livingd2d
Trooper
Joined: Jun 01, 2004
Posts: 13
Location: USA
Posted: Tue Jun 01, 2004 3:00 pm Post subject: hijacked, please help
I have been hijacked and now have the "about:blank" web browser trying to take over, as well as a multitude of pop ups graciously offering to fix the problem. Can you check the HijackThis log and give me some hints?
Ron
Logfile of HijackThis v1.97.7
Scan saved at 2:16:49 PM, on 6/1/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\WINDOWS\WINUPTIME.EXE
C:\PROGRAM FILES\QUICKENW\QAGENT.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WIN2000\GURU.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\MY RECEIVED FILES\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\NEJ.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\NEJ.DLL/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.heartlandmlsweb.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\NEJ.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.heartlandmlsweb.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\NEJ.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\NEJ.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\NEJ.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {43138BC1-B311-11D8-9682-0040819B6CAC} - C:\WINDOWS\SYSTEM\NEJ.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WinUptime] C:\WINDOWS\WINUPT~1.EXE
O4 - HKLM\..\Run: [QAGENT] C:\PROGRAM FILES\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [WinTOTAL Scheduler] C:\WIN2000\guru.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Acrobat Assistant.lnk = ?
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {AD19DD06-EDDC-11D2-8C35-00105A0AE07A} (SearchCriteria.ucSearchCriteria) - http://www.jacksongov.org/RecordsData/SearchCriteria.CAB
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt0_x.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.game..._0_0_0.ocx
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} (AOL Downloader Plugin) - http://pak01.pictures.aol.com/ygp/aol/p...0.9.14.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...3861342593
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/...mv9VCM.CAB
O16 - DPF: {5D68B82D-C79F-4FFC-83C0-8D0FC794CEF2} (alaWeb.clsGetStats) - file://I:\WIN2000\CONTENT\cabs\alaWeb.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/...wmavax.CAB
O16 - DPF: {B3A37929-7FF7-4CBE-9579-AC1EF83080DF} (SystemChecker.CheckerCtrl) - http://lawrencemls.risco.net/Paragon/Co...hecker.cab
O16 - DPF: {462274CF-8C50-11D4-9FF6-0080C7C48CC1} (Cviewer Object) - http://www.myglobalcam.com/downloads/mgcx.cab
O16 - DPF: High Stakes Poker by pogo - http://drawpoker.pogo.com/applet-5.8.2....assets.cab
O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo.com/applet-5.8.1.2...assets.cab
O16 - DPF: High Stakes Pool by pogo - http://pool2.pogo.com/applet-5.8.1.28/p...assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://holdem2.pogo.com/applet-5.8.3.20...assets.cab
O16 - DPF: Cribbage by pogo - http://crib.pogo.com/applet-5.8.3.26/cr...assets.cab
Last edited by livingd2d on Tue Jun 01, 2004 3:10 pm, edited 1 time in total
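The log above is the kind of thing the responders in this thread read by eye. As an added example (not code from the thread, from HijackThis or from CWShredder), here is a small Python triage that flags the two patterns that stand out in it: R0/R1 search and start-page settings whose value is a res:// URL, that is, a page embedded as a resource inside a local DLL, and an O2 BHO that loads that same DLL. The sample lines are copied from the log above plus one benign O4 line; the severity labels and the rule that an unnamed BHO living in the Windows system directory gets a medium rating are my own assumptions, not anything the thread states.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log posted above,
# plus one benign O4 line, so the script runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\NEJ.DLL/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.heartlandmlsweb.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {43138BC1-B311-11D8-9682-0040819B6CAC} - C:\WINDOWS\SYSTEM\NEJ.DLL
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
"""

# R0-R3 lines: "<type> - <registry key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[0-3]) - ([^,]+),([^=]+?) = (.*)$")
# O2 lines: "O2 - BHO: <name> - {CLSID} - <dll path>"
O2_LINE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
# A res:// URL names a local module whose embedded resource is shown as a page.
RES_URL = re.compile(r"^res://([^/]+)", re.I)
# Assumed heuristic: unnamed BHOs dropped into the system directory deserve a look.
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\system(32)?\\", re.I)


def triage(log_text):
    """Return a list of findings (dicts with severity, line, why) for a HijackThis log."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    # Pass 1: which local DLLs are being served as search/start pages?
    res_dlls = set()
    for ln in lines:
        m = R_LINE.match(ln)
        if m:
            r = RES_URL.match(m.group(4).strip())
            if r:
                res_dlls.add(r.group(1).lower())
    # Pass 2: rate each line, using the DLL set from pass 1 to link O2 entries back.
    findings = []
    for ln in lines:
        m = R_LINE.match(ln)
        if m:
            data = m.group(4).strip()
            if RES_URL.match(data):
                findings.append({"severity": "high", "line": ln,
                                 "why": "IE search setting served from a local DLL resource"})
            elif data.lower() == "about:blank":
                findings.append({"severity": "medium", "line": ln,
                                 "why": "about:blank in a search/start setting"})
            continue
        m = O2_LINE.match(ln)
        if m:
            name, path = m.group(1), m.group(3).strip()
            if path.lower() in res_dlls:
                findings.append({"severity": "high", "line": ln,
                                 "why": "BHO loads the same DLL that serves the res:// page"})
            elif name == "(no name)" and SYSTEM_DIR.match(path):
                findings.append({"severity": "medium", "line": ln,
                                 "why": "unnamed BHO living in the Windows system directory"})
    return findings


def linked_dlls(findings):
    """Lower-cased DLL paths tied to a res:// search hook (candidates for the removal list)."""
    out = set()
    for f in findings:
        m = R_LINE.match(f["line"])
        if m:
            r = RES_URL.match(m.group(4).strip())
            if r:
                out.add(r.group(1).lower())
    return out


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f['severity']:6}] {f['why']}\n         {f['line']}")
    print("DLLs linked to the search hook:", sorted(linked_dlls(found)))
```

On the sample the Norton BHO is also "(no name)", but it sits under Program Files and is not tied to a res:// entry, so it is left alone; the triage only ties the NEJ.DLL BHO to the search hook because the same path appears in both an R1 value and an O2 line.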
Dylar
Warnings : 1
Trooper
Joined: Jun 01, 2004
Posts: 27
Location: USA
Posted: Tue Jun 01, 2004 3:01 pm
It would help if you posted the log.
Mosaic1
Site Moderator
Joined: Jan 15, 2004
Posts: 4758
Location: USA
Posted: Wed Jun 02, 2004 5:44 pm
I am taking over this thread. Anyone other than livingd2d or Computer Cops Staff please do not post here.
Mosaic1
Download but do not run CWShredder yet.
http://www.spywareinfo.com/downloads/tools/CWShredder.exe
We will use that to clean up after we have found the super hidden file which reinstalls this hijack and removed it.
Download both tools:
http://freeatlast.100free.com/StartDreck.zip
http://freeatlast.100free.com/Win98Fix.zip
Unzip and run StartDreck.exe:
Hit: -config
Hit: -Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
Hit >ok.
Use the "save" tab to save, name and post the log.
livingd2d
Trooper
Joined: Jun 01, 2004
Posts: 13
Location: USA
Posted: Thu Jun 03, 2004 8:05 am
Both of the links for StartDreck and the Win98Fix go to a site that has apparently been eliminated. Any other suggestions where I might find these programs? Thank you for the help!!
Ron
Mosaic1
Site Moderator
Joined: Jan 15, 2004
Posts: 4758
Location: USA
Posted: Thu Jun 03, 2004 3:31 pm
The problem seems to be intermittent.
Get StartDreck here:
http://www.niksoft.at/download/frames.h...tdreck.htm
I have uploaded the other.
Attachment: Win98Fix.zip (2.06 KB, downloaded 34 times)
livingd2d
Trooper
Joined: Jun 01, 2004
Posts: 13
Location: USA
Posted: Thu Jun 03, 2004 5:11 pm Post subject: startdrek log
I apologize in advance for being a pain, but I have tried adding the StartDreck log as an attached file and it is not allowed. With the HijackThis log, I merely did a copy and paste. The StartDreck log will not allow me to copy. Any suggestions?
Mosaic1
Site Moderator
Joined: Jan 15, 2004
Posts: 4758
Location: USA
Posted: Thu Jun 03, 2004 5:22 pm
LOL Sorry. It's always something. This stuff has its moments. Rename the log as a txt file by changing the file extension and it will go up for you.
livingd2d
Trooper
Joined: Jun 01, 2004
Posts: 13
Location: USA
Posted: Thu Jun 03, 2004 7:24 pm Post subject: startdrek log
Thank you for the help!!
Attachment: StartDreck.txt (2.36 KB, downloaded 8 times)
Mosaic1
Site Moderator
Joined: Jan 15, 2004
Posts: 4758
Location: USA
Posted: Thu Jun 03, 2004 7:46 pm
I think you have uploaded the wrong file. That is the readme.
We need to see the file it created when you ran StartDreck.
Save the log. Then open it in Notepad. Copy and paste the contents in your next reply.
I have to sign off for a bit.
Like mine:
Quote:
StartDreck (build 2.1.5 public BETA) - 2004-06-03 @ 19:44:06
Platform: Windows XP (Win NT 5.1.2600 )
»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*AVG_CC=D:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
*Google Toolbar Helper/{AA58ED58-01DD-4d91-8333-CF10577473F7}
`InprocServer32=d:\windows\googletoolbar_en_2.0.107-big.dll
»Files
»System/Drivers
»Running Processes
*00000000=
*00000004=
*00000168=\SystemRoot\System32\smss.exe
*000001A8=
*000001C0=\??\D:\WINDOWS\system32\winlogon.exe
*000001EC=D:\WINDOWS\system32\services.exe
*000001F8=D:\WINDOWS\system32\lsass.exe
*00000298=D:\WINDOWS\system32\svchost.exe
*000002B4=D:\WINDOWS\System32\svchost.exe
*00000324=
*00000398=D:\PROGRA~1\Grisoft\AVG6\avgserv.exe
*000003D4=D:\WINDOWS\wanmpsvc.exe
*0000046C=D:\WINDOWS\Explorer.EXE
*00000560=D:\Program Files\Grisoft\AVG6\avgcc32.exe
*000006D8=G:\VB Files\Close Ie Msg\Close IE Message.exe
*000006EC=D:\Program Files\CompuServe 7.0\CompuServe 7.0a\wcs2000.exe
*000007A8=D:\Program Files\Outlook Express\msimn.exe
*000007C4=D:\Program Files\Messenger\msmsgs.exe
*000000D0=D:\Program Files\Internet Explorer\iexplore.exe
*0000065C=D:\Program Files\MSN Messenger\msnmsgr.exe
*00000244=D:\WINDOWS\system32\NOTEPAD.EXE
*0000047C=D:\WINDOWS\system32\NOTEPAD.EXE
*00000260=D:\WINDOWS\system32\NOTEPAD.EXE
*00000630=D:\windows\system32\notepad.exe
*000004B8=D:\WINDOWS\system32\NOTEPAD.EXE
*0000044C=D:\Documents and Settings\Katie\My Documents\textfiles\AppInit Hijacks\StartDreck\StartDreck\StartDreck.exe
»Application specific
livingd2d
Trooper
Joined: Jun 01, 2004
Posts: 13
Location: USA
Posted: Fri Jun 04, 2004 9:24 am Post subject: trying again
Sorry, hopefully I can get it right this time.
StartDreck (build 2.1.5 public BETA) - 2004-06-03 @ 16:05:11
Platform: Windows 98 SE (Win 4.10.2222 A)
»Registry
»Run Keys
»Current User
»Run
*WinTOTAL Scheduler=C:\WIN2000\guru.exe
*Yahoo! Pager=C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
*MsnMsgr="c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
*SpySweeper=C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
»RunOnce
»Default User
»Run
*WinTOTAL Scheduler=C:\WIN2000\guru.exe
*Yahoo! Pager=C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
*MsnMsgr="c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
*SpySweeper=C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
»RunOnce
»Local Machine
»Run
*ScanRegistry=c:\windows\scanregw.exe /autorun
*TaskMonitor=c:\windows\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*NAV Agent=c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
*LoadQM=loadqm.exe
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
*Share-to-Web Namespace Daemon=c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
*WinUptime=C:\WINDOWS\WINUPT~1.EXE
*QAGENT=C:\PROGRAM FILES\QUICKENW\QAGENT.EXE
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*ScriptBlocking="C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*Navbho.CNavExtBho.1/{BDF3E430-B101-42AD-A544-FADC6B084872}
`InprocServer32=c:\Program Files\Norton AntiVirus\NavShExt.dll
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
*{43138BC1-B311-11D8-9682-0040819B6CAC}
`InprocServer32=C:\WINDOWS\SYSTEM\NEJ.DLL
»Files
»System/Drivers
»Running Processes
*FF0F9693=C:\WINDOWS\SYSTEM\KERNEL32.DLL
*FFFFD067=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
*FFFFD85F=C:\WINDOWS\SYSTEM\SPOOL32.EXE
*FFFE31E7=C:\WINDOWS\SYSTEM\MPREXE.EXE
*FFFE89F7=C:\WINDOWS\SYSTEM\MSTASK.EXE
*FFFEBACF=C:\WINDOWS\SYSTEM\mmtask.tsk
*FFFE8E0F=C:\WINDOWS\EXPLORER.EXE
*FFFD6F4B=C:\WINDOWS\TASKMON.EXE
*FFFD7F0B=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
*FFFDAC17=C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
*FFFD80EF=C:\WINDOWS\LOADQM.EXE
*FFFDE363=C:\WINDOWS\SYSTEM\STIMON.EXE
*FFFC368F=C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
*FFFC080B=C:\WINDOWS\WINUPTIME.EXE
*FFFC207B=C:\PROGRAM FILES\QUICKENW\QAGENT.EXE
*FFFC8BD3=C:\WIN2000\GURU.EXE
*FFFCEAB7=C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
*FFFB89EB=C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
*FFFA1027=C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
*FFFAF7EF=C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
*FFFAE47F=C:\WINDOWS\SYSTEM\MRTMNGR.EXE
*FFF9F4DB=C:\WINDOWS\SYSTEM\WMIEXE.EXE
*FFF757B3=C:\WINDOWS\SYSTEM\DDHELP.EXE
*FFF4D05B=C:\WINDOWS\SYSTEM\PSTORES.EXE
*FFF69533=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
*FFF41127=C:\MY DOCUMENTS\MY RECEIVED FILES\STARTDRECK.EXE
»Application specific
Mosaic1
Site Moderator
Joined: Jan 15, 2004
Posts: 4758
Location: USA
Posted: Fri Jun 04, 2004 2:10 pm
That didn't show it unfortunately.
I take it you have tried removing the hijack repeatedly and it has always returned?
I see a file and am not sure what it is. Please find
C:\WINDOWS\WINUPTIME.EXE
There is a forum here at Computer Cops named Unknown files. If you would go over there and post to upload this, I'll have a look to see if it is connected in any way.
Do you dual boot with Win 2k? We may be able to use that to our advantage to find the hidden file. It will be able to see it.
livingd2d
Trooper
Joined: Jun 01, 2004
Posts: 13
Location: USA
Posted: Fri Jun 04, 2004 3:19 pm Post subject: no clues yet!
I have tried several times to change the web page. I had a program running called Spy Sweeper. Someone used my computer and apparently shut it down. That is when the about:blank page showed up. Spy Sweeper automatically tried changing it back and it just kept switching. I even found a hidden program called "unspysweeper" which I removed. I am also dealing with constant pop ups from the same place. The pop ups tell me my computer is infected with adware and they will graciously help me remove it. The address of the pop ups is "vn.msie.tv".
I do not use Win 2k, so I'm afraid that's no help either.
Thank you for trying. I will post the unknown name and see what comes of that.
Ron
Mosaic1
Site Moderator
Joined: Jan 15, 2004
Posts: 4758
Location: USA
Posted: Fri Jun 04, 2004 3:20 pm
I have another idea. I am uploading a batch file in a zip. Its name is findit.bat. Extract this file to its own new folder and run it by double clicking on the extracted copy of findit.bat. It will search your two registry hives for a certain phrase and then create a file named report.txt in the same folder where you saved and ran findit.bat.
This may not work if you run it from within 98. I am not sure. But if you run it from your other Operating system, it will allow it to read the 98 registry. Try it from within 98 first though please. And still no guarantees.
Open report.txt and copy and paste the contents to your next reply here please.
Attachment: findit.zip (200 Bytes, downloaded 11 times)
livingd2d
Trooper
Joined: Jun 01, 2004
Posts: 13
Location: USA
Posted: Fri Jun 04, 2004 3:43 pm Post subject: findit.txt
Here are the results of the findit search. I appreciate your continued patience and time.
---------- C:\Windows\System.dat
Stationery ÿÿÿÿ ( Stationery FolderC:\PROGRA~1\COMMON~1\MICROS~1\Stationery ÿÿÿÿ ( Backgrounds FolderC:\PROGRA~1\COMMON~1\MICROS~1\Stationery ø 5.0e ú W Mail ÿÿÿÿ Welcome Message ÿÿÿÿ Accounts Checked 8 û 8 News ÿÿÿÿ Accounts Checked G ü $ Default Settings j& Revocation Checking : ë RunOnce c:\w X wextract_cleanup0rundll32.exe C:\WINDOWS\SYSTEM\advpack.dll,DelNodeRunDLL32 "c:\windows\TEMP\IXP000.TMP\"Files\Norton AntiVirus\CustAct.exe252A0-7E70-11D0-A5D6-28DB04C10000},c:\windows\INF\ksfilter.inf,MSTEE.Interface.Installall am Ó MSTEE.Splitterrundll32.exe streamci,StreamingDeviceSetup {cfd669f1-9bc2-11d0-8299-0000f822fe8a},{0A4252A0-7E70-11D0-A5D6-28DB04C10000},{0A4252A0-7E70-11D0-A5D6-28DB04C10000},c:\windows\INF\ksfilter.inf,MSTEE.Interface.InstallgDeviceSetup {cfd669f1-9bc2-11d0-8299-0000f822fe8a},{0A4252A0-7E70-11D0-A5D6-28DB04C10000},{0A4252A0-7E70-11D0-A5D6-28DB04C10000},c:\windows\INF\ksfilter.inf,MSTEE.Interface.InstallngDeviceSetup {cfd669f1-9bc2-11d0-8299-0000f822fe8a},{0A4252A0-7E70-11D0-A5D6-28DB04C10000},{0A4252A0-7E70-11D0-A5D6-28DB04C10000},c:\windows\INF\ksfilter.inf,MSTEE.Interface.Install-7E70-11D0-A5D6-28DB04C10000},c:\windows\INF\ksfilter.inf,MSTEE.Interface.Install7E70-11D0-A5D6-28DB04C10000},c:\windows\INF\ksfilter.inf,MSTEE.Interface.Install0-7E70-11D0-A5D6-28DB04C10000},c:\windows\INF\ksfilter.inf,MSTEE.Interface.Install0-A5D6-28DB04C10000},c:\windows\INF\ksfilter.inf,MSTEE.Interface.Install-11D0-A5D6-28DB04C10000},c:\windows\INF\ksfilter.inf,MSTEE.Interface.Install-11D0-A5D6-28DB04C10000},c:\windows\INF\ksfilter.inf,MSTEE.Interface.Install70-11D0-A5D6-28DB04C10000},c:\windows\INF\ksfilter.inf,MSTEE.Interface.Install-A5D6-28DB04C10000},c:\windows\INF\ksfilter.inf,MSTEE.Interface.InstallDOWS\SYSTEM\msdxm.ocx" :\WI @ WMC_2C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\dxmasf.dll"DOWS\SYSTEM\wmpcore.dll" am F ? 
WMC_1C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\msdxm.ocx" :\WI @ WMC_2C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\dxmasf.dll"M\wmpcore.dll" am F ? WMC_1C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\msdxm.ocx" :\WI @ WMC_2C:\WINDOWS\SYSTEM\regsvr32.exe /s "C:\WINDOWS\SYSTEM\dxmasf.dll" /s " X wextract_cleanup0rundll32.exe C:\WINDOWS\SYSTEM\advpack.dll,DelNodeRunDLL32 "c:\windows\TEMP\IXP000.TMP\"ts\decisiontools\depcalc\bbfdepcalc.ocx"8C:\WINDOWS\SYSTEM\regsvr32 /s "C:\Program Files\Intuit\QuickBooks Pro\components\decisiontools\depcalc\bbfdepcalc.ocx"INDOWS\SYSTEM\regsvr32 /s "C:\Program Files\Intuit\QuickBooks Pro\components\decisiontools\depcalc\bbfdepcalc.ocx"DOWS\SYSTEM\regsvr32 /s "C:\Program Files\Intuit\QuickBooks Pro\components\decisiontools\depcalc\bbfdepcalc.ocx"\WINDOWS\SYSTEM\regsvr32 /s "C:\Program Files\Intuit\QuickBooks Pro\components\decisiontools\depcalc\bbfdepcalc.ocx"OWS\SYSTEM\regsvr32 /s "C:\Program Files\Intuit\QuickBooks Pro\components\decisiontools\depcalc\bbfdepcalc.ocx"SYSTEM\regsvr32 /s "C:\Program Files\Intuit\QuickBooks Pro\components\decisiontools\depcalc\bbfdepcalc.ocx"S\SYSTEM\regsvr32 /s "C:\Program Files\Intuit\QuickBooks Pro\components\decisiontools\depcalc\bbfdepcalc.ocx"S\SYSTEM\regsvr32 /s "C:\Program Files\Intuit\QuickBooks Pro\components\decisiontools\depcalc\bbfdepcalc.ocx"S\SYSTEM\regsvr32 /s "C:\Program Files\Intuit\QuickBooks Pro\components\decisiontools\depcalc\bbfdepcalc.ocx"SYSTEM\regsvr32 /s "C:\Program Files\Intuit\QuickBooks Pro\components\decisiontools\depcalc\bbfdepcalc.ocx"STEM\regsvr32 /s "C:\Program Files\Intuit\QuickBooks Pro\components\decisiontools\depcalc\bbfdepcalc.ocx"S\SYSTEM\regsvr32 /s "C:\Program Files\Intuit\QuickBooks Pro\components\decisiontools\depcalc\bbfdepcalc.ocx"WS\SYSTEM\regsvr32 /s "C:\Program Files\Intuit\QuickBooks Pro\components\decisiontools\depcalc\bbfdepcalc.ocx"\WINDOWS\SYSTEM\regsvr32 /s "C:\Program Files\Intuit\QuickBooks 
Pro\components\decisiontools\depcalc\bbfdepcalc.ocx"OWS\SYSTEM\regsvr32 /s "C:\Progra
---------- C:\Windows\User.dat
Mosaic1
Site Moderator
Joined: Jan 15, 2004
Posts: 4758
Location: USA
Posted: Fri Jun 04, 2004 4:06 pm
Sorry, I misread that as Windows 2000. I was just at the unknown files forum. We need you to make a copy of winuptime.exe and upload it there. Thanks.
Let's try one more file. Copy the contents of the quote box to Notepad.
Name as look.bat
Save as type all files
Double click on look.bat to run it.
Quote:
Find /I "RunServicesOnce" C:\Windows\System.dat >report1.txt
Find /I "RunServicesOnce" C:\Windows\User.dat >>report1.txt
This will create a file named report1.txt
Please attach report1.txt to your next reply. Use the Reply button and not quick reply. That will allow you to attach the file.
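The findit.bat and look.bat steps in the two posts above do the same thing: scan the raw Windows 98 registry hive files (System.dat and User.dat) on disk for a phrase, because an entry that the live registry tools hide will still be present in the file itself. Find /I treats the binary hive as text and prints everything up to the next newline byte, which is why the findit output earlier in the thread came out as a wall of binary. The script below is an added example, not part of the thread and not the findit or look batch files: it reads the hive as bytes, matches the phrase case-insensitively, and prints only a window of printable characters around each hit. It also checks the UTF-16 spelling that NT-family hives use, which goes beyond the Win9x case in the thread. The hive image, the EXAMPLE.EXE path and the report layout are constructed for the demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed hive-like image (not a real System.dat): an 8-bit copy of the key
# name, a lower-case copy to exercise case folding, and a UTF-16LE copy.
SAMPLE_HIVE = (
    b"CREG" + b"\x00" * 12                              # made-up header padding
    + b"CurrentVersion\x00RunServicesOnce\x00"          # 8-bit string, Win9x style
    + b"example=C:\\WINDOWS\\SYSTEM\\EXAMPLE.EXE\x00"   # placeholder value, constructed
    + b"\xff\xfe" * 8                                   # binary noise
    + b"runservicesonce\x00"                            # lower-case copy
    + b"\x00" * 16
    + "RunServicesOnce".encode("utf-16-le")             # NT-family hives store UTF-16
    + b"\x00" * 8
)


def printable_context(blob, start, end, width=40):
    """Printable-ASCII view of blob around [start:end]; other bytes become '.'."""
    lo, hi = max(0, start - width), min(len(blob), end + width)
    return "".join(chr(b) if 32 <= b < 127 else "." for b in blob[lo:hi])


def search_hive(blob, phrase, width=40):
    """Case-insensitive search for phrase in a raw hive image.

    Both the 8-bit (Win9x) and UTF-16LE (NT) encodings are tried.
    Returns a sorted list of (offset, encoding, context) tuples.
    """
    hits = []
    for enc in ("latin-1", "utf-16-le"):
        needle = re.escape(phrase.encode(enc))
        # IGNORECASE on a bytes pattern folds ASCII letters only, which is what we want
        for m in re.finditer(needle, blob, re.IGNORECASE):
            hits.append((m.start(), enc, printable_context(blob, m.start(), m.end(), width)))
    return sorted(hits)


def write_report(hive_paths, phrase, out_path):
    """Scan each hive file and write a report in the style of the batch file's output."""
    lines = []
    for p in hive_paths:
        blob = Path(p).read_bytes()
        lines.append(f"---------- {p}")
        for off, enc, ctx in search_hive(blob, phrase):
            lines.append(f"  0x{off:08x} [{enc}] {ctx}")
    Path(out_path).write_text("\n".join(lines) + "\n", encoding="utf-8")
    return lines


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        hive = os.path.join(d, "System.dat")
        Path(hive).write_bytes(SAMPLE_HIVE)
        for line in write_report([hive], "RunServicesOnce", os.path.join(d, "report1.txt")):
            print(line)
```

Each hit is reported with its byte offset, so a second run after a reboot shows whether the entry is being written back in the same place; the context window is what the batch file could not give, since Find prints whole newline-delimited runs of the binary file.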
Powered by phpBB 2.0.8a © 2001 phpBB Group
Version 2.0.6 of PHP-Nuke Port by Tom Nitzschner © 2002 www.toms-home.com
Version 2.2 by Paul Laudanski © 2003-2004 Computer Cops