# Missing Files and Folders



## miss_susan (Sep 28, 2002)

Two days ago I discovered that in My Documents most of my files and folders have been wiped out. These were graphics and song files and also quite a few pages of java script code I had accumulated over the past two months for my websites. I have Norton Anti-Virus installed and kept up to date so I am doubtful that this is the nasty work of some virus.
Before I discovered the missing files I was given a tip by a co-worker friend of mine to visit a website which I believe is called .cracks.xx - I am sure you have heard of it. I downloaded a program that was unusable and when I tried to open it up my System folder opened up?
Do you think this has something to do with it? Now I am wondering if it is the work of some hacker??? Any feedback is welcome.
Thank You
Susan

Removed the link; that's one nasty little web site, pop-up hell, ended up having to kill IE to get out.


----------



## brianF (Dec 2, 1999)

moving to security, seems to be more appropriate in that forum


----------



## ddraigcoch (Mar 3, 2001)

I would suggest doing a full AV scan using the latest definitions and using a stand-alone Trojan scanner, like TDS3 from http://www.diamondcs.com.au

If this doesn't reap any results, then go to http://www.lurkhere.com/~nicefiles/ and download Start Up List. Double click to execute then copy and paste the log contents for us to ascertain what's running at start up.


----------



## miss_susan (Sep 28, 2002)

Thank you so much for your help. I followed your instructions and went to the TDS site and was informed that I had one Alarm:

RegVal Trace: RAT.Osama (HKEY_LOCAL_MACHINE) located in
Software\Microsoft\Windows\CurrentVersion\Run\[WNAD=C:\WINDOWS\wnad.exe

Then I went to the second site and followed your instructions there as well. Here is my startup information:

StartupList report, 9/29/2002, 9:37:00 AM
StartupList version: 1.33.0
Started from: C:\Documents and Settings\Susan\Local Settings\Temporary Internet Files\Content.IE5\Y38ZNKTO\startuplist133[1]\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\WINDOWS\wnad.exe
C:\Program Files\SVA Player\SVAPLAYER.EXE
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\WINDOWS\SOINTGR.EXE
C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE
C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Hotbar\bin\4.1.7.0\Hbinst.exe
C:\Program Files\FileFreedom\wtm.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Paltalk\pnetaware.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Hotbar\bin\4.1.7.0\HbSrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Acceleration Software\Anti-Virus\defscangui.exe
C:\TDS3\tds-3.exe
C:\Documents and Settings\Susan\Local Settings\Temporary Internet Files\Content.IE5\Y38ZNKTO\startuplist133[1]\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NeroCheck = C:\WINDOWS\system32\NeroCheck.exe
InCD = C:\Program Files\ahead\InCD\InCD.exe
NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
TimeSink Ad Client = "C:\Program Files\TimeSink\AdGateway\TsAdBot.exe"
WNAD = C:\WINDOWS\wnad.exe
SVAPlayer = C:\Program Files\SVA Player\SVAPLAYER.EXE
QuickTime Task = C:\WINDOWS\System32\qttask.exe
Pop-Up Stopper = "C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe"
CMESys = "C:\Program Files\Common Files\CMEII\CMESys.exe"
SO5 Integrator Pass Two = C:\WINDOWS\SOINTGR.EXE
Rosary Reminder = C:\PROGRA~1\VIRTUA~1\reminder.exe
WebScan = C:\Program Files\Acceleration Software\Anti-Virus\defscangui.exe -k
EanthologyApp = C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE /b
New.net Startup = rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
vptray = C:\PROGRA~1\NavNT\vptray.exe
KAZAA = C:\Documents and Settings\Sadie\Desktop\Grokster.exe /SYSTRAY
Hotbar = C:\Program Files\Hotbar\bin\4.1.7.0\Hbinst.exe /Upgrade
TDS3 = C:\TDS3\TDS-3.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Yahoo! Pager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
FileFreedom_Plugin = C:\Program Files\FileFreedom\wtm.exe

--------------------------------------------------

File association entry for .EXE:
----------------------------------------------------

I should mention that when I hit Ctrl+Alt+Delete to see what is actually running on my PC I find the following:
Mem Usage
defscangui.exe 17,340 K
HbSrv.exe 13,352
msimn.exe 7,924
iexplore.exe 34,944 
MSGSYS.EXE 2,572
taskmgr.exe 4,948
devldr32.exe 2,836
Ymsgr_tray.exe 2,456
pnetaware.exe 4,324
GMT.exe 15,052
wtm.exe 1,384
wanmpsvc.exe 1,764
Hbinst.exe 4,672
vptray.exe 5,364 
rundll32.exe 2,732
EANTHO~1.EXE 3,076
defscangui.exe 5,176
sointgr.exe 2,172
CMESys.exe 7,184
dpps2.exe 5,316
qttask.exe 648
SVAPLAYER.exe 3,544
wnad.exe 2,520
InCD.exe 3,824
explorer.exe 24,428
tcpsvcs.exe 2,240
spoolsv.exe 3,608
svchost.exe 2,468 NETWORK SERVICE
svchost.exe 2,648
rtvscan.exe 3,892
NAVAPSVC.EXE 620
defwatch.exe 1,168
alg.exe 3,160
lsass.exe 1,072
services.exe 2,888
winlogon.exe 1,064
csrss.exe 3,252
smss.exe 336
System 216


----------



## Rollin' Rog (Dec 9, 2000)

A quick look shows at least a few spy/adware services there (Hotbar, wnad.exe and gmt.exe (Gator), TimeSink Ad Client, CMESys.exe (also Gator)). The Gator stuff may get reinstalled or be required for Kazaa.

I would suggest installing and running one or both of the following and then reposting your startups:

Installing and Running Ad-Aware
http://www.lavasoft.nu/

1. Download to a convenient folder the installation file:

http://www.wyvernworks.com/Lavasoft/aaw.exe

2. Download the Refupdate installation file:

http://www.jamcomputerservices.com/lavasoft/refupdate.exe

3. Run the Ad-Aware setup file (aaw.exe) to install Ad-aware and reboot.

4. Run the refupdate.exe installation file. Go to Start Menu > Programs and find the Lavasoft Refupdate entry and run it. It will want a connection to the internet to check and update the current signature file. When that is complete, run Ad-aware itself.

5. Configure Ad-aware to scan all drives on which you have installed programs, memory and registry. When the scan is complete, check all entries it finds (do not select "Exclude" unless you specifically want something to be ignored!), click "Backup", to name and backup the items to be removed, and then continue to remove the selected items. Reboot afterwards.

====================

Installing and running Spybot:

http://www.net-integration.net/reviews/spybot1.html

1 -- create a new, 'host' folder in a convenient location (not on the desktop)

2 -- download the spybot program to it and run the setup file.

3 -- go to the Start Menu, find the program and run it. Click the "online" tab and "Search for Updates", then make your selection and click "Download Updates". You will not need to update the "main" program and can probably ignore the language and PGP (Pretty Good Privacy) updates.

4 -- run the scan (click "check all"). You will see some boxes checked and others not. Remove the pre-selected items. The others are mainly "cleanup" options (you can disable this feature by clicking Settings > FileSets, and unchecking "Usage Tracking". "System Internals" should be unchecked as well unless you are confident you know what it deals with).

5 -- it is a good practice to reboot afterwards, even if not prompted. 
======

Ad-aware will not detect or remove New.net, (newdotnet) but Spybot will. I would recommend removing it first through Add/Remove programs and then rebooting.

ref: http://www.cexx.org/newnet.htm

http://www.cexx.org/gator.htm

http://www.cexx.org/osama.htm

http://www.cexx.org/tsadbot.htm

>> I would also recommend finding and removing these installs, which I believe are just bogus excuses for more spyware:

WebScan = C:\Program Files\Acceleration Software\Anti-Virus\defscangui.exe -k

EanthologyApp = C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE /b

http://www.spywareinfo.com/yabbse/index.php?board=18;action=display;threadid=960


----------



## TonyKlein (Aug 26, 2001)

You left at least half of your StartupList report out, so please repost to show us the rest of it.

We need to see that as well.

Additionally, you also have the NewNet foistware, which is best removed like so:

1. First go to Start/Run, and type Msconfig. Go to the Startup tab, uncheck New.Net application, and click OK.
Now reboot, and the program will not load again with Windows, preventing the recurrence of your error message.

2. Now go to Software Add/Remove, and remove New.Net application there.

Don't attempt to remove the DLL manually, because that may cause the loss of your internet connectivity.

3. If no joy, you may use the uninstaller located on your hard drive; the location is C:\Program Files\NewDotNet and the uninstaller will be labeled either uninstall3_70.exe or uninstall3_88.exe.
Double-click on either one of the uninstallers and it will fully remove the software from your hard drive and registry. It will prompt you to reboot after removal.

4. Or download this separate uninstaller and run it: http://www.new.net/support/uninstall3_88.exe.

Once copied to the machine, just double click it.


----------



## ddraigcoch (Mar 3, 2001)

In addition to what Rollin' Rog has identified, you also have Gator, Hotbar, Sointgr, Yo Mama Osama, and I would recommend using Spybot Search & Destroy to remove these. You can disable them from running at start up in MSCONFIG first:

TimeSink Ad Client 
WNAD 
CMESys 
SO5 Integrator Pass Two 
KAZAA 
Hotbar 

These are in addition to what you've already been told to disable.


----------



## TonyKlein (Aug 26, 2001)

To complicate matters even more, before doing anything at all, first shut down and uninstall Kazaa.

You may have trouble uninstalling it if you start by removing the associated spyware.


----------



## miss_susan (Sep 28, 2002)

Here is the startup list in its entirety:

StartupList report, 9/30/2002, 9:04:49 AM
StartupList version: 1.33.0
Started from: C:\Documents and Settings\Susan\Desktop\Programs\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\SVA Player\SVAPLAYER.EXE
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
C:\WINDOWS\SOINTGR.EXE
C:\Program Files\Acceleration Software\Anti-Virus\defscangui.exe
C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\FileFreedom\wtm.exe
C:\Paltalk\pnetaware.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Sadie\Desktop\New Folder\Webshots\WebshotsTray.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Susan\Desktop\Programs\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NeroCheck = C:\WINDOWS\system32\NeroCheck.exe
InCD = C:\Program Files\ahead\InCD\InCD.exe
NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
SVAPlayer = C:\Program Files\SVA Player\SVAPLAYER.EXE
QuickTime Task = C:\WINDOWS\System32\qttask.exe
Pop-Up Stopper = "C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe"
SO5 Integrator Pass Two = C:\WINDOWS\SOINTGR.EXE
Rosary Reminder = C:\PROGRA~1\VIRTUA~1\reminder.exe
WebScan = C:\Program Files\Acceleration Software\Anti-Virus\defscangui.exe -k
EanthologyApp = C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE /b
vptray = C:\PROGRA~1\NavNT\vptray.exe
KAZAA = C:\Documents and Settings\Sadie\Desktop\Grokster.exe /SYSTRAY
TDS3 = C:\TDS3\TDS-3.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Yahoo! Pager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
FileFreedom_Plugin = C:\Program Files\FileFreedom\wtm.exe
Adaware Bootup = C:\Program Files\Lavasoft Ad-Aware\Ad-aware.exe /Auto /Log "C:\Program Files\Lavasoft Ad-Aware\"

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S "%3"

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}]
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}]
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}]
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[{00000075-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/voxmsdec.CAB

[QuickTime Object]
InProcServer32 = C:\WINDOWS\System32\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[CFForm Runtime]
InProcServer32 = C:\WINDOWS\System32\MSJAVA.DLL
CODEBASE = http://www.memolink.com/CFIDE/classes/CFJava.cab

[sys Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PCPitStop.dll
CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

[{15589FA1-C456-11CE-BF01-00AA0055595A}]
CODEBASE = http://www.twistedhumor.com/program_files/2002/ozzzy/OzzzyInstall2.exe

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[{29C13B62-B9F7-4CD3-8CEF-0A58A1A99441}]
CODEBASE = http://fdl.msn.com/public/chat/msnchat41.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

[CMV4 Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\cscmv4x.dll
CODEBASE = http://www108.coolsavings.com/download/cscmv4X.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe

[MDefControl Class]
InProcServer32 = C:\PROGRA~1\ACCELE~1\ANTI-V~1\EAC_MI~1.DLL
CODEBASE = http://raven.veloz.com/pub/download/scandl_ss.cab

[{51045741-8C4E-4EAC-8F03-08E43A6FBB29}]
CODEBASE = http://aft.ancestry.com/aftfiles/files/install/AncestryFamilyTree.cab

[PWMediaSendControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PWActiveXImgCtl.dll
CODEBASE = http://216.249.24.140/code/PWActiveXImgCtl.CAB

[Google Activate]
InProcServer32 = c:\windows\downloaded program files\GoogleToolbar_en_1.1.62-deleon.dll
CODEBASE = http://toolbar.google.com/data/en/deleon/1.1.54-deleon/GoogleNav.cab

[GigexCtrl ActiveX]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\gigexagent.dll
CODEBASE = http://www.gigex.com/tv/igor/gigexagent.dll

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2002092801/housecall.antivirus.com/housecall/xscan53.cab

[MSN Chat Control 4.2]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MSNChat42.ocx
CODEBASE = http://fdl.msn.com/public/chat/msnchat42.cab

[{8869786C-8E72-45DC-911D-AB3416AC1DF1}]
CODEBASE = http://www.buttonware.net/pub/download/scandl_cnry.cab

[Java Plug-in 1.3.1]
InProcServer32 = C:\Program Files\JavaSoft\JRE\1.3.1\bin\npjava131.dll
CODEBASE = http://java.sun.com/products/plugin/1.3.1/jinstall-131-win.cab

[karCntrlIE Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\karClientIE.ocx
CODEBASE = http://karaoke.oddcast.com//karClientIE.cab

[InstallShield International Setup Player]
InProcServer32 = c:\windows\downlo~1\isetup.dll
CODEBASE = http://66.28.46.99/update6/isetup.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoftware.com/activescan/as/asinst.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37421.6611921296

[YahooYMailTo Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ymmapi.dll
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0410.dll

[HeartbeatCtl Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\hrtbeat.ocx
CODEBASE = http://fdl.msn.com/zone/datafiles/heartbeat.cab

[RdxIE Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ie_grokster.dll
CODEBASE = http://www.grokster.com/rdx/RdxIE.cab

[Java Plug-in 1.3.1]
InProcServer32 = C:\Program Files\JavaSoft\JRE\1.3.1\bin\npjava131.dll
CODEBASE = http://java.sun.com/products/plugin/1.3.1/jinstall-131-win.cab

[Java Plug-in 1.3.1_02]
InProcServer32 = C:\Program Files\JavaSoft\JRE\1.3.1_02\bin\npjava131_02.dll
CODEBASE = http://java.sun.com/products/plugin/1.3.1/jinstall-131_02-win.cab

[Java Plug-in 1.4.0_01]
InProcServer32 = C:\Program Files\Java\j2re1.4.0_01\bin\npjpi140_01.dll
CODEBASE = http://java.sun.com/products/plugin/autodl/jinstall-1_4_0_01-win.cab

[ContentAuditX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONFLICT.1\ContentAuditControl.ocx
CODEBASE = http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Microsoft Office Tools on the Web Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\OUTC.DLL
CODEBASE = http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab

[YBIOCtrl Class]
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4025.cab

[CRegistryDownload Class]
InProcServer32 = C:\WINDOWS\System32\RegDload.dll
CODEBASE = http://www.paltalk.com/prod/RegDload.CAB

--------------------------------------------------
End of report, 12,450 bytes
Report generated in 0.578 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## TonyKlein (Aug 26, 2001)

Eanthology is foistware and it really has to go.

Go to Start > Run > Msconfig, and uncheck the following items on the Startup tab:

Rosary Reminder = C:\PROGRA~1\VIRTUA~1\reminder.exe 
WebScan = C:\Program Files\Acceleration Software\Anti-Virus\defscangui.exe -k 
EanthologyApp = C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE /b 
KAZAA = C:\Documents and Settings\Sadie\Desktop\Grokster.exe /SYSTRAY 
FileFreedom_Plugin 

Click OK, close Msconfig, and reboot.

Did you run Ad-Aware already, with the latest reffile?

Even if you did, run it again now.

Now do this:

Go to Internet Options > Temp. Internet Files > Settings > Show Objects, and examine all ActiveX objects you see there.

If any objects there are marked 'damaged', right-click them, and choose remove.

Now right-click each one in turn, choose 'properties', and check the Version tab.

If the manufacturer is anyone else but Macromedia, Microsoft, or Google, right-click the file, and choose 'remove'.

Reboot, and please report back when you're done.

Good luck, Tony


----------



## miss_susan (Sep 28, 2002)

I followed all of your instructions but ended up having to re-install Windows XP due to the fact that I could not even get on the internet or use Outlook Express and my CPU usage jumped to 100%! And then icons kept appearing on my desktop that I did not create and could not be deleted because "someone else was using them"???
After re-installing Windows XP I discovered that there were still Program Files on my hard drive from before that had not been wiped clean. So the man who built my pc is coming over to reformat my hard drive and to re-install Windows XP again!
I thank you for all of your help, but the real problem was the hacker who got into my system through a bogus program which I downloaded from that cracks site. I learned a valuable lesson from all of this--Stay away from places like Kazaa, Morpheus, and Grokster etc....Nothing is Free.

Thank You
Susan


----------



## carpenoctem3 (Nov 20, 2002)

hmmm sounds like your computer came down with a case of mosucker or maybe optixpro?


----------



## TDS Support (Apr 2, 2003)

TDS-3 should easily detect any MoSucker or Optix server, and nothing that is running looks overly suspicious. More likely, if anything, would be a trojan running inside explorer.exe as a DLL.

Make sure TDS is updated most importantly, download the latest update from the http://tds.diamondcs.com.au/ download page, save it to your TDS folder, and restart TDS. You should have the same number of trojan detection references as is listed at the top of the page. Now run a full scan from the testing menu.

Recommend you try Port Explorer as almost any trojan which is using sockets will have RED sockets, as there are no visible windows for it. explorer.exe shouldn't be listening or established, so if it is then the thought above about a DLL inside it might just be true. http://www.diamondcs.com.au/portexplorer/

Of course you should email [email protected] for more assistance, and if you try Port Explorer, click FILE, Save Table and send that too.
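The check TDS Support describes (a process such as explorer.exe that should never own a socket showing a listening or established connection) can be done without Port Explorer by correlating the PID column of `netstat -ano` with `tasklist /fo csv`. The script below is an added example, not from the thread or from DiamondCS; it uses those two stock Windows commands instead of Port Explorer, and both sample outputs embedded in it are constructed (the addresses are documentation ranges, the PIDs invented) so it runs offline.

```python
"""Correlate netstat -ano with tasklist to spot processes that should not own sockets."""
import csv
import io

# Constructed sample in the shape of `netstat -ano` output (the PID column requires -o).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  TCP    192.168.1.5:1044       203.0.113.10:6667      ESTABLISHED     1508
  TCP    192.168.1.5:1052       203.0.113.20:80        ESTABLISHED     1720
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample in the shape of `tasklist /fo csv` output.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","216 K"
"svchost.exe","924","Console","0","2,468 K"
"explorer.exe","1508","Console","0","24,428 K"
"iexplore.exe","1720","Console","0","34,944 K"
"""

# Processes that have no business owning network sockets on a workstation; a socket here
# suggests something loaded into the process (the DLL-in-explorer case raised in the thread).
NO_SOCKETS_EXPECTED = {"explorer.exe"}


def parse_tasklist(text):
    """Map PID (int) -> image name from CSV tasklist output."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(text))}


def parse_netstat(text):
    """[(proto, local, remote, state, pid)] from netstat -ano output; UDP rows carry no state."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                              # banner, blank and header lines
        proto, local, remote = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""
        rows.append((proto, local, remote, state, int(parts[-1])))
    return rows


def unexpected_sockets(netstat_text, tasklist_text):
    """Sockets owned by processes in NO_SOCKETS_EXPECTED: [(image, proto, local, remote, state)]."""
    image_by_pid = parse_tasklist(tasklist_text)
    hits = []
    for proto, local, remote, state, pid in parse_netstat(netstat_text):
        image = image_by_pid.get(pid, f"<pid {pid} not in tasklist>")
        if image.lower() in NO_SOCKETS_EXPECTED:
            hits.append((image, proto, local, remote, state or "BOUND"))
    return hits


if __name__ == "__main__":
    for hit in unexpected_sockets(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print("suspicious socket:", hit)
```

On a live machine, feed it the real output of the two commands; a hit on explorer.exe is not proof of a trojan DLL on its own, but it is the signal the post above says to look for, and the PID tells you which process to hand to TDS or to DiamondCS for a closer look.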


----------

