TheTechGuide Forum
General Category => Tech Clinic => Topic started by: ababyspice on May 16, 2005, 01:03:58 PM
-
We were infected with the funner.exe worm. I have managed to log back in and download Hijackthis. Here follows the hijackthis log;
Logfile of HijackThis v1.99.1
Scan saved at 19:06:02, on 16/05/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.51 (5.51.4807.2300)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\MK9805.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-GB\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\MMTTGLZZ.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HJT\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iesearch.freeserve.net/iesearch/default.htm (http://\"http://www.iesearch.freeserve.net/iesearch/default.htm\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/ (http://\"http://www.ntlworld.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
F1 - win.ini: load=PTSNOOP.EXE
O2 - BHO: WaveHelper Class - {EA7F9A52-0A05-11D2-98C5-00104B7229C2} - C:\PROGRAM FILES\WAVETOP\BIN\WAVEIE.DLL
O2 - BHO: (no name) - {64AF335C-C21D-5DB0-8753-60550DA82D49} - C:\WINDOWS\SYSTEM\WCFCW.DLL
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\EN-GB\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.02.3000.1002\EN-XU\STMAIN.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\EN-GB\MSNTB.DLL
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [CHotKey] mk9805.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [MMSystem] C:\WINDOWS\rundll32.exe "c:\windows\system\mmsystem.dll"", RunDll32
O4 - HKLM\..\Run: [usbn] C:\WINDOWS\system32\usbn.exe -go -c7 -w1
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MMSystem] C:\WINDOWS\rundll32.exe "c:\windows\system\mmsystem.dll"", RunDll32
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Freeserve - {546D6D80-1E9E-11D3-B65B-88215C0F8173} - http://www.freeserve.net/ (http://\"http://www.freeserve.net/\") (file missing) (HKCU)
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.ntlworld.com/
O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab\")
O16 - DPF: {45231111-1111-1111-1111-111111113458} - file://C:\WINDOWS\Tempor~1\Content.IE5\0XM3W1EZ\epl7[1].cab
O18 - Protocol: wavetop - (no CLSID) - (no file)
How do I replace the deleted files?
-
How do you replace what deleted files???
Can you let me know what steps you have taken already
Could you also
Navigate to this file on your hard drive
C:\Windows\System.ini
Right click on it and select OPEN
Copy and paste back the contents to this thread
-
So far I have followed the instruction you gave to Dominik on Jan 28th (topic - psapi.dll and funny.exe Problem, Funner Worm?)
So I have booted to Command prompt only
Typed in
edit c:\windows\system.ini
Notice the space between edit and c
and hit Enter
in System.ini under the boot tab, navigated to Shell under the boot section
Changed it to read 'Shell=Explorer.exe'
I still couldn't log in so then I;
Got to the command prompt again and typed in the below-
del c:\windows\system\explorer.exe
del c:\windows\system\iexplore.exe
del c:\windows\system\userinit32.exe
del c:\windows\rundll32.exe
del c:\windows\hosts
del c:\funny.exe
del c:\windows\temp\*.*
At the prompt to delete contents of directory I pressed Y then hit Enter
Finally I entered this again at the prompt
edit c:\windows\system.ini
It still read
Shell=Explorer.exe
Restarted the computer succesfully and downloaded Hijackthis 1.99
Did a scan and posted the log file on my previous post.
I then downloaded and saved to Desktop Rundll32_98.zip
That's as far as I have got. I can still use the computer but it is unstable and keeps coming up with security errors. Also, when I turn it on it comes up with a few errors about missing files.
-
Open Hijackthis>>Open Misc tools section>>Open Hosts file Manager
If prompted to create a new Hosts file
ALLOW IT
Next, ensure you unzip Rundll32.zip to your C:Windows folder
I would also run System File checker to see if you have any corrupt or missing files
START>>RUN>>Type in sfc
You still didn't do this
Navigate to this file on your hard drive
C:\Windows\System.ini
Right click on it and select OPEN
Copy and paste back the contents to this thread
Could I also see a fresh Hijackthis log, it's been some time since you posted back and you still have some cleaning to do in your log
-
Thank you – I have created a new hosts file and made sure that the rundll32.zip is in the c:windows folder. I have run a system file checker and it appears that the Setupx.dll file is corrupt, I don’t know what to do to correct this.
Here follows the contents of the system.ini file
[boot]
oemfonts.fon=vga850.fon
system.drv=system.drv
drivers=mmsystem.dll power.drv
shell=Explorer.exe
user.exe=user.exe
gdi.exe=gdi.exe
sound.drv=mmsound.drv
dibeng.drv=dibeng.dll
comm.drv=comm.drv
mouse.drv=mouse.drv
keyboard.drv=keyboard.drv
*DisplayFallback=0
fixedfon.fon=vgafix.fon
fonts.fon=vgasys.fon
386Grabber=vgafull.3gr
display.drv=pnpdrvr.drv
SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\WINDOW~2.SCR
[keyboard]
keyboard.dll=
oemansi.bin=xlat850.bin
subtype=
type=4
[boot.description]
system.drv=Standard PC
mouse.drv=Microsoft Mouse
keyboard.typ=Standard 101/102-Key or Microsoft Natural Keyboard
aspect=100,96,96
display.drv=NVidia RIVA TNT
[386Enh]
ebios=*ebios
woafont=app850.fon
mouse=*vmouse, msmouse.vxd
device=*dynapage
device=*vcd
device=*vpd
device=*int13
PagingDrive=C:
device=*enable
keyboard=*vkd
[NonWindowsApp]
TTInitialSizes=4 5 6 7 8 9 10 11 12 13 14 15 16 18 20 22
[power.drv]
[drivers]
voice=C:\BITWARE\rockwell.drv
MSVideo.VfWWDM=vfwwdm.drv
wavemapper=*.drv
MSACM.imaadpcm=*.acm
MSACM.msadpcm=*.acm
wave=mmsystem.dll
midi=mmsystem.dll
[iccvid.drv]
[mciseq.drv]
[mci]
cdaudio=mcicda.drv
sequencer=mciseq.drv
waveaudio=mciwave.drv
avivideo=mciavi.drv
videodisc=mcipionr.drv
vcr=mcivisca.drv
DvdVidEx=MciCinem.drv DVD
MpegVideo=MciCinem.drv DVD
DvdVideo=MciCinem.drv DVD
QTWVideo=C:\WINDOWS\SYSTEM\MCIQTW.DRV
MPEGVideo2=mciqtz.drv
[vcache]
[DISPLAY]
BusThrottle=1
[Password Lists]
PAUL STURGES=C:\WINDOWS\PAULSTUR.PWL
[MSNP32]
[drivers32]
vidc.CVID=iccvid.dll
VIDC.IV31=ir32_32.dll
VIDC.IV32=ir32_32.dll
vidc.MSVC=msvidc32.dll
VIDC.MRLE=msrle32.dll
msacm.lhacm=lhacm.acm
msacm.msg723=msg723.acm
vidc.M263=msh263.drv
vidc.M261=msh261.drv
msacm.l3acm=C:\WINDOWS\SYSTEM\L3CODECA.ACM
VIDC.VDOM=vdowave.drv
VIDC.MPG4=msscmc32.dll
vidc.vivo=ivvideo.dll
msacm.vivog723=vivog723.acm
VIDC.TR20=tr2032.dll
VIDC.UCOD=clrviddd.dll
VIDC.IV50=ir50_32.dll
msacm.iac2=C:\WINDOWS\SYSTEM\IAC25_32.AX
VIDC.YVU9=iyvu9_32.dll
VIDC.IV41=ir41_32.ax
VIDC.IR32=C:\WINDOWS\SYSTEM\IR32_32.DLL
VIDC.IR31=C:\WINDOWS\SYSTEM\IR32_32.DLL
VIDC.IR41=C:\WINDOWS\SYSTEM\IR41_32.AX
msacm.msg711=msg711.acm
MSACM.imaadpcm=imaadp32.acm
MSACM.msadpcm=msadp32.acm
MSACM.msgsm610=msgsm32.acm
MSACM.trspch=tssoft32.acm
msacm.msaudio1=msaud32.acm
msacm.sl_anet=sl_anet.acm
msacm.voxacm160=vct3216.acm
VIDC.YUY2=msyuv.dll
VIDC.UYVY=msyuv.dll
VIDC.YVYU=msyuv.dll
[TTFontDimenCache]
0 4=2 4
0 5=3 5
0 6=4 6
0 7=4 7
0 8=5 8
0 9=5 9
0 10=6 10
0 11=7 11
0 12=7 12
0 13=8 13
0 14=8 14
0 15=9 15
0 16=10 16
0 18=11 18
0 20=12 20
0 22=13 22
Also here is a fresh hijack this log;
Logfile of HijackThis v1.99.1
Scan saved at 11:26:24, on 28/05/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.51 (5.51.4807.2300)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\MK9805.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-GB\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\MMTTGLZZ.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\HJT\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iesearch.freeserve.net/iesearch/default.htm (http://\"http://www.iesearch.freeserve.net/iesearch/default.htm\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/ (http://\"http://www.ntlworld.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
F1 - win.ini: load=PTSNOOP.EXE
O2 - BHO: WaveHelper Class - {EA7F9A52-0A05-11D2-98C5-00104B7229C2} - C:\PROGRAM FILES\WAVETOP\BIN\WAVEIE.DLL
O2 - BHO: (no name) - {64AF335C-C21D-5DB0-8753-60550DA82D49} - C:\WINDOWS\SYSTEM\WCFCW.DLL
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\EN-GB\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\EN-GB\MSNTB.DLL
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [CHotKey] mk9805.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [MMSystem] C:\WINDOWS\rundll32.exe "c:\windows\system\mmsystem.dll"", RunDll32
O4 - HKLM\..\Run: [usbn] C:\WINDOWS\system32\usbn.exe -go -c7 -w1
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MMSystem] C:\WINDOWS\rundll32.exe "c:\windows\system\mmsystem.dll"", RunDll32
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Freeserve - {546D6D80-1E9E-11D3-B65B-88215C0F8173} - http://www.freeserve.net/ (http://\"http://www.freeserve.net/\") (file missing) (HKCU)
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.ntlworld.com/
O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab\")
O16 - DPF: {45231111-1111-1111-1111-111111113458} - file://C:\WINDOWS\Tempor~1\Content.IE5\0XM3W1EZ\epl7[1].cab
O18 - Protocol: wavetop - (no CLSID) - (no file)
Hope this is all right?
-
Let's run some tools on your computer to ensure you are clean
Can you do the following please
==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup (http://\"http://downloads.stevengould.org/cleanup/CleanUp40.exe\")
Give the link time to load or try it twice, it may be busy
Alternate Download link (http://\"http://www.spywareaid.com/index.php?file=showsoftware&action=dl&softid=1&softtype=exe\")
We'll need this later
Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE (http://\"http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039\")
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link
I supplied for a more detailed explanation
In safe mode, find and delete these files if they exist
C:\WINDOWS\SYSTEM\MMTTGLZZ.EXE <-file
C:\WINDOWS\SYSTEM\WCFCW.DLL <-file
C:\WINDOWS\system32\usbn.exe <-file
Stay in safe mode
Do another scan with Hijackthis and put a check next to these entries:
O2 - BHO: (no name) - {64AF335C-C21D-5DB0-8753-60550DA82D49} - C:\WINDOWS\SYSTEM\WCFCW.DLL
O4 - HKLM\..\Run: [MMSystem] C:\WINDOWS\rundll32.exe "c:\windows\system\mmsystem.dll"", RunDll32
O4 - HKLM\..\Run: [usbn] C:\WINDOWS\system32\usbn.exe -go -c7 -w1
O4 - HKCU\..\Run: [MMSystem] C:\WINDOWS\rundll32.exe "c:\windows\system\mmsystem.dll"", RunDll32
O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
O16 - DPF: {45231111-1111-1111-1111-111111113458} - file://C:\WINDOWS\Tempor~1\Content.IE5\0XM3W1EZ\epl7[1].cab
O18 - Protocol: wavetop - (no CLSID) - (no file)
After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Afterwards
==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Restart back to Normal mode
We have to run some tools on your computer
Download and Install the free version of Ad-Aware SE Personal 1.06 (http://\"http://www.download.com/3000-2144-10045910.html\")
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer to finish the cleaning process
Back in Windows
We have to get your operating system and browser more secure
Visit Windows updates and Install ALL Latest Critical Updates and Service Packs
Don't install the Recommended updates unless something preferred
After you download and Install the latest updates and service packs
Keep revisiting Windows Updates until you have all the latest critical updates installed
After that is complete
I don't see any Anti-Virus software on your computer
If you need a free solution
Please download and Install the Free version of AVG 7
from this link
http://free.grisoft.com/doc/2/lng/us/tpl/v5 (http://\"http://free.grisoft.com/doc/2/lng/us/tpl/v5\")
Scroll down and click on
AVG Free Edition installation files
File Version
avg70free_322a531.exe <-this link or similiar
Save the installer to desktop and then double click to install
Restart the computer if prompted
Ensure that AVG is updated and run a Full system Scan
After the above is done
Post back a fresh Hijackthis log
-
Thank you - have done all the above. Here is fresh hijeckthis log;
Logfile of HijackThis v1.99.1
Scan saved at 19:35:19, on 02/06/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\MK9805.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-GB\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HJT\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/ (http://\"http://www.ntlworld.com/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
F1 - win.ini: load=PTSNOOP.EXE
O2 - BHO: WaveHelper Class - {EA7F9A52-0A05-11D2-98C5-00104B7229C2} - C:\PROGRAM FILES\WAVETOP\BIN\WAVEIE.DLL
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\EN-GB\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\EN-GB\MSNTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [CHotKey] mk9805.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Freeserve - {546D6D80-1E9E-11D3-B65B-88215C0F8173} - http://www.freeserve.net/ (http://\"http://www.freeserve.net/\") (file missing) (HKCU)
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab\")
O18 - Protocol: wavetop - (no CLSID) - (no file)
Also - I don't know if it is part of the same thing but when I try to access the cd drive i get the following error;
D:\ is not accessible. The device is not ready
I don't know if you can help with that but I thought I'd ask as you have been so helpful with this funny.exe problem.. Can't say enough thanks!