 1.52
Started from : C:\Documents and Settings\Chandz\Desktop\hijackthis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
C:\program files\microangelo\muamgr.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Tweak-XP Pro\tranicon.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Ericsson\MOBILE~1\DbgOut.exe
C:\Program Files\Messenger\Msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Chandz\Desktop\hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Chandz\Start Menu\Programs\Startup]
DigiGuide.lnk = C:\Program Files\DigiGuide TV Guide\client00.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

--------------------------------------------------
 

paul2-0-0-2

OSNN Senior Addict
#15
Code:
Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CloneCDElbyCDFL = "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
TimerModule = C:\WINDOWS\System32\TimerModule.exe
Desksite CMA = c:\program files\desksite\bin\cma.exe
MessengerPlus2 = "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
Zone Labs Client = C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
MOD = c:\program files\microangelo\muamgr.exe
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
AVG_CC = C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
WinampAgent = C:\Program Files\Winamp\winampa.exe
PestPatrol Control Center = C:\Program Files\PestPatrol\PPControl.exe
PPMemCheck = C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

IDMan = C:\Program Files\Internet Download Manager\IDMan.exe /onboot
TransparentIcons = "C:\Program Files\Tweak-XP Pro\tranicon.exe" -ex
Tweak-XP = 
PicoZip = C:\PROGRA~1\PicoZip\PicoZipTray.exe
CursorXP = C:\Program Files\CursorXP\CursorXP.exe
MessengerPlus2 = "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
StatusDP = "C:\DOCUME~1\Chandz\LOCALS~1\Temp\Rar$EX00.859\dpstatus.exe"
ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
Uptime-Project = C:\Documents and Settings\Chandz\Desktop\client\client.exe
msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

[svchost]
 = c:\windows\system\winlogon.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\TechSmith\SnagIt 6\SnagItBHO.dll - {00C6482D-C502-44C8-8409-FCE54AD9C208}
(no name) - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\PROGRA~1\FlashGet\jccatch.dll - {A5366673-E8CA-11D3-9CD9-0090271D075B}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files\Xi\Net Transport\NTIEHelper.dll - {C56CB6B0-0D96-11D6-8C65-B2868B609932}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\WINDOWS\System32\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[sys Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PCPitStop.dll
CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[iCC Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\pcpConnCheck.dll
CODEBASE = http://www.pcpitstop.com/internet/pcpConnCheck.cab

[{29C13B62-B9F7-4CD3-8CEF-0A58A1A99441}]
CODEBASE = http://fdl.msn.com/public/chat/msnchat41.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

[Cult3D ActiveX Player]
InProcServer32 = C:\WINDOWS\System32\Cult3D\IECult.dll
CODEBASE = http://www.cult3d.com/download/cult.cab

[EricClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\EricControl.dll
CODEBASE = http://www.gsmserver.com/info/EricControl.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52/20020124/qtinstall.info.apple.com/qt505/uk/win/QuickTimeInstaller.exe

[Pixami Image Editor Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\BPIMAG~1.OCX
CODEBASE = http://www.imagestation.com/common/classes/BPImageEditor.cab?ver=1,1,0,30

[{525A15D0-4938-11D4-94C7-0050DA20189B}]
CODEBASE = http://www.ea.com/downloads/games/common/snoopy/iesnoopy.cab

[{56336BCB-3D8A-11D6-A00B-0050DA18DE71}]
CODEBASE = http://207.188.7.150/26d72d4f2b0237512819/netzip/RdxIE2.cab

[{5E943D9C-F8DC-4258-8E3F-A61BB3405A33}]
CODEBASE = http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802

[FileSharingCtrl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\fsmsngr_en.dll
CODEBASE = http://appdirectory.messenger.msn-int.com/AppDirectory/P4Apps/FileSharing/en/fsmsngr_en.dll

[PWMediaSendControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PWActiveXImgCtl.dll
CODEBASE = http://216.249.24.140/code/PWActiveXImgCtl.CAB

[{6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2}]
CODEBASE = http://www.gigex.com/tv/igor/gigexagent.dll

[GSDACtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\gsda.dll
CODEBASE = http://launch.gamespyarcade.com/software/launch/alaunch.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/80a25dd3ec062c/housecall.antivirus.com/housecall/xscan53.cab

[{7A32634B-029C-4836-A023-528983982A49}]
CODEBASE = http://fdl.msn.com/public/chat/msnchat42.cab

[Flo2_L2 Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\NG03_F~1.OCX
CODEBASE = http://www.nokiagame.com/games/2K1E4R5Vem5ui1Sw1Wyas/flo2_l2.cab

[Java Plug-in 1.4.0_03]
InProcServer32 = C:\Program Files\Java\j2re1.4.0_03\bin\npjpi140_03.dll

[InstallShield International Setup Player]
InProcServer32 = c:\windows\DOWNLO~1\isetup.dll
CODEBASE = http://www.installengine.com/engine/isetup.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoftware.com/activescan/as/asinst.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37616.3919097222

[YahooYMailTo Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ymmapi.dll
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll

[WTHoster Class]
InProcServer32 = C:\WINDOWS\wt\webdriver\wthostctl.dll
CODEBASE = http://www.wildtangent.com/install/wdriver/sportsgames/nikefootball/nike/wtinst.cab

[Mophun Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\mophun.ocx
CODEBASE = http://www.mophun.com/codebase/mophun.cab

[LiveX(5.3.0.0) Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\LiveX_E.ocx
CODEBASE = http://canasta.no-ip.com/cab/Live.cab

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab

[{CAFEEFAC-0014-0000-0002-ABCDEFFEDCBA}]

[{CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA}]

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[{E87A6788-1D0F-4444-8898-1D25829B6755}]
CODEBASE = http://fdl.msn.com/public/chat/msnchat4.cab

[Yahoo! Companion]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
CODEBASE = http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab

[Hotmail Attachments Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\HMAtchmt.ocx
CODEBASE = http://sea1fd.sea1.hotmail.msn.com/activex/HMAtchmt.ocx

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: c:\windows\system32\winservn.exe||c:\documents and settings\chandz\cookies\chandz@netshelter.adtrix[2].txt


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 11,968 bytes
Report generated in 0.062 seconds
 

Enyo

OSNN Veteran Addict
#16
Moderation - Thread Split

From the Startup List log:

Windows NT 'Wininit.ini':

PendingFileRenameOperations: c:\windows\system32\winservn.exe||c:\documents and settings\chandz\cookies\chandz@netshelter.adtrix[2].txt

Remove that; it's left over from when you removed winservn.exe.
 

yoyo

#17
Regarding the two instances of Explorer.exe, look in Folder Options - View - Advanced Settings. Likely you have "Launch folder windows in a separate process" checked. That means the shell and the file manager functions of Explorer each run in their own process. Nothing to worry about.
 

paul2-0-0-2

OSNN Senior Addict
#18
Thanx Enyo (Y) :)

Checked ports on 2 sites in the list and both passed :)

Yes yoyo, that's checked, thx. Just asked to be on the safe side when I saw the other thread.
 
#19
paul2-0-0-2 said:
Thanx Enyo (Y) :)

Checked ports on 2 sites in the list and both passed :)

Yes yoyo, that's checked, thx. Just asked to be on the safe side when I saw the other thread.
YoYo hit the nail on its proverbial head :) I too run "Folders in a Separate Process" and often have 2 explorers running. Winlogon resides in \system32.
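The replies above apply three checks by eye: a core Windows binary (winlogon.exe) listed from somewhere other than its home directory, autorun entries launching from user-writable places such as Temp, and a PendingFileRenameOperations entry that still names an executable after a cleanup. As an added illustration, not code from this thread or from the HijackThis/StartupList tool, the Python script below parses a StartupList-style report and raises the same findings automatically. The sample report is constructed from lines of the log posted in this thread; the table of expected binary locations and the path heuristics are the example's own assumptions, not anything the tool emits.

```python
import ntpath
import re
from typing import Dict, List

# Constructed sample: a few blocks lifted from the StartupList report posted in
# this thread (the "Chandz" profile, Rar$EX00.859 and the winlogon path are its own).
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

IDMan = C:\Program Files\Internet Download Manager\IDMan.exe /onboot
StatusDP = "C:\DOCUME~1\Chandz\LOCALS~1\Temp\Rar$EX00.859\dpstatus.exe"
ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
Uptime-Project = C:\Documents and Settings\Chandz\Desktop\client\client.exe

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

[svchost]
 = c:\windows\system\winlogon.exe

--------------------------------------------------

Windows NT 'Wininit.ini':
PendingFileRenameOperations: c:\windows\system32\winservn.exe||c:\documents and settings\chandz\cookies\chandz@netshelter.adtrix[2].txt
"""

# Assumption for this example: core binaries and the directory (relative to the
# Windows root) they legitimately live in. The same name anywhere else is the
# classic masquerade the last reply points at (winlogon.exe belongs in \system32).
SYSTEM_BINARY_HOME = {
    "winlogon.exe": r"windows\system32",
    "svchost.exe": r"windows\system32",
    "lsass.exe": r"windows\system32",
    "services.exe": r"windows\system32",
    "csrss.exe": r"windows\system32",
    "smss.exe": r"windows\system32",
    "explorer.exe": r"windows",
}

# Directory fragments an autorun entry should not normally launch from (assumption).
USER_WRITABLE_MARKERS = ("\\temp\\", "\\local settings\\", "\\desktop\\", "\\cookies\\")

# "name = value" lines, and the first file path inside a value (quotes optional, args ignored).
ENTRY_RE = re.compile(r"^\s*(?P<name>[^=]*?)\s*=\s*(?P<value>.+?)\s*$")
PATH_RE = re.compile(r'"?([a-z]:\\[^"|]*?\.(?:exe|dll|ocx|scr|bat|pif))', re.IGNORECASE)


def _sections(text: str) -> List[List[str]]:
    """Split the report into blocks at the dashed rule lines StartupList prints."""
    blocks, current = [], []
    for line in text.splitlines():
        if re.fullmatch(r"-{10,}", line.strip()):
            blocks.append(current)
            current = []
        else:
            current.append(line)
    blocks.append(current)
    return blocks


def _check_path(entry: str, path: str) -> List[Dict[str, str]]:
    """Location heuristics for one launched file; ntpath keeps Windows semantics on any host."""
    findings = []
    low = path.lower()
    base = ntpath.basename(low)
    home = SYSTEM_BINARY_HOME.get(base)
    if home and not ntpath.dirname(low).endswith(home):
        findings.append({"check": "system-name-outside-home", "entry": entry,
                         "detail": f"{base} expected under \\{home}, listed at {path}"})
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        findings.append({"check": "user-writable-location", "entry": entry,
                         "detail": f"autorun launches from user-writable path {path} (review)"})
    return findings


def triage_report(text: str) -> List[Dict[str, str]]:
    """Walk a StartupList-style report and return the findings as dicts."""
    findings: List[Dict[str, str]] = []
    for block in _sections(text):
        header = " ".join(block[:2]).lower()
        if "autorun entries" in header:
            for line in block:
                m = ENTRY_RE.match(line)
                if not m:
                    continue
                pm = PATH_RE.search(m.group("value"))
                if pm:
                    findings.extend(_check_path(m.group("name") or "(unnamed)", pm.group(1)))
        elif "wininit.ini" in header:
            for line in block:
                if line.startswith("PendingFileRenameOperations:"):
                    # Items are '|'-separated; an empty target means a pending delete.
                    ops = line.split(":", 1)[1]
                    for item in filter(None, (p.strip() for p in ops.split("|"))):
                        if item.lower().endswith(".exe"):
                            findings.append({"check": "pending-rename-executable",
                                             "entry": "PendingFileRenameOperations",
                                             "detail": f"queued rename/delete still references {item}"})
    return findings


if __name__ == "__main__":
    for f in triage_report(SAMPLE_REPORT):
        print(f"[{f['check']}] {f['entry']}: {f['detail']}")
```

Run against the sample it reports four items: the Temp and Desktop launches, the winlogon.exe copy outside \system32, and the winservn.exe rename still queued in Wininit.ini. The checks are deliberately coarse triage hints, not verdicts; an entry such as a client launched from the Desktop is simply something to confirm by hand, which is what the thread did.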
 
