# Very Slow Network, but Internet is running fine



## tjcrm (Dec 5, 2005)

*Just in the last couple of weeks* my win98 computer started to lock up several times a day, it restarts by itself when no one is even near the computer, but the most annoying thing has been that I could not connect to the other computers on my network or vice versa.

I ran adaware, spybot, ccleaner, avg antivirus, aol spyware protection and trendmicro. I ran defrag and checked the hard drives for errors. Now when I click on my network places I can at least "see" the other computers. Before I would click on a folder on the desktop and it would not open, I had to click on it four times before it would open.

When I click on another computer in the network it takes a really long time to open that file. Of course I have the file I need nested in several folders, which can take 20 minutes to open 3 folders. Then if I want to copy one (small) file it takes over a half hour and most times reports an error of timed out or that the file is not accessible. My other computer is winxp. The winxp computer also takes a long time to connect to the win98.

Since the win98 computer has frequent lock ups, I only try to access the network after I have rebooted and it still takes forever.

I would appreciate any help to resolve this problem.

Oops, forgot to include that this started happening around the time I got FiOS and a new all-in-one broadband router DI-604.


----------



## Randolf34 (Nov 28, 2005)

Often it is just simple system files in 98. Make sure the drivers for the new router were
written for 98. If you are running more than 1gb of ram expect trouble as well with 98.
This sounds more like a memory related issue.

One thing you can try is to enter a line in the i386 section of the system.ini file. Here
you will have to boot from the 98 startup floppy and add this line by a manual change
to the windows directory and edit of the system.ini file. Once you have opened it up by
entering C:>windows\edit system.ini and pressing the enter key, type in:
"MaxPhysPage=30000" at the bottom of the i386 section. Then press the alt key for an
exit menu to appear. Using the tab key, scroll down to "save as" scrolling after to ok.
After the save the overwrite has been done, press the alt key again and then the down
arrow to highlight the exit. After exiting the manual editor, reboot the system.

Running scandisk /all is another method of correcting errors in 98. Before rebooting the
system, run this as well. See if this corrects this problem. Post results.


----------



## sammysosa (Nov 25, 2005)

Randolf34:

Your entire post is complete nonsense; you've posted so many factual errors, I hardly know where to begin correcting them.



Randolf34 said:


> Often it is just simple system files in 98. Make sure the drivers for the new router were written for 98. If you are running more than 1gb of ram expect trouble as well with 98.


Since when does a router use a driver? Routers are stand-alone devices; they are not INSTALLED in Windows, they are not CONTROLLED by Windows, so there is no such thing as a router "driver". If you've installed a driver for YOUR router, let me know which router it is, and which driver you're using. I have three routers on my home networks, running eleven computers, which use various Windows and Linux operating systems; not ONE of those computers has a driver installed for a router.



Randolf34 said:


> This sounds more like a memory related issue.


How did you arrive at THAT conclusion? If this really IS a memory related issue, where is your advice on how to test the memory and correct the problem?



Randolf34 said:


> One thing you can try is to enter a line in the i386 section of the system.ini file. Here you will have to boot from the 98 startup floppy and add this line by a manual change to the windows directory and edit of the system.ini file. Once you have opened it up by entering C:>windows\edit system.ini and pressing the enter key, type in:
> "MaxPhysPage=30000" at the bottom of the i386 section. Then press the alt key for an exit menu to appear. Using the tab key, scroll down to "save as" scrolling after to ok. After the save the overwrite has been done, press the alt key again and then the down arrow to highlight the exit. After exiting the manual editor, reboot the system.


In fact, there are MULTIPLE ways to edit ANY .INI file from within Windows; old-timers with roots in Win3.x tend to prefer using Sysedit, which is in the Windows folder in Win9.x, and in the WinNT\System32 folder in Win2k. You can also open any .INI file in Notepad, Wordpad, or ANY text editor; if you prefer to use DOS, you can open them with EDIT from within Windows, or by rebooting the system directly into DOS; no need for a bootup floppy at all. In fact, booting from a Windows bootup floppy just to modify an .INI file seems rather drastic to me, and not something I'd suggest unless I knew that the person I was advising was familiar with using DOS. Maybe you didn't notice it, but tjcrm is a self-described beginner, and not likely to know his (or her) way around a DOS prompt.

You also didn't mention changing the CMOS settings so the system will boot from the floppy disk, instead of booting directly from the harddisk, but the odds are at least 50 / 50 that the system will find the floppy at bootup, so you might have dodged a bullet there.

Furthermore, there is no such thing as an "i386" section of the SYSTEM.INI file in Win9.x; you're undoubtedly referring to the [386Enh] section, though I have no idea why you would suggest changing the value of the "MaxPhysPage" setting. If you can provide a specific reason for making this change, then do so; I'd really like to know your thoughts on this.



Randolf34 said:


> Running scandisk /all is another method of correcting errors in 98. Before rebooting the system, run this as well. See if this corrects this problem. Post results.


Amazingly, you've just advised tjcrm to run Scandisk BEFORE rebooting the system, though in your previous paragraph, your last instruction was to reboot the system. Unless tjcrm can travel back in time, I don't see how that would be possible. You neglected to mention removing the floppy disk from the floppy drive BEFORE rebooting, so by following your instructions, tjcrm will NEVER be able to boot back into Windows.

This doesn't seem to be a problem with the file system at all, so I fail to see how using Scandisk would help this individual. Even worse, though you've advised him to run Scandisk in DOS from the bootup floppy, you've neglected to post advice on how to CORRECT any errors that Scandisk might find...

Well, I can only hope that I've posted this reply in time to keep tjcrm from becoming a victim of your incredibly bad advice. With any luck, he didn't understand any of it; I admit, I certainly can't understand the logic behind it, and I tend to doubt that you even applied logic to solving these problems before you decided to post here.

FWIW, I suspect that the D-Link router might need a firmware upgrade, and that the network settings need some changes, but right now, I'm more concerned with trying to prevent you from damaging someone's system with "advice" you seem to have pulled from the ether.

I'm looking forward to your explanation as to why you've posted such bizarre advice to someone who needs help solving what are most likely some basic networking problems...


----------



## Randolf34 (Nov 28, 2005)

http://support.microsoft.com/default.aspx?scid=kb;en-us;253912 explains issues with 98 when large amounts of memory are installed.

For any version of Windows to access any dsl or other router you must first install the appropriate "network adapter" which requires drivers to be installed in Windows. The run of scandisk reference was while having been at the dos prompt before rebooting with the hard drive after the system.ini file had been edited. The need for that edit depends on how much memory is installed.


----------



## sammysosa (Nov 25, 2005)

Randolf34:

It seems that you're making several assumptions here, and you also seem to be confusing "network adapters" (which are NICs, Network Interface Cards) with ROUTERS, which are different animals altogether.

First of all, NOWHERE in the original post was there ANY mention of ANY amount of RAM, so your remarks about "running more than 1gb of ram" seem to have no basis in fact.

Secondly, you haven't explained why you stated that "This sounds more like a memory related issue"; I couldn't disagree more, so I'd STILL like to know how you arrived at that conclusion.

Unfortunately, that Microsoft webpage link you've just posted doesn't justify your comments about editing the system.ini file with a bootup floppy, or changing the "MaxPhysPage" value, especially since you don't know what that value currently is, or even if it should be changed at all. There is no reference to making that change on the Microsoft webpage; that page suggests changing the "MaxFileCache" cache setting to limit the amount of RAM Windows 9.x attempts to address, but that has NOTHING to do with the issues presented in the original post.

Your suggestion to run Scandisk (from the bootup floppy, in DOS) seems to be yet another shot-in-the-dark, since there was no indication of problems with the file system; I'm beginning to wonder if you actually understand the problems referred to in the original post. Jumping to conclusions only proves that you know how to jump to conclusions, not that you're in any way qualified to advise people in computer repair.

Your intentions may be good, but that factor also fails to qualify you to give advice to people who post here seeking help. This quote from the original post should have given you SOME idea of what to focus on, but you seem to have missed it entirely:

"Oops, forgot to include that this started happening around the time I got FiOS and a new all-in-one broadband router DI-604."

I'll admit, I had no idea what "FiOS" is until I Googled the term, but I figured it MUST have something to do with broadband, especially because the (D-Link) DI-604 router was mentioned in the same sentence.

MY advice to tjcrm would be to install HiJack This, then post the log files here ASAP, so we can see what kind of 'net nasties have infected these systems (yes, I suspect that the XP system is ALSO infected, though I hope I'm wrong about that). Once THOSE problems have been dealt with, I'd suggest installing a software firewall on each system, checking for a firmware upgrade for the router, and checking the network settings, just to cover all the bases. However, I WOULDN'T advise running Scandisk from DOS (after booting the system from a floppy), nor would I suggest making changes to the "MaxPhysPage" settings in the system.ini file for an unrelated (and probably non-existent) issue with "more than 1gb of ram", or anything else even remotely related to the advice YOU posted.

Lastly, I STILL don't understand why you wrote that "This sounds more like a memory related issue", and I guess I never will.


----------



## Randolf34 (Nov 28, 2005)

tjcrm said:


> *Just in the last couple of weeks* my win98 computer started to lock up several times a day, it restarts by itself when no one is even near the computer, but the most annoying thing has been that I could not connect to the other computers on my network or vice versa.
> 
> I ran adaware, spybot, ccleaner, avg antivirus, aol spyware protection and trendmicro. I ran defrag and checked the hard drives for errors. Now when I click on my network places I can at least "see" the other computers. Before I would click on a folder on the desktop and it would not open, I had to click on it four times before it would open.
> 
> ...


With both systems having extended delays on normal activities you may also
consider that there may be invalid registry entries as well as cross-linked files.
Sometimes these are referred to as orphaned registry values that have no known
association to installed software. If you have recently made any changes in
the software on either or both machines, a registry cleaner could help.

What these do is repair crosslinks as well as indicate which entries can be
removed without affecting the system since they are not directly connected
to any installed software. One that could be recommended here is found at:
http://www.majorgeeks.com/downloads15.html

The one to look for is the one called RegCleaner which has utilities to remove
any invalid registry keys. These can often cause system lockups in Windows.
Windows will stall while trying to find where the program is located that is no
longer installed on the system. The one listed here will work with XP as well as
with 98.


----------



## tjcrm (Dec 5, 2005)

First I would like to state that I am a total beginner here. 

I have 320 mb ram installed -- way less than 1 gb. I did not try anything yet that Randolf34 suggested.

I did download "hijack this", but then there were several Adobe errors and I could not get the file to work. I tried twice and both times Adobe reported error of two files trying to access the same file (or something like that) and shut down. I tried to highlight and copy and paste but "hijack this" doesn't let you do that. Is there something else I can do?

I am running zone alarm (free version) on both machines. FiOS is a Verizon FiOS high speed broadband internet connection. Of course the verizon installers didn't give me a manual for the DI-604 router, not that I'm sure I would be able to understand all of it anyway.

I was thinking it might be something in my router settings, but I don't think it is something in zone alarm because I can "see" the other computer -- it just takes a long time to access the files (compared to what it used to be). I wouldn't even know where to begin to figure out what settings in the router need to be changed.

Thanks for your help.


----------



## sammysosa (Nov 25, 2005)

Hi, tjcrm,

First, as much as I hate to do this, I have to ask you to disregard ALL advice posted by Randolf34; his scatter-gun approach to your problems indicates that he really doesn't have a clue about how to help you.

We'll deal with this logically, taking one step at a time, in order to figure out how best to help you resolve this. We'll need to check BOTH of your systems, so for the time being, I have to ask you to shut down your WinXP computer, and leave it off until we've got everything straight with the Win98 system. After that, you'll need to shut down the (repaired) Win98 system, and use only the WinXP system. Otherwise, your repaired system could be reinfected from your home network, which would mean starting over from scratch.

I'm not POSITIVE that you have "malware" hiding on your system, but we'll need to run Hijack This in order to be sure your system is clean before we do anything else. HJT will show us some of the programs that are installed on your system; we're most concerned with those that load automatically at startup. Among other things, malware can corrupt your networking Registry settings, and the quickest way to know the condition of your system is to scan it with HJT.

Though your computers seem very well maintained (judging from everything you've mentioned in your first post), we'll use HJT to examine one system at a time. If the Win98 system is clean, we'll move on to the next step. If HJT reveals any problems, we'll eliminate them and get your system a clean report from HJT before we deal with your network problems. The LAST thing we want to do is to re-infect a clean system, so again, I'd like you to begin working on the Win98 computer, and shut the other one off until we're finished with the Win98 system.

I will post complete instructions for downloading and installing Hijack This, for the benefit of anyone who reads this in the future. There is no sense in starting this repair in the middle of the process.

Keep in mind that it is best to close all open programs before you run HJT; you can keep your browser open to this page if you need to, or you can copy and paste these instructions into Notepad, save the file as "HJT_help.txt" (or whatever you prefer), then print the instructions so you'll have a hard copy to refer to as you work.

BTW, you can eliminate the problems caused by Adobe by pressing Ctrl-Alt-Del ONCE, then highlighting the Adobe program and clicking the "End Task" button. Kill all references to Adobe, Acrobat, Acrobat Reader, AcroRD32, and so on. Once you've stopped those Adobe programs from running in the background, you should be able to run HJT without a problem.

I've copied (and slightly modified) the following instructions from another post (to save time typing); they were originally posted by one of the administrators of this website (thanks, Cookiegal!).

First, download the latest version of HJTsetup.exe from this link:

http://www.thespykiller.co.uk/files/HJTsetup.exe

* Save HJTsetup.exe to your desktop.

* Double-click on the HJTsetup.exe icon on your desktop.

* By default, it will install HJT to C:\Program Files\Hijack This.

* Continue to click Next in the setup dialog boxes until you get to the "Select Additional Tasks" dialog.

* Put a checkmark by "Create a desktop icon", then click the "Next" button.

* Continue to follow the rest of the prompts from there.

* At the final dialog box click on "Finish"; that will start the Hijack This program.

* Click on the "Do a system scan and save a log file" button. HJT will scan your system and then ask you to save the log.

* Click "Save" to save the log file, then the log will open in Notepad.

* Click on "Edit > Select All", then click on "Edit > Copy" to copy the entire contents of the log.

* Come back to this thread and paste the log in your next reply.

* DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless, or even required.

Once you've posted your HJT log, we'll advise you on what to do next. If your system shows no problems, we'll check your network settings. If HJT lists any suspicious entries, we'll deal with them and wait for HJT to give you a clean bill of health.

I realize that this is a long post, so I've tried to emphasize the important points several times, to help you understand the methods we'll use to check your systems. Running HJT is the first step to solving your problems, so I'll watch for your reply to this; I hope to see a fresh HJT report from you soon.

Good luck; if you have any questions, feel free to post them here.


----------



## tjcrm (Dec 5, 2005)

Ok, this took a little doing ... adobe kept opening and I kept closing it. Finally I figured out how to "sendto" notepad. Here it is and thanks!

Logfile of HijackThis v1.99.1
Scan saved at 11:44:16 PM, on 12/05/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTSMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTPSPD.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
D:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F1 - win.ini: load=WPSLOAD.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ICSDCLT] c:\windows\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] d:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [SSDPSRV] c:\windows\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [AOL TopSpeedMonitor] C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: MP3 - {1537E842-0000-11D2-8059-111111111111} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: &WinMp3Locator - {1537E842-0000-11D2-8059-111111111111} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: Files - {1537E842-0001-11D2-8059-111111111111} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: &FileLocator - {1537E842-0001-11D2-8059-111111111111} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O16 - DPF: {FA36FBC4-A99E-11D2-95D8-00C04F72DFAB} (Slider Class) - http://homeadvisor.msn.com/ie/bin/finders.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
O16 - DPF: {FE67C682-F5EA-11CF-9C2F-0000C0C83ADC} (Jamba Class Library) - http://www.kidscarnival.com/Jambalib.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/yws0_x.cab
O16 - DPF: {9BB641DB-045B-42B4-BAE2-CBAAD66B0CC4} (Spotlife Composer) - http://yahoo.spotlife.net/install/composer/1.5.0.223/SLCmpser.cab
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish.com/SnapfishUploader.cab
O16 - DPF: {9C134253-E8A3-4759-9F98-302B7981922E} (MaxViewer Class) - http://support.scansoft.com/pp/files/np_max.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?306
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab
O16 - DPF: Pop Fu by pogo.com - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet/gin/gin-ob-assets.cab


----------



## sammysosa (Nov 25, 2005)

Just want to let you know that I saw your HJT log as soon as you posted it. I'm glad you were able to copy and paste it here, because that is a skill you can use frequently.

I've found some things in your log that have me concerned, so I'm researching them now. This will take me a while, but I'll post a reply as soon as I finish my research.

From what I can see, your system has been around the block a few times; there are files from AOL, Weatherbug, McAfee, Gateway, and other companies, some of which you probably don't need now, so we'll do what we can to eliminate some of the junk loading at startup (which consumes your system resources and slows the computer down). I also suspect that some of your networking settings within the Registry are corrupted, so we'll deal with that after we get your system back into fighting shape.

Please do NOT run any type of Registry cleaner; we want to make some changes and repairs, not delete Registry keys you actually need. I can only ask for your patience while I go through your HJT log; I'll post again after I make a complete list of the things you need to repair with HJT. After that, you'll need to run HJT a second time, and post a fresh log, so we can be sure the system is clean. THEN, we'll tackle your Registry and networking settings, and then we'll move on to your WinXP system.

Keep the faith, tjcrm; I'm taking care of a sick relative while I do this, so it will be a while before I post again, but I AM working on this, and don't want you to think I'm neglecting you.


----------



## sammysosa (Nov 25, 2005)

Hi again, tjcrm,

I'm still researching your HJT log, but while I finish that, I'd like you to consider removing Weatherbug from your computer. I consider it to be just another parasite that few people really need. It is often installed with AOL; AOL installs it on your system only because they get paid to do so by Weatherbug.

Here's the link:

http://www.pchell.com/support/weatherbug.shtml

If you decide to remove it, you can follow the directions on the page; it will be one less program clogging up your harddrive. For the time being, don't be concerned with removing the Registry keys created by Weatherbug (as mentioned on that PCHell webpage). Once everything is working properly, you can download and run Crap Cleaner to scrape all of the trash out of your Registry.

Also, since we know that Verizon is your new ISP, I'd like to know if you'd like to remove some of the junk (toolbars and buttons) left on your system by AOL. You don't have to remove them, but it certainly won't hurt anything.

You also have several "MP3" buttons, which I suspect were installed by Real Networks; unless you use them, I'd like your permission to remove those. Real loads a LOT of garbage on your system, and I consider it intrusive. We can make it a lot more user-friendly for you, but I need to know how you feel about it. We can set it to run only when you need it, instead of allowing it to load into memory every time you boot your system. It is consuming system resources each time you turn your computer on, even though you might not use it very often.

Let me know what you'd prefer to do about the old AOL toolbars and buttons, and those Real and MP3 buttons (all of which are now part of your browser) and I'll post the HJT fix-it list as soon as I finish my research.


----------



## Randolf34 (Nov 28, 2005)

Need reliable weather without adware or spyware: http://www.noaa.gov/


----------



## tjcrm (Dec 5, 2005)

Thank you for taking the time to research my problems. I hope that your relative will be well soon. I will pray for them.

I followed the directions to remove weatherbug, but I do not have it running on my system so that must just be a leftover registry key. I looked at the C: drive and found the folder AWS and it was empty. (I currently have show hidden files enabled.) 

We can get rid of the MP3 buttons, I rarely use this program. 

I want to say that we can get rid of the AOL toolbars and buttons, but I still use AOL. I don't necessarily need them at startup though. I have kept AOL because I am very comfortable with the address book features and can easily send out mass mailings to the scouts. I am way less comfortable sending out the mail through my verizon account or even from the aol.com site. I have them set as two groups scouts and leaders groups and send them as bcc. So I am not ready to get rid of AOL yet -- soon, when my son (HOPEFULLY) makes Eagle. 

Again, thanks for taking the time to help me.


----------



## sammysosa (Nov 25, 2005)

Thanks for the update; now I can finish typing the instructions for you on how to clean your system with HJT. I'll post that as soon as I can, though I'm trying to get ready for work while I do this, so I must ask for your continued patience.

I was tempted to post instructions on how to show hidden files (I'd just finished typing them, in fact) when you posted, so we won't have to deal with that.

My elderly uncle is doing better this morning, and thanks for your concern.

Best wishes to your son; the world needs more Eagle Scouts.

Just so you'll know, I didn't find anything malicious on your harddrive, but there are several items that should be dealt with. I expect we'll be able to check the XP system fairly soon, and then we'll deal with the network settings.


----------



## sammysosa (Nov 25, 2005)

OK, we're ready to begin cleaning your system. Follow these instructions, and we'll soon know if we got your system cleaned.

First, boot the system into Safe Mode. You can do this in Win98 by holding down the Ctrl key during boot up. That will load the bootup menu, where you can choose the option of booting into Safe Mode.

Once you get to the Desktop, run HJT again, and put a checkmark next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: MP3 - {1537E842-0000-11D2-8059-111111111111} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: &WinMp3Locator - {1537E842-0000-11D2-8059-111111111111} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: Files - {1537E842-0001-11D2-8059-111111111111} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: &FileLocator - {1537E842-0001-11D2-8059-111111111111} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab

Next, click the "Fix Checked" button, and when HJT finishes, close it, then reboot your system normally (not in Safe Mode).

When you get back to the Desktop, run HJT again, then post the log file here, so we can make sure everything went as planned.

Good luck; there is no rush on this, so you can run HJT at your convenience.


----------



## tjcrm (Dec 5, 2005)

I followed your directions. The only thing I was unsure about was the last line:

O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab

I did not delete this in HJT because this is a game that my son plays on line. I did not know if this was going to mess it up for him or not.

Here is the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:17:25 PM, on 12/06/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WPSPSW.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
D:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
D:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACRORD32.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F1 - win.ini: load=WPSLOAD.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O16 - DPF: {FA36FBC4-A99E-11D2-95D8-00C04F72DFAB} (Slider Class) - http://homeadvisor.msn.com/ie/bin/finders.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
O16 - DPF: {FE67C682-F5EA-11CF-9C2F-0000C0C83ADC} (Jamba Class Library) - http://www.kidscarnival.com/Jambalib.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/yws0_x.cab
O16 - DPF: {9BB641DB-045B-42B4-BAE2-CBAAD66B0CC4} (Spotlife Composer) - http://yahoo.spotlife.net/install/composer/1.5.0.223/SLCmpser.cab
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish.com/SnapfishUploader.cab
O16 - DPF: {9C134253-E8A3-4759-9F98-302B7981922E} (MaxViewer Class) - http://support.scansoft.com/pp/files/np_max.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?306
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab
O16 - DPF: Pop Fu by pogo.com - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon.net/update/msnwebinstall/includes/vzWebIns.CAB
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://67.89.107.171/activex/AxisCamControl.ocx
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/partners/aolim/install.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://support.gateway.com/eSupport/static/weblaunch/weblaunch.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-18.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37380.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab

As always, thanks for your help.


----------



## tjcrm (Dec 5, 2005)

OH NO!!!!
I know you said not to turn on the xp computer, but I have lost all internet access on the win98 computer. I plugged my daughter's laptop in and am currently using that. 

Also gone from the win98 computer are the ONLY icons I had enabled on the taskbar (next to the date) AVG and Zone Alarm. I thought maybe they just didn't load the first time so I rebooted and they still did not show up. 

I am getting a bad feeling.


----------



## tjcrm (Dec 5, 2005)

I was getting nervous so I reverted the drive back to right before I did the HJT -- well the icons came back, but I am still unable to get on line with the win98 machine.


----------



## sammysosa (Nov 25, 2005)

Just saw your most recent posts; I've got a meeting to attend with my uncle's doctors, so I'll be offline for the next several hours or so, but I'll help you correct this when I return. I don't know which time zone you're in, so all I ask is that you check back here when you have time, and I'll walk you through this next time we are online together.


----------



## tjcrm (Dec 5, 2005)

I hope that the doctors have good news to report.

I am in the Eastern Time Zone.


----------



## tjcrm (Dec 5, 2005)

HOORAY! The internet connection is back.

I moved all the cat 5 cables around and found out that the wire had come loose from the back of the computer. I feel like an idiot that it took me this long to check something I should have looked at right away.


----------



## Randolf34 (Nov 28, 2005)

sammysosa said:


> Hi again, tjcrm,
> 
> I'm still researching your HJT log, but while I finish that, I'd like you to consider removing Weatherbug from your computer. I consider it to be just another parasite that few people really need. It is often installed with AOL; AOL installs it on your system only because they get paid to do so by Weatherbug.
> 
> ...


And all it was is a simple cable connection.


----------



## tjcrm (Dec 5, 2005)

Oh now I feel even stupider. I didn't realize that the loose cable was causing the slow network responses. Sure enough I just checked the network and everything is running as it should. Even my broadband connection is faster.

I never thought to check the cable in the back of the computer after the service men installed it. Usually they "click" in place.

I'm sorry for wasting your time. On the upside, I have learned from this mistake. Thanks for all your help.


----------



## sammysosa (Nov 25, 2005)

Randolf34:

How do you CONSISTENTLY manage to misunderstand so many different issues? The INTERNET connection was NEVER a problem, for either the Win98 computer, or the WinXP system.

I suggest that you re-read the title of the thread:

"Very Slow Network, but Internet is running fine"

In plain English, that means that the INTERNET connection was WORKING, while the HOME network has some problems.

Recently, the INTERNET connection to the Win98 system FAILED, because of a loose cable. The cable problem occurred AFTER tjcrm made the changes I suggested through the Hijack This program, which is why tjcrm was concerned that Hijack This caused the loss of the INTERNET connection. The truth is, the loss of the Internet connection after making those changes with HJT was merely a coincidence; one had NOTHING to do with the other. NONE of the changes I recommended in HJT could have caused the loss of the INTERNET connection, so the NEW problem accessing the INTERNET had to have been caused by something else. The loose cable is proof of that; cables still come loose on occasion, and tjcrm did the right thing by checking the simple things first. You might have noticed that this HARDWARE problem was solved WITHOUT booting from a floppy disk, or making any changes to the system.ini file, or reformatting the harddrive, or replacing Windows with Linux.

The simple fact is, ALL of my advice to tjcrm is STILL valid, whether you understand any of this or not. Once again, I suggest you read and try to comprehend ALL of the posts in a thread BEFORE you decide to reply. I keep thinking that the NEXT time you post, you'll actually contribute something of value, and you keep proving me wrong.

tjcrm:

My uncle had a heart attack in the car on the way back from the meeting with his oncologists; I had to race him back to the ER, which took about ten minutes. I can only guess that the news from the doctors distressed him more than anyone realized. He's been sedated, so I came home to help you with the Internet problem, and I'm glad to know you found and resolved it on your own, which is excellent troubleshooting on your part.

Your new HJT log looks fine, so it looks like you've got everything under control. Of course, you COULD run HJT on the WinXP system, then post the log here for a quick once-over, and that would give you the peace of mind in knowing that BOTH of your systems are clean.

No matter what else you decide to do, I would like to suggest that you download and install two free programs onto both computers; one program will protect your systems from MANY types of malware, and the other will clean the junk from your harddrive, including the temp files, the IE Temporary Internet Files folder, old Zone Alarm logs, and even those annoying INDEX.DAT files that are so difficult to remove. They get larger over time, though they don't serve a useful purpose.

The program which will protect your system is SpywareBlaster. Once you install it, you should download the updates and set it to protect your browsers. I consider it invaluable, and it is only 2.5MB, so the download will be quick.

You can learn more and download SpywareBlaster from here:

http://www.javacoolsoftware.com/spywareblaster.html

The registry cleaner is Crap Cleaner. You can set it to clean a LOT of junk off your harddrive, and also use it to backup, clean, and compact your Windows Registry. Compacting the registry makes it load faster, and speeds up searching for problems, by eliminating the empty spaces left behind by uninstalled software (like Weatherbug).

You can learn more and download Crap Cleaner from here:

http://www.ccleaner.com

Feel free to post the WinXP HJT log here (just follow the same steps we posted for the Win98 system), and I'll be glad to let you know if there is anything to be concerned about.

Lastly, I want to congratulate you once again for solving your problem accessing the 'net (which also solved the problem with your home network), and to thank you for your patience through all of this.

Best wishes, and I do hope your son will continue to pursue Eagle Scout. One of my nephews made Eagle last year, and we couldn't be prouder of him.

Sam


----------



## tjcrm (Dec 5, 2005)

I am so sorry to hear about your uncle. I will keep him in my prayers.

I already have ccleaner on all three computers. And I just downloaded SpywareBlaster as well. Thank you for the tips.

Here is the log for the WinXP computer.

Logfile of HijackThis v1.99.1
Scan saved at 8:18:36 PM, on 12/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\AOL\1103575608\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1103575608\ee\AOLServiceHost.exe
c:\program files\common files\aol\1103575608\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1103575608\ee\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\fxssvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\paprport\pptd40nt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\AOL\1103575608\ee\AOLServiceHost.exe
f:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...aults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1103575608\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoloSentry] \\0016714908\d\SRNMIC~1\SOLOSENT.EXE
O4 - HKLM\..\Run: [SoloSchedule] \\0016714908\d\SRNMIC~1\SOLOCFG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [PaperPort PTD] f:\paprport\pptd40nt.exe
O4 - HKLM\..\Run: [BookmarkCentral] F:\PROGRA~1\BMCENT~1\BMLauncher.exe
O4 - HKLM\..\RunServices: [AOL Messenger Optimized] AOLMessenger.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PPWebCap] f:\PAPRPORT\PPWebCap.exe
O4 - Startup: HotSync Manager.lnk = F:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-18.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatrol.com/pestscan/pestscan.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37380.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

If you wouldn't mind could I also post the HJT log for the laptop?

Thanks so much for your help.

Roseann


----------



## sammysosa (Nov 25, 2005)

Just came home from the hospital; I'll check your HJT log and post again before I go back. Please do post the HJT log from the laptop; let's go for the hat trick here, and then you'll know your systems are clean and protected better than ever.

Once again, let me thank you for your patience and consideration; my uncle is struggling right now, but I know my presence makes things easier for him, so I'll stay with him until he's released.

Anyway, I'll post again as soon as I finish checking the HJT log from your WinXP system, and I'll check the laptop log next time I can get to a computer.

Keep the faith, you're doing fine, and the finish line is almost within sight...

Sam


----------



## sammysosa (Nov 25, 2005)

OK, I did a quick run-through of the first WinXP system HJT log. You only have two orphans showing in the log; please have HJT fix these, reboot your system, run HJT a second time, and post the new WinXP system HJT log file.

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

I'll check the second WinXP log as soon as I can, and then we'll take care of your laptop HJT log.
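
The two checks done by eye in this thread, spotting orphaned entries marked "(no file)" or "(file missing)" and comparing the log taken after "Fix Checked" with the earlier one, can be scripted. The Python below is an added example, not part of any post or of HijackThis itself; the function names and the shortened sample logs (put together from a few lines of the WinXP logs in this thread) are constructed for illustration.

```python
import re

# An HJT entry line is "<section code> - <body>", e.g. "O2 - BHO: ...".
# Header lines and the "Running processes" list do not match and are skipped.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# HijackThis appends these markers when the file an entry points to is gone.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_entries(log_text):
    """Return [(section_code, body), ...] for every entry line in a log."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def entry_key(entry):
    """Normalise case and spacing so the same entry compares equal across runs."""
    code, body = entry
    return (code, " ".join(body.lower().split()))


def orphans(entries):
    """Entries whose target file no longer exists (leftovers of uninstalls)."""
    return [e for e in entries
            if any(marker in e[1].lower() for marker in ORPHAN_MARKERS)]


def diff_logs(before, after):
    """Return (removed, added) entries between two parsed logs."""
    before_map = {entry_key(e): e for e in before}
    after_map = {entry_key(e): e for e in after}
    removed = [before_map[k] for k in before_map if k not in after_map]
    added = [after_map[k] for k in after_map if k not in before_map]
    return removed, added


def still_present(checked, after):
    """Entries that were ticked for fixing but survive in the follow-up log."""
    after_keys = {entry_key(e) for e in after}
    return [e for e in checked if entry_key(e) in after_keys]


# Constructed sample: a shortened "before" log.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINNT\system32\services.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

# Constructed sample: the follow-up log after the two BHO orphans were fixed.
AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0c\AOL.EXE" -b
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

if __name__ == "__main__":
    before = parse_entries(BEFORE_LOG)
    after = parse_entries(AFTER_LOG)
    checked = [e for e in orphans(before) if e[0] == "O2"]
    removed, added = diff_logs(before, after)
    print("Orphans in first log:")
    for code, body in orphans(before):
        print(f"  {code} - {body}")
    print("Removed since first log:", len(removed))
    print("New since first log:")
    for code, body in added:
        print(f"  {code} - {body}")
    print("Checked items still present:", still_present(checked, after))
```

New entries in the follow-up log deserve the same scrutiny as the first log, since a startup item that appears between two scans is exactly what a second run is meant to surface.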


----------



## tjcrm (Dec 5, 2005)

Here is the log after I removed those two entries:

Logfile of HijackThis v1.99.1
Scan saved at 4:29:48 PM, on 12/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\AOL\1103575608\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1103575608\ee\AOLServiceHost.exe
c:\program files\common files\aol\1103575608\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1103575608\ee\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\system32\fxssvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
F:\paprport\pptd40nt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\AOL\1103575608\ee\AOLServiceHost.exe
C:\WINNT\explorer.exe
C:\Program Files\America Online 9.0c\waol.exe
C:\Program Files\America Online 9.0c\shellmon.exe
F:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...aults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1103575608\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoloSentry] \\0016714908\d\SRNMIC~1\SOLOSENT.EXE
O4 - HKLM\..\Run: [SoloSchedule] \\0016714908\d\SRNMIC~1\SOLOCFG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [PaperPort PTD] f:\paprport\pptd40nt.exe
O4 - HKLM\..\Run: [BookmarkCentral] F:\PROGRA~1\BMCENT~1\BMLauncher.exe
O4 - HKLM\..\RunServices: [AOL Messenger Optimized] AOLMessenger.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PPWebCap] f:\PAPRPORT\PPWebCap.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0c\AOL.EXE" -b
O4 - Startup: HotSync Manager.lnk = F:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-18.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatrol.com/pestscan/pestscan.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37380.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

Thanks for your help again.


----------



## sammysosa (Nov 25, 2005)

Just came in from the hospital; I expect to be back there within two hours, but I didn't want you to wait any longer than necessary for me to check your HJT log.

The good news is, your new WinXP HJT log is clean, so please post the laptop HJT log when you have time.

I've been in such a rush recently that I've neglected to mention that your systems have some apps loading at startup, such as this one on the XP system:

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

These apps (this example is for the Adobe Acrobat Reader), are nothing more than bloatware. Programs like this one (reader_sl.exe) are designed to preload parts of the main program (Acrobat 7.0) into system memory at startup, which serves no purpose at all for the vast majority of users, except to consume system resources. Of course, that only makes your computer run slower than it normally would. You'll sometimes notice an icon in the system tray for the app; those icons also consume system resources, and most of them are completely unnecessary. For the most part, they only serve as advertising for the app, which doesn't provide any benefit for the computer user.

Anyway, we'll deal with those startup apps after we know your systems are clean and protected; you should notice a distinct improvement in the time it takes to boot each system once we eliminate those parasites, and every other program you use should load faster, because the bloatware will not be hogging the RAM.

I'll check for your laptop HJT log next time I can get online. In the meantime, you're probably going to have a lot of snow to deal with, so stay safe and warm.

Thanks for your continued patience; I'm not trying to drag this out any longer than necessary, but my time is severely limited right now...

Sam


----------



## tjcrm (Dec 5, 2005)

I hope your uncle is doing better today. I realize that you have extenuating circumstances and I am grateful for all the help you can give me.

Here is the HJT log for the laptop:

Logfile of HijackThis v1.99.1
Scan saved at 6:08:07 PM, on 12/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AOLCOM~1\ACCAgnt.exe
C:\Program Files\Common Files\AOL\1120396365\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1120396365\ee\AOLServiceHost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\AOL\1120396365\ee\AOLServiceHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1120396365\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [AOLCC] "C:\PROGRA~1\AOLCOM~1\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120105028330
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Whenever you get the chance, I will be happy if we could clean up the bloatware.

Thanks again,
Roseann


----------



## sammysosa (Nov 25, 2005)

Well, the BAD news is, one of the laptop entries needs to be removed; it is the remnant of a browser hijacker that has been partially uninstalled. Old versions of Ad-Aware had problems completely removing this type of software, which is referred to as a "Layered Service Provider" program.

When the LSP software is installed, it acts as a middleman in the Windows TCP/IP handler (the part of Windows which manages the Transport and Control Protocol / Internet Protocol, which is needed for many types of network access). It adds another layer to the protocol stack, which means one more process that can cause networking and Internet access problems.

Since the laptop seems to have been partially cleaned of this malware (my guess is the Spybot S&D found it and tried to remove it), you should download the latest version of Ad-Aware to eliminate any fragments of the LSP that Spybot missed previously. Then, remove the pointer found by Hijack This, and post a new HJT log, so we can double-check everything.

You can find the latest version of Spybot S&D here:

http://www.safer-networking.org

Once you've run Spybot, fix this with HJT:

O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing

then reboot the system, run HJT, and post the new log.

If running Spybot doesn't completely repair this problem, there is another method which is somewhat involved, so we'll try doing this the easy way first. Please let me know if the new version of Spybot finds and removes this for you; since it seems that you have only fragments of this LSP still on the system, Spybot might not know how to handle them.

As I've mentioned previously, once we've got a clean bill of health from HJT, we'll deal with all the crapware loading when you boot those systems into Windows, and you'll have the peace of mind of knowing that you're working without all those resource hogs running in the background.

I'll check for your new HJT log as soon as I can. My uncle is doing as well as can be expected, and I'm doing my best to keep him focused on improving his health. He's sick and exhausted, but if he can make it home before Christmas (too early to tell), I think his outlook will improve tremendously.

Sam


----------



## tjcrm (Dec 5, 2005)

I followed your directions; SpyBot S&D did not find anything, and Ad-Aware found 1 item, and it was not that one.

So I proceeded to run HJ This. It came up with this box:

"HJT cannot repair 010 Winsock LSP entries. You should use LSPFix for that,
which is available from http://www.cexx.org/lspfix.htm

If the 010 item belongs to WebHancer, New.Net or CommonName, Spybot S&D 
can remove it automatically. SpyBot S&D is available from http://www.spybot.info"

When I went to the website www.cexx.org/lspfix.htm it stated that it does not delete any files. I was unsure how to proceed.

"Unfortunately, this type of software is sometimes quietly installed by unrelated 
software such as file-sharing programs, sneaking onto a system unannounced. In 
fact, in many cases, the user does not know of its existence until something goes 
wrong, and he/she can no longer access Web sites. Common offenders include 
New.net* (NEWDOTNET) and WebHancer*, which are often bundled with file-
sharing utilities, DVD player software, and other free downloads. LSP-Fix repairs 
the Winsock LSP chain by removing the entries left behind when LSP software is 
removed by hand (or when errors in the software itself break the LSP chain), and 
removing any gaps in the chain. "

"LSP-Fix is not a malware removal utility and does not target specific products. 
LSP-Fix does not delete any files. "

Of course it could not be easy.

Thanks for your help again.

Roseann


----------



## Randolf34 (Nov 28, 2005)

You may find the article at Microsoft a little more helpful in understanding the installation
of LSPs for use with Winsock. http://msdn.microsoft.com/library/d...comm5/html/wce50conlayeredserviceprovider.asp


----------



## sammysosa (Nov 25, 2005)

That "LSPfix" program is exactly what you need to deal with this. Yes, it is not as simple to correct this problem as I'd prefer, but I'd rather do this than shovel more snow.

Allow me to provide my own interpretation of the next paragraph:

"LSP-Fix is not a malware removal utility and does not target specific products. LSP-Fix does not delete any files."

The author of "LSPfix.exe" does not want to be sued by any of the goons who create LSP programs, nor does he want his website or server to become victimized by those clowns. By posting that his software does not target any SPECIFIC products, that it does not delete any files, and stating that his program does not remove "malware", he is cleverly trying to avoid any legal entanglements. If he claimed that his product was designed to remove malware, then by default, he is defaming the company that wrote the LSP program; if "LSPfix.exe" targets malware, then he is defining the programs that it affects as malware, and you wouldn't believe the lawsuits clogging up the courts right now over that exact issue.

You found the right website, and you WILL need to use LSPfix.exe, which you can download directly from here:

http://www.cexx.org/LSPFix.exe

There are some problems we MIGHT encounter with using LSPfix; you need to read through one more webpage carefully so you understand that bad things can happen, but that there ARE ways to recover from them. I've given this a lot of thought all day, and from what you've posted here, I can't see any reason not to run LSPfix on your laptop.

Please read this page (yes, I realize you've already read the page at least once, but I'm posting this information in case anyone else needs the same advice in the future):

http://www.cexx.org/lspfix.txt

Before you do that, I WILL ask you to pay close attention to the section of that webpage marked ** IMPORTANT **, just so you won't worry about the possible (TEMPORARY) loss of 'net access from the laptop. Before we found out about your loose CAT5 cable, I was prepared to step you through the exact same process of manually removing, and then reinstalling, your networking components, so you still might have a chance to learn how to do that, if the entire laptop repair isn't completed by running LSPfix.

If nothing else, LSPfix will correct 90+% of the problem; as long as you can get online from another system, we can handle the rest of this repair without breaking a sweat.

Anyway, to keep this simple, take it by the numbers:

1. Read this webpage, paying close attention to the section marked ** IMPORTANT **:

http://www.cexx.org/lspfix.txt

2. Take a deep breath, then close all open programs. Download, install, and run LSPfix.exe. Pressing the "Finish" button will remove any junk entries, then consecutively renumber the remainder, as required by Windows. You'll also see a summary of the changes made to the system.

3. Reboot the laptop; when you get back to the Desktop, open your browser, then try to open any webpage (the Google website should load quickly, for example, since there is almost nothing on it).

4. If the Google page opens, try to open

http://www.boingboing.net

5. If BoingBoing opens, your system is working properly. If not, post here and we'll use the tutorial at

http://support.earthlink.net/mu/1/psc/img/walkthroughs/windows_9x_nt/dialers/dun_1.3/5289.psc.html

to walk you through the proper method of completing the work that LSPfix began. Though you're running WinXP on that system, the process is almost exactly the same as for the one shown for Win98. Check that page to get familiar with the process; start from this heading (look for the blue bar running across the page):

How to Uninstall and Reinstall Communications and Edit the Registry

It LOOKS complicated, but you can handle it, if you take your time and follow the steps in order.

Good luck; if the laptop can't connect to the 'net, the TSG forums are (almost) as close as your keyboard...
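The repair described in this post and in the quoted LSP-Fix text (drop the entries left behind by a removed LSP, then renumber the rest consecutively), as an added example that is not part of the original post and is not LSP-Fix's code. It is a simplified in-memory model: the `CatalogEntry` layout, the sample catalog and the use of `mswsock.dll` as the surviving base provider are assumptions; only `connwsp.dll` comes from the HJT log above.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class CatalogEntry:
    index: int     # position in the catalog; Windows expects 1..N with no gaps
    protocol: str  # protocol this entry serves, e.g. "tcp" or "udp"
    dll: str       # provider DLL that has to be loaded for this entry


def _present(entry, files_on_disk):
    return entry.dll.lower() in files_on_disk


def create_socket(catalog, protocol, files_on_disk):
    """Model of socket creation: the first entry matching the protocol wins.

    If that entry's DLL is gone the call fails (returns None); later entries
    are not tried, which is why one orphaned LSP entry breaks all access.
    """
    for entry in sorted(catalog, key=lambda e: e.index):
        if entry.protocol == protocol:
            return entry.dll if _present(entry, files_on_disk) else None
    return None


def find_problems(catalog, files_on_disk):
    """Return (entries whose DLL is missing, True if numbering is 1..N)."""
    ordered = sorted(catalog, key=lambda e: e.index)
    missing = [e for e in ordered if not _present(e, files_on_disk)]
    numbering_ok = [e.index for e in ordered] == list(range(1, len(ordered) + 1))
    return missing, numbering_ok


def repair(catalog, files_on_disk):
    """Drop entries with a missing DLL and renumber the remainder from 1.

    No file is deleted; only the catalog (the list) is rewritten.
    """
    ordered = sorted(catalog, key=lambda e: e.index)
    kept = [e for e in ordered if _present(e, files_on_disk)]
    dropped = [e for e in ordered if not _present(e, files_on_disk)]
    renumbered = [replace(e, index=i) for i, e in enumerate(kept, start=1)]
    return renumbered, dropped


# Constructed sample: a half-removed LSP sits in front of the base provider,
# and an earlier manual cleanup has left a gap at index 4.
CATALOG = [
    CatalogEntry(1, "tcp", "connwsp.dll"),
    CatalogEntry(2, "udp", "connwsp.dll"),
    CatalogEntry(3, "tcp", "mswsock.dll"),
    CatalogEntry(5, "udp", "mswsock.dll"),
]
FILES_ON_DISK = {"mswsock.dll"}  # connwsp.dll was deleted by the partial uninstall

if __name__ == "__main__":
    print("before:", create_socket(CATALOG, "tcp", FILES_ON_DISK))
    fixed, dropped = repair(CATALOG, FILES_ON_DISK)
    print("dropped:", [(e.index, e.dll) for e in dropped])
    print("after: ", create_socket(fixed, "tcp", FILES_ON_DISK))
```

In the model, the orphaned entries are the only thing changed, which matches the quoted statement that LSP-Fix does not delete any files.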


----------



## tjcrm (Dec 5, 2005)

Ahhh. That seemed painless. I did not have a problem when I rebooted the laptop and was able to access google and boingboing.net.

I then ran the HJT log for the hopefully "cleaned" system. Here is the copy of that log:

Logfile of HijackThis v1.99.1
Scan saved at 9:09:20 PM, on 12/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AOLCOM~1\ACCAgnt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\AOL\1120396365\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Common Files\AOL\1120396365\ee\AOLServiceHost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1120396365\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [AOLCC] "C:\PROGRA~1\AOLCOM~1\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120105028330
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Again, thanks for ALL your help.

Roseann
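The before/after check done by eye in this thread (post a log, fix, reboot, post a new log), as an added example that is not part of the original posts: a small parser for the HijackThis log layout shown above that diffs two logs and lists entries worth a second look. The sample logs are constructed from a few lines of the two laptop logs in this thread, and the two review rules (any `O10` line, any `(file missing)` suffix) are this example's assumptions, not a verdict that an entry is malicious.

```python
import re

# HijackThis entry lines look like "O10 - ..." or "R3 - ...": a letter,
# one or two digits, " - ", then the detail text.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")


def parse_hjt(text):
    """Split a HijackThis log into header fields, processes and entries."""
    log = {"header": {}, "processes": [], "entries": []}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False
            log["entries"].append((match.group(1), match.group(2)))
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            log["processes"].append(line)
        elif line.startswith("Scan saved at "):
            log["header"]["Scan saved"] = line[len("Scan saved at "):]
        elif ":" in line:
            key, _, value = line.partition(":")
            log["header"][key.strip()] = value.strip()
    return log


def diff_logs(before, after):
    """Entries and processes that disappeared or appeared between two scans."""
    def norm(entry):
        return (entry[0], entry[1].lower())  # paths vary in case between scans

    b = {norm(e) for e in before["entries"]}
    a = {norm(e) for e in after["entries"]}
    bp = {p.lower() for p in before["processes"]}
    ap = {p.lower() for p in after["processes"]}
    return {
        "removed": [e for e in before["entries"] if norm(e) not in a],
        "added": [e for e in after["entries"] if norm(e) not in b],
        "stopped": [p for p in before["processes"] if p.lower() not in ap],
        "started": [p for p in after["processes"] if p.lower() not in bp],
    }


def needs_review(log):
    """Entries a helper would want to look at first (assumed rules)."""
    notes = []
    for code, detail in log["entries"]:
        if code == "O10":
            notes.append((code, "Winsock LSP chain entry", detail))
        elif detail.endswith("(file missing)"):
            notes.append((code, "target file missing", detail))
    return notes


# Constructed samples: lines copied from the 12/9 and 12/10 laptop logs.
BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 6:08:07 PM, on 12/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\lsass.exe
C:\Program Files\AIM\aim.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
"""

AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:09:20 PM, on 12/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\wuauclt.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
"""

if __name__ == "__main__":
    before, after = parse_hjt(BEFORE), parse_hjt(AFTER)
    for kind, items in diff_logs(before, after).items():
        print(kind, items)
    print("review before:", needs_review(before))
    print("review after: ", needs_review(after))
```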


----------



## sammysosa (Nov 25, 2005)

You've made this too easy by half; you think logically, you learn quickly, you pay attention to detail, and best of all, you're patient and willing to learn more than you already know. Are you SURE you need help with this stuff? I'm beginning to get the feeling that we ought to be asking YOU for advice...

Anyway, that latest HJT log from the laptop is clean, so I'll start typing instructions on how to eliminate the junkware on all three systems, starting with the information provided in the last HJT log from the Win98 system. I'll post those instructions for you later tonight (or early tomorrow), and after you've taken the steps to block the crud from running at startup, I'll need to see ANOTHER HJT log, to make sure it doesn't come back after you reboot the system.

Though it might seem obvious by now, I've enjoyed working through these issues with you (minor though they may be, as it turned out), and being able to track your progress as your knowledge and skills have increased in just the last few days has been a blast... though this doesn't apply to many people, it's obvious to me that you enjoy learning, and that the more you know, the more you want to know...

For now, I hope you'll take the rest of the night off, and pat yourself on the back for doing such an incredible job providing your own tech support. If everyone else wrote as well as you do, and applied logic to finding solutions, online forums like this one would be virtually useless, and I think some of the long-term members who post advice here wouldn't know what to do with themselves...


----------



## tjcrm (Dec 5, 2005)

Thank you for saying that. A student is only as good as his teacher.

You have made it real easy for me to understand by giving wonderful details and links for me to follow. I'll admit I was a little nervous in the first few posts. It was clear you understood my problems from the beginning. Once I put my trust in you that you could fix whatever problem was plaguing my machines, I started to relax.

How is your uncle doing today? I think about him constantly. I hope he is resting comfortably and is getting better every day.

Roseann


----------



## sammysosa (Nov 25, 2005)

Sorry about the delay in posting this; I'm staying busy, if that counts for anything...

Starting with the Win98 system:

Click on Start > Run; type "msconfig" (no quotes) into the box, and the MS System Configuration Utility will open.

Find the Startup tab (on the far right, just below the Menu bar, which is directly below the Title bar), and click on it.

You'll see a list of everything loading when Windows boots; try not to be shocked by the length of the list. Only the apps with checkmarks in the little boxes actually load at startup, but you'll probably notice several more in the list.

You NEED the following files to run at Startup:


SystemTray

Zone Labs Client

TrueVector

AVG7_EMC

AVG7_CC

AVG7_AMSVR

ICSDCLT


This one is good to have; it runs Scandisk automatically in case Windows crashes or isn't shut down properly:

ScanRegistry


This one is harmless; you'll probably notice more than one entry for it:

LoadPowerProfile


We'll leave the AOL stuff alone, since I don't know what you truly need there, and what is optional.


Stuff you don't need:

You can safely disable any of these that are checked, so please UNcheck the boxes for the following entries (if they still exist, and still have checkmarks inside them):

Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

StillImageMonitor

ViewMgr

If you EVER need any of those programs, such as the Still Image Monitor (stimon.exe file), it will load when you use your scanner. You NEVER need the OSA9.exe file running; it preloads parts of Office into system RAM at bootup, so the Office apps will load somewhat faster IF you ever need to use it. The reason for this is so you (hopefully) won't notice how bloated the Office suite really is; hogging memory on a Win9.x / DOS-based system is NEVER a good idea, so if the Office Startup Assistant ever shows up in the MSCONFIG Startup tab again, feel free to kill it.

To be honest, I usually rename the file to OSA9.ZZZ, so it won't ever be found and loaded. It is truly worthless, and no one needs it.

If you find other files that you're curious about, feel free to post the names here, and I will advise you on which ones you can uncheck.

You should also run HJT again (on the Win98 system) after you make these changes, just so I can go through it one more time.

Soon as I can, I'll post on what changes you can make to the WinXP desktop system, and we'll leave the laptop for last.

Hope all is well there; let me know if anything I've posted here isn't clear.

Sam


----------



## tjcrm (Dec 5, 2005)

I have been in msconfig before. About a week before I upgraded to the higher speed fiber optics broadband the computer was REAL slow at startup, so I went in and turned almost everything off.

There are some programs that I have unchecked and the next time I go into msconfig I notice they are checked again: Microsoft Office is one of them; the other one is Quicktime. I think I will look for the Office file and rename it too. Can I do that for Quicktime also?

I also know that there are more entries in here than I would like or need. I have the remnants of an old virus: rate.exe C:\WINDOWS\SYSTEM\i1ru74n4.exe unchecked.

There are also two entries for load= WPSLOAD.EXE. Should I keep one of the entries checked? I have kept one checked for now.

What about the entry: SSDPSRV C:\windows\SYSTEM\ssdpsrv.exe? I guess I don't really need this one, whatever it is, 'cause I unchecked it and the computer started just fine without it.

There are a lot more entries, but I have not had them checked for a LONG time.

Here is the HJT log from the win98 computer:

Logfile of HijackThis v1.99.1
Scan saved at 4:40:55 PM, on 12/12/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTSMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTPSPD.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
D:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\WPSPSW.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\PROGRAM FILES\MICROSOFT WORKS\MSWORKS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
D:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACRORD32.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F1 - win.ini: load=WPSLOAD.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ICSDCLT] c:\windows\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] d:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [AOL TopSpeedMonitor] C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O16 - DPF: {FA36FBC4-A99E-11D2-95D8-00C04F72DFAB} (Slider Class) - http://homeadvisor.msn.com/ie/bin/finders.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
O16 - DPF: {FE67C682-F5EA-11CF-9C2F-0000C0C83ADC} (Jamba Class Library) - http://www.kidscarnival.com/Jambalib.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/yws0_x.cab
O16 - DPF: {9BB641DB-045B-42B4-BAE2-CBAAD66B0CC4} (Spotlife Composer) - http://yahoo.spotlife.net/install/composer/1.5.0.223/SLCmpser.cab
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish.com/SnapfishUploader.cab
O16 - DPF: {9C134253-E8A3-4759-9F98-302B7981922E} (MaxViewer Class) - http://support.scansoft.com/pp/files/np_max.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?306
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab
O16 - DPF: Pop Fu by pogo.com - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon.net/update/msnwebinstall/includes/vzWebIns.CAB
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://67.89.107.171/activex/AxisCamControl.ocx
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/partners/aolim/install.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://support.gateway.com/eSupport/static/weblaunch/weblaunch.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-18.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37380.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab

As always, thanks for taking the time to look this over.

Roseann


----------



## sammysosa (Nov 25, 2005)

Your Win98 HJT log is clean, but you've raised an excellent point about MSCONFIG, and that leads us to the next step in all of this, as I'll explain.

There are different ways to deal with those annoying programs that load at startup (most for no good reason); I prefer to use a freeware program which is known as Startup Control Panel (donations are accepted by the author of the program, and no, I have no affiliation with him or his program). You can learn more on this page:

http://www.mlin.net/StartupCPL.shtml

SCP is a GREAT little program which will give you COMPLETE control over the entries you see listed in the Startup tab of MSCONFIG.

You can download it from this link:

http://www.mlin.net/files/StartupCPL.zip

When you install it, SCP puts a little computer icon in your Control Panel (named "Startup", as you've probably already guessed).

Just download and install it; then open the Control Panel, find the applet marked "Startup", and double-click it. When SCP opens, you will see several tabs with weird names, such as HKLM / Run. Don't let that bother you; just click on each tab in turn to see what it will allow you to control (don't lose track of which ones you've already checked, or you'll be duplicating your work). You'll see a display similar to what you've seen in MSCONFIG; little check-boxes you can UNcheck to control the behavior of those pesky startup parasites, but that isn't ALL you can do with SCP.

Better yet, by using SCP, you can DELETE the entries you don't want, such as the one referring to the remnant of the virus infection. Check the screenshots in the first link; you'll only have to right-click on any entry to see the option menu, then make your choice on how to proceed. SCP even allows you to modify the path for entries; though you can delete any entry, you can also modify it to bring it under control, if you decide for some reason to keep it on your system.

For example, QTTASK.EXE is annoying, but the way to control it (instead of simply deleting it) is to find the listing for it (QTTASK.EXE), then right-click the name. Next, choose the EDIT option; you'll see that QTTASK.EXE is (probably) listed as being installed in the C:\Windows\System folder, and that it is followed by the modifier "-atboottime". If you wanted to keep QTTASK from loading at bootup but DIDN'T want to delete it, you would simply use the EDIT feature to delete the modifier. IOW, erase "-atboottime" from the path, so all that remains is the path WITHOUT the modifier; C:\Windows\System, followed by nothing. Without the modifier in the path, QTTASK.EXE will not be able to load at bootup, though it would still be available on your system if you ever decided you needed it (not much chance of that, but to each his own). If nothing else, you can use QTTASK.EXE to learn how to modify the path, in case you encounter a similar problem in the future.

A little thought and practice will quickly make you an expert on using SCP, and I have no doubt that you'll install it on all of your systems, once you've seen what it can do to make your life easier.

I hope you understand why I've tried to give you segments of information about this entire process as we went along, instead of smothering you with multiple suggestions on what to do to solve your problems. The idea was to build your skills in a logical progression, which I think we've accomplished. I didn't want to bombard you with information overload (you ARE managing THREE systems at once!); instead, I wanted to give you time to think, research, and learn during this repair. Rather than bury you under information and instructions, I've tried to make it possible for you to "connect-the-dots" as we went along. I think limiting your tasks this way better allows you to see the effects your actions have, instead of overwhelming you by suggesting that you make seventy-three changes to each system in one post. The result of using that method would most likely have made you decide to pay someone to do the work for you (or simply decide the issues weren't worth the time it would take to deal with them), and you probably wouldn't have learned much at all.

You've come a long way in a short amount of time; you now know how to use the available tools you need to keep things under control on those systems. You already had the basics covered with the standard (mostly passive) methods; running an AV program is fairly simple, and updating it isn't complicated once you've done it a few times. You had the firewalls and malware tools installed, and I imagine you keep those updated without a problem. The fact is, downloading and installing software isn't too difficult, but understanding what to do NEXT can be quite a struggle. You've now learned more than most people about solving many types of common computer usability problems, and once you've used SCP a few times, you'll be better prepared to deal with the most common issues that people tend to encounter with usability.

As you've seen, running a firewall and AV program are only the first steps. Beyond that, you'd protected your systems well, but still had pre-existing problems to correct, and by taking one step at a time, by being logical and analytical about the issues you've discovered, you've made a great deal of progress since your first post.

I'm going to ask you to install SCP on the Win98 system, then use it to deal with the junk shown in the MSCONFIG Startup tab, and post another HJT log from the Win98 rig. I'll check it, and when you're happy with the results, you can do the same thing with SCP and HJT on each of the other systems. After that, we can run a Registry cleaner on the Win98 system; once you're familiar with using it, we'll finish this repair by using it to clean the other systems.

You've increased your protection level (on each system) with SpywareBlaster; you've got HJT, Spybot, and Ad-Aware installed, you've got AV and software firewalls, and your systems are behind a router. Building your skills this way might have seemed bizarre, but I think now you can see the method behind the madness. You've corrected the LSP problem, you now know how to control programs that load at startup, you've learned the benefits of using programs like HJT to look for hidden problems... quite an impressive list of accomplishments for a self-described beginner, isn't it?

Now, if I could only convince you to switch browsers...


----------



## tjcrm (Dec 5, 2005)

I downloaded Startup Control Panel and have been exploring it.

I moved the remnant of the rate.exe virus, the newdotnet, b3dupdate and the weatherbug to the delete tab of SCP. But when I went into the msconfig they were still there. Are they supposed to still be there? I was reluctant to remove some of the other strings because I first had to enable them in msconfig and then SCP could see them so I could remove them. Likewise when I edited the string for QTTASK and removed the -atboottime it only showed in SCP not in msconfig. Once I unchecked QTTASK in the SCP it was no longer visible. I rebooted several times while "playing around" with these settings -- still showed in msconfig.

I also downloaded SCP on the XP and the laptop. They had more startup items I just didn't get around to disabling so it was more fun to use SCP on those machines.

Here is the latest HJT log for the Win98:

Logfile of HijackThis v1.99.1
Scan saved at 9:11:21 PM, on 12/14/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 3.0\AOLTB.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 3.0\AOLTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 3.0\AOLTB.DLL
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 3.0\AOLTB.DLL
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O16 - DPF: {FA36FBC4-A99E-11D2-95D8-00C04F72DFAB} (Slider Class) - http://homeadvisor.msn.com/ie/bin/finders.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - https://support.gateway.com/support/profiler//PCPitStop.CAB
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
O16 - DPF: {FE67C682-F5EA-11CF-9C2F-0000C0C83ADC} (Jamba Class Library) - http://www.kidscarnival.com/Jambalib.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/yws0_x.cab
O16 - DPF: {9BB641DB-045B-42B4-BAE2-CBAAD66B0CC4} (Spotlife Composer) - http://yahoo.spotlife.net/install/composer/1.5.0.223/SLCmpser.cab
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish.com/SnapfishUploader.cab
O16 - DPF: {9C134253-E8A3-4759-9F98-302B7981922E} (MaxViewer Class) - http://support.scansoft.com/pp/files/np_max.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?306
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab
O16 - DPF: Pop Fu by pogo.com - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon.net/update/msnwebinstall/includes/vzWebIns.CAB
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://67.89.107.171/activex/AxisCamControl.ocx
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/partners/aolim/install.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://support.gateway.com/eSupport/static/weblaunch/weblaunch.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-18.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37380.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab

Thanks again. You are a life saver!!

P.S.: I forgot to say that I ran this HJT log while in safe mode. I'm sure you could tell right away. It took me a while, but I can see the difference in the logs: the running processes list is shorter and it is missing the 04 HKLM files.
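The comparison described in this post (a shorter process list and no O4 lines in the second log) can be done mechanically. The following is an added example, not part of the original thread and not HijackThis's own code: it parses two logs and reports what disappeared between them. The sample logs are abbreviated excerpts of the two Win98 logs posted above, and the function names and the boot-state heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# Abbreviated excerpts of the two Win98 logs posted in this thread.
LOG_NORMAL = r"""Logfile of HijackThis v1.99.1
Scan saved at 4:40:55 PM, on 12/12/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
F1 - win.ini: load=WPSLOAD.EXE
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
"""

LOG_SAFE = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:11:21 PM, on 12/14/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 3.0\AOLTB.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
"""

# Entry lines look like "O4 - HKLM\..\Run: [...] ..."; the code before " - " is the section.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")


def parse_hjt(text):
    """Split a log into header fields, running processes and entries keyed by section code."""
    log = {"header": {}, "processes": set(), "entries": defaultdict(set)}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            log["entries"][entry.group(1)].add(entry.group(2))
        elif in_processes:
            log["processes"].add(line.upper())   # Windows paths are case-insensitive
        elif line.startswith("Scan saved at "):
            log["header"]["saved"] = line[len("Scan saved at "):]
        elif line.startswith("Platform: "):
            log["header"]["platform"] = line[len("Platform: "):]
    return log


def code_key(code):
    """Sort section codes by letter, then number (O2 before O16)."""
    return (code[0], int(code[1:]))


def diff_logs(before, after):
    """Report processes and entries that disappeared or appeared between two parsed logs."""
    codes = sorted(set(before["entries"]) | set(after["entries"]), key=code_key)
    gone, new = {}, {}
    for code in codes:
        b = before["entries"].get(code, set())
        a = after["entries"].get(code, set())
        if b - a:
            gone[code] = sorted(b - a)
        if a - b:
            new[code] = sorted(a - b)
    return {
        "processes_gone": sorted(before["processes"] - after["processes"]),
        "processes_new": sorted(after["processes"] - before["processes"]),
        "sections_gone": [c for c in codes
                          if before["entries"].get(c) and not after["entries"].get(c)],
        "entries_gone": gone,
        "entries_new": new,
    }


def boot_state_changed(diff):
    """Heuristic (an assumption of this example, following the observation in the thread):
    every O4 line vanished and processes only shrank, so the logs were probably taken in
    different boot states rather than before and after a cleanup."""
    return ("O4" in diff["sections_gone"]
            and bool(diff["processes_gone"])
            and not diff["processes_new"])


if __name__ == "__main__":
    result = diff_logs(parse_hjt(LOG_NORMAL), parse_hjt(LOG_SAFE))
    for name, value in result.items():
        print(name, "->", value)
    print("different boot state likely:", boot_state_changed(result))
```

When the heuristic fires, the two logs are not a like-for-like comparison, so a "clean" result should be confirmed with a log taken in the same boot state as the first.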


----------



## sammysosa (Nov 25, 2005)

Thanks for the edit: I DID notice the missing 04 processes, and realized that you had to be working in Safe Mode. I had some questions about that for you, but I've deleted them, since there is no obvious reason for me to be concerned now.

Anyway, you wrote:

"... I moved the remnant of the rate.exe virus, the newdotnet , b3dupdate and the weatherbug to the delete tab of SCP. But when I went into the msconfig they were still there. ... I rebooted several times while "playing around" with these settings -- still showed in msconfig."

Judging from those first remarks:

"I moved the remnant of the rate.exe virus, the newdotnet , b3dupdate and the weatherbug to the delete tab of SCP. But when I went into the msconfig they were still there."

I understand your concerns about this, and I appreciate the opportunity to explain this behavior, which seems odd at first glance, though SCP is actually working exactly the way it is intended to work. Our expectation when we DELETE something is that it isn't there any more, but SCP works differently, mainly to protect unaware and overzealous users (like ME) from unknowingly damaging their systems, which I'll explain.

The key factor here is that, by using the "Send To" option, you MOVED those items to the Delete tab in SCP. That means that you did NOT actually DELETE them; you've only MOVED them to a holding area within SCP (think of the Delete tab feature as "SCP JAIL"). Moving them there was the right choice for now, since you are still learning how to use SCP. The fact is (as you've discovered), those items have NOT been deleted; in order to actually DELETE them, you would have to right-click each one WHILE IT IS IN SCP JAIL, and choose the DELETE option; SCP will then ask you to confirm that you want to PERMANENTLY delete the highlighted item(s).

The reason for this is simple; if you send an app to SCP JAIL, then later discover you NEED it to run at bootup, you can open SCP, open the jail, and send the app listing back to one of the other tabs. Unfortunately, SCP does NOT track the point of origin for anything you move, so if you want to put it back where it was originally located, you'd have to make notes (or take screenshots and save them to the hard drive, which is what I do).

You can test all of this yourself, and learn something new in the process. Open SCP and click on the Startup (user) tab (just for an example; you could actually choose any tab EXCEPT the Delete tab to do this).

Don't worry; we'll create a listing for a non-existent program, so you won't risk problems with any actual programs on your system.

Right-click in a blank area within the chosen tab, and you'll be given the option to create a NEW listing. You'll be asked to provide a name for the new entry; call it "BADCLOWN" (no quotes). Type the path to the new listing as "C:\Village\Idiot\BadClown.exe" (again, no quotes). Click on the OK button, and look at the new listing inside the tab; you'll see the program listed as BADCLOWN, and the path to it shown as C:\Village\Idiot\BadClown.exe, which is the information you provided. SCP will create the listing with a checkmark inside the checkbox to make the program active (it wouldn't make much sense if it DIDN'T activate the listing that you created specifically to run at Startup, would it?); you can leave the box checked, or remove it, whichever you prefer.

Again, since the BADCLOWN app doesn't exist, it CAN'T actually run when you reboot the system.

Now, right-click the entry for BADCLOWN, and choose the "Delete" option; the entire entry is immediately moved to the Delete tab (the SCP JAIL) while you decide what to do with it. If you decide you actually NEED the BADCLOWN program to run as a service (loading in the background whenever the system is booted), you can right-click it and use the Send To option to move it back to the Services tab, or anywhere else you decide to install it.

Of course, you might choose to move it to the HKCU / Run (Hive Key Current User / Run) section of the Registry, and it will load at startup ONLY when the current user logs on again (that applies only if your Win98 system is set up for different users, the way WinXP works by default).

OR, you could move it to the HKLM / Run tab (Hive Key Local Machine / Run) portion of the Registry, which means it would load each time the system is rebooted, regardless of which user logged on, or even if NO user logged on. IOW, under the HKLM / Run tab, BadClown.exe would run at startup whenever the system was booted, which is similar to having it run as a service, though Services are more familiar to WinNT/2k/XP users, rather than something Win9.x users would be likely to encounter.

Obviously, you also have the option of leaving BADCLOWN in jail, or you can REALLY delete it by right-clicking it and using that option.

Now, I'd like you to think about something; I'm NOT going to tell you the answers, so you can learn this on your own if you're curious. What do you think would happen if you DIDN'T remember to move the BADCLOWN listing to the SCP jail? If it was still listed to run at Startup when you rebooted the system, do you think it would cause a problem? Remember, the BadClown program doesn't actually exist; we made a mock entry to it, but there is no such app, and no \Village\Idiot directory on your C: drive. Therefore, it CAN'T run when Windows is booted; would that cause a problem?

Would you see an error message? Would Windows stop loading, or crash, just because a program listed to run at startup was missing (or somehow damaged)? 

Again, I won't tell you the answers to those questions; if you really want to know, then use the "Send To" feature in SCP to move BADCLOWN back to the Startup tab, close SCP, and reboot your system.

OK, I understand that you'll apply some logic to this and realize that I wouldn't suggest doing this if it would cause any serious problems for you, but doing this will make you more familiar with what COULD happen to Windows, and you'll have a better idea on how to deal with it if you see something similar happen in the future.

Make no mistake; we've gone WAY past the "beginner" stages of repairing Windows LONG before we got to this point. Our focus has been on solving your networking problems (which you did without any helpful input from me), then improving your system security settings (mainly by installing and updating SpywareBlaster), and lastly by correcting pre-existing problems that you were able to uncover with the help of HJT and other tools at your disposal. We haven't tried to repair Windows itself (thankfully, your systems aren't "broken" right now); instead, we've focused on improving system reliability and usability issues. This isn't the TIP of the Windows iceberg; we've actually gotten into some of the real nuts-'n-bolts settings that most people don't know anything about, and I'm impressed that you took the time to experiment with SCP to improve your understanding of the control it gives you over those pesky / mostly useless apps that are preset to load at startup. 

Lastly, if anything I wrote about using SCP was unclear, then think of it this way; you sent those apps to the SCP JAIL while you consider their ultimate fate. They are there to remind you that you should eventually make a decision on whether or not to delete them PERMANENTLY, or keep them handy (but out of the way) in case you ever find a need for them. Of course, you could also choose to right-click them from within the (Delete tab) jail, and send them to that great digital coffin in the ether, but you can also keep them as a reminder of how to use SCP, or delete them and keep BADCLOWN as a truly harmless example.

Now, I hope you'll open SCP again, and try the BADCLOWN example. Once you understand that, you'll be able to use SCP to eliminate those scraps and remnants, and you'll be better prepared to work with it on your other systems.

You might want to take some "BEFORE" screenshots of the different tabs within SCP as you work, which can help you undo any inadvertent changes you might make. I realize that taking screenshots will complicate the learning process somewhat, but you WON'T have to rely on your short-term memory as you work, and that can make life with Windows easier in the long run.

Well, got to wrap this up; hope this helps clarify using SCP. Post any questions, and we'll deal with WPSLOAD.EXE (which is used by Canon BubbleJet printers) and other items the next time I post here, which should be within the next twelve hours.

Keep punching, Roseann; you're making steady progress, and there's a lot to be said for that.

PS - Forgive any typos; I can't get the spell-check feature to work since the changeover to the new format.

Sam


----------



## tjcrm (Dec 5, 2005)

sammysosa said:


> Would you see an error message? Would Windows stop loading, or crash, just because a program listed to run at startup was missing (or somehow damaged)?
> 
> You might want to take some "BEFORE" screenshots of the different tabs within SCP as you work, which can help you undo any inadvertent changes you might make. I realize that taking screenshots will complicate the learning process somewhat, but you WON'T have to rely on your short-term memory as you work, and that can make life with Windows easier in the long run.


Okay, I have had time to try this exercise. I thought I was going to see an error message while the computer was starting up (black screen, white writing). I was wrong. It came up with a missing shortcut box after my desktop loaded. That would remind me to go in and "fix" that problem. I will keep the BadClown example. It was very helpful. The way you explain everything makes it so easy for me to understand.

I have a question about how to take "screenshots". That would be very helpful for me -- I have no short term memory. I have to write everything down.

I did delete the rate.exe virus from the "deleted" section. I figured that one was safe to try out. I rebooted and it is still in the msconfig. I was hoping I was going to "clean out" some of those extra entries from the msconfig.

Thanks for taking the time to teach me.

Roseann


----------



## sammysosa (Nov 25, 2005)

You're managing this quite well, and I do hope you won't mind this detour into learning how to make some simple screenshots...

Taking a basic screenshot is one of the easiest things you can do in Windows. Everything you need to accomplish that is most likely already installed on your system.

Basic screenshots using only Windows components require the use of the "Print Screen" key on your keyboard (look to the RIGHT of the F12 key in the top row), the Windows Clipboard, and MSPaint, or whatever they call it these days.

In case you don't know, the Clipboard is simply space set aside in your RAM for ANYTHING you happen to copy. If you highlight and copy the very next line, it will be stored on the Clipboard until you do one of the following steps:

1. You copy something else; Clipboard only keeps what was last copied; anything that had been on the Clipboard is deleted.

2. You open the Clipboard Viewer and intentionally delete whatever you see there; the Clipboard Viewer program can show you almost anything that you can copy to the Clipboard itself; you'll usually find it at Start > Programs > Accessories > System Tools > Clipboard Viewer. You can also open the Viewer by using Start > Run, and typing "CLIPBRD" into the box, then pressing the "OK" button. Since the Clipbrd.exe program is normally found in the Windows folder, Windows can find it right away; you don't need to type the complete path to it. In case you're curious, the complete path would be:

C:\Windows\Clipbrd.exe

but again, Windows looks inside the Windows folder by default, so you don't need to provide the path.

3. You shut down or reboot Windows; since the Clipboard consists of space in the RAM, a shutdown or reboot erases just about everything stored in the RAM, and that kills the Clipboard.

Just so you understand this, the Clipboard is automatically created by Windows during bootup. As I've mentioned, it is there to provide a holding space for anything you happen to copy (or happen to cut, which both copies whatever you've highlighted, and then removes it from the document, text file, or image you're working with, to name just three examples).

The Clipboard Viewer is the program that shows you what is stored on the Clipboard. Of course, "stored" is a relative term; anything you copy is actually only temporarily "HELD" on the Clipboard until it is replaced by something else (which I explained in Step 1), or until something else happens to it (as I explained in Steps 2 and 3).

Anyway, there are two basic techniques you need to learn; one is to take a shot of the ENTIRE screen, which is everything you see on the monitor, including the Taskbar and the System Tray (where the clock is located). The other technique you need to know how to perform is to take a shot only of the ACTIVE window, the one with the highlighted Title Bar, which is also referred to as the window with the "focus"; that makes sense to me, because the ACTIVE window is the one you're currently "focused" on, which is another way of saying "the window you're currently working in" is the active window.

We'll begin with the instructions on how to take a screenshot of the entire screen. You'll need to capture the image (which will copy it onto the Clipboard automatically), then paste it into Paint, then give it a name, so you can save it and find it when you need it.

Keep in mind that even though you've pasted the image into Paint (in order to name it and save it to the harddrive), it is STILL being held on the Clipboard. That information tells you that you could make MULTIPLE copies if you needed them, without having to take another screenshot. As I've mentioned, anything you copy (or cut) is held on the Clipboard until it is replaced by the next item you copy, or you intentionally (or UNintentionally) clear the Clipboard, or the system is shut down or rebooted.

First, find the "Print Screen" key on the keyboard; again, look to the RIGHT of the F12 key in the top row, and you should see it. It is sometimes abbreviated as "Prnt Scrn" or something similar. It is usually a dual function key, sharing duty as the "System Request" key (abbreviated as "SysReq" or something similar), which I've never found a use for. The key functions as the Print Screen key by default, so pressing it makes Windows copy a Print of the Screen (get it?) to the Clipboard. Even though you can't see it happen, once you press the Print Screen key, the image you see on the monitor is captured (copied) onto the Clipboard (which means that it is copied into the section of RAM set aside for that purpose), and you can then paste it into an application such as Paint, which works with simple image files.

Making a copy of text isn't the same thing as using the Print Screen feature; copied text is ONLY the text, while using Print Screen is similar to taking a photo of the entire screen, text and all.

Press the Print Screen key, then follow these steps:

1. Open the Paint program, which is usually found under Start > Programs > Accessories.

2. In Paint, click on Edit > Paste (look at the Menu Bar for "Edit", then click on it, then click on Paste). If Paint asks you if you would like to "enlarge the bitmap", click on the "YES" button; that will enlarge the area where Paint will paste the image, so that the entire image will fit onto the bitmap; just for fun, answer "NO" the first time you do this, and see the result.

3. Now click on File > Save As, then browse to the folder where you want to save the new image file (in this case, a screenshot you're creating in Paint), and finally,

4. Give it a name you will remember, then click on the "OK" button.

Paint will save the file (usually as a rather LARGE file, known as a "bitmap", using the .BMP extension), and you'll be able to view it whenever you want to refer to it. Be aware that bitmaps are not compressed in any way (unlike .JPG and .PNG image files, among others), so they tend to take up a lot of room, relatively speaking. One exception to this is when Office 2000 is installed on a (non-XP) system; it installs "filters" so Paint can actually then work with more graphics files, such as .JPGs and .GIFs. On systems with WinXP, I believe the graphics filters are preinstalled...

You can read this article from the MS Knowledge Base for more details:

http://support.microsoft.com/kb/Q298580

Now, let's move on to taking screenshots of the active window. The ONLY real difference between taking a screenshot of the ENTIRE screen, and taking one of just the ACTIVE window, is to hold down the ALT key while you press the Print Screen key.

Try that: Hold down either of the ALT keys on the keyboard (doesn't matter which one you use), then, while STILL pressing the ALT key, press the Print Screen key. Once you've released the Print Screen key, you can release the ALT key as well. Then, follow the steps to paste the image into Paint, and see the difference for yourself.

Of course, you can ALSO view the contents of the Clipboard simply by opening the Clipboard Viewer, but that won't SAVE a copy of the image for you the way that using Paint will.

I could expound on this (and will, soon as I can find the time), but for now, you know enough to start making basic screenshots, and I'm on the verge of collapse. Try these methods, and let me know if anything I've presented here isn't clear.


----------



## tjcrm (Dec 5, 2005)

Ahhh. I always use copy and paste and put the information into a word document. I never realized that if you hit print screen you needed to open it with a program. 

While I was trying out your example my 17 year old son wandered by. He said "You didn't know that?!!!" Leave it to a kid to know these things. He always uses Paint and apparently knows how to use print screen too. I think he wanted to get me off the XP computer so he was rushing me.

I'm glad that you took the time to explain it to me and NOT him. 

I often wondered why when I closed a word document after I did some cutting and pasting the program asked if I wanted it to remember the large amount of data I stored in the clipboard. I never knew that I could actually "view" the clipboard. I liked the "run - clipbrd" feature a lot.

My HP printer has something similar where you can click on the program and take a screen shot, but I don't have that software on all the computers. I like the ease of the print screen button. 

Okay he's back to bother me again. I guess my time is up on this computer.


----------



## tjcrm (Dec 5, 2005)

It's been a little crazy/busy around here lately.

Daughter came home from college and then announced that her computer has not been working correctly. She is complaining that the computer is running slow in general and locks up frequently.

She is running WinXP. She has a 10GB harddrive and an 80GB external drive. I defragged her 10GB internal drive. (It wasn't too fragmented.) She already has Spybot, Ad-Aware and Nortons AntiVirus. I downloaded HJThis, Spywareblaster, Ccleaner and Startup Control Panel.

I notice she does not have a firewall. She tells me she cannot have one at school. She doesn't want me to put one on her laptop.

I am posting a copy of her HJThis log below:

Logfile of HijackThis v1.99.1
Scan saved at 6:48:57 PM, on 12/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rsvp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Symantec AntiVirus\VPC32.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Thank you for taking the time to look over yet another of my logs.

Roseann


----------



## sammysosa (Nov 25, 2005)

The holidays are upon us once again; we're ALL busy going crazy (or something like that)...

One thing jumped out at me, and it isn't good:

O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

ALL of the O16 entries in an HJT log are ActiveX controls, which ONLY Microsoft Internet Explorer and other browsers built on it (the AOL browser, for example) are vulnerable to. If your daughter is not allowed to install a firewall at school(!), then the ONLY way to keep her system from being BOMBARDED with crap like this (that ActiveX control installs an "Adult Content Dialer", which your daughter almost UNDOUBTEDLY got simply by connecting to the school network without a firewall) is to change browsers. She wouldn't have to do ANYTHING to get such a malicious ActiveX control loaded onto her system; simply connecting to the network without a firewall and opening Internet Explorer (or the AOL browser) would do the trick.

I checked the SpywareBlaster database (which is built into the program) and this is what it has to say about this type of ActiveX control:

"Premium-rate dialer, most likely for adult-rated material. If installed, it could dial to an overseas toll number without you knowing and cause large charges on your phone bill."

The dialers work SILENTLY; they disable the modem speaker as they work, so you don't hear the usual dialing and connecting noises from the modem. Once you're connected to the 'net through a dial-up modem, they keep the line open (so you never realize your connection has been disrupted) and dial into a different number, where per-minute connection charges can skyrocket. If she'd been using a dial-up connection, instead of the school network...

If your daughter still NEEDS to use AOL, she can help protect herself by logging on through the AOL browser, then IMMEDIATELY minimizing the AOL window, and opening another browser which is immune to ActiveX controls, such as Firefox, the Mozilla Suite (which I prefer), or Opera.

ONCE HER SYSTEM IS CLEAN, you should hook up her computer to the 'net, then let PCPitstop test her system (use Internet Explorer when you do this test). PCPitstop will recommend several changes to her browser settings; make those changes, then reboot the system, and test it again. Keep testing it until you get a clean bill of health. If PCPitstop shows any RED or YELLOW flags, click on the flag, and a page will open with instructions on what changes to make.

http://www.pcpitstop.com

You might recall that I mentioned changing your browser; IE is NOT safe and NEVER will be. MS has no intention of dumping the use of ActiveX controls because too many of their "partners" (partners in crime, maybe?) rely on the use of ActiveX controls to give them power over YOUR system. That is one reason why you can't close your session with AOL until they "allow" you to; the ActiveX controls they use allow them to read all of the cookies on your harddrive (that isn't the ONLY thing they use ActiveX for), so they know which websites you've visited, and what types of ads you've seen. That allows them to show you similar ads; if you were looking at a website that sells antique doorknobs, there is a good chance you'd see ads for companies selling them the very next time you logged on.

There are others who will tell you that IE is NOT the problem; the TRUTH is, ActiveX is a vector (an entry-point) for all kinds of trash, and the ONLY people having these problems are the ones who insist that IE is a good or safe browser. Of course, they have to run seventeen apps to PROTECT their systems, and a dozen more to CLEAN them, and ten OTHERS to UNDO the damage they incur as a SELF-INFLICTED wound; if they simply switched to a browser IMMUNE to ActiveX controls, those days would be OVER.

Of course, we STILL need a firewall and an AV program, because there are a lot of things (trojans, worms, other malware) we can be attacked by that aren't based on ActiveX, but eliminating problems from ActiveX controls is as simple as changing to a BETTER, SAFER browser. Even my mother, who is 79 years old, and uses AOL, has made the switch; once she logs on to AOL, she minimizes the AOL browser and opens Firefox. Now, if I could only convince her to dump AOL...

You know the drill by now; close open programs, run HJT with FIX CHECKED for that O16 entry:

O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

then reboot the system.

NEXT, you need to restart the system in "Safe Mode", which means pressing the F8 key during the reboot to bring up the WinXP Startup Menu. Once the system boots into Safe Mode, you'll need to show all hidden files and folders, so do this:

1. Open My Computer.

2. Select the Tools menu, and click on the Folder Options setting.

3. Select the View tab; in the Advanced settings box, under the "Hidden files" folder, select "Show hidden files and folders".

4. Remove the check mark from "Hide protected operating system files (Recommended)" box, click Apply, and then click OK.

Then, you'll have to open Windows Explorer and find this file:

C:\counter.cab

Obviously, that file is in the root of the C: drive, so at least you don't have to drill down through a dozen sub-folders to find it.

Once you've deleted that counter.cab file, reboot the system normally, run HJT again, and post the new log here. I'll check it to be sure nothing else pops up.

Lastly, since she can't install a firewall (which is INSANE; I'd call the school and raise HELL about that policy!, or find out which joker told her she couldn't use a firewall and punch him in the mouth), you can expect to be doing this frequently (I hope school isn't far away). OR, she can install Firefox, and not have to deal with ActiveX controls mangling her system again. She's lucky this one only slowed her system down; this could have been MUCH worse...

http://www.mozilla.com/

Don't forget to post the new log when you get the chance...

Merry Christmas to you and yours, Roseann

Sam


----------



## tjcrm (Dec 5, 2005)

We first went into the HJThis log and fixed the counter.cab problem. Rebooted. Had a hard time starting up in safe mode so we went into msconfig and did it from there. But when we went into windows explorer we could not find the file c:\counter.cab. We ran a search and it did not show up. (Hopefully it is deleted.)

She is running the Windows Firewall, but no others.

We ran PCPitstop and there were three yellow flags. We took care of two (startup files and internet explorer disk space for temporary internet files). The third flag is that she only has 128MB RAM.

The GOOD News is we are both thinking about switching to Mozilla. She is ready and I need to do more reading on how to actually do it before I can make the leap.

Here is the latest log for her laptop:

Logfile of HijackThis v1.99.1
Scan saved at 5:14:32 PM, on 12/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_02\bin\jucheck.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - 
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

As always, thanks so much for your help.

Roseann


----------



## sammysosa (Nov 25, 2005)

Sorry to say, the entry is still there, though the file itself isn't showing. Please use HJT to fix it again, then reboot into Safe Mode and look for that counter.cab file, just to cover the bases. Then, reboot normally, run HJT again, and post the log here.

BTW, using Firefox is as simple as can be. Just download it, then start the installation; it will guide you every step of the way (there are only a few), and it will even automatically import all of your IE "favorites" as Bookmarks, so you won't need to wrestle with that yourself. It is not a resource hog, and when you close it, it is designed to unload itself from the memory, so it won't hold system resources any longer than needed.

Lastly, I'm glad you remembered that you can set MSCONFIG to reboot into Safe Mode; that is an option most people tend to overlook.

I'll watch for your next HJT log...


----------



## tjcrm (Dec 5, 2005)

Ahhh. This time everything worked as planned (I hope). I was even able to get the computer to boot into safe mode without msconfig. Daughter is still sleeping. I had to run HJThis a few times before it really got rid of that entry, but it is gone. The file never showed up in Windows Explorer.

I suspect if daughter has her way we will be downloading mozilla today. I would like to wait till after Christmas when I might have a few spare minutes. (LOL)

Next I will look into getting more memory for her laptop, it still takes forever to startup. She says it is a little quicker on line though.

Here is the latest HJThis log for her laptop:

Logfile of HijackThis v1.99.1
Scan saved at 9:43:54 AM, on 12/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

We will be leaving later today to visit with my sister-in-law in CT, so if I don't get on again for a few days ... I hope you have a Happy, Healthy Christmas and New Year. I hope your uncle is doing better too.

Roseann


----------



## tjcrm (Dec 5, 2005)

Okay, I am the impatient one. Even though I am supposed to be cooking, cleaning, wrapping and working ... I installed mozilla on the Win98 computer. It was a SNAP! I'll be able to do daughter's computer with her later.

Thank you for giving me the courage to make the move!!

Roseann


----------



## sammysosa (Nov 25, 2005)

Sorry about the delay in posting this; I've been fighting a migraine and looking after my uncle, neither of which qualifies as much fun.

So, you've made the switch to Firefox? Glad to know you've accomplished that. Now, your system is eternally safe from ActiveX controls, unless you find a need to use the IE/AOL browsers again.

The last HJT log looks clean, but I would like you to look through the O4 listings. Those are the items that load at Startup, and I'm sure you can find a few to eliminate with MSCONFIG or the Startup Control Panel. I really can't imagine needing these apps to slow the bootup process and hog a lot of resources:

O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

Check that list, then check it twice if you prefer, then show no mercy to the bloatware!

Hope your trip to CT was enjoyable (did you run into my brother and his family during the visit?), and that Santa was especially nice to you and yours.

Happy New Year, Roseann; best wishes for you and your entire family.

Please post a new HJT once you've given those freeloaders a boot, and we'll know that your daughter's system is clean.


----------



## tjcrm (Dec 5, 2005)

Sorry to hear that you have not been feeling well. I hope that the New Year finds yourself and your uncle feeling better every day.

Firefox was really easy to install and I'm glad you gave me the push to use it. I am afraid to switch when things are working just fine as they are ... but I knew if I had a problem YOU would be able to help me.

I looked over the O4 entries and have used SCP to remove the stormcodec, the kernelfaultcheck, the HP software update and the ctfmon.exe. My daughter informed me that under NO circumstances could I remove her AIM or DEADAIM. She needs those at startup. (Heaven forbid, she might have to return phone calls to her friends if her AIM was not working!!)

Here is the log for Daughter's Laptop:

Logfile of HijackThis v1.99.1
Scan saved at 5:05:23 PM, on 12/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [InstallShieldSetup] C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\8\INTEL3~1\IDriver.exe /reboot{8338BA06-E527-491B-9400-F51708FEE695} /z
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - 
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPodService - Unknown owner - E:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

I always look in the "run once" tab of SCP and noticed there is a file. I located it on the harddrive and opened a notepad file (formatter_log) in the Intel32 folder. It looks like it might be something iPod related. I have not rebooted yet. Do you think it is safe?

What about the O8 extra content files in the HJThis log -- can we clean those out? Okay I should leave well enough alone.

We had a nice time in Danbury. It was colder and had more snow, but the company was good.

Hope Santa was good to you. Happy New Year, Sam. Looking forward to learning more from you in 2006!

Roseann


----------



## sammysosa (Nov 25, 2005)

Actually, I think you know how I feel about ANY extraneous software being loaded for no good reason, so I would like to help you deal with those O8 listings, but for right now...

Something new popped up:

O4 - HKLM\..\RunOnce: [InstallShieldSetup] C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\8\INTEL3~1\IDriver.exe /reboot{8338BA06-E527-491B-9400-F51708FEE695} /z

I don't know what it is related to, so I'll try to research it and get back to you with specific instructions on how to deal with it. My first impression is that it is the remnant of a software installation that might or might not have been successful, and most likely, it is related to one of the entries you disabled with SCP, but I won't know until I get the chance to poke it with a digital stick for a while.

In the meantime, I would like you to install and run Crap Cleaner on that system. You can download it here, in case you don't have it handy:

http://www.ccleaner.com

When you run it, please use the "ISSUES" option (on the left side); it will poke through the Registry to see what kind of trash is in there. You can remove whatever it finds, but DO choose to make a backup when CCleaner offers to do so. The backup file will begin with the letters "cc" (you can guess why), followed by a date-and-time stamp, followed by the .REG extension. By default, the backup file gets stored deep on the harddrive, but I suggest you create a new folder in Windows Explorer right off the root of the C: drive for your Crap Cleaner backup files; it makes them easier to find if you ever need to reinstall the entries CCleaner removes. I name the folder "CCBACKUP", and put it in the root, which means the path becomes:

C:\CCBackup

Trust me; Win2k does not have the System Restore feature, so being able to get to that folder quickly from the command prompt, rather than try to drill down through several levels to find it, makes life just that much easier.

Anyway, let me know what happens when you run CCleaner and reboot; if you have to do a System Restore, or use the "Last Known Good Configuration" setting to get back to the Desktop (not really likely, but you never know), just locate the CCleaner backup file, right-click it, and choose the option to "Merge" it. Everything will be placed back into the Registry as if nothing ever happened, and we'll know that CCleaner was a little too aggressive. Odds are against anything going wrong, but if it does, you now know just how easy it is to fix it.

Most of the Registry problems I've encountered have been self-inflicted, so don't worry about using CCleaner; I've NEVER had a problem when using it. My Registry problems have occurred from being overzealous when I MANUALLY edited the Registry (a good reason to switch to CCleaner), so give it a shot.

Once we get this item nailed down, we'll move on to the O8 entries; I realize that you'll probably have to finish this system soon (so your daughter can take it back to school), so I suggest that we focus on this computer exclusively until we get it dialed in. If the deadline is REALLY tight, please let me know right away, and I'll watch this thread even more closely.

Keep me posted on your progress, and let me know if you have any questions...
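
The comparison made in the post above (spotting what changed between two HijackThis scans) can be done mechanically. The following is an added example, not part of the original thread: the two sample logs are abridged from the 12/23 and 12/31 logs posted above, and the function names and flag labels are this example's own.

```python
import re
from typing import NamedTuple

# HijackThis entry lines look like "<section> - <kind>: <body>",
# e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<rest>.+)$")
# An O16 (Downloaded Program Files) body that is only a CLSID: no control name, no source URL.
BARE_DPF_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}\s*-?\s*$")


class Entry(NamedTuple):
    section: str
    kind: str
    body: str

    def key(self):
        # Case and spacing vary between scans (System32 vs system32), so compare normalised.
        return (self.section, self.kind.casefold(), " ".join(self.body.casefold().split()))


def parse_log(text):
    """Return the O/R/F/N entries of a HijackThis log, skipping header and process lines."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, "Running processes:" paths, blank lines
        kind, sep, body = m["rest"].partition(": ")
        if not sep:  # some sections have no "kind:" prefix
            kind, body = "", m["rest"]
        entries.append(Entry(m["section"], kind, body.strip()))
    return entries


def flags(entry):
    """Label the traits that made entries stand out in this thread."""
    found = []
    if entry.section == "O4" and entry.kind.casefold().endswith("runonce"):
        found.append("runonce")             # one-shot autostart, often left by an installer
    if entry.section == "O16" and BARE_DPF_RE.match(entry.body):
        found.append("dpf-no-name-or-url")  # ActiveX registration with nothing identifying it
    if entry.body.casefold().endswith("(file missing)"):
        found.append("file-missing")        # registry entry points at a file that is gone
    return found


def diff_logs(old_text, new_text):
    """Return (added, removed) entries between two scans, in log order."""
    old, new = parse_log(old_text), parse_log(new_text)
    old_keys = {e.key() for e in old}
    new_keys = {e.key() for e in new}
    added = [e for e in new if e.key() not in old_keys]
    removed = [e for e in old if e.key() not in new_keys]
    return added, removed


# Abridged from the 12/23/2005 log in this thread.
LOG_DEC_23 = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

# Abridged from the 12/31/2005 5:05 PM log in this thread.
LOG_DEC_31 = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\RunOnce: [InstallShieldSetup] C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\8\INTEL3~1\IDriver.exe /reboot{8338BA06-E527-491B-9400-F51708FEE695} /z
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} -
O23 - Service: iPodService - Unknown owner - E:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

if __name__ == "__main__":
    added, removed = diff_logs(LOG_DEC_23, LOG_DEC_31)
    for e in added:
        print("NEW    ", e.section, e.kind, e.body, flags(e))
    for e in removed:
        print("REMOVED", e.section, e.kind, e.body)
```

A flag here only marks an entry for a closer look; it does not say the entry is malicious.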


----------



## sammysosa (Nov 25, 2005)

Just remembered that I'm supposed to attend a memorial service; I'll check for your reply when I get back online later tonight.


----------



## tjcrm (Dec 5, 2005)

"Something new popped up:

O4 - HKLM\..\RunOnce: [InstallShieldSetup] C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\8\INTEL3~1\IDriver.exe /reboot{8338BA06-E527-491B-9400-F51708FEE695} /z"

I think this refers to the InstallShield for her iPod software.

I ran the Issues option of CCleaner. Thankfully I did not have a problem when I rebooted. I DO appreciate you giving me directions IN CASE I needed to merge back in the registry entries. I took your advice and made a c:\CCBackup folder.

I couldn't help myself though ... I checked in SCP when the computer rebooted and noticed that the ctfmon.exe file had come back. I had one copy unchecked and another with a checkmark. I deleted the checked one. If I move the unchecked one to the deleted tab will it keep coming back on reboot? Should I edit it (ctfmon.zzz)? Will it still keep coming back?

Daughter goes back to school around the 20th of January. We have a little bit of time. I also took a book out of the library so that I can add more RAM to her laptop. It looks simple enough (maybe). I have added more memory to my desktops before ... but never a laptop. I'll let you know how that goes.

Here is the latest HJThis for Daughter's Laptop:

Logfile of HijackThis v1.99.1
Scan saved at 9:46:49 PM, on 12/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - 
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Thanks for ALL your help.


----------



## sammysosa (Nov 25, 2005)

The dialer remnant is back:

O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} -

You'll have to run HJT again to fix that; again, be SURE that you have ALL of the hidden files shown, then reboot into Safe Mode AFTER running HJT with the "FIX CHECKED" option. Then, use the Windows Search tool to look for the "counter.cab" file again; though it wasn't listed by HJT, we might as well make every effort to be thorough about this.

I realize you've had some problems booting into Safe Mode during bootup, but that really is something you need to learn how to do, so I hope you'll give it another shot, rather than using MSCONFIG. Simply start pressing the F8 key repeatedly during the POST; Microsoft could have provided a special hotkey combination to accomplish this (I hereby nominate ALT-INSERT-F7 for this purpose), but the F8 key has been used as an alternate boot key for a LONG time now, so I guess they didn't want people to have to learn something new. If NOTHING you do will allow you to boot into Safe Mode during the POST process, boot to the Desktop, run MSCONFIG, and reboot into Safe Mode that way.

BEFORE you run HJT to remove that O16 entry, I'm going to ask you to disable System Restore (which will delete all of the previous restore points), and Windows will pretend that disabling System Restore will cause the end of civilization as we know it. Of course, you should feel free to ignore those dire warnings, and disable System Restore for the time being. Once you've rebooted into Safe Mode and searched for the "counter.cab" file (just-in-case), you'll reboot normally; when you get back to the Desktop, you can then reenable System Restore, which will automatically create a new restore point for you.

The following link (to another MS KB article) has information on how to turn the System Restore "feature" ON or OFF:

http://support.microsoft.com/kb/310405

Since I don't have ANY systems that use System Restore, I can't be positive about this, but I suspect that SR makes a backup copy of all the ActiveX controls, and that can bite you in the future. No matter how much you do to clean the system, if System Restore is ever used, it will reinstall the nasty little dialer program (among other things you're trying to eliminate), and we don't want that to happen.

FWIW, System Restore does NOT automatically create a new restore point on a NON-system drive (IOW, any harddrive you DON'T boot the system from, such as an external harddrive attached to the system); though that is probably a moot point with each of your systems, I wanted to clarify that point for anyone else who might read this thread looking for information about using System Restore.

There are several OTHER links in that article, all providing more information about working with System Restore; this is one you should bookmark, and read through when you have the time:

http://support.microsoft.com/kb/302796

Moving on now...

FWIW, I had INTENDED to include a link to a MS Knowledge Base article about how to remove CTFMON.EXE from the system, but pain and time constraints conspired against me; here's the link:

http://support.microsoft.com/kb/282599

There are very specific, well-detailed instructions provided there on how to eliminate CTFMON; you'll need to follow the steps for clearing it from WinXP systems. You should bookmark that page, and get familiar with the process, so you can eventually do the same thing for any other systems with CTFMON installed.

Well, I find myself on the verge of collapse, so I'll wrap this up soon, then try to sleep for a few hours. I appreciate knowing that we have a bit of a time-cushion for getting the laptop ready to go back to school, but I want to provide some links for you about how to install memory in a laptop. The laptop maker might have a tutorial / pictorial available that you can refer to, but these are a few I located through a quick Google search:

http://www.crucial.com/install/sodimm.asp

http://www.hardwaresecrets.com/printpage/189

http://support.gateway.com/s/Mobile/Gateway/M675/3501731faq65.shtml

http://www.directron.com/laptopdiy.html

http://compreviews.about.com/od/tutorials/ss/DIYNoteMem.htm

I think you'll find plenty of details within those links; as you'll see, installing laptop memory might require removing the keyboard, or simply removing a cover panel from the bottom of the system, though you'll be better off if you can locate a user's manual for your specific system. If you don't have one available, post the details about your laptop, and I should be able to locate more information for you on the 'net.

Lastly, I'll ask you to check these links:

http://www.pcworld.com/resource/printable/article/0,aid,122288,00.asp

http://www.pcworld.com/resource/printable/article/0,aid,123731,00.asp

http://www.pcworld.com/resource/printable/article/0,aid,123979,00.asp

Some good information provided there; I realize you must be incredibly busy, but simply skimming through the multitude of links I've posted in this reply could help you increase both your knowledge and level of comfort about what you want to accomplish tremendously, in a relatively short amount of time.

Happy New Year to all at the Roseann-erosa (OK, so maybe it ain't the Ponderosa, but you DO call it home...)


----------



## tjcrm (Dec 5, 2005)

I was very discouraged today. I followed your directions to the letter. I disabled system restore and ran HJThis, corrected the O16 entry. I rebooted in safe mode (no problem). I searched for "counter.cab" (I have show hidden files enabled). The file was not found. I rebooted in normal mode and re-enabled the system restore. Again the O16 entry appeared. I deleted again with HJThis and it stayed gone ... UNTIL I rebooted. Every time I reboot, the file reappears.

I left the computer alone. Entertained my company. AS SOON AS the last person to leave was out the door I came back to the computer and repeated all the steps again. Still the same results. Every time I reboot and run the HJThis log the file is there!

If that wasn't bad enough, I tried to remove the Ctfmon.exe following the directions on the microsoft website. Part way through, it was looking for the installation disk for the Microsoft Office Professional 2003. It needed the file SKU011.cab. Of course she does not have the installation disks. I tried to search for the file on the internet, but that was discouraging. It did not look like anyone had a fix for this problem ... most of the posters DID have the disks and it didn't help. So as soon as I hit cancel it "rolled back the installation". I also tried this whole procedure twice, once this morning and again tonight. No difference.

I read through most of the links you sent. One was very long and detailed and I am saving that for tomorrow when I can read it and try out some of the suggestions without any interruptions. It was the "tips for faster startups" page.

As far as the memory for the laptop goes: I had been lucky that I found the crucial.com website. It helped me to figure out what kind of memory is in the laptop. Apparently the laptop can only hold 256MB and it has ONE slot which already has 128MB installed. The only thing I have not been able to find is WHERE the memory is located. I'm hoping it is in the access panel on the bottom of the laptop and NOT under the keyboard. It is an older laptop: Compaq Presario 1200US. I have done internet searches but have come up empty on diagrams of where the memory is located.

I'm exhausted and I feel like I have not accomplished anything with the laptop today. I'm hoping this is not the way this whole year is going to be!

Happy New Year to you and yours!!

Last minute thought ... I will post the HJThis log anyway.

Logfile of HijackThis v1.99.1
Scan saved at 12:25:51 AM, on 1/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - 
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Thanks for all your help!


----------



## sammysosa (Nov 25, 2005)

Well, try not to get TOO discouraged; after all, you AGREED to play in MY sandbox for a while... 

Trust me on this; it can be a LOT worse (though I do try to keep those days to a minimum). You saw first-hand just how frustrating this type of work can be; I suspect the O16 entry in the HJT log is caused by an ActiveX control buried deep somewhere on the system, so we'll have no choice but to look for it, though we'll cover some other ground first.

For information about upgrading that Compaq laptop, I searched Google for these terms, which seemed to be the most important words I could think of (which is why they're known as "keywords"):

compaq presario 1200us manual download

The second link on the Google results page will be this one:

http://h10025.www1.hp.com/ewfrf/wc/...areCategory&lc=en&os=228&product=94936&cc=us&

That page will provide several links on the left side of the page; I opened most of them without finding specific information on how to upgrade the memory, and finally found this page:

http://h10025.www1.hp.com/ewfrf/wc/...y&lc=en&product=94936&os=228&cc=us&rule=1043#

That wasn't what I was looking for, so I clicked on the "Search" button at the bottom of the page, and entered the terms:

upgrade RAM

That took me to this page:

http://h10025.www1.hp.com/ewfrf/wc/...cname=c00035793&product=94936&dlc=en&lang=en#

Normally, I would have been happy enough with that link, but then I noticed the dark red "Printable Version" link, which gave me THIS page:

http://h10025.www1.hp.com/ewfrf/wc/...&lang=en&cc=us&printable=yes&encodeUrl=true&#

You might have noticed that the links to the Hardware Secrets website and those PCWorld articles in my last post all contained the word "print" or "printable"; the original links (which I didn't provide) were spread over several pages, while the "printable" versions were one page only, which makes reading them much easier. Consider that a hint for when you have the option of which version to choose when you're trying to learn something... or, when you really do need to print something. "Printable" pages tend to have less clutter and junk on them, so a word to the wise...

Seems as if HP / Compaq can't be bothered providing a DIRECT link to that last page (or, I simply couldn't find one), but I've spent a LOT of time on OEM websites over the years, and I knew I was licked... which is why I gave in and used the "Search" option. You'll notice that the "printable" page doesn't have that annoying left margin, which makes the entire page easier to read (to these eyes, if no others).

The GOOD news is, I think you'll be happy to see the photo showing where to access the memory...

FWIW, I use the Crucial website more than any other for information about which type of RAM I need for the various motherboards I install when building (or upgrading) a system. Though I also use the Kingston and Corsair websites, I simply prefer the Crucial RAM configurator to anything else I've found. You might have noticed that the very first laptop memory upgrade link in my previous post was to the Crucial website, which I now confess WASN'T an accident... 

Here's a link to a good basic tutorial on how to work with the Windows Registry. The FIRST rule in Registry modification is to MAKE A BACKUP of the ENTIRE Registry before you do ANYTHING else. So, use that tutorial to make a fresh backup copy of the Registry every day for a week or two, and pretty soon, it will be second nature. You can delete the oldest copies to save room on the HDD, but knowing how to backup the Registry is something you'll never regret learning:

http://h10025.www1.hp.com/ewfrf/wc/...os=228&product=94936&cc=us&docname=c00035759#

Someday, you might have to fix a problem in the Registry; making a complete backup FIRST means you're working with a safety net under the highwire, and it is so easy to do, there is no excuse for not doing it as a matter of routine practice. Develop the habit on ALL of those systems; the Windows Registry you save might be your own...

One thing you can do which MIGHT help get rid of that O16 entry is to run Disk Cleanup, and check the box to delete the Downloaded Program Files, which might be the source of the problem, since ActiveX controls are routinely downloaded there. I can't make any guarantees that this will work for you, since I block ALL ActiveX files from being downloaded to my systems, but it can't hurt to try.

Just follow the steps outlined on this webpage, under the heading of "Deleting temporary files and directories"; see Figure 3 for more information:

http://h10025.www1.hp.com/ewfrf/wc/...egory&product=94936&dlc=en&docname=c00034290#

BTW, feel free to let HJT eliminate that useless Real Player button for you:

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

Other than the known issues with the dialer entry and CTFMON (which happens to be an actual MS file, not malware), the HJT log is clean.

As for CTFMON, we'll just put it on a back-burner for now, and if I stumble across anything that might help you eliminate it in the future, I know where to find you...

Once again, you have more than enough to keep you busy for quite a while, so I'll end this now and watch for your reply.

Don't rush this, don't get frustrated; nothing happens to be seriously BROKEN right now, so this is more for training and education than anything else, to better prepare you as the in-house tech support for your family and friends.

Have fun learning, and don't be afraid to apply some "wall-to-wall counseling" if the laptop decides to misbehave; you know, first you bounce it off one wall, then you bounce it off another wall, and keep doing it until the entire thing completely disintegrates...


----------



## tjcrm (Dec 5, 2005)

Thanks so much for all the links you provided. I have read them and others from those pages too.

The links to upgrading the RAM were perfect. The "right" keywords are most important in searching. I was not using the right ones to search with for sure. I was very pleased to see the RAM will be located in the access panel and not under the keyboard. I am still waiting for the RAM to arrive. First there was a problem with my ordering 3 times in 2 months time -- some garbage about protecting me from fraudulent charges. They weren't big orders! Then they were doing inventory and now it is on backorder. Guess I'm learning why some people don't like Tiger Direct!

Thank you for teaching me to make a registry backup. I will be passing that information onto older daughter and son. I might even show younger daughter how to export the backup. It is easy on the XP computers. I set up a "c:\Registry Backup" folder on each of the computers. When exporting from XP it always opens that folder. When exporting from the Win98 I have to "look" for that folder. Should restoring the registry backup be used instead of a Windows system restore? The Win98 computer came with a neat program that has saved me numerous times, it is called "Go Back". I was not able to install it on the XP computers though.

I ran Disk Cleanup. I have a funny story with this. I ran it on daughter's laptop first and when I saw the size of the Temp Internet files (9,704KB) and Temp Files (5.375KB), I thought, "WOW, that is a lot!" Then I went to the other computers (which I thought I was good about deleting internet files on) and the Temp Internet files were 109,462KB and 86,871KB. Since that time I have found out how to translate KB to MB to GB.

The bad news is that Disk Cleanup did not get rid of the file:
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - 
I was hoping it would. I keep having HJThis fix this line and when I reboot it comes back.

I did take care of this file in the HJThis program:
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

Again, thanks for ALL your help and understanding.

Roseann


----------
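
The log triage being done by eye in this thread, as an added example (not code from any poster or from HijackThis itself): it parses the O2, O16 and O23 lines of a HijackThis log, flags entries whose name, download URL or file is missing, and compares two scans to show which findings survived a fix. The sample lines are copied from the logs posted in this thread; the function and variable names are this example's own.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section ident name target")

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# O16 = ActiveX "Downloaded Program Files" entries, which HijackThis reads from
# HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units.
# Format: "DPF: {CLSID} (Name) - codebase URL"; name and URL can both be absent.
O16_RE = re.compile(r"^O16 - DPF: (%s)(?: \((.*?)\))? -\s*(.*)$" % GUID)
# O2 = Browser Helper Objects: "BHO: Name - {CLSID} - path to DLL"
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (%s) - (.*)$" % GUID)
# O23 = services: "Service: display name - owner - path to binary"
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*)$")

# Constructed sample input: lines copied from the two logs posted in this thread.
SCAN_EARLIER = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} -
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
"""
SCAN_LATER = r"""
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} -
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} -
O23 - Service: iPodService - Unknown owner - E:\Program Files\iPod\bin\iPodService.exe (file missing)
"""


def parse_log(text):
    """Return Entry tuples for the O2, O16 and O23 lines; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()  # also drops the trailing space HijackThis leaves after "-"
        m = O16_RE.match(line)
        if m:
            entries.append(Entry("O16", m.group(1).upper(), m.group(2) or "", m.group(3).strip()))
            continue
        m = O2_RE.match(line)
        if m:
            entries.append(Entry("O2", m.group(2).upper(), m.group(1), m.group(3).strip()))
            continue
        m = O23_RE.match(line)
        if m:
            entries.append(Entry("O23", m.group(1), m.group(1), m.group(2).strip()))
    return entries


def triage(text):
    """Return {(section, ident): reason} for entries that deserve a manual look."""
    findings = {}
    for e in parse_log(text):
        if e.section == "O16" and not e.name and not e.target:
            reason = "ActiveX entry with no name and no download URL"
        elif e.section == "O2" and e.target == "(no file)":
            reason = "BHO still registered but its DLL is gone"
        elif e.section == "O23" and e.target.endswith("(file missing)"):
            reason = "service still registered but its binary is missing"
        else:
            continue
        findings[(e.section, e.ident)] = reason
    return findings


def persisted(scan_before, scan_after):
    """Findings present in both scans, i.e. ones that came back or were never removed."""
    before, after = triage(scan_before), triage(scan_after)
    return sorted(key for key in before if key in after)


def new_findings(scan_before, scan_after):
    """Findings that only show up in the later scan."""
    before, after = triage(scan_before), triage(scan_after)
    return sorted(key for key in after if key not in before)


if __name__ == "__main__":
    reasons = triage(SCAN_LATER)
    for key in persisted(SCAN_EARLIER, SCAN_LATER):
        print("still present:", key, "-", reasons[key])
    for key in new_findings(SCAN_EARLIER, SCAN_LATER):
        print("new:", key, "-", reasons[key])
```

A flag here only means the registration is incomplete or orphaned; whether the entry is hostile still has to be settled by finding what owns that CLSID.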



## tjcrm (Dec 5, 2005)

Daughter is still complaining that the computer is SLOWWWW. I'm hoping that the RAM (once it arrives) will help with that problem. 

The other problem she is complaining about is that she cannot "right click" on a file, My Computer or even the c: drive without an insta-shield for Symantec coming up. She can however right click on the desktop without the insta-shield starting. It is very frustrating. I think she was trying to organize A TON of music files and every time she right clicked them, she needed to cancel the insta-shield from running. Finally, she took her external drive and connected it to the XP desktop upstairs. That was the short-term fix. I was wondering what the TRUE fix for this problem is. I was thinking about uninstalling and reinstalling Nortons from the computer ... she mentioned something about the school gave her that program to put on her machine ... disks?? If she has the disks they are not with her right now, probably back in the dorm room.

I KNOW there is a solution to this problem. I can think of several and one of them could be "wall-to-wall counseling". I'm just not sure if I want to do it to the machine or the daughter.  

Thanks AS ALWAYS for your help.

Roseann


----------



## tjcrm (Dec 5, 2005)

I've been doing a little research on the "right click" problem. 

Apparently we are missing a file named "symantec antivirus.msi". I have figured out now that she has Symantec Antivirus Corporate 10 installed on her computer. I thought it was strange that she would have a corporate edition and inquired some more. Now the truth comes out that a friend installed it on her computer and she DOES NOT have any disks. I have been searching the internet for a copy of this file. It seems that until Symantec gets this file, whenever we right click on an icon or a file it is going to start the installation wizard. 

This is the DRAMATIC daughter ... she has been threatening everyone that she is going to take one of the other computers back with her to college because hers is a giant paperweight! We are mostly trying to ignore her comments (I guess by that I mean ME). Glad you don't live close enough to hear the fighting that was going on in my house today with ALL the kids!!

She also decided that we should take AOL off her computer because that will free up more space. I went into add/remove programs and deleted it from there. 

I will be glad when we get her computer all straightened out.

Thanks for your help.

Roseann


----------



## sammysosa (Nov 25, 2005)

Well, YOU'VE certainly been keeping busy! I've actually written a response to you several times over the last week now, but fate has conspired against me. I've written detailed information (no surprise there, right?), only to have it completely wiped out for some stupid reason or another, which is infuriating...

I'll try to hit the high points in this, and go into more detail about a few issues NEXT time I post here; I'm on the verge of collapse once again, and really need to sleep a few hours.

FWIW, I realize that my last few posts could overwhelm you; I posted several links for you, and usually, links lead to links, which lead to links, which leads to... and the next thing you know, you've been reading for HOURS and everything you've PLANNED to do is now behind schedule.

Along with possible information overload and potential burnout, I wanted to give you time to absorb everything you've read and learned so far; learning is great, but retaining the knowledge is critical.

Here's something to think about; what is the single worst mistake people make when they work on a laptop computer?

I don't believe I've mentioned this previously in this thread, but the answer is probably mentioned in one (or more) of the links on how to service a laptop I've posted. If you think about it when you're rested, and have the chance to actually examine a laptop while you think about it, this answer will come to you:

Probably the SINGLE MOST IMPORTANT step that people FORGET to do when working on a laptop is to REMOVE THE BATTERY before you do ANYTHING else!

Please keep that in mind; replacing the SO-DIMMs (Small Outline DIMMs) in a laptop can be even easier than the same procedure in a desktop system (as long as you don't have to remove the keyboard), but ALWAYS remove the battery BEFORE you start to disassemble a laptop. Leaving the battery in is a recipe for BAD medicine...

BTW, if you ever DO have to remove a keyboard from a laptop, it is usually attached to the rest of the system by a VERY fragile ribbon cable. The cables are easy to damage right out of the box; even worse, they tend to become brittle with age, and even MORE likely to cause problems (from the effects of incidental damage), so a word to the wise...

That laptop is SERIOUSLY hampered by the lack of RAM; XP is a true resource hog, and it INHALES any RAM you provide. Even though that system isn't an ideal candidate to run WinXP (due to CPU speed, the size of the HDD, and the limited RAM capacity, just to name a few reasons), it can be made to work acceptably well, and I understand why you installed XP on it. WinXP should boot noticeably faster once you install the extra DIMM, though it will NEVER boot fast enough to satisfy ME... but that's because I'm "difficult"...

To be BRUTALLY honest with you, MANY years ago, the Norton programs were the best available. Over the last five years or so, the quality has slipped to the point where I stopped using them in favor of less resource-intensive alternatives. Since you have a little more time to consider this before your "dramatic" daughter returns to school, you might want to consider running Add/Remove to dump the Symantec products, and install some alternative FREEWARE programs instead. Though I'm too tired to suggest anything now, please give this some thought (but DON'T make any decisions just yet!); you have the luxury of time on your side, so for now, I'll simply ask you to look in Add or Remove Programs to identify the Norton / Symantec apps, and post that information here. Once we know what you're using, we'll be able to review your options on which software would be suitable. I hate thinking your daughter is using bootleg software, regardless of how well-intentioned her friend was, so let me know which Norton programs are installed, and we'll consider some options for you.

Well, I'm falling asleep as I type this, so I'll post it now, then try to follow up on it with you later.

Take care, Roseann; here's hoping you have a more peaceful day today than yesterday, and don't forget the Court of Last Resort: If your kids INSIST on aggravating you, it ISN'T too late to ship them off to a military school. I've encouraged several friends to at least THREATEN their offspring with such a fate, and you'd be amazed how much better kids will behave when they finally realize that the good times are about to come to a screeching HALT!

Yes, they are the TRUE "fruit of YOUR labor", but that doesn't mean that you can't get them into the Army-Navy Academy in San Diego on short notice:

http://www.armyandnavyacademy.org/

http://www.armyandnavyacademy.org/prospective_cadets/

Though there are several other choices available to you, the Army-Navy Academy is one of the best schools in the world for kids who need a wake-up call, and if you send them there, you won't have to run away and join a circus...

See you in the forums, or somewhere in the ether...


----------



## tjcrm (Dec 5, 2005)

OH NO. Now I know how you feel ... I just typed a whole response to you and then everything was gone ... just like that! That's why I hate typing on a laptop. The keys are too close together and I feel squished. I don't know what I hit, but I was on another page altogether. When I got back to this one everything I typed was gone.

Thank you again for the reminder to remove the battery. I will not forget to remove it ... just mention the word "shock" and I won't go near whatever it is. This brought up memories of my brother torturing me to "lick the battery, it feels good!" The RAM should be arriving this week.

I discussed with my daughter how she would like to handle the Nortons problem and she just said "delete it"! That was surprisingly easy.

When I looked in the add/remove this is what I found out about Nortons:
Symantec Antivirus Corporate Edition Version 10.0.359.0

Here is the HJThis log for daughter's laptop:

Logfile of HijackThis v1.99.1
Scan saved at 4:45:29 PM, on 1/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\dwwin.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - 
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - 
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPodService - Unknown owner - E:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

I think I made a BIG booboo when I deleted the AOL off her computer. Now I have three files that I cannot get rid of. I have "fixed" them with the HJThis and rebooted, and every time I reboot they are back.

The three files are:

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - 
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - 
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} -

This other file is because we do not have her e: drive plugged into her laptop at the moment:

O23 - Service: iPodService - Unknown owner - E:\Program Files\iPod\bin\iPodService.exe (file missing)

After seeing what happened when I removed AOL with the "add/remove", should I attempt to remove Nortons the same way?

Thanks for all your help.

Roseann


----------



## Jedi_Master (Mar 13, 2002)

> I have figured out now that she has Symantec Antivirus Corporate 10 installed on her computer. I thought it was strange that she would have a corporate edition and inquired some more. Now the truth comes out that a friend installed it on her computer and she DOES NOT have any disks.


My advice to you at this point is to uninstall Symantec Antivirus and install AVG; what she has installed is illegal...


----------



## sammysosa (Nov 25, 2005)

Well, this is going to get a little complicated...

You posted this, about three files you're having problems with:

"The three files are:

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} -

O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} -"

The FIRST one is actually part of Spybot S&D:

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

I THINK you meant to paste this one instead:

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)

That fragment is part of the Google Toolbar, probably a remnant of removing AOL. It won't cause any problems, and the easiest way to fix it would be to run the Registry cleaning component of Crap Cleaner, which should find and eliminate it without a fuss.

After that, if you decide you want the Google Toolbar again, you can download the Firefox / Mozilla Suite Toolbar from here:

http://toolbar.google.com/firefox/index.html

and you'll find the IE version available here:

http://toolbar.google.com/index_2

Check these links while you're thinking about Google:

http://pack.google.com/

http://www.google.com/intl/en/options/

That SECOND listing:

1D0D9077-3798-49BB-9058-393499174D5D

is from the DIALER.EXE program we can't locate. Again, Crap Cleaner should find and eliminate it without a fuss. I didn't tell you that previously, because I hoped the "missing" dialer ActiveX file would reappear and allow us to delete it, but I now believe we're only dealing with a remnant cleaned off by Spybot or something else, so we'll let CCleaner take care of that bit of housework as well.

The LAST item:

37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40

is in fact a fragment left over from AOL, part of the "AOL Coach" program, which handles "AOL Auto Fixes". Again, CCleaner should make short work of it when you clean the Registry. As you can see, YOU didn't actually cause ANY problems; those are just fragments from the dialer and the AOL uninstallation process, and CCleaner and other programs are designed to eliminate such things, which saves you the aggravation (and potential danger) of manually editing the Registry yourself just to eliminate a few scraps.

Anyway, the rest of the log is clean, but I did notice that Dr. Watson (a Windows tool) is running, so I wonder if you've had any problems with that system recently. We'll leave it alone for now, but it is actually somewhat helpful in diagnosing software problems that lead to system crashes; I know, you can't BELIEVE Microsoft put something USEFUL into Windows, but they actually designed it to make analyzing problems easier on their in-house geeks. The original Dr. Watson program goes WAY back to Windows 3.1, which was released in 1992! It was MIA for Win9.x, but it has been updated and reinstated with the release of WinXP. There are some complaints about Dr. Watson causing problems with some software, but as long as it doesn't cause problems for YOU, we won't overreact here...

Thanks for reminding me about the iPod entry...

By all means, run Add/Remove on the Symantec AV Corp. Ed.; I didn't want you to make any changes to it until I was able to think more clearly (still suffering from lack-of-sleep) on a small-footprint alternative for that laptop, but Jedi_Master was kind enough to suggest AVG Antivirus, and I won't argue with that.

I WOULD like you to run CCleaner on the Registry errors FIRST, just to refresh your memory on how to use it (find the "Issues" button in the left panel of CCleaner; it uses the traditional "Registry" icon MS has been using since the days of Win3.1, although editing the Registry in THOSE days was not something an end-user could accomplish). Instead, we edited .INI files...

Anyway, please download AVG from the link that was so kindly provided:

http://free.grisoft.com/doc/2/lng/us/tpl/v5

but do NOT install it UNTIL you've done everything else listed in the next paragraph. You do NOT want two AV programs on the same system, which is just asking for problems...

First, run CCleaner, then reboot, then run Add/Remove for the Symantec stuff, then reboot and run CCleaner again, then reboot a THIRD time, then run HJT BEFORE you open any other programs, and post a fresh HJT log when you can.

My best to you and yours; if you don't want to ship the kids all the way to nice, warm San Diego, you can always enroll them in the New York Military Academy (NYMA), which is near West Point, on the north side of Storm King Mountain, in Cornwall-on-Hudson... I know you're on the east coast, so that would be a lot closer, if not also a lot COLDER...

No rush on doing this; I realize how busy you must be with the Drama Queen and her entourage... 

Well, I'm all bleary-eyed again, and have to keep rubbing my face to stay awake, so I'll take that as a hint, and stop here.


----------



## tjcrm (Dec 5, 2005)

I ran the ccleaner and rebooted, removed symantec and rebooted, ran ccleaner again and rebooted and now just ran the HJThis. Oh, and somewhere in there I installed AVG.

Thanks Jedi_Master and Sammy, that is the program I have running on all my other machines. So it was a no-brainer for me. I feel very comfortable with AVG.

I disabled her AIM and DEAD AIM while I was rebooting because they take a long time to load. It made a BIG difference. It still took me almost an hour and a half to complete this whole task (with all the rebooting)!

Here is the latest HJThis log for her laptop:

Logfile of HijackThis v1.99.1
Scan saved at 12:11:28 PM, on 1/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - 
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - 
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe


----------
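
The cleanup worked through in this thread (entries left pointing at no file, then a fresh log after swapping Symantec for AVG) can be checked mechanically. This is an added example, not code posted by anyone in the thread; the names `parse` and `compare` are made up here, and the sample lines are copied from the two HijackThis logs posted above.

```python
import re

ENTRY = re.compile(r"^(O\d+) - ([^:]+): ?(.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Sample lines copied from the two logs in this thread (first log, then fresh log).
BEFORE = r"""
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} -
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} -
O23 - Service: iPodService - Unknown owner - E:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""
AFTER = r"""
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} -
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} -
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

def parse(log):
    """Parse 'O<n> - <kind>: <rest>' lines; skip headers and process lists."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, kind, rest = m.group(1), m.group(2), m.group(3).strip()
        c = CLSID.search(rest)
        # Orphan: the log marks the file as gone, or nothing follows the CLSID.
        orphan = rest.endswith(("(no file)", "(file missing)")) or (
            c is not None and rest[c.end():].strip(" -") == "")
        entries.append({"section": section, "kind": kind, "rest": rest,
                        "clsid": c.group(0).upper() if c else None, "orphan": orphan})
    return entries

def compare(before, after):
    """Return (removed, added, orphans still present in the newer log)."""
    b, a = parse(before), parse(after)
    key = lambda e: (e["section"], e["rest"])
    b_keys, a_keys = set(map(key, b)), set(map(key, a))
    removed = [e for e in b if key(e) not in a_keys]
    added = [e for e in a if key(e) not in b_keys]
    return removed, added, [e for e in a if e["orphan"]]

if __name__ == "__main__":
    labels = ("removed", "added", "still orphaned")
    for label, items in zip(labels, compare(BEFORE, AFTER)):
        print(label, [e["rest"] for e in items])
```

On these lines the Symantec entries show up as removed, the AVG entries as added, and the three CLSID entries with no target remain in the newer log.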



## tjcrm (Dec 5, 2005)

The new RAM came the other day. I installed the new 256MB RAM in the laptop -- no problem.

I did notice something interesting though. When I was on the crucial.com website, it reported that the computer had one slot of 128MB RAM and it could only be expanded to 256MB. So I ordered the 256MB and removed the supposedly 128MB. When I checked in the device manager BEFORE installing, it reported 124MB (I assume that the video card is using the 4MB.) When I checked the device manager AFTER installing the 256MB of RAM, it was reporting 314MB. (1) The RAM I removed was only 64MB and (2) the computer recognizes more than 256MB.

So I went back in to see if there was another slot somewhere that I could locate. There were two access panels on the bottom of the computer. The first one I opened contained the ONE slot of RAM. Under the other access panel looked like something else ... ?? Motherboard maybe?? Definitely not another RAM slot.

As you know, I am not too computer savvy. Is there an unremovable 64MB RAM?

Anyway, the daughter is happy enough with the way it is working! She says, "It has never been this fast before!!!" (You know I was looking to see if I could add more RAM because if I could make it even faster ... I'd be the hero! ... with your help of course)

As always, thanks for your help and encouragement.

Roseann


----------



## Jedi_Master (Mar 13, 2002)

Yes, the first 64 meg RAM is soldered onto the motherboard, as it is with many laptops...

Glad the laptop is working up to your daughter's expectations (I know I have a daughter and if the pc isn't working right to her...well there's all he11 to pay)...


----------



## tjcrm (Dec 5, 2005)

Thanks Jedi_Master!

Sounds like our daughters are similar, but I can't blame them. It is frustrating when the computer is not working right. (Only I try to fix it ... daughter just complains.)

Roseann


----------

