my computer hangs on shutdown


C-ron1000
February 11th, 2003, 03:10 AM
In the past week I have had a lot of trouble with my computer and it wanting to shut down. When I go to Start and hit Shut Down, the screen goes blank and then a little line starts blinking in the upper left-hand corner of the screen. I have tried defrag and ScanDisk. Can you please help me? My computer wants to shut down normally.
Thanks

tb525
February 11th, 2003, 08:16 AM
Hi C-ron1000, welcome to CTH. It may be a program running in the background that's causing the hang. Let's see what you have loading at startup. Go here and download, unzip and run StartupList. It will create a log file. Copy the log and then paste it in a reply.

http://www.lurkhere.com/~nicefiles/index.html

C-ron1000
February 11th, 2003, 04:18 PM
StartupList report, 2/11/2003, 11:05:17 AM
StartupList version: 1.51
Started from : C:\UNZIPPED\STARTUPLIST151\STARTUPLIST.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\GRXP4EXE.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SHELLEX.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\D-LINK AIRPLUS\AIRPLUS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\WINMX\WINMX.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE
C:\PROGRAM FILES\WINAMP\WINAMP.EXE
C:\PROGRAM FILES\DAP\DAP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\STARTUPLIST151\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
D-Link AirPlus.lnk = C:\Program Files\D-Link AirPlus\AirPlus.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LexStart = Lexstart.exe
ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
NPROTECT = C:\Program Files\Norton Utilities\NPROTECT.EXE
SENTRY = C:\WINDOWS\SENTRY.exe
KAZAA = C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
seticlient = C:\Program Files\SETI@home\SETI@home.exe -min
LVComs = C:\WINDOWS\SYSTEM\LVComS.exe
Advanced Tools Check = C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
TkBellExe = C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
ShellEx = C:\WINDOWS\SYSTEM\SHELLEX.exe

--------------------------------------------------

C:\WINDOWS\WININIT.INI listing:
(Created 10/2/2003, 23:50:30)

[rename]
NUL=C:\WINDOWS\DOWNLO~1\IEGATOR.DLL

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 9/2/2003, 13:32:40)

[Rename]
NUL=C:\~MS_GAM~.TMP\_SETUP.EXE

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

C:\WINDOWS\tmpcpyis.bat

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - (no file) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRAM FILES\DAP\DAPBHO.DLL - {0000CC75-ACF3-4cac-A0A9-DD3868E06852}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - C:\PROGRAM FILES\FLT\FLT.DLL - {665ACD90-4541-4836-9FE4-062386BB8F05}
(no name) - C:\Program Files\NewDotNet\newdotnet4_50.dll - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
(no name) - (no file) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6}
(no name) - C:\WINDOWS\SYSTEM\M030106SHOP.DLL - {98D7B53E-B1D2-4755-B0A4-703E18FF91E8}
(no name) - C:\WINDOWS\IPINSIGT.DLL - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9}
BabeIE - (no file) - {00000000-0000-0000-0000-000000000000}

--------------------------------------------------

Enumerating Task Scheduler jobs:

PCHealth Scheduler for Data Collection.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[RdxIE Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RDXIE.DLL
CODEBASE = http://207.188.25.44/16396aa3348df0843919/netzip/RdxIE.cab

[MS Investor Ticker]
InProcServer32 = C:\WINDOWS\DOWNLO~1\TICKER9.OCX
CODEBASE = http://fdl.msn.com/public/investor/v9/ticker.cab

[Video Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\VIDEOX.DLL
CODEBASE = http://spystream.babenet.com/cabs/videox.cab

[VivoActive Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\VVWEB.OCX
CODEBASE = http://player.vivo.com/ie/vvweb.cab

[{018B7EC3-EECA-11D3-8E71-0000E82C6C0D}]
CODEBASE = http://dialer.offshoreclicks.com/files/900018/102540/sex-viewer.exe

[{1B77F337-2C1E-4D52-88F7-AAEE5BFB6F5B}]
CODEBASE = http://www.netbroadcaster.com/player/MovieNetworks1.exe

[NSUpdateLiteCtrl Class]
InProcServer32 = C:\WINDOWS\SYSTEM\NSUPDATE.DLL
CODEBASE = http://204.177.92.201/quickdl/action/NSupd9x.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a224.g.akamai.net/7/224/52/20010620/qtinstall.info.apple.com/qt502/us/win/QuickTimeInstaller.exe

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[HeartbeatCtl Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\HRTBEAT.OCX
CODEBASE = http://fdl.msn.com/zone/Z4/heartbeat.cab

[plug Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CHARGI~1.DLL
CODEBASE = http://dist02.chargitdial.com/chargitplug.dll

[{A45F39DC-3608-4237-8F0E-139F1BC49464}]
CODEBASE = http://64.157.10.150/diallerfiles/028598.exe

[CFForm Runtime]
InProcServer32 = C:\WINDOWS\SYSTEM\MSJAVA.DLL
CODEBASE = http://icn2.umeche.maine.edu/CFIDE/classes/CFJava.cab

[{9771C160-AD19-11D5-91BE-0048546CB511}]
CODEBASE = http://www.affiliatetarget.com/webtwo/download.exe

[MSN Chat Control 4.0]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNCHAT40.OCX
CODEBASE = http://fdl.msn.com/public/chat/msnchat4.cab

[{8522F9B3-38C5-4AA4-AE40-7401F1BBC851}]
CODEBASE = http://66.28.45.60/FreeMP3_v2.0.exe

[QuickTime Object]
InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Popup Window Object]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\IEPOPWND.OCX
CODEBASE = http://activex.microsoft.com/activex/controls/iexplorer/x86/iepopwnd.cab

[XDialer Class]
InProcServer32 = C:\WINDOWS\SYSTEM\XDIAL.OCX
CODEBASE = http://www.sex777.com/AX/XDialer2.CAB

[{BD11A280-2E73-11CF-B6CF-00AA00A74DAF}]
CODEBASE = http://images.bonzi.com/freebuddy/wd/bbsetupcom.exe

[Measurement Service Client]
InProcServer32 = C:\WINDOWS\DOWNLO~1\MSC.OCX
CODEBASE = http://ccon.madonion.com/global/msc.cab

[GSDACtl Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\GSDA.DLL
CODEBASE = http://launch.gamespyarcade.com/software/launch/alaunch.cab

[{A1DC3241-B122-195F-B21A-000000000000}]
CODEBASE = http://pluginaccess.com/cd/Browser_Plugin.cab

[TDServer Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\TDSERVER.OCX
CODEBASE = http://www.bitstream.com/wfplayer/tdserver.cab

[ContentAuditX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONTEN~1.OCX
CODEBASE = http://a840.g.akamai.net/7/840/5805/v1500/www.contentwatch.com/audit/includes/ContentAuditControl.cab

[Hotmail Attachments Control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\HMATCHMT.OCX
CODEBASE = http://lw15fd.law15.hotmail.msn.com/activex/HMAtchmt.ocx

[{A27CFCAE-9351-4D74-BFFC-21EB19693D8C}]
CODEBASE = http://www.xupiter.com/search2/install/XupiterToolbarLoader.cab

[Live365Player Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PLAY365.DLL
CODEBASE = http://www.live365.com/players/play365.cab

[dlControl.UserControl1]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\DLCONTROL.OCX
CODEBASE = http://www.nugs.net/dev/dlControl.CAB

[Loader Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MACONNECT.DLL
CODEBASE = http://connect.online-dialer.com/MaConnect.cab

[eConn Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ECONNECT.DLL
CODEBASE = http://econnect.libereco.net/econnect.cab

[IEDial Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IEACCESS2.DLL
CODEBASE = http://fr4-download.nocreditcard.com/download/Object/ieaccess2.cab

[Register Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\HWUTILS.DLL
CODEBASE = http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.26/Hiwire.cab

[Fswinst Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\FSWINST.OCX
CODEBASE = http://www.newtopsites.com/fswinst.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37641.4552314815

[WebPlayer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\HWAUDIO.DLL
CODEBASE = http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.30/Hiwire.cab

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: C:\PROGRAM FILES\NEWDOTNET\NEWDOTNET4_50.DLL
Protocol #2: C:\PROGRAM FILES\NEWDOTNET\NEWDOTNET4_50.DLL
Protocol #12: C:\PROGRAM FILES\NEWDOTNET\NEWDOTNET4_50.DLL
Protocol #13: C:\PROGRAM FILES\NEWDOTNET\NEWDOTNET4_50.DLL

--------------------------------------------------
End of report, 10,621 bytes
Report generated in 0.910 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

tb525
February 11th, 2003, 05:02 PM
Jeeeezzzz!!!

ShellEx = C:\WINDOWS\SYSTEM\SHELLEX.exe = Backdoor.Anakha

Click Start > Run > type regedit and click OK
Click the + next to the following keys

HKEY_LOCAL_MACHINE
Software
Microsoft
Windows
CurrentVersion

Scroll down and click on the RunServices folder.
In the right hand window look for:
ShellEx = C:\WINDOWS\SYSTEM\SHELLEX.exe
Right click on this entry and click delete.

Collapse the registry tree, close regedit and reboot.

Do a find files for SHELLEX.exe and delete it.

Then there is all kinds of spyware:

FlashTrack
IpInsight
New.net
Gator
Xupiter
BonziBuddy

Plus all kinds of premium rate dialers. Download and run Spybot-S&D to remove all this.

Download Spybot - Search & Destroy

http://beam.to/spybotsd


After installing, go to the Online tab, and search for and install all updates.

Next, go to the Settings tab > File Sets, and uncheck System Internals, Usage Tracking and Tracks.uti. These settings are not needed at the moment and you can always consult the "Help" files if you want to experiment later on.

Finally, after closing down Internet Explorer, hit 'Check for Problems', and have SpyBot remove all it finds. (If the scan has found something, the list will show it.)

There are three basic kinds of results:

Red entries indicate spyware problems that should be fixed to avoid security and/or privacy problems. This is the only kind of problem that is preselected to be fixed.

Black entries are system internals. If you do not know what they mean, I would suggest that you leave these alone and visit the support forum for more information.

Green entries indicate usage tracks. It can do no harm to remove these.

NOTE: SSD will sometimes not be able to remove all active components in the first 'run'. In that case you will get a dialog asking you to run SSD at next start. Click yes and reboot.
SSD will activate before the system puts these components 'in use', and it will then be able to 'fix' the rest.

After that, navigate to C:\Windows\Downloaded Program Files.
Right click on everything in turn and choose Properties. If the copyright info doesn't list Microsoft, Macromedia, or Apple, delete it.

When you are finished, run StartupList again and post the results.

C-ron1000
February 11th, 2003, 06:18 PM
StartupList report, 2/11/2003, 1:04:10 PM
StartupList version: 1.51
Started from : C:\UNZIPPED\STARTUPLIST151\STARTUPLIST.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\GRXP4EXE.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SHELLEX.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\KAZAA\KAZAA.EXE
C:\PROGRAM FILES\SETI@HOME\SETI@HOME.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\D-LINK AIRPLUS\AIRPLUS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\UNZIPPED\STARTUPLIST151\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
D-Link AirPlus.lnk = C:\Program Files\D-Link AirPlus\AirPlus.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LexStart = Lexstart.exe
ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
NPROTECT = C:\Program Files\Norton Utilities\NPROTECT.EXE
KAZAA = C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
seticlient = C:\Program Files\SETI@home\SETI@home.exe -min
LVComs = C:\WINDOWS\SYSTEM\LVComS.exe
Advanced Tools Check = C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
TkBellExe = C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
ShellEx = C:\WINDOWS\SYSTEM\SHELLEX.exe

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 11/2/2003, 11:52:28)

[rename]
NUL=C:\WINDOWS\DOWNLO~1\CONFLICT.1\IEGATOR.DLL
NUL=C:\WINDOWS\DOWNLO~1\IEGATOR.DLL

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

C:\WINDOWS\tmpcpyis.bat

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - (no file) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

PCHealth Scheduler for Data Collection.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[RdxIE Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RDXIE.DLL
CODEBASE = http://207.188.25.44/16396aa3348df0843919/netzip/RdxIE.cab

[MS Investor Ticker]
InProcServer32 = C:\WINDOWS\DOWNLO~1\TICKER9.OCX
CODEBASE = http://fdl.msn.com/public/investor/v9/ticker.cab

[Video Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\VIDEOX.DLL
CODEBASE = http://spystream.babenet.com/cabs/videox.cab

[VivoActive Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\VVWEB.OCX
CODEBASE = http://player.vivo.com/ie/vvweb.cab

[{1B77F337-2C1E-4D52-88F7-AAEE5BFB6F5B}]
CODEBASE = http://www.netbroadcaster.com/player/MovieNetworks1.exe

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a224.g.akamai.net/7/224/52/20010620/qtinstall.info.apple.com/qt502/us/win/QuickTimeInstaller.exe

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[HeartbeatCtl Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\HRTBEAT.OCX
CODEBASE = http://fdl.msn.com/zone/Z4/heartbeat.cab

[plug Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CHARGI~1.DLL
CODEBASE = http://dist02.chargitdial.com/chargitplug.dll

[CFForm Runtime]
InProcServer32 = C:\WINDOWS\SYSTEM\MSJAVA.DLL
CODEBASE = http://icn2.umeche.maine.edu/CFIDE/classes/CFJava.cab

[{9771C160-AD19-11D5-91BE-0048546CB511}]
CODEBASE = http://www.affiliatetarget.com/webtwo/download.exe

[MSN Chat Control 4.0]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNCHAT40.OCX
CODEBASE = http://fdl.msn.com/public/chat/msnchat4.cab

[QuickTime Object]
InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Popup Window Object]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\IEPOPWND.OCX
CODEBASE = http://activex.microsoft.com/activex/controls/iexplorer/x86/iepopwnd.cab

[XDialer Class]
InProcServer32 = C:\WINDOWS\SYSTEM\XDIAL.OCX
CODEBASE = http://www.sex777.com/AX/XDialer2.CAB

[Measurement Service Client]
InProcServer32 = C:\WINDOWS\DOWNLO~1\MSC.OCX
CODEBASE = http://ccon.madonion.com/global/msc.cab

[GSDACtl Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\GSDA.DLL
CODEBASE = http://launch.gamespyarcade.com/software/launch/alaunch.cab

[TDServer Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\TDSERVER.OCX
CODEBASE = http://www.bitstream.com/wfplayer/tdserver.cab

[ContentAuditX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONTEN~1.OCX
CODEBASE = http://a840.g.akamai.net/7/840/5805/v1500/www.contentwatch.com/audit/includes/ContentAuditControl.cab

[Hotmail Attachments Control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\HMATCHMT.OCX
CODEBASE = http://lw15fd.law15.hotmail.msn.com/activex/HMAtchmt.ocx

[Live365Player Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PLAY365.DLL
CODEBASE = http://www.live365.com/players/play365.cab

[dlControl.UserControl1]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\DLCONTROL.OCX
CODEBASE = http://www.nugs.net/dev/dlControl.CAB

[Register Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\HWUTILS.DLL
CODEBASE = http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.26/Hiwire.cab

[Fswinst Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\FSWINST.OCX
CODEBASE = http://www.newtopsites.com/fswinst.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37641.4552314815

[WebPlayer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\HWAUDIO.DLL
CODEBASE = http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.30/Hiwire.cab

--------------------------------------------------
End of report, 8,212 bytes
Report generated in 0.345 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

tb525
February 11th, 2003, 08:18 PM
Go here and run an online virus scan: http://housecall.antivirus.com/

This entry is still there:
ShellEx = C:\WINDOWS\SYSTEM\SHELLEX.exe

After that, navigate to C:\Windows\Downloaded Program Files.
Right click on everything in turn and choose Properties. If the copyright info doesn't list Microsoft, Macromedia, or Apple, delete it.
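
Added example, not part of the original thread: comparing two StartupList reports section by section shows what a cleanup pass removed and what survived it, which is the check done by eye in the reply above. The parsing rules are inferred from the reports posted here, the function names are hypothetical, and the two sample reports are constructed excerpts of the first two logs.

```python
import re

RULE = re.compile(r"^[-=]{10,}$")  # StartupList separates sections with rules

def parse_report(text):
    """Return {section title: [entries]} for a StartupList text report."""
    sections, chunk = {}, []
    for line in text.splitlines() + ["-" * 50]:  # sentinel flushes the last chunk
        line = line.strip()
        if not RULE.match(line):
            chunk.append(line)
            continue
        # Inside a section, blank lines split blocks; the first block is the title.
        body = "\n".join(chunk).strip()
        blocks = [b.split("\n") for b in re.split(r"\n\s*\n", body) if b]
        chunk = []
        if len(blocks) < 2 or blocks[0][0].startswith("End of report"):
            continue  # report header or footer, not a startup section
        entries = []
        for block in blocks[1:]:
            if block[0].startswith("["):  # "[name]" plus detail lines is one record
                entries.append(" | ".join(block))
            else:
                entries.extend(block)
        sections[" ".join(blocks[0])] = entries
    return sections

def diff_reports(before, after):
    """Per section: entries removed, entries that survived, entries that are new."""
    result = {}
    for title in sorted(set(before) | set(after)):
        old = {e.lower(): e for e in before.get(title, [])}
        new = {e.lower(): e for e in after.get(title, [])}
        result[title] = {
            "removed": [old[k] for k in old if k not in new],
            "persisting": [new[k] for k in new if k in old],
            "added": [new[k] for k in new if k not in old],
        }
    return result

# Constructed samples: abbreviated excerpts of the first two reports in this thread.
BEFORE = r"""StartupList report, 2/11/2003, 11:05:17 AM
==================================================
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
ShellEx = C:\WINDOWS\SYSTEM\SHELLEX.exe
--------------------------------------------------
Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\FLT\FLT.DLL - {665ACD90-4541-4836-9FE4-062386BB8F05}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
--------------------------------------------------
Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[{A27CFCAE-9351-4D74-BFFC-21EB19693D8C}]
CODEBASE = http://www.xupiter.com/search2/install/XupiterToolbarLoader.cab
"""

AFTER = r"""StartupList report, 2/11/2003, 1:04:10 PM
==================================================
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
ShellEx = C:\WINDOWS\SYSTEM\SHELLEX.exe
--------------------------------------------------
Enumerating Browser Helper Objects:

NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
--------------------------------------------------
Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab
"""

if __name__ == "__main__":
    print(diff_reports(parse_report(BEFORE), parse_report(AFTER)))
```

An entry that shows up under "persisting" in an autorun section after a removal attempt, as ShellEx does here, is the one to chase next.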

C-ron1000
February 12th, 2003, 12:20 AM
So I installed the software and got rid of two infected files. But for some reason the shellex.exe still comes up every time I restart the computer, even when I go in to regedit and delete that file. And my comp still hangs when I try and shut it down. Please help.

tb525
February 12th, 2003, 12:28 AM
Run StartupList from a command prompt and use the /complete switch:
Click Start > Run and copy and paste the following in and hit enter.
Then copy and paste the results in a reply

C:\UNZIPPED\STARTUPLIST151\STARTUPLIST.EXE /Complete

Also, what virus did Housecall say those files were infected with?
Do a find files for Rundll32.pin and delete it if found.

C-ron1000
February 12th, 2003, 03:30 AM
StartupList report, 2/11/2003, 10:16:19 PM
StartupList version: 1.51
Started from : C:\UNZIPPED\STARTUPLIST151\STARTUPLIST.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\GRXP4EXE.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\PROGRAM FILES\D-LINK AIRPLUS\AIRPLUS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\WINMX\WINMX.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\PROGRAM FILES\WINAMP\WINAMP.EXE
C:\UNZIPPED\STARTUPLIST151\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
D-Link AirPlus.lnk = C:\Program Files\D-Link AirPlus\AirPlus.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LexStart = Lexstart.exe
ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
NPROTECT = C:\Program Files\Norton Utilities\NPROTECT.EXE
KAZAA = C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
seticlient = C:\Program Files\SETI@home\SETI@home.exe -min
LVComs = C:\WINDOWS\SYSTEM\LVComS.exe
Advanced Tools Check = C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
TkBellExe = C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 11/2/2003, 11:52:28)

[rename]
NUL=C:\WINDOWS\DOWNLO~1\CONFLICT.1\IEGATOR.DLL
NUL=C:\WINDOWS\DOWNLO~1\IEGATOR.DLL

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

C:\WINDOWS\tmpcpyis.bat

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - (no file) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

PCHealth Scheduler for Data Collection.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[RdxIE Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RDXIE.DLL
CODEBASE = http://207.188.25.44/16396aa3348df0843919/netzip/RdxIE.cab

[MS Investor Ticker]
InProcServer32 = C:\WINDOWS\DOWNLO~1\TICKER9.OCX
CODEBASE = http://fdl.msn.com/public/investor/v9/ticker.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[CFForm Runtime]
InProcServer32 = C:\WINDOWS\SYSTEM\MSJAVA.DLL
CODEBASE = http://icn2.umeche.maine.edu/CFIDE/classes/CFJava.cab

[MSN Chat Control 4.0]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNCHAT40.OCX
CODEBASE = http://fdl.msn.com/public/chat/msnchat4.cab

[QuickTime Object]
InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Popup Window Object]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\IEPOPWND.OCX
CODEBASE = http://activex.microsoft.com/activex/controls/iexplorer/x86/iepopwnd.cab

[Hotmail Attachments Control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\HMATCHMT.OCX
CODEBASE = http://lw15fd.law15.hotmail.msn.com/activex/HMAtchmt.ocx

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37641.4552314815

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/2003012801/housecall.antivirus.com/housecall/xscan53.cab

[CamImage Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\AXISCAMCONTROL.OCX
CODEBASE = http://130.111.231.69/activex/AxisCamControl.cab

--------------------------------------------------
End of report, 6,168 bytes
Report generated in 0.115 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


And there was no rundll32.pin on my computer.

tb525
February 12th, 2003, 06:14 AM
Did you run this last startuplist from a command line using the /complete switch?

Do this: click Start > Run > type win.ini and click OK.
Look at the load= and run= lines. Is there anything listed after the = sign of either line?

Then click Start > Run > type system.ini and click OK.
Look at the Shell= line. What is listed?

C-ron1000
February 12th, 2003, 02:12 PM
When I run win.ini there is nothing on the run= line, and for the Load it looks like this --> load=load=load=load.
And for the system.ini, for the shell line it is shell=explorer.exe

tb525
February 12th, 2003, 03:15 PM
Open the win.ini and edit the Load= line so it reads Load=
Then close it and save the changes.

C-ron1000
February 12th, 2003, 10:03 PM
OK, the load= line is clear. Is there anything else I have to do? Thanks