Status
Not open for further replies.
1 - 20 of 21 Posts

·
Registered
Joined
·
108 Posts
Discussion Starter · #1 ·
I think I've opened MS DOS prompt somehow, as after every boot up I get a small black screen with win.com on it. I may have done this whilst playing with Run/command.

In the properties of the win.com screen that appears, I have ticked the "turn off after exit feature", but I can still see it flash after reboot. How can I turn off the DOS prompt properly?

Thanks in advance
 

·
Registered
Joined
·
4,699 Posts
At the DOS prompt type exit. That should close the DOS window and you should not get it on the next reboot.
 

·
Registered
Joined
·
45,855 Posts
http://www.spywareinfo.com/~merijn/downloads.html

Unzip HijackThis to a permanent folder. Run it and select the following options:

Config > Misc Tools > Generate StartupList

Copy/paste the Startuplist (not the Scanlog) to a reply here.

Likely there is something in your autoexec.bat file trying to load win.com which normally you would not see. But the startuplist will show other locations as well.
 

·
Registered
Joined
·
108 Posts
Discussion Starter · #5 ·
Rog, here is my startup list

StartupList report, 09/04/2004, 20:10:20
StartupList version: 1.52
Started from : C:\WINDOWS\DESKTOP\HI JACK THIS\HIJACKTHIS.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HI JACK THIS\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
LVComs = C:\WINDOWS\SYSTEM\LVComS.exe
TaskMonitor = C:\WINDOWS\taskmon.exe
SpeedTouch USB Diagnostics = "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
LoadQM = loadqm.exe
Zone Labs Client = C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
AVG_CC = C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
devldr16.exe = C:\WINDOWS\SYSTEM\devldr16.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SSDPSRV = C:\WINDOWS\SYSTEM\ssdpsrv.exe
*StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
SchedulingAgent = mstask.exe
Avgserv9.exe = C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

WEBCAMRT.EXE =
MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=C:\WINDOWS\hpfsched.bat;C:\WINDOWS\hpfsched.exe;C:\WINDOWS\hpfsched.com;C:\WINDOWS\hpfsched.scr;C:\WINDOWS\hpfsched.vbs;C:\WINDOWS\COMMAND\hpfsched.bat;C:\WINDOWS\COMMAND\hpfsched.exe;C:\WINDOWS\COMMAND\hpfsched.com;C:\WINDOWS\COMMAND\hpfsched.scr;C:\WINDOWS\COMMAND\hpfsched.vbs;C:\WINDOWS\SYSTEM\hpfsched.bat;C:\WINDOWS\SYSTEM\hpfsched.exe;C:\WINDOWS\SYSTEM\hpfsched.com;C:\WINDOWS\SYSTEM\hpfsched.scr;C:\WINDOWS\SYSTEM\hpfsched.vbs

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 9/4/2004, 15:4:24)

[Rename]
NUL=C:\WINDOWS\INTERN~1\IAMDB.RDB
C:\WINDOWS\INTERN~1\IAMDB.RDB=C:\_RESTORE\EXTRACT\A0000040.CPY
C:\WINDOWS\powerpnt.ini=C:\_RESTORE\EXTRACT\powerpnt.ini
C:\WINDOWS\wavemix.ini=C:\_RESTORE\EXTRACT\wavemix.ini
C:\WINDOWS\tasks\desktop.ini=C:\_RESTORE\EXTRACT\desktop.ini
C:\WINDOWS\win.ini=C:\_RESTORE\EXTRACT\win.ini
C:\WINDOWS\system.ini=C:\_RESTORE\EXTRACT\system.ini
C:\WINDOWS\USER.DAT=C:\_RESTORE\EXTRACT\USER.DAT
C:\WINDOWS\SYSTEM.DAT=C:\_RESTORE\EXTRACT\SYSTEM.DAT
C:\WINDOWS\CLASSES.DAT=C:\_RESTORE\EXTRACT\CLASSES.DAT

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

C:\WINDOWS\tmpcpyis.bat

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
SpywareGuard Download Protection - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL - {4A368E80-174F-4872-96B5-0B27DDD11DB2}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
PCHealth Scheduler for Data Collection.job
Video Reminder.job
Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[OPUCatalog Class]
InProcServer32 = C:\WINDOWS\SYSTEM\OPUC.DLL
CODEBASE = http://office.microsoft.com/productupdates/content/opuc.cab

[Hotmail Attachments Control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\HMATCHMT.OCX
CODEBASE = http://by8fd.bay8.hotmail.msn.com/activex/HMAtchmt.ocx

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37884.3279166667

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\OPUC.DLL
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
UPnPMonitor: C:\WINDOWS\SYSTEM\UPNPUI.DLL
AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL

--------------------------------------------------
End of report, 7,918 bytes
Report generated in 0.033 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 

·
Registered
Joined
·
45,855 Posts
Well, I don't see the problem there. Since you have WinME, autoexec.bat wouldn't be processed in the same way as 9x anyway.

While it's not the source of this issue you sure have a ton of hp stuff being run out of win.ini. I really doubt any of it is necessary. You could use msconfig to uncheck that run= line.

I have a sneaking suspicion that this issue may be the result of a hack to enable DOS in WinME. I don't know how to undo it if it is, but since this seems to be a relatively recent issue -- why not try a WinME System Restore to see if that will resolve it?

Another possible anomaly is I'm not seeing a file associated with this registry entry:

WEBCAMRT.EXE =

Does it show up if you run msconfig and look under startups?

And you might want to try a "clean" boot to see if anything at all in these startups is involved:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q267288
 

·
Registered
Joined
·
867 Posts
This doesn't look right to me.

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=C:\WINDOWS\hpfsched.bat;C:\WINDOWS\hpfsched.exe;C:\WINDOWS\hpfsched.com;C:\WINDOWS\hpfsched.scr;C:\WINDOWS\hpfsched.vbs;C:\WINDOWS\COMMAND\hpfsched.bat;C:\WINDOWS\COMMAND\hpfsched.exe;C:\WINDOWS\COMMAND\hpfsched.com;C:\WINDOWS\COMMAND\hpfsched.scr;C:\WINDOWS\COMMAND\hpfsched.vbs;C:\WINDOWS\SYSTEM\hpfsched.bat;C:\WINDOWS\SYSTEM\hpfsched.exe;C:\WINDOWS\SYSTEM\hpfsched.com;C:\WINDOWS\SYSTEM\hpfsched.scr;C:\WINDOWS\SYSTEM\hpfsched.vbs

It normally looks like this

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=


If you have a HP printer, it looks like this.

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=hpfsched.exe


Read http://www.computercops.biz/postt27866.html and http://www.computing.net/security/wwwboard/forum/10358.html
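
A triage sketch for the two anomalies raised in the replies above (the WIN.INI `run=` line that lists one program name under many extensions and directories, and the `WEBCAMRT.EXE =` Run value with no command), added here as an example and not part of the original thread. The sample report is constructed from lines in the pasted StartupList; `Finding`, `split_sections`, `check_win_ini`, `check_run_key` and `triage` are hypothetical names, and the parsing assumes the section layout seen in that report.

```python
import re
from collections import defaultdict, namedtuple
from ntpath import basename, dirname, splitext  # Windows path rules on any OS

Finding = namedtuple("Finding", "location name detail")

# Constructed sample, modelled on the StartupList report pasted in this thread.
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

WEBCAMRT.EXE =
MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=C:\WINDOWS\hpfsched.bat;C:\WINDOWS\hpfsched.exe;C:\WINDOWS\COMMAND\hpfsched.vbs
"""

def split_sections(report):
    """Yield (header, body_lines) for each dash-delimited report section."""
    for chunk in re.split(r"^-{10,}\s*$", report, flags=re.M):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines:
            yield lines[0], lines[1:]

def check_win_ini(body):
    """Flag a load=/run= line that names one program under several variants."""
    out = []
    for line in body:
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if not sep or key not in ("load", "run"):
            continue
        variants = defaultdict(set)  # program stem -> {(directory, extension)}
        # Assumption: entries are ';' or ',' separated, as in the pasted report.
        for entry in filter(None, (e.strip() for e in re.split(r"[;,]", value))):
            stem, ext = splitext(basename(entry))
            variants[stem.lower()].add((dirname(entry).lower(), ext.lower()))
        for stem, seen in variants.items():
            if len(seen) > 1:  # a lone "run=hpfsched.exe" is not flagged
                exts = " ".join(sorted({e for _, e in seen}))
                dirs = len({d for d, _ in seen})
                detail = f"{len(seen)} variants across {dirs} directories: {exts}"
                out.append(Finding(f"WIN.INI {key}=", stem, detail))
    return out

def check_run_key(body):
    """Flag registry autorun values whose command string is empty."""
    key_path = body[0] if body else "?"
    return [Finding(key_path, name.strip(), "value has no command")
            for name, sep, command in (l.partition("=") for l in body[1:])
            if sep and not command.strip()]

def triage(report):
    findings = []
    for header, body in split_sections(report):
        if header.startswith("Load/Run keys from"):
            findings += check_win_ini(body)
        elif header.startswith("Autorun entries from Registry"):
            findings += check_run_key(body)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.location}: {f.name} ({f.detail})")
```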
 

·
Registered
Joined
·
108 Posts
Discussion Starter · #9 ·
Trend Micro reported this...

Incident Status Location

Trj/ClassLoader.B Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-6913bb6c-1947e6ca.zip[GetAccess.class]
Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-6913bb6c-1947e6ca.zip[InsecureClassLoader.class]
Trj/Downloader.CL Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-6913bb6c-1947e6ca.zip[Installer.class]
Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count4.jar-5da93a97-5a9a4a1e.zip[BB.class]
Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count4.jar-5da93a97-5a9a4a1e.zip[Dummy.class]
Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count4.jar-5da93a97-5a9a4a1e.zip[VerifierBug.class]
JV/BlueScreen Not modifyable C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\bluescreen.class-27378c03-61af726a.class
 

·
Registered
Joined
·
108 Posts
Discussion Starter · #10 ·
This malware is a component of a malicious Java archive file (JAR) that resides in the infected Web site that JS_FORTNIGHT.B redirects users to. The malware simply calls and executes another malware, JAVA_JJBLACK.C, which results to modifications in browser and registry settings of the infected system.

This is Trend Micro's detection for JAVA classes that exploit a known vulnerability in Microsoft Virtual Machine in Windows Operating Systems and Internet Explorer. This flaw allows malicious users to execute codes of his or her choice when a user visits an infected Web site.

To know more of this vulnerability, how to determine a vulnerable system, and how to install security patches, continue reading on Microsoft’s Web site at this link:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-011.asp

Solution:

Resetting Internet Explorer Homepage and Search Page

This procedure restores the Internet Explorer home page and search page to the default settings.

Close all Internet Explorer windows.
Open Control Panel. Click Start>Settings>Control Panel
Double-click the Internet Options icon.
In the Internet Properties window, click the Programs tab.
Click the “Reset Web Settings…” button.
Select “Also reset my home page.” Click Yes.
Click OK.

Changing the Signature of Microsoft Outlook Express

This procedure restores the signature of Microsoft Outlook Express.

Open Microsoft Outlook Express.
Click on Tools>Options. Click on the Signature Tab.
If the file chosen in the File text box below is equal to “s.htm” or some other undesired file, delete the entry in the textbox.
Click OK.

Additional Windows ME/XP Cleaning Instructions ...

Right-click the My Computer icon on the Desktop and click Properties.
Click the Performance tab.
Click the File System button.
Click the Troubleshooting tab.
Select Disable System Restore.
Click Apply > Close > Close.
When prompted to restart, click Yes.
Press F8 while the system restarts.
Choose Safe Mode then hit the Enter key.
After your system has restarted, continue with the scan/clean process. Files under the _Restore folder can now be deleted.
Re-enable System Restore by clearing Disable System Restore and restarting your system normally.

"After your system has restarted, continue with the scan/clean process. Files under the _Restore folder can now be deleted." Do they mean scan clean with Trend Micro or with another programme? And how do I delete the _restore folder?
 

·
Registered
Joined
·
108 Posts
Discussion Starter · #15 ·
I've just noticed something on the first boot screen with the copyright on it... it says "trend chipaway virus (R) on guard version 1.64". Do you know what that is, Rog?
 

·
Registered
Joined
·
867 Posts
Trend-chipaway virus[R] on Guard Ver1.1.64 is the virus protect most likely used by your Motherboard/BIOS vendor.

You have the option to enable or disable it in the BIOS.

http://www.trendmicro.com/en/about/news/pr/archive/1998/pr050698.htm

http://www.trendmicro.com/en/about/news/pr/archive/1999/pr062199.htm

http://www.felgall.com/prog15.htm

To disable, startup in CMOS or BIOS

Usually done by pressing the "DEL" key a few seconds after turning on the computer.

Locate the "Virus Scanning" feature.

For machines with AMI BIOS, this is under the "Advanced" menu heading. For machines with Award BIOS, check the "Anti Virus Protection" heading.

Locate "Trend ChipAway Virus" or "Anti-virus" option and change or toggle its setting to "Disable".

Without making any further configuration changes, save the new settings and restart the computer.
 

·
Registered
Joined
·
108 Posts
Discussion Starter · #17 ·
Thanks for that info, VirtualMe.
I'm off out now so will do it later today.

...and Rog, that clean boot looked a bit too much for my brain, so I ran cwshredder and it got rid of that black screen....and all seems fine...I hope

cheers chaps

Flexi 0
Techguys 4
 

·
Registered
Joined
·
108 Posts
Discussion Starter · #19 ·
How's my log looking now...

Logfile of HijackThis v1.97.7
Scan saved at 11:02:19, on 12/04/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\HPFSTSC0.EXE
C:\WINDOWS\SYSTEM\HPZSTATX.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HI JACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/Default.asp?Ath=f
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by8fd.bay8.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37884.3279166667
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
 