
Unknown Virus - vicious

Discussion in 'Malware and Virus Removal Archive' started by James Brandon, 2005/03/14.

  1. 2005/03/14
    James Brandon

    Hi Members,

    I am currently losing a battle - fighting off a virus that is attacking my machine: WIN 98 SE, AMD K6-2 300 PC.

    Started around 3/1/05 attacking every 5 min to 1 hr - before I would reboot.

    It takes control of my mouse/cursor - mind of its own (searching I think).

    It found Mozilla and erased my Favorites from Mozilla - yesterday.

    It got past my updated Norton Antivirus. Before and after I installed: 2 MS 98 patches, a couple days ago (just released), I tried UNSUCCESSFULLY to locate and remove with updated versions of: Ad-aware, Spybot & Spyware doctor.

    I am concerned and clueless.

    HijackThis log below.

    JC Brandon


    Logfile of HijackThis v1.98.2
    Scan saved at 12:20:58 PM, on 3/12/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS.000\SYSTEM\KERNEL32.DLL
    C:\WINDOWS.000\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS.000\SYSTEM\SPOOL32.EXE
    C:\WINDOWS.000\SYSTEM\MPREXE.EXE
    C:\WINDOWS.000\SYSTEM\MSTASK.EXE
    C:\WINDOWS.000\SYSTEM\ATI2EVXX.EXE
    C:\WINDOWS.000\SYSTEM\KB891711\KB891711.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS.000\SYSTEM\mmtask.tsk
    C:\WINDOWS.000\EXPLORER.EXE
    C:\WINDOWS.000\TASKMON.EXE
    C:\WINDOWS.000\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS.000\SYSTEM\PDESK.EXE
    C:\WINDOWS.000\STARTER.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\EARTHLINK TOTALACCESS\ACCELERATOR\PROPELAC.EXE
    C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE
    C:\PROGRAM FILES\BROTHER\BRMFL03A\BRSTDVPT.EXE
    C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
    C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\UNZIPPED\HIJACKTHIS-1\HIJACKTHIS.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
    C:\PROGRAM FILES\SCANSOFT\PAPERPORT\POPUP\SMARTUI.EXE
    C:\WINDOWS.000\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\WINDOWS.000\SYSTEM\RNAAPP.EXE
    C:\WINDOWS.000\SYSTEM\TAPISRV.EXE
    C:\WINDOWS.000\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\SCANSOFT\PAPERPORT\PPLINKS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://registration.excite.com/excitereg/login.jsp?app=em&return_url=http://e2.email.excite.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://registration.excite.com/excitereg/login.jsp?app=em&return_url=http://e2.email.excite.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.000\SYSTEM\MSDXM.OCX
    O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS.000\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS.000\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS.000\SYSTEM\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS.000\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS.000\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRAM FILES\EARTHLINK TOTALACCESS\ACCELERATOR\PROPELAC.EXE
    O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE "
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [BrmfRmPA.exe] C:\WINDOWS.000\BrmfRmPA.exe -startup
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
    O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS.000\SYSTEM\ati2s9ag.exe
    O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS.000\SYSTEM\KB891711\KB891711.EXE
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Brother SmartUI PopUp.lnk = C:\Program Files\Scansoft\PaperPort\PopUp\SmartUI.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
    O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS.000\SYSTEM\Shdocvw.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {21BBAC00-2C8B-11D3-82C3-444553540000} (AsyncFileRead Class) - http://live.av.com/cobrand/microportal/altavistatracker/rsafd.dll
    O16 - DPF: {86F622BC-EF88-458C-9E74-E2574B6875A5} (ChrtCtl Class) - http://fdl.msn.com/public/investor/v8/0502/investor.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw3fd.law3.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
     
  2. 2005/03/14
    noahdfear

    Download and install Process Explorer, unzip and open, then click file>save as and put on your desktop. Open and copy/paste it here.

    Scan your PC with RAV. If any files are infected, click the report button then copy and paste it here.
     


  4. 2005/03/14
    TonyT

    FIX:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://registration.excite.com/exci...ail.excite.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://registration.excite.com/exci...ail.excite.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080

    Then download, install & run a good anti-trojan app such as The Cleaner from www.moosoft.com.

    It appears that your computer is running a proxy server, which it should not be. Suspect a backdoor trojan allowing others to remotely control your system.

    When "cleaning", do so in safe mode.
     
  5. 2005/03/14
    James Brandon

    Hi Dave,

    Thanks for coming to the rescue.

    Did I do this right?

    Process PID CPU Description Company Name
    Idle 0x0 System Idle Process
    PROPELAC.EXE 0xFFF352A7 0.58
    RNAAPP.EXE 0xFFF2C8A7 0.48 Dial-Up Networking Application Microsoft Corporation
    TAPISRV.EXE 0xFFF1B0B7 Microsoft® Windows(TM) Telephony Server Microsoft Corporation
    KERNEL32.DLL 0xFFEFEC9F 0.29 Win32 Kernel core component Microsoft Corporation
    MSGSRV32.EXE 0xFFFE372F Windows 32-bit VxD Message Server Microsoft Corporation
    NAVAPW32.EXE 0xFFFEE3B7 0.19 Norton AntiVirus Auto-Protect Agent Symantec Corporation
    SPOOL32.EXE 0xFFFE2F37 Spooler Sub System Process Microsoft Corporation
    MPREXE.EXE 0xFFFE144F WIN32 Network Interface Service Process Microsoft Corporation
    KB891711.EXE 0xFFFED6B7 Windows KB891711 component Microsoft Corporation
    ATI2EVXX.EXE 0xFFFEA3BB
    MSTASK.EXE 0xFFFEA1F3 Task Scheduler Engine Microsoft Corporation
    mmtask.tsk 0xFFFDB20B Multimedia background task support module Microsoft Corporation
    EXPLORER.EXE 0xFFFDA4AF 92.82 Windows Explorer Microsoft Corporation
    ATIPTAXX.EXE 0xFFFDE3A3 ATI Desktop Control Panel ATI Technologies, Inc.
    DDHELP.EXE 0xFFF03947 Microsoft DirectX Helper Microsoft Corporation
    TASKMON.EXE 0xFFFDCED7 Task Monitor Microsoft Corporation
    SYSTRAY.EXE 0xFFFDC67F System Tray Applet Microsoft Corporation
    WMIEXE.EXE 0xFFF3F23B WMI service exe housing Microsoft Corporation
    CONMGR.EXE 0xFFFCFBF7 Connection Manager COM Server EarthLink, Inc.
    STARTER.EXE 0xFFFC7E63 Starter ENSONIQ Corp.
    REALPLAY.EXE 0xFFFC6F3B 1.84 RealPlayer RealNetworks, Inc.
    SWDOCTOR.EXE 0xFFFC6EDF 23.86 Spyware Doctor PCTools
    PROCEXP.EXE 0xFFFC52FF 80.12 Sysinternals Process Explorer Sysinternals
    PDESK.EXE 0xFFFC2E7B PDesk Matrox Graphics Inc.
    MSOFFICE.EXE 0xFFF3E3DB Microsoft Office Shortcut Bar Microsoft Corporation
    OSA.EXE 0xFFF3917F
    SMARTUI.EXE 0xFFF22F0B Visioneer
    PPLINKS.EXE 0xFFF09DB7 0.39 PaperPort Links Server ScanSoft, Inc.
    WZQKPICK.EXE 0xFFF210E7 WinZip Executable WinZip Computing, Inc.

    Process: Procexp Pid: FFFFFFFE

    Type Name


    JC Brandon
     
  6. 2005/03/14
    noahdfear

    ProxyServer = http=localhost:8080 is an entry commonly seen when using Earthlink's Propel Accelerator, so if fixing that entry leaves you unable to connect, open the misc tools section of HJT, backup tab, and put that entry back. Reboot. ;)

    Yes, you did the Process Explorer log correctly. In PE, please click View>Lower Pane View>DLLs, then highlight explorer.exe, wait for the lower pane to populate, then click file>save as and post its log.
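As an added example (not code from the thread, from HijackThis or from Sysinternals), here is a small Python triage script for an HJT log of the kind posted above. It flags a ProxyServer entry pointing at the local machine and an IE Start Page whose host differs from Default_Page_URL, and cross-checks the proxy against the "Running processes" block so that the Propel Accelerator case described in the reply above is reported as informational rather than as a likely proxy trojan; the process-to-product mapping and the sample log lines are constructed for this example.

```python
# Added example: triage helper for a HijackThis v1.98-style log.
# It is not HijackThis code; the KNOWN_LOCAL_PROXIES mapping and the sample
# log are assumptions constructed for this example.
import re
from urllib.parse import urlsplit

# Assumed mapping: products that legitimately install a localhost proxy,
# keyed by the process name they run as (as seen in the thread's HJT log).
KNOWN_LOCAL_PROXIES = {"PROPELAC.EXE": "EarthLink Propel Accelerator"}

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
PROXY_RE = re.compile(r"ProxyServer = (?P<spec>\S+)")
IE_MAIN_RE = re.compile(r"Internet Explorer\\Main,(?P<key>[^=]+?) = (?P<val>\S+)")


def parse_log(text):
    """Split an HJT log into (set of running process basenames, [(section, body)])."""
    processes, entries = set(), []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:                      # blank line ends the process block
                in_procs = False
            else:
                processes.add(line.rsplit("\\", 1)[-1].upper())
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return processes, entries


def proxy_targets(spec):
    """'http=localhost:8080;ftp=a.b:21' -> {'http': ('localhost', 8080), 'ftp': ...}.
    A bare 'host:port' (no scheme) applies to all protocols and is keyed '*'."""
    targets = {}
    for part in spec.split(";"):
        scheme, _, hostport = part.partition("=")
        if not hostport:
            scheme, hostport = "*", scheme
        host, _, port = hostport.rpartition(":")
        targets[scheme] = (host.lower(), int(port) if port.isdigit() else None)
    return targets


def triage(text):
    """Return a list of (severity, message) findings for the log."""
    processes, entries = parse_log(text)
    findings, main_keys = [], {}
    for _sec, body in entries:
        pm = PROXY_RE.search(body)
        if pm:
            owners = [p for p in KNOWN_LOCAL_PROXIES if p in processes]
            for scheme, (host, port) in proxy_targets(pm.group("spec")).items():
                local = host in ("localhost", "127.0.0.1")
                if local and owners:
                    findings.append(("info", f"{scheme} proxy on {host}:{port} matches running "
                                             f"{KNOWN_LOCAL_PROXIES[owners[0]]}; back up the entry in HJT before fixing"))
                elif local:
                    findings.append(("high", f"{scheme} proxy on {host}:{port} with no known accelerator "
                                             f"running; review for a proxy/backdoor trojan"))
                else:
                    findings.append(("medium", f"{scheme} proxy set to remote host {host}:{port}; confirm it is the ISP's"))
        km = IE_MAIN_RE.search(body)
        if km:
            main_keys.setdefault(km.group("key").strip(), km.group("val"))  # HKCU seen before HKLM
    start, default = main_keys.get("Start Page"), main_keys.get("Default_Page_URL")
    if start and default and urlsplit(start).hostname != urlsplit(default).hostname:
        findings.append(("medium", f"Start Page host {urlsplit(start).hostname} differs from "
                                   f"Default_Page_URL host {urlsplit(default).hostname}; confirm the user chose it"))
    return findings


# Constructed sample, trimmed from the lines quoted in the thread.
SAMPLE_LOG = """\
Logfile of HijackThis v1.98.2

Running processes:
C:\\WINDOWS.000\\SYSTEM\\KERNEL32.DLL
C:\\PROGRAM FILES\\EARTHLINK TOTALACCESS\\ACCELERATOR\\PROPELAC.EXE
C:\\WINDOWS.000\\EXPLORER.EXE

R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://start.earthlink.net
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://registration.excite.com/excitereg/login.jsp?app=em&return_url=http://e2.email.excite.com/
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=localhost:8080
O4 - HKLM\\..\\Run: [Propel Accelerator] C:\\PROGRAM FILES\\EARTHLINK TOTALACCESS\\ACCELERATOR\\PROPELAC.EXE
"""

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```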
     
  7. 2005/03/14
    James Brandon

    Hi Dave & Tony T,

    Partial listing from RAV, still scanning.

    I want to post before I CRASH again:
    Scan started at 3/14/05 1:03:33 PM

    Scanning memory...
    c:\RECYCLED\DC696.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC708.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC709.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC710.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC720.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC721.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC729.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC732.CSS->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC733.JS->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC734.CSS->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC738.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC739.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC740.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC742.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC743.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC747.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC748.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC749.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC750.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC751.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC752.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC753.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC754.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC755.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC756.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC757.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC758.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC759.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC760.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC761.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC803.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC805.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC906.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC961.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC962.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC963.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC964.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC965.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC966.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC967.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC968.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC969.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC970.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC971.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC972.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC973.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC974.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC975.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC976.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC977.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC978.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC979.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC980.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC981.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC982.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC985.PHP->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC986.CSS->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC987.JS->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1022.JS->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1023.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1024.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1025.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1026.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1027.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1028.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1031.PHP->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1032.CSS->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1064.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1065.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1066.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1067.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1068.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1069.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1070.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1071.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1072.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1073.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1074.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1075.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1076.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1077.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1078.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1079.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1080.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1081.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1082.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1083.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1084.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1085.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1086.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1088.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1089.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1090.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1091.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1092.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1093.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1094.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1095.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1096.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1097.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1098.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1099.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1100.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1101.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1102.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1105.PHP->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1106.CSS->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1107.JS->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1133.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1134.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1135.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1136.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1137.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1138.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1139.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1140.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1141.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1142.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1143.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1144.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1145.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1146.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1163.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1165.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1166.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1167.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1168.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1170.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1171.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1172.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1173.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1174.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1175.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1176.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1177.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1178.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1179.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1180.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1181.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1182.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1183.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1184.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1185.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1186.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1187.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1190.PHP->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1191.CSS->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1192.JS->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1223.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1224.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1225.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1226.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1227.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1228.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1229.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1230.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1231.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1232.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1233.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1234.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1235.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1236.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1237.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1238.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1239.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1240.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1241.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1243.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1244.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1245.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1248.PHP->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1249.CSS->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1250.JS->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1285.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1286.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1287.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1288.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1289.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1290.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1292.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1293.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1294.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1295.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1296.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1297.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1298.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1299.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1300.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1301.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1302.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1303.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1304.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1305.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1306.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1307.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
     
  8. 2005/03/14
    James Brandon

    Hi Dave,

    RAV still running.

    I use Copper.net dial-up - I left Earthlink shortly after their update 6 months ago - I didn't like what I thought it was doing while I was connected.

    If I can stabilize this machine I may update to MS XP.

    I have little control right now.

    JC Brandon
     
  9. 2005/03/14
    James Brandon

    2nd, PARTIAL scan...still running

    Scan started at 3/14/05 1:03:33 PM

    c:\RECYCLED\DC1140.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1141.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1142.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1143.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1144.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1145.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1146.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1163.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1165.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1166.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1167.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1168.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1170.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1171.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1172.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1173.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1174.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1175.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1176.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1177.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1178.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1179.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1180.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1181.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1182.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1183.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1184.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1185.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1186.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1187.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1190.PHP->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1191.CSS->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1192.JS->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1223.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1224.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1225.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1226.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1227.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1228.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1229.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1230.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1231.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1232.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1233.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1234.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1235.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1236.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1237.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1238.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1239.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1240.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1241.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1243.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1244.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1245.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1248.PHP->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1249.CSS->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1250.JS->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1285.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1286.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1287.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1288.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1289.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1290.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1292.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1293.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1294.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1295.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1296.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1297.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1298.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1299.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1300.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1301.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1302.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1303.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1304.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1305.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1306.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1307.HTML->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC663\protected_JCB_template_css.css->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC663\protected_JCB_template_js.js->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC663\protected_common_scripts.js->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC663\protected_hp_image.php->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1696\b6sprof.htm->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1696\b1habus.htm->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1696\b3passe.htm->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1696\b3pesta.htm->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1696\b3pinsu.htm->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1696\b3preti.htm->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1696\b3ptax.htm->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1696\b4rhedg.htm->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1696\b4rmpt.htm->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1696\b4rsuit.htm->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1696\b5paggr.htm->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1696\b5pbala.htm->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1696\b5pcons.htm->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1696\b6sinte.htm->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1696\b6splan.htm->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1696\b6sport.htm->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1696\b1habar.htm->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1696\b7cappl.htm->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1696\b7cappo.htm->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1696\b7cemai.htm->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1696\bcont.htm->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1696\bhome.htm->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1696\bplan.htm->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1696\bport.htm->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1696\brisk.htm->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1696\bserv.htm->(SCRIPT0000) - JS/Drost.A* -> Infected
    c:\RECYCLED\DC1696\bteam.htm->(SCRIPT0000) - JS/Drost.A* -> Infected
     
  10. 2005/03/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Since you no longer use Earthlink, fix all of these with HJT and reboot, then delete the Earthlink folder in C:\Program Files.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mo...ton/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/mo...ton/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://registration.excite.com/exci...ail.excite.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://registration.excite.com/exci...ail.excite.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
    O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRAM FILES\EARTHLINK TOTALACCESS\ACCELERATOR\PROPELAC.EXE
    O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE "
    O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
    O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html


    Empty your recycle bin!
     
  11. 2005/03/14
    James Brandon

    James Brandon Inactive Thread Starter

    Joined:
    2005/03/10
    Messages:
    13
    Likes Received:
    0
    Hi Dave,

    Log below:

    Process PID CPU Description Company Name
    Idle 0x0 System Idle Process
    KERNEL32.DLL 0xFFEFE955 0.62 Win32 Kernel core component Microsoft Corporation
    MSGSRV32.EXE 0xFFFE32E5 Windows 32-bit VxD Message Server Microsoft Corporation
    NAVAPW32.EXE 0xFFFEC5FD 0.53 Norton AntiVirus Auto-Protect Agent Symantec Corporation
    SPOOL32.EXE 0xFFFE2AFD Spooler Sub System Process Microsoft Corporation
    MPREXE.EXE 0xFFFE1185 WIN32 Network Interface Service Process Microsoft Corporation
    KB891711.EXE 0xFFFED35D Windows KB891711 component Microsoft Corporation
    ATI2EVXX.EXE 0xFFFE9AA1
    MSTASK.EXE 0xFFFE6C31 Task Scheduler Engine Microsoft Corporation
    mmtask.tsk 0xFFFDB7A9 Multimedia background task support module Microsoft Corporation
    EXPLORER.EXE 0xFFFDAE85 81.35 Windows Explorer Microsoft Corporation
    TASKMON.EXE 0xFFFDDD91 Task Monitor Microsoft Corporation
    SYSTRAY.EXE 0xFFFDC245 System Tray Applet Microsoft Corporation
    WMIEXE.EXE 0xFFFCAFC5 WMI service exe housing Microsoft Corporation
    PROPELAC.EXE 0xFFFCA625
    RNAAPP.EXE 0xFFF13FB9 0.18 Dial-Up Networking Application Microsoft Corporation
    TAPISRV.EXE 0xFFF1AEC9 Microsoft® Windows(TM) Telephony Server Microsoft Corporation
    CONMGR.EXE 0xFFFC89D9 Connection Manager COM Server EarthLink, Inc.
    STARTER.EXE 0xFFFC7A05 Starter ENSONIQ Corp.
    REALPLAY.EXE 0xFFFC6C89 2.37 RealPlayer RealNetworks, Inc.
    PDESK.EXE 0xFFFC2081 PDesk Matrox Graphics Inc.
    MSOFFICE.EXE 0xFFF3DC11 Microsoft Office Shortcut Bar Microsoft Corporation
    SWDOCTOR.EXE 0xFFF3B48D 13.81 Spyware Doctor PCTools
    OSA.EXE 0xFFF384E9
    ATIPTAXX.EXE 0xFFF367E9 ATI Desktop Control Panel ATI Technologies, Inc.
    DDHELP.EXE 0xFFF1CCA5 Microsoft DirectX Helper Microsoft Corporation
    WZQKPICK.EXE 0xFFF2765D WinZip Executable WinZip Computing, Inc.
    SMARTUI.EXE 0xFFF21289 Visioneer
    PPLINKS.EXE 0xFFF08C11 0.44 PaperPort Links Server ScanSoft, Inc.
    PROCEXP.EXE 0xFFEF1001 94.46 Sysinternals Process Explorer Sysinternals

    Process: EXPLORER.EXE Pid: FFFDAE85

    Name Description Company Name Version
    AcroIEHelper.ocx AcroIEHelper Module ( 1.00.0000.0001
    ACTXPRXY.DLL ActiveX Interface Marshaling Library Microsoft Corporation 6.00.2800.1106
    ADVAPI32.DLL Win32 ADVAPI32 core component Microsoft Corporation 4.80.0000.1675
    advpack.dll ADVPACK Microsoft Corporation 6.00.2800.1106
    ATL.DLL ATL Module for Windows (ANSI) Microsoft Corporation 3.00.8449.0000
    AuthMgr.dll EarthLink, Inc. 2004.01.0088.0000
    BROWSELC.DLL Shell Browser UI Library Microsoft Corporation 6.00.2800.1106
    BROWSEUI.DLL Shell Browser UI Library Microsoft Corporation 6.00.2800.1612
    CFGMGR32.DLL Configuration Manager Win32 Interface Microsoft Corporation 4.10.0000.1998
    COMCTL32.DLL Common Controls Library Microsoft Corporation 5.81.4916.0400
    COMDLG32.DLL Common Dialogs DLL Microsoft Corporation 4.72.3510.2300
    CORPOL.DLL Microsoft COM Runtime Execution Engine Microsoft Corporation 1998.03.6074.0000
    CRTDLL.DLL Microsoft C Runtime Library Microsoft Corporation 3.50.0746.0001
    CRYPT32.DLL Crypto API32 Microsoft Corporation 5.131.1878.0012
    DCIMAN32.DLL DCI Manager 1.00 Intel(R) Corp., Microsoft Corp. 4.03.0000.1998
    DDRAW.DLL Microsoft DirectDraw Microsoft Corporation 4.09.0000.0900
    DDRAWEX.DLL Microsoft DirectDrawEx Microsoft Corporation 4.87.0000.0700
    DXTMSFT.DLL DirectX Media -- Image DirectX Transforms Microsoft Corporation 6.03.2800.1106
    DXTRANS.DLL DirectX Media -- DirectX Transform Core Microsoft Corporation 6.03.2800.1106
    E60Cmmon.dll  EarthLink, Inc. 2004.01.0030.0000
    EAuthMgr.dll  EarthLink, Inc. 2004.01.0088.0000
    Ecrypt.dll  EarthLink, Inc. 2004.01.0042.0000
    es.dll COM+ EventSystem Library Microsoft Corporation 1998.09.1003.0000
    esshared.dll COM+ EventSystem Shared Utilities Microsoft Corporation 1998.09.1003.0000
    estier2.dll COM+ EventSystem Service Library Microsoft Corporation 1998.09.1003.0000
    EventLog.dll  EarthLink, Inc. 2004.01.0088.0000
    EXPLORER.EXE Windows Explorer Microsoft Corporation 4.72.3110.0001
    Flash.ocx Macromedia Flash Player 6.0 r79 Macromedia, Inc. 6.00.0079.0000
    GDI32.DLL Win32 GDI core component Microsoft Corporation 4.10.0000.1998
    IMGUTIL.DLL IE plugin image decoder support DLL Microsoft Corporation 6.00.2800.1106
    IMM32.DLL Win32 IMM32 core component Microsoft Corporation 4.10.0000.1998
    JAVACYPT.DLL MS Crypt Dll for Java Microsoft Corporation 5.00.3810.0000
    JSCRIPT.DLL Microsoft (r) JScript Microsoft Corporation 5.06.0000.8513
    KERNEL32.DLL Win32 Kernel core component Microsoft Corporation 4.10.0000.2222
    LINKINFO.DLL Windows Volume Tracking Microsoft Corporation 4.10.0000.1998
    Location.dll  EarthLink, Inc. 2004.01.0088.0000
    LZ32.DLL Win32 LZ32 core component Microsoft Corporation 4.10.0000.1998
    MFC42.DLL MFCDLL Shared Library - Retail Version Microsoft Corporation 6.00.8665.0000
    mfc70.dll MFCDLL Shared Library - Retail Version Microsoft Corporation 7.00.9466.0000
    MLANG.DLL Multi Language Support DLL Microsoft Corporation 6.00.2800.1106
    MPR.DLL WIN32 Network Interface DLL Microsoft Corporation 4.10.0000.1998
    MSAFD.DLL Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation 4.10.0000.1998
    MSHTML.DLL Microsoft (R) HTML Viewer Microsoft Corporation 6.00.2800.1491
    MSHTMLED.DLL Microsoft (R) HTML Editing Component Microsoft Corporation 6.00.2800.1106
    msi.dll Windows Installer Microsoft Corporation 2.00.2600.0002
    MSJAVA.DLL Microsoft® VM Microsoft Corporation 5.00.3810.0000
    MSLS31.DLL Microsoft Line Services library file Microsoft Corporation 3.10.0349.0000
    MSOSS.DLL Microsoft Trust ASN APIs Microsoft Corporation 5.131.1877.0003
    MSPWL32.DLL Password list management library Microsoft Corporation 4.10.0000.1998
    msvcp70.dll Microsoft® C++ Runtime Library Microsoft Corporation 7.00.9466.0000
    msvcr70.dll Microsoft® C Runtime Library Microsoft Corporation 7.00.9466.0000
    MSVCRT.DLL Microsoft (R) C Runtime Library Microsoft Corporation 6.01.8637.0000
    MSVCRT20.DLL Microsoft® C Runtime Library Microsoft Corporation 2.12.0000.0000
    MSVFW32.DLL Microsoft Video for Windows DLL Microsoft Corporation 4.10.0000.1998
    MSWSOCK.DLL Microsoft WinSock Extension APIs Microsoft Corporation 4.10.0000.2222
    MSXML3.DLL MSXML 3.0 SP 3 Microsoft Corporation 8.30.9926.0000
    MYDOCS.DLL My Documents Folder UI Microsoft Corporation 4.72.3510.2300
    NETAPI32.DLL 32-bit network API DLL Microsoft Corporation 4.10.0000.1998
    NETBIOS.DLL
    NTDLL.DLL Win32 NTDLL core component Microsoft Corporation 4.10.0000.1998
    OLE32.DLL Microsoft OLE for Windows and Windows NT Microsoft Corporation 4.71.2900.0000
    OLEACC.DLL Active Accessibility Core Component Microsoft Corporation 4.02.2209.0000
    OLEAUT32.DLL Microsoft Corporation 2.40.4518.0000
    PnEL.dll Earthlink Popup Blocker EarthLink, Inc. 2004.02.0080.0000
    PnEL_UI.dll Earthlink Popup Blocker Resource Library EarthLink, Inc. 2004.02.0080.0000
    PSTOREC.DLL Protected Storage COM interfaces Microsoft Corporation 5.00.1877.0003
    RASAPI32.DLL Dial-Up Networking Dynamic Linked Library Microsoft Corporation 4.10.0000.2222
    ravonline.dll RAVOnline Module GeCAD Software 1.01.0000.0138
    ravscan.dll ravscan Module GeCAD Software 1.00.0000.0211
    ravupdt.dll ravupdt Module GeCAD Software 1.00.0000.0371
    riched20.dll Rich Text Edit Control, v3.0 Microsoft Corporation 5.30.0023.1200
    RICHED32.DLL Windows 95 Rich Text Edit Control Microsoft Corporation 5.00.1458.0047
    RNR20.DLL Windows Socket2 NameSpace DLL Microsoft Corporation 4.10.0000.2222
    RPCRT4.DLL Remote Procedure Call DLL Microsoft Corporation 4.71.2900.0002
    RSABASE.DLL Microsoft Base Cryptographic Provider (Export Version) Microsoft Corporation 5.00.1877.0007
    RSAENH.DLL Microsoft Enhanced Cryptographic Provider (US/Canada Only, Not for Export) Microsoft Corporation 5.00.1877.0008
    SCHANNEL.DLL TLS / SSL Security Provider (US and Canada Use Only) Microsoft Corporation 4.87.1964.1878
    SECUR32.DLL Microsoft Win32 Security Services Microsoft Corporation 4.10.0000.2222
    sens.dll System Event Notification Service (SENS) Microsoft Corporation 5.50.4807.2300
    SHD401LC.DLL Shell Doc Object and Control Library - IE 4.01 compat Microsoft Corporation 5.50.4914.1400
    SHDOC401.DLL Shell Doc Object and Control Library - IE 4.01 compat Microsoft Corporation 5.50.4914.1400
    SHDOCLC.DLL Shell Doc Object and Control Library Microsoft Corporation 6.00.2800.1106
    SHDOCVW.DLL Shell Doc Object and Control Library Microsoft Corporation 6.00.2800.1612
    SHELL32.DLL Windows Shell Common Dll Microsoft Corporation 4.72.3812.0600
    SHFOLDER.DLL Shell Folder Service Microsoft Corporation 6.00.2800.1106
    SHLWAPI.DLL Shell Light-weight Utility Library Microsoft Corporation 6.00.2800.1612
    SOFTPUB.DLL Microsoft Trust Policy Providers Microsoft Corporation 5.131.1877.0009
    SVRAPI.DLL 32-bit common Server API library Microsoft Corporation 4.10.0000.1998
    TAPI32.DLL Microsoft® Windows(TM) Telephony API Client DLL Microsoft Corporation 4.10.0000.2222
    URLMON.DLL OLE32 Extensions for Win32 Microsoft Corporation 6.00.2800.1485
    USER32.DLL Win32 USER32 core component Microsoft Corporation 4.10.0000.2227
    Utils.dll  EarthLink, Inc. 2004.01.0030.0000
    VBSCRIPT.DLL Microsoft (r) VBScript Microsoft Corporation 5.06.0000.8515
    VERSION.DLL Win32 VERSION core component Microsoft Corporation 4.10.0000.1998
    VMHELPER.DLL Microsoft® VM Helper Library Microsoft Corporation 5.00.3810.0000
    WEBCHECK.DLL Web Site Monitor Microsoft Corporation 6.00.2800.1106
    WEBVW.DLL Shell WebView Content & Control Library Microsoft Corporation 5.00.0312.0000
    Win.dll  EarthLink, Inc. 2004.01.0030.0000
    WININET.DLL Internet Extensions for Win32 Microsoft Corporation 6.00.2800.1485
    WINMM.DLL System APIs for Multimedia Microsoft Corporation 4.03.0000.1998
    WINTRUST.DLL Microsoft Trust Verification APIs Microsoft Corporation 5.131.1877.0005
    WOW32.DLL Win32 WOW32 core component Microsoft Corporation 4.10.0000.1998
    WS2_32.DLL Windows Socket 2.0 32-Bit DLL Microsoft Corporation 4.10.0000.2222
    WS2HELP.DLL Windows Socket 2.0 Helper for Windows 98 Microsoft Corporation 4.10.0000.1998
    WSOCK32.DLL BSD Socket API for Windows Microsoft Corporation 4.10.0000.1998
    WZSHLSTB.DLL WinZip Shell Extension DLL WinZip Computing, Inc. 4.01.0000.0000
    zlib.dll zlib data compression library 1.01.0004.0000
     
  12. 2005/03/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Explorer dll log looks OK. Click KERNEL32.DLL in the top pane and if the lower pane populates, save and post that log.
     
  13. 2005/03/14
    James Brandon

    James Brandon Inactive Thread Starter

    Joined:
    2005/03/10
    Messages:
    13
    Likes Received:
    0
    Hi Dave,

    I have been working diligently following your instructions.

    1) I fixed the referenced files with HJT

    2) I deleted Earthlink from C:\Program Files & also used Control Panel to REMOVE programs

    3) Emptied Trash - some files "were not deletable" - though trash is now empty

    4) Rebooted - ran Spybot again - yesterday Ad-Aware took more than 2hrs (longest ever - have not run yet)

    5) New log from HJT & PE below:

    Logfile of HijackThis v1.98.2
    Scan saved at 3:15:04 PM, on 3/14/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS.000\SYSTEM\KERNEL32.DLL
    C:\WINDOWS.000\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS.000\SYSTEM\MPREXE.EXE
    C:\WINDOWS.000\SYSTEM\MSTASK.EXE
    C:\WINDOWS.000\SYSTEM\ATI2EVXX.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS.000\SYSTEM\KB891711\KB891711.EXE
    C:\WINDOWS.000\SYSTEM\mmtask.tsk
    C:\WINDOWS.000\EXPLORER.EXE
    C:\WINDOWS.000\TASKMON.EXE
    C:\WINDOWS.000\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS.000\SYSTEM\PDESK.EXE
    C:\WINDOWS.000\STARTER.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
    C:\WINDOWS.000\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\WINDOWS.000\SYSTEM\BRMFRSMG.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
    C:\PROGRAM FILES\SCANSOFT\PAPERPORT\POPUP\SMARTUI.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\WINDOWS.000\SYSTEM\WMIEXE.EXE
    C:\WINDOWS.000\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\SCANSOFT\PAPERPORT\PPLINKS.EXE
    C:\WINDOWS.000\SYSTEM\RNAAPP.EXE
    C:\WINDOWS.000\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
    C:\UNZIPPED\HIJACKTHIS-1\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL (file missing)
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.000\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS.000\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS.000\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS.000\SYSTEM\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS.000\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS.000\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [BrmfRmPA.exe] C:\WINDOWS.000\BrmfRmPA.exe -startup
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
    O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS.000\SYSTEM\ati2s9ag.exe
    O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS.000\SYSTEM\KB891711\KB891711.EXE
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Brother SmartUI PopUp.lnk = C:\Program Files\Scansoft\PaperPort\PopUp\SmartUI.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS.000\SYSTEM\Shdocvw.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL (file missing)
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {21BBAC00-2C8B-11D3-82C3-444553540000} (AsyncFileRead Class) - http://live.av.com/cobrand/microportal/altavistatracker/rsafd.dll
    O16 - DPF: {86F622BC-EF88-458C-9E74-E2574B6875A5} (ChrtCtl Class) - http://fdl.msn.com/public/investor/v8/0502/investor.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw3fd.law3.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

    Process PID CPU Description Company Name
    Idle 0x0 System Idle Process
    SPOOL32.EXE 0xFFFCAA2F Spooler Sub System Process Microsoft Corporation
    FIREFOX.EXE 0xFFF7FB43 6.23 Firefox Mozilla
    NOTEPAD.EXE 0xFFF6D34B Windows Notepad application file Microsoft Corporation
    BRMFRSMG.EXE 0xFFF30AD7 10.94 Brother MFL Pro Resource Manager Brother Industries, Ltd.
    RNAAPP.EXE 0xFFF0E7D3 0.17 Dial-Up Networking Application Microsoft Corporation
    TAPISRV.EXE 0xFFF0223F Microsoft® Windows(TM) Telephony Server Microsoft Corporation
    KERNEL32.DLL 0xFFEF83CF 0.25 Win32 Kernel core component Microsoft Corporation
    MSGSRV32.EXE 0xFFFE587F Windows 32-bit VxD Message Server Microsoft Corporation
    NAVAPW32.EXE 0xFFFE6E0B 0.17 Norton AntiVirus Auto-Protect Agent Symantec Corporation
    MPREXE.EXE 0xFFFE46FF WIN32 Network Interface Service Process Microsoft Corporation
    MSTASK.EXE 0xFFFED57F Task Scheduler Engine Microsoft Corporation
    ATI2EVXX.EXE 0xFFFEC3A7
    KB891711.EXE 0xFFFD772F Windows KB891711 component Microsoft Corporation
    EXPLORER.EXE 0xFFFD3193 0.42 Windows Explorer Microsoft Corporation
    TASKMON.EXE 0xFFFDFFC3 Task Monitor Microsoft Corporation
    SYSTRAY.EXE 0xFFFDEB43 System Tray Applet Microsoft Corporation
    WMIEXE.EXE 0xFFF33FAF WMI service exe housing Microsoft Corporation
    PDESK.EXE 0xFFFDAC9B PDesk Matrox Graphics Inc.
    REALPLAY.EXE 0xFFFCD9EF 1.35 RealPlayer RealNetworks, Inc.
    SMARTUI.EXE 0xFFFCD607 Visioneer
    PPLINKS.EXE 0xFFF11973 0.25 PaperPort Links Server ScanSoft, Inc.
    WZQKPICK.EXE 0xFFFC92BF WinZip Executable WinZip Computing, Inc.
    ATIPTAXX.EXE 0xFFFC88AB ATI Desktop Control Panel ATI Technologies, Inc.
    DDHELP.EXE 0xFFF1412B Microsoft DirectX Helper Microsoft Corporation
    STARTER.EXE 0xFFFC5E87 Starter ENSONIQ Corp.
    PROCEXP.EXE 0xFFF6B367 94.78 Sysinternals Process Explorer Sysinternals
    OSA.EXE 0xFFF3743F
    SWDOCTOR.EXE 0xFFF35037 53.79 Spyware Doctor PCTools
    MSOFFICE.EXE 0xFFF320CB Microsoft Office Shortcut Bar Microsoft Corporation
    mmtask.tsk 0xFFFD1FBF Multimedia background task support module Microsoft Corporation

    Process: KERNEL32.DLL Pid: FFEF83CF

    Name Description Company Name Version
    ADVAPI32.DLL Win32 ADVAPI32 core component Microsoft Corporation 4.80.0000.1675
    ATI2CQAG.DLL ATI CMM-QS ATI Technologies Inc. 4.13.0001.0192
    GDI32.DLL Win32 GDI core component Microsoft Corporation 4.10.0000.1998
    KERNEL32.DLL Win32 Kernel core component Microsoft Corporation 4.10.0000.2222
    USER32.DLL Win32 USER32 core component Microsoft Corporation 4.10.0000.2227


    JCB
     
  14. 2005/03/14
    James Brandon

    James Brandon Inactive Thread Starter

    Joined:
    2005/03/10
    Messages:
    13
    Likes Received:
    0
    Incredibly persistent bug.

    Just crashed me again!
     
  15. 2005/03/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Did you fix this?

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080

    If so, fix again, with all other windows closed, then open Internet Options in the control panel>connections tab>click your current dialup connection then settings (click LAN settings button if not dialup). Uncheck any Use Proxy and Automatically Detect boxes and OK out.
    Has this been the problem? BSODs and/or freeze-ups? If so, go to add/remove and uninstall KB891711 update then reboot.

    Did RAV find any infected files other than in the recycle bin?
     
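    An added check, not part of the thread, for the kind of proxy hijack the R1 line above reports: it reads the same per-user WinINet values HijackThis inspects and flags a proxy pointed at the local machine. It is written in PowerShell for current Windows versions (Windows 98 has no PowerShell), and assumes only the standard registry provider.

```powershell
# Added example (not from the thread). Inspects the per-user WinINet proxy
# settings that HijackThis reports as R1 entries and flags a proxy that
# points at the local host, e.g. 'http=localhost:8080'.
$key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$props = Get-ItemProperty -Path $key

# ProxyEnable is a DWORD (0/1); treat a missing value as disabled.
$enabled = if ($null -ne $props.ProxyEnable) { [int]$props.ProxyEnable } else { 0 }
$server  = [string]$props.ProxyServer
$autocfg = [string]$props.AutoConfigURL

"ProxyEnable   : $enabled"
"ProxyServer   : $server"
"AutoConfigURL : $autocfg"

# ProxyServer may be a single 'host:port' or a list like 'http=a:1;https=b:2'.
# A loopback target means every browser request is relayed through a program
# listening on this machine, which is what the R1 entry above describes.
$loopback = '(^|=)(localhost|127\.\d{1,3}\.\d{1,3}\.\d{1,3})(:\d+)?(;|$)'

if ($enabled -eq 1 -and $server -match $loopback) {
    Write-Warning "Proxy points at the local host: $server"
    # Remediation with the same effect as unchecking the proxy box in
    # Internet Options > Connections > LAN/dialup settings.
    Set-ItemProperty -Path $key -Name ProxyEnable -Value 0
    Remove-ItemProperty -Path $key -Name ProxyServer -ErrorAction SilentlyContinue
    Write-Output 'Proxy disabled; close all browser windows and re-run HijackThis.'
}
elseif ($autocfg) {
    # An automatic configuration script can redirect traffic the same way.
    Write-Warning "AutoConfigURL is set: $autocfg (verify it is expected)"
}
else {
    Write-Output 'No local-host proxy configured.'
}
```

    Run it in the affected user's session, since the values live under HKCU and a per-user hijack is invisible from another account.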
  16. 2005/03/14
    James Brandon

    James Brandon Inactive Thread Starter

    Joined:
    2005/03/10
    Messages:
    13
    Likes Received:
    0
    Hi Dave,

    Thanks for your continued help.

    BSODs ?
    Crashed again - I have lost control and/or had freeze-ups of the machine and have had to reboot.

    I have unchecked LAN settings in the past & again today.

    I exited RAV early to get started on your suggestions I will go back.

    I will fix R1 & KB891711

    MUCH THANKS for all the guidance - downloaded CWShredder (found nothing); SpySubtract also downloaded but missing a file and not usable yet.

    JC Brandon
     
  17. 2005/03/14
    James Brandon

    James Brandon Inactive Thread Starter

    Joined:
    2005/03/10
    Messages:
    13
    Likes Received:
    0
    When booting, SpySubtract gives this message:

    Provider cannot be found. It may not be properly installed. Error#: 0x800a0e7a

    JC Brandon
     
  18. 2005/03/14
    James Brandon

    James Brandon Inactive Thread Starter

    Joined:
    2005/03/10
    Messages:
    13
    Likes Received:
    0
    Hi Dave,

    Your help - is very much appreciated - please check out my site - FREE info for family & friends on site - www.jcbcapital.com.

    RAV 2nd scan - unlike the first time, RAV is asking me to "browse"... before "scanning".

    I am having trouble getting back in line at RAV for an online scan of my system.

    JC Brandon
     
  19. 2005/03/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    The only time I've seen RAV want to browse was when scanning a folder or file rather than PC. Did you by chance click one of those options?

    BSOD..........Blue Screen Of Death......usually a system crash with an error message.

    Site looks clean, professional and informative. The Golden Gate pic brought back fond childhood memories of 3 days and nights at Ft. Point. Lived in Concord for a while. Muir Woods and Mt. Diablo 2 of my favorite places still. :)
     