# Solved: may have a virus, positive i do



## gmcsierra99 (Dec 7, 2005)

i get a lot of pop-ups, and the computer's real slow, it has 2 have a virus, or some kind of nasty, because there's no anti-virus programs, BTW, i got this computer today, i found it in the trash, around the block, i took it home, 2 see what it was missing, seen everything, but no power supply? soo i went back over there and found it, torn apart, and the case was right next 2 it, soo i take it home, put everything back together, and what do you know? it works!!, unbelievable, it's a Compaq Presario 5155, Windows 98SE, had 128MB RAM, now 256MB, has a slot 4 another 1, maybe i'll put another module in?, anyway im going 2 download AVG, and Ad-Aware 4 now, also im going to post a HJT log, thanks 4 any help :up: :up: :up: .


----------



## gmcsierra99 (Dec 7, 2005)

downloaded AVG, and Ad-Aware, and they're both updated, i also downloaded HJT, and here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 12:33:10 AM, on 4/10/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MSDTCW.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\MWSVM.EXE
C:\PROGRAM FILES\MEDIA\MEDIA\UPDATESTATS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\BARGAIN BUDDY\BIN\BARGAINS.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\180SEARCH ASSISTANT\180SA.EXE
C:\PROGRAM FILES\CLOCKSYNC\SYNC.EXE
C:\PROGRAM FILES\EZULA\MMOD.EXE
C:\PROGRAM FILES\SAVE\SAVE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\COMMON FILES\GMT\GMT.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\sb.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.smarter.com/index.php?sidebar=1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=yahoo_v.1_ie&bm=yh_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.smarter.com/index.php?sidebar=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.smarter.com/index.php?sidebar=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://sidebar.smarter.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.smarter.com/index.php?sidebar=1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?session=862CB7C9-3F97-4319-9631-72659D26B27F&version_id=18
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\IEASST.DLL (file missing)
O2 - BHO: Search Toolbar BHO Object - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\SYSTEM\STLBDIST.DLL
O2 - BHO: (no name) - {12D04660-200E-11D8-86F9-0040D0040D62} - C:\WINDOWS\SYSTEM\NVETDI.DLL
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: Sidesearch BHO - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH1311.DLL
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\BIN\APUC.DLL
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - C:\PROGRAM FILES\180SEARCH ASSISTANT\180SAHOOK.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\SYSTEM\STLBDIST.DLL
O3 - Toolbar: PWRSWMDA - {4E7BD74F-2B8D-469E-D3FA-F27BA787AD2D} - C:\PROGRA~1\POWERS~1\TOOLBAR\PWRSWMDA.DLL
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CMESys] "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [websearch] wjview /cp "C:\Program Files\websearch\System\Code" Main lp: "C:\Program Files\websearch"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [SvcHost32] C:\WINDOWS\svchost32.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe
O4 - HKLM\..\Run: [ClrSchLoader] \Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe 
O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\SYSTEM\STLBDIST.DLL,DllRunMain
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\UPTODATE.EXE
O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\SYSTEM\IEDriver\IEDriver.exe
O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin\bargains.exe
O4 - HKLM\..\Run: [3BTW6X7282RZRD] C:\WINDOWS\SYSTEM\Vich.exe
O4 - HKLM\..\Run: [KeenValue] C:\Program Files\Common files\KeenValue\KeenValue.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [NTXAHKN] C:\WINDOWS\NTXAHKN.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [180sa] c:\program files\180search assistant\180sa.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [MSDTC] msdtcw -start
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\PROGRA~1\SAVE\Save.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {1A00C40B-DA85-4aa3-A67F-582D9347EECD} - C:\WINDOWS\SYSTEM\TD.exe
O9 - Extra 'Tools' menuitem: Turbo Download - {1A00C40B-DA85-4aa3-A67F-582D9347EECD} - C:\WINDOWS\SYSTEM\TD.exe
O9 - Extra button: Sidesearch - {000007C6-17DF-4438-92A4-DE5537471BA3} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH1311.DLL
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {7CEEAB76-D59E-11D3-8394-00C04F7BDF10} (Application Class) - http://www.tradestation.com/tscom/ClientPlugIn/tsTemp.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://208.62.27.145/TSCOM_TOOL/IFTWCLIENTS/IFTWCLIX.CAB
O16 - DPF: {6BA1270C-B969-4234-B827-7B3BBB4F5FFC} - http://63.99.207.62/builds//build922/install.cab
O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/OPTIAOL2/optimize.cab?id=5121828
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/idenupdate/nextel/iUpdateAutoLaunch.ocx
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install026.exe


----------



## awergh (Jan 13, 2006)

GMT.exe, CMESYS.EXE, BARGAINS.EXE, 180SA.EXE, MWSVM.EXE, SYNC.EXE, SAVE.EXE
are all spyware/adware, so i suggest you do a scan and that you download Spybot Search & Destroy as well; Ad-Aware doesn't get it all
http://www.safer-networking.org/en/index.html
http://fileforum.betanews.com/sendfile/1043809773/1/spybotsd14.exe


----------



## flavallee (May 12, 2002)

You found a computer in the trash and got it working? Lucky you.

-------------------------------------------------------------------------------------

It's got way too many unnecessary programs running in the background, so we need to trim down the startup list.

Click Start - Run, type in MSCONFIG, then click OK - "Startup" tab. Remove the checkmark from:

*TaskMonitor* taskmon.exe

*LoadPowerProfile* LoadCurrentPwrScheme

*AtiCwd32* Aticwd32.exe

*AtiKey* Atitask.exe

*RealTray* RealPlay.exe

*QuickTime Task* qttask.exe

*LoadPowerProfile* LoadCurrentPwrScheme

*SchedulingAgent* mstask.exe

Click Apply - OK afterwards, then reboot.

(These are the more obvious ones. We'll trim down the startup list even more later)

-------------------------------------------------------------------------------------

Make use of both

*Ad-Aware SE Personal 1.06*

*Spybot - Search & Destroy 1.4*

to get rid of the spyware and "nasties". Make sure to run their update function and install all available updates before running a scan with them. Select and fix everything that Ad-Aware finds. Select and fix everything in red that Spybot finds. Run Ad-Aware first and Spybot second.

Reboot again.

-------------------------------------------------------------------------------------

Click Start - Find - Files And Folders, select the hard drive ( C: ) to look in, then delete everything that appears under:

C:\WINDOWS\TEMP\*.*

C:\TEMP\*.* (Not all computers have a C:\TEMP folder)

*.OLD

*.CHK

*.BAK

MSCREATE.DIR

(Make sure to reset "Look In" to the C: drive after doing each one)

Reboot again.

-------------------------------------------------------------------------------------

After you've done all of the above, post a new HijackThis log here.

There's more work to do.

-------------------------------------------------------------------------------------

To tell you the truth, you'd be better off with formatting the hard drive and doing a fresh install of Windows 98SE because it's going to be almost impossible to completely clean out all the useless programs and stray files and registry entries.

The support and software updates site for that computer is located here. Make use of it.

-------------------------------------------------------------------------------------


----------



## gmcsierra99 (Dec 7, 2005)

about time Ad-Aware finished, i quarantined 670 Objects, that's a lot, now im going to run Spybot, and if i had the windows 98SE CD, then i would re-install Windows. that would make it a lot easier.


----------



## Cheeseball81 (Mar 3, 2004)

I would do this next.....

* *Click here* to download *Webroot SpySweeper*.

(It's a 2 week trial.)

* Click the Free Trial link under "SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
  * Sweep Memory
  * Sweep Registry
  * Sweep Cookies
  * Sweep All User Accounts
  * Enable Direct Disk Sweeping
  * Sweep Contents of Compressed Files
  * Sweep for Rootkits
* Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.

Also post a new Hijack This log.


----------



## gmcsierra99 (Dec 7, 2005)

ok, i just tried 2 search 4 them files and folders, but when i select look in C:, and paste the file/folder name, it looks in C:\WINDOWS\TEMP\? is this normal?

and thanks cheeseball 4 your reply :up:, i'll do what you said right now.


----------



## flavallee (May 12, 2002)

Don't paste anything in the window. Just type in each one like I have them listed, make sure the hard drive is selected to look in, then click "Find Now".

Don't just type in C:\WINDOWS\TEMP

You need to type in C:\WINDOWS\TEMP\*.*

What typing in *.* does is to bring up everything inside the TEMP folder so you can delete it.

--------------------------------------------------------------------------------------

Reinstalling Windows 98SE over itself isn't going to do anything to get rid of all the junk in that computer, so there's no need to do it.

--------------------------------------------------------------------------------------

Make use of Webroot Spy Sweeper like CheeseBall81 suggested. It's a very good spyware detection-and-removal utility and can actually do a better job than Ad-Aware and Spybot combined.

-------------------------------------------------------------------------------------


----------



## gmcsierra99 (Dec 7, 2005)

i don't know, i just tried 2 find them files but when i type them in the Named spot, and select look In the C:, the name i typed in the Named spot, goes 2 the Look In spot?


----------



## flavallee (May 12, 2002)

Do you know how to find and open the C:\WINDOWS\TEMP folder? You can empty the TEMP folder manually instead of using the "Find" applet. Once the TEMP folder is open and you can view its contents, click Edit - Select All (which will highlight everything), then click File - Delete - Yes.

-------------------------------------------------------------------------------------


----------



## gmcsierra99 (Dec 7, 2005)

how do i find the TEMP folder in Win.98SE?


----------



## flavallee (May 12, 2002)

Double-click MY COMPUTER.

Double-click the hard drive ( C: ) icon.

Double-click the WINDOWS folder.

Double-click the TEMP folder.

------------------------------------------------------------------------------------


----------



## gmcsierra99 (Dec 7, 2005)

2,415 files were in there. im deleting them now.


----------



## flavallee (May 12, 2002)

That doesn't surprise me there's that many if the C:\WINDOWS\TEMP folder hasn't been emptied in a long time.

Keep them in the Recycle Bin for a couple of days, then you can empty it.

You might try to remember to do this about once or twice a month as part of your computer maintenance. :up: 

-------------------------------------------------------------------------------------


----------



## gmcsierra99 (Dec 7, 2005)

yeah, well, i do it just about every day on my Dell. :up:, right now im running Webroot, it's going 2 be done around 12:20, that's what it says.


----------



## gmcsierra99 (Dec 7, 2005)

im looking 4 Windows updates right now, and it found 29 Critical Updates, this computer must've not really been ran. i checked out some of the files i found on here, and some of them haven't been used since '03.


----------



## flavallee (May 12, 2002)

Go ahead and empty the Recycle Bin so you can reclaim the hard drive space. After you empty the Recycle Bin, right-click the hard drive icon in MY COMPUTER, then click Properties. What does the pie chart show for hard drive size, free space, and used space?

-------------------------------------------------------------------------------------

*Webroot Spy Sweeper 4.5.9* is a very good utility, which is why I paid the $30.00 to buy a subscription to it for a year. Depending on the number of files it has to check, it'll take 20 - 30 minutes or longer to run.

-------------------------------------------------------------------------------------


----------



## gmcsierra99 (Dec 7, 2005)

2.19GB used, and 5.28GB free.


----------



## gmcsierra99 (Dec 7, 2005)

i ran SpySweeper like 3-4 times, and it never finished, im just going to run a Panda Scan.


----------



## flavallee (May 12, 2002)

After you start Webroot Spy Sweeper and allow it to start sweeping, it should tell you approximately how much time is left before it gets done. Once it gets down to "Less than 1 minute", it'll be almost done. Depending on which computer I use it on, it takes over 20 - 30 minutes to run. Make sure you're offline and have turned off your anti-virus program before running a sweep with it.

-------------------------------------------------------------------------------------

I need you to post a new HijackThis log so I can recheck its "O4" list.

--------------------------------------------------------------------------------------

Right-click the Recycle Bin icon, then click Properties. Move the slider from its default value of 10% back to about 5%, then click Apply - OK. Doing that will prevent 10% of the hard drive's size from being dedicated to the Recycle Bin.

---------------------------------------------------------------------------------------


----------



## Cheeseball81 (Mar 3, 2004)

Did you try running SpySweeper in Safe Mode?


----------



## gmcsierra99 (Dec 7, 2005)

Flavallee: last night, and the night before, i let the computer run spy sweeper over night and the computer freezes. i know it will take well over 3 hours 2 finish, on this computer.

Cheeseball: no i didn't, should i do that?


----------



## gmcsierra99 (Dec 7, 2005)

and here's a new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:14:51 PM, on 4/12/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\MSDTCW.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1144644155\EE\AOLHOSTMANAGER.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1144644155\EE\AOLSERVICEHOST.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\WRSSSDK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.smarter.com/index.php?sidebar=1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=yahoo_v.1_ie&bm=yh_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.smarter.com/index.php?sidebar=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.smarter.com/index.php?sidebar=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://sidebar.smarter.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.smarter.com/index.php?sidebar=1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [SvcHost32] C:\WINDOWS\svchost32.exe
O4 - HKLM\..\Run: [3BTW6X7282RZRD] C:\WINDOWS\SYSTEM\Vich.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1144644155\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\RunServices: [MSDTC] msdtcw -start
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: {7CEEAB76-D59E-11D3-8394-00C04F7BDF10} (Application Class) - http://www.tradestation.com/tscom/ClientPlugIn/tsTemp.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://208.62.27.145/TSCOM_TOOL/IFTWCLIENTS/IFTWCLIX.CAB
O16 - DPF: {6BA1270C-B969-4234-B827-7B3BBB4F5FFC} - http://63.99.207.62/builds//build922/install.cab
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/idenupdate/nextel/iUpdateAutoLaunch.ocx


----------
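Comparing successive HijackThis logs by eye, as the helpers do in this thread, can be scripted. The following is an added example (not part of any post and not HijackThis's own code) that parses the `O4` autorun lines and diffs two scans; the sample lines are short excerpts from the first two logs above, and all function names are illustrative.

```python
import re
from collections import defaultdict

# HijackThis prefixes each finding with a section code (R0-R3, F0-F3, N1-N4, O1, O2, ...)
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+?)\s*$")
# O4 registry autoruns look like:  HKLM\..\Run: [ValueName] command line
AUTORUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\]\s*(.*)$")

# Excerpt of the 4/10/06 log posted above
LOG_BEFORE = r'''
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://sidebar.smarter.com/
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - C:\PROGRAM FILES\180SEARCH ASSISTANT\180SAHOOK.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SvcHost32] C:\WINDOWS\svchost32.exe
O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin\bargains.exe
O4 - HKLM\..\Run: [180sa] c:\program files\180search assistant\180sa.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
'''

# Excerpt of the 4/12/06 3:14 PM log posted above
LOG_AFTER = r'''
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SvcHost32] C:\WINDOWS\svchost32.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
'''


def parse_log(text):
    """Group finding lines by section code; header and process lines are skipped."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return dict(sections)


def autoruns(sections):
    """Map (hive, key, value name) -> command for every registry-based O4 entry."""
    result = {}
    for body in sections.get("O4", []):
        m = AUTORUN_RE.match(body)
        if m:  # O4 lines that are not registry autoruns are ignored here
            hive, key, name, command = m.groups()
            result[(hive, key, name)] = command
    return result


def diff_autoruns(before_text, after_text):
    """Report which autorun entries disappeared, appeared, stayed, or changed command."""
    before = autoruns(parse_log(before_text))
    after = autoruns(parse_log(after_text))
    shared = set(before) & set(after)
    return {
        "removed": sorted(set(before) - set(after)),
        "added": sorted(set(after) - set(before)),
        "kept": sorted(shared),
        # same registry value, different command line (compared case-insensitively)
        "changed": sorted(k for k in shared if before[k].lower() != after[k].lower()),
    }


if __name__ == "__main__":
    for status, keys in diff_autoruns(LOG_BEFORE, LOG_AFTER).items():
        for hive, key, name in keys:
            print(f"{status:8} {hive}\\..\\{key}: [{name}]")
```

The diff only reports what changed between scans; deciding whether a surviving or newly added entry is wanted still takes the kind of review the helpers give in the replies.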



## flavallee (May 12, 2002)

Click Start - Run, type in MSCONFIG, then click OK - "Startup" tab. Remove the checkmark from:

*KB891711*

*QuickTime Task*

Click Apply - OK afterwards, but don't reboot yet.

Click Start - Find - Files And Folders, select the hard drive to look in, type in:

*891711*

then click Find Now. When the list of files appears with that 6-digit number, delete all of them that do.

Repeat the steps and type in:

*Qttask.exe*

When the file appears (which should have a blue "Q" icon next to it), delete it.

Now you can reboot.

--------------------------------------------------------------------------------------


----------



## gmcsierra99 (Dec 7, 2005)

ok, i typed in 891711, it found 3 entries, but 1 starts with windows? should i leave that 1 alone?


----------



## gmcsierra99 (Dec 7, 2005)

i just tried 2 delete the Qttask 1, and it said it cannot be deleted, being used by Windows.


----------



## Cheeseball81 (Mar 3, 2004)

I would give it a try in Safe Mode, yes.


----------



## gmcsierra99 (Dec 7, 2005)

ok, im doing that right now, still got, well it says 148 minutes, but im sure it will take longer, making progress, it started at 170 minutes.


----------



## flavallee (May 12, 2002)

Delete ALL the files that have *891711* as part of the file name, regardless of their location.

I was afraid that *qttask.exe* would resist getting deleted.

-------------------------------------------------------------------------------------


----------



## gmcsierra99 (Dec 7, 2005)

ok, Spy Sweeper finished, here's the log:


----------



## gmcsierra99 (Dec 7, 2005)

and i deleted all with 891711.


----------



## Cheeseball81 (Mar 3, 2004)

Also post a new Hijack This log.


----------



## gmcsierra99 (Dec 7, 2005)

new HJT:

Logfile of HijackThis v1.99.1
Scan saved at 6:04:21 PM, on 4/12/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSDTCW.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1144644155\EE\AOLHOSTMANAGER.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1144644155\EE\AOLSERVICEHOST.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=yahoo_v.1_ie&bm=yh_home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [SvcHost32] C:\WINDOWS\svchost32.exe
O4 - HKLM\..\Run: [3BTW6X7282RZRD] C:\WINDOWS\SYSTEM\Vich.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1144644155\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\RunServices: [MSDTC] msdtcw -start
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: {7CEEAB76-D59E-11D3-8394-00C04F7BDF10} (Application Class) - http://www.tradestation.com/tscom/ClientPlugIn/tsTemp.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://208.62.27.145/TSCOM_TOOL/IFTWCLIENTS/IFTWCLIX.CAB
O16 - DPF: {6BA1270C-B969-4234-B827-7B3BBB4F5FFC} - http://63.99.207.62/builds//build922/install.cab
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/idenupdate/nextel/iUpdateAutoLaunch.ocx


----------



## Cheeseball81 (Mar 3, 2004)

* *Click here* to download *KillBox*.

Save it to your desktop.
*DO NOT* run it yet.

Go here: http://www.thespykiller.co.uk/html/downloads.html
Download the *Peper Trojan Uninstaller*.

Run the Peper Fix - Just click on the uninst.exe and let it run. 
When it is finished it will just close. There will be no dialogue. 
Also you must be connected to the internet for the Uninstaller to be effective.

Post a new Hijack This log.


----------



## gmcsierra99 (Dec 7, 2005)

new HJT:

Logfile of HijackThis v1.99.1
Scan saved at 6:22:03 PM, on 4/12/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSDTCW.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1144644155\EE\AOLHOSTMANAGER.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1144644155\EE\AOLSERVICEHOST.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=yahoo_v.1_ie&bm=yh_home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [SvcHost32] C:\WINDOWS\svchost32.exe
O4 - HKLM\..\Run: [3BTW6X7282RZRD] C:\WINDOWS\SYSTEM\Vich.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1144644155\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\SYSTEM\dxdllreg.exe 
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [MSDTC] msdtcw -start
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunOnce: [MPE0] rundll32.exe streamci,StreamingDeviceSetup {8E60217D-A2EE-47f8-B0C5-0F44C55F66DC},GLOBAL,{FD0A5AF4-B41D-11d2-9C95-00C04F7971E0},C:\WINDOWS\INF\mpe.inf,BDAcodec
O4 - HKLM\..\RunOnce: [STREAMIP0] rundll32.exe streamci,StreamingDeviceSetup {D84D449B-62FB-4ebb-B969-5183ED3DFB51},GLOBAL,{71985F4A-1CA1-11d3-9CC8-00C04F7971E0},C:\WINDOWS\INF\streamip.inf,BDAcodec
O4 - HKLM\..\RunOnce: [SLIP0] rundll32.exe streamci,StreamingDeviceSetup {03884CB6-E89A-4deb-B69E-8DC621686E6A},GLOBAL,{FD0A5AF4-B41D-11d2-9C95-00C04F7971E0},C:\WINDOWS\INF\slip.inf,VBIcodec
O4 - HKLM\..\RunOnce: [CCDECODE0] rundll32.exe streamci,StreamingDeviceSetup {562370a8-f8dd-11d2-bc64-00a0c95ec22e},GLOBAL,{07DAD660-22F1-11d1-A9F4-00C04FBBDE8F},C:\WINDOWS\INF\CCDECODE.inf,CCDECODE.Interface.Install
O4 - HKLM\..\RunOnce: [NABTSFEC0] rundll32.exe streamci,StreamingDeviceSetup {07DAD662-22F1-11d1-A9F4-00C04FBBDE8F},GLOBAL,{07DAD660-22F1-11d1-A9F4-00C04FBBDE8F},C:\WINDOWS\INF\NABTSFEC.inf,NABTSFEC.Interface.Install
O4 - HKLM\..\RunOnce: [WSTCODEC0] rundll32.exe streamci,StreamingDeviceSetup {70BC06E0-5666-11d3-A184-00105AEF9F33},GLOBAL,{07DAD660-22F1-11d1-A9F4-00C04FBBDE8F},C:\WINDOWS\INF\WSTCODEC.inf,WSTCODEC.Interface.Install
O4 - HKLM\..\RunOnce: [DXDLLREG_0] rundll32.exe C:\WINDOWS\SYSTEM\advpack.dll,LaunchINFSection C:\WINDOWS\inf\dxdllreg.inf,DXRenFiles,1,N
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: {7CEEAB76-D59E-11D3-8394-00C04F7BDF10} (Application Class) - http://www.tradestation.com/tscom/ClientPlugIn/tsTemp.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://208.62.27.145/TSCOM_TOOL/IFTWCLIENTS/IFTWCLIX.CAB
O16 - DPF: {6BA1270C-B969-4234-B827-7B3BBB4F5FFC} - http://63.99.207.62/builds//build922/install.cab
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/idenupdate/nextel/iUpdateAutoLaunch.ocx


----------



## Cheeseball81 (Mar 3, 2004)

Rescan with Hijack This.
Close all browser windows except Hijack This.
Put a check mark beside these entries and click "Fix Checked".

*R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

O4 - HKLM\..\Run: [SvcHost32] C:\WINDOWS\svchost32.exe

O4 - HKLM\..\Run: [3BTW6X7282RZRD] C:\WINDOWS\SYSTEM\Vich.exe*

Close Hijack This.

Boot into Safe Mode.

* Double click on Killbox.exe to run it.

Put a tick by *Standard File Kill*.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

*C:\WINDOWS\svchost32.exe
C:\WINDOWS\SYSTEM\Vich.exe*

Click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file.
Click Yes.
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
Killbox may tell you that one or more files do not exist.
If that happens, just continue on with all the files. Be sure you don't miss any.
Next in Killbox go to *Tools > Delete Temp Files*

Finally go to Control Panel > Internet Options. 
On the General tab under "Temporary Internet Files" Click "Delete Files". 
Put a check by "Delete Offline Content" and click OK. 
Click on the Programs tab then click the "Reset Web Settings" button. 
Click Apply then OK.

Empty the Recycle Bin.

Reboot, post a new Hijack This log.


----------



## gmcsierra99 (Dec 7, 2005)

new HJT:

Logfile of HijackThis v1.99.1
Scan saved at 7:29:36 PM, on 4/12/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\MSDTCW.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1144644155\EE\AOLHOSTMANAGER.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1144644155\EE\AOLSERVICEHOST.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\WRSSSDK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=yahoo_v.1_ie&bm=yh_home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1144644155\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [MSDTC] msdtcw -start
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunOnce: [GrpConv] grpconv.exe -o
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: {7CEEAB76-D59E-11D3-8394-00C04F7BDF10} (Application Class) - http://www.tradestation.com/tscom/ClientPlugIn/tsTemp.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://208.62.27.145/TSCOM_TOOL/IFTWCLIENTS/IFTWCLIX.CAB
O16 - DPF: {6BA1270C-B969-4234-B827-7B3BBB4F5FFC} - http://63.99.207.62/builds//build922/install.cab
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/idenupdate/nextel/iUpdateAutoLaunch.ocx


----------
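Added example, not part of the original thread: a Python script that compares the O4 autostart entries of the two HijackThis logs posted above and reports which "Fix Checked" lines still appear in the later log. The log excerpts are copied from the posts and trimmed to a few lines; the function and variable names are this example's own.

```python
import re

# O4 autostart lines have the shape:
#   O4 - HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$"
)

# Excerpt of the log posted before the fix (trimmed copy from the thread).
BEFORE = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SvcHost32] C:\WINDOWS\svchost32.exe
O4 - HKLM\..\Run: [3BTW6X7282RZRD] C:\WINDOWS\SYSTEM\Vich.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\SYSTEM\dxdllreg.exe
O4 - HKLM\..\RunServices: [MSDTC] msdtcw -start
"""

# Excerpt of the log saved on 4/12/06, after the fix (trimmed copy).
AFTER = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\RunServices: [MSDTC] msdtcw -start
O4 - HKLM\..\RunOnce: [GrpConv] grpconv.exe -o
"""

# The entries the helper asked to tick before "Fix Checked".
FIX_LIST = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [SvcHost32] C:\WINDOWS\svchost32.exe
O4 - HKLM\..\Run: [3BTW6X7282RZRD] C:\WINDOWS\SYSTEM\Vich.exe
"""


def parse_o4(log_text):
    """Map (hive, key, value name) -> command for every O4 line in a log."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries[(m["hive"], m["key"], m["name"])] = m["cmd"].strip()
    return entries


def diff_autoruns(before, after):
    """Report autostart entries removed, added, or pointing at a new command."""
    b, a = parse_o4(before), parse_o4(after)
    return {
        "removed": sorted(k for k in b if k not in a),
        "added": sorted(k for k in a if k not in b),
        "changed": sorted(
            k for k in b if k in a and b[k].lower() != a[k].lower()
        ),
    }


def normalize(line):
    """Collapse whitespace and case so copy/paste differences do not matter."""
    return " ".join(line.split()).lower()


def remaining_fix_entries(fix_list, after):
    """Return the fix-list lines that still appear verbatim in the later log."""
    present = {normalize(l) for l in after.splitlines() if l.strip()}
    return [
        l.strip()
        for l in fix_list.splitlines()
        if l.strip() and normalize(l) in present
    ]


if __name__ == "__main__":
    result = diff_autoruns(BEFORE, AFTER)
    for kind in ("removed", "added", "changed"):
        for hive, key, name in result[kind]:
            print(f"{kind:8} {hive}\\..\\{key}: [{name}]")
    for line in remaining_fix_entries(FIX_LIST, AFTER):
        print("still present:", line)
```

On these excerpts the two Run entries from the fix list are gone, while the R0 SearchAssistant line is still listed in the later log.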



## Cheeseball81 (Mar 3, 2004)

How are things now?


----------



## gmcsierra99 (Dec 7, 2005)

still slow.


----------



## gmcsierra99 (Dec 7, 2005)

freezes occasionally.


----------



## Cheeseball81 (Mar 3, 2004)

Has this system ever been defragged?


----------



## gmcsierra99 (Dec 7, 2005)

probably not, like i said in my 1st post, i found it in the trash, i just got it sun., i added another 128MB stick, total of 256, and it has a 350MHZ processor, it should be a lot faster than this. also, i have another available port 4 RAM, is it possible i can stick another stick in there? another 128?


----------



## gmcsierra99 (Dec 7, 2005)

also, when i try 2 run a Panda scan, ActiveX bar thing doesn't pop up? and i get a message?


----------



## gmcsierra99 (Dec 7, 2005)

i just tried Kaspersky 2, and no luck, it said that ActiveX couldn't download or something, and it said that my IE controls must be at Medium level.


----------



## gmcsierra99 (Dec 7, 2005)

i just checked and my IE is at Medium level.


----------



## Cheeseball81 (Mar 3, 2004)

I would defrag it.

Make sure ActiveX is set like recommended here: http://www.jfitz.com/tips/ie_security_config.html


----------



## gmcsierra99 (Dec 7, 2005)

alright i did that, what else is there 2 do? it's still running sluggish.


----------



## Cheeseball81 (Mar 3, 2004)

Defrag done?

You can also uninstall SpySweeper.


----------



## gmcsierra99 (Dec 7, 2005)

no, it's still defragging, i meant i did the ActiveX stuff.


----------



## gmcsierra99 (Dec 7, 2005)

defrag's done, what else 2 do?


----------



## gmcsierra99 (Dec 7, 2005)

i just tried 2 download Windows Media Player 9, because the 1 on here is Media Player 7, and 10 isn't compatible with Windows 98SE, so, i downloaded Media Player 9, and got no Download File box? i think this ActiveX thing is knocking everything out of whack.


----------



## Cheeseball81 (Mar 3, 2004)

I have to go to bed. I won't be around much tomorrow, so maybe Flav will have some suggestions.


----------



## gmcsierra99 (Dec 7, 2005)

yeah, ActiveX is definitely screwing everything up.


----------



## gmcsierra99 (Dec 7, 2005)

yeah, hopefully, im sure he will, i need some sleep 2, it's 12:52 in the morning over here, goodnight.


----------



## flavallee (May 12, 2002)

Leave *Windows Media Player 7.1* alone and don't install version 9 because it'll probably be too much of a graphic and memory load on that old dinosaur.

Post another HijackThis log so I can look at it. We need to get rid of some O4 startup entries that seem to have reappeared.

-------------------------------------------------------------------------------------


----------



## gmcsierra99 (Dec 7, 2005)

well i already loaded 9, i opened it last night, and it wasn't slow.

new HJT:

Logfile of HijackThis v1.99.1
Scan saved at 3:13:19 PM, on 4/13/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\MSDTCW.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netservices.verizon.net/port...NDEzMDUzODM2JTI2&.ys=XINQunGO53vNKzt0f1HPNw--
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1144644155\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [MSDTC] msdtcw -start
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: {7CEEAB76-D59E-11D3-8394-00C04F7BDF10} (Application Class) - http://www.tradestation.com/tscom/ClientPlugIn/tsTemp.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://208.62.27.145/TSCOM_TOOL/IFTWCLIENTS/IFTWCLIX.CAB
O16 - DPF: {6BA1270C-B969-4234-B827-7B3BBB4F5FFC} - http://63.99.207.62/builds//build922/install.cab
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/idenupdate/nextel/iUpdateAutoLaunch.ocx


----------



## flavallee (May 12, 2002)

Go back into the MSCONFIG "Startup" tab and remove the checkmark from:

*CriticalUpdate* (wucrtupd.exe)

*KB891711* (KB891711.EXE)

You probably don't need this one:

*MSDTC* (msdtcw)

running in the background either and can uncheck it. Read here.

Click Apply - OK, but don't reboot yet.

Click Start - Find - Files And Folders, select the hard drive ( C: ) to look in, type in:

*891711*

then click Find Now. When the list of files and folders appear, delete all those that have that 6-digit number as part of the file name.

Now, you can reboot.

-------------------------------------------------------------------------------------


----------



## gmcsierra99 (Dec 7, 2005)

ok, and this computer's still infected, because when i either startup, or restart, the AVG Bootup Scanner says there's a virus.


----------



## flavallee (May 12, 2002)

Do a full hard drive scan with AVG, then make note of what it finds and classifies as viruses. It should display a name or file path for whatever it finds. I don't use AVG myself, so I don't know exactly how it runs.

-------------------------------------------------------------------------------------


----------



## gmcsierra99 (Dec 7, 2005)

alright, i'll do a scan.


----------



## gmcsierra99 (Dec 7, 2005)

ok, here the stuff:

C:\pp.hta
C:\index2.hta
C:\WINDOWS\ee98af.tmp


----------



## gmcsierra99 (Dec 7, 2005)

also, when Windows starts up, the folder Common pops-up?


----------



## flavallee (May 12, 2002)

*pp.hta* - it's a virus worm. 

Go here and read. There'll be a yellow square link for the removal tool at the top of the page.

*C:\index2.hta* - It's a virus worm. 

Go here, click the "Solution" tab, then read.

*ee98af.tmp* - It's a virus worm. 

Go here and read. There'll be a yellow square link for the removal tool at the top of the page.

-------------------------------------------------------------------------------------


----------



## gmcsierra99 (Dec 7, 2005)

ok, i'll do that, also is ActiveScan compatible with Windows 98SE? because i've been trying 2 get it 2 run since last night, and it doesn't work? i don't get the ActiveX install window.


----------



## gmcsierra99 (Dec 7, 2005)

do i need 2 boot into Safe Mode before running the tools?


----------



## gmcsierra99 (Dec 7, 2005)

ok, well i just ran it without booting into Safe mode, it just finished it said that 2 files were removed or something, well here's the log:

The file "C:\WINDOWS\el388.tmp" is deleted.

The file "C:\pp.gif" is deleted.

W32.Mimail has been successfully removed
from your computer!

Here is the report:

The total number of the scanned files: 15162
The number of deleted files: 2
The number of repaired files: 0
The number of viral processes terminated: 0
The number of registry entries fixed: 0

im going 2 download the others, and run them also.


----------



## gmcsierra99 (Dec 7, 2005)

where's the Removal Tool 4 C:\index2.hta?


----------



## gmcsierra99 (Dec 7, 2005)

and do i need 2 download the tool 4 ee98af.tmp? it looks like the 1 for pp.hta.


----------



## gmcsierra99 (Dec 7, 2005)

also, what would the solution 2 the common folder popping up on startup be? would that be the virus doing that?


----------



## Cheeseball81 (Mar 3, 2004)

You can use KillBox to remove those files you know


----------



## flavallee (May 12, 2002)

CheeseBall81:

Can you advise gmcsierra99 how to use KillBox? I know nothing about it.

-------------------------------------------------------------------------------------

gmcsierra99:

Per your previous report, did you run another hard drive scan with AVG and see if it came out clean this time?

-------------------------------------------------------------------------------------


----------



## Cheeseball81 (Mar 3, 2004)

Sure thing, Frank 

Same as we did earlier

* Double click on Killbox.exe to run it.

Put a tick by *Standard File Kill*.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

*C:\pp.hta
C:\index2.hta
C:\WINDOWS\ee98af.tmp*

Click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file.
Click Yes.
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
Killbox may tell you that one or more files do not exist.
If that happens, just continue on with all the files. Be sure you don't miss any.
Next in Killbox go to *Tools > Delete Temp Files*

Reboot


----------



## gmcsierra99 (Dec 7, 2005)

it says the Files Dont Exist.


----------



## flavallee (May 12, 2002)

Thanks, CheeseBall.  

I'm going to stay away from this thread for awhile, as I'm getting bombarded with replies from several other threads.  

-------------------------------------------------------------------------------------


----------



## gmcsierra99 (Dec 7, 2005)

ok, thanks, you've helped me alot :up:.


----------



## Cheeseball81 (Mar 3, 2004)

How is the computer running? 

Ok Frank, I know what you mean. I haven't been on all day. I have tons to catch up on


----------



## gmcsierra99 (Dec 7, 2005)

it's still kinda slow, im going 2 run AVG and see what it picks up, should take a while so you could probably catch up on some threads.


----------



## gmcsierra99 (Dec 7, 2005)

should i boot in to Safe mode 2 killbox those files?


----------



## Cheeseball81 (Mar 3, 2004)

Yes. And if AVG detects infections in a location called !KillBox, don't be alarmed.
Those are just backups of files you've removed.


----------



## gmcsierra99 (Dec 7, 2005)

alright, Ad-Aware picked 12 things up.


----------



## Cheeseball81 (Mar 3, 2004)

What did it find


----------



## gmcsierra99 (Dec 7, 2005)

i clicked out of it, but would you like me 2 scan again and post a log?


----------



## Cheeseball81 (Mar 3, 2004)

Sure


----------



## gmcsierra99 (Dec 7, 2005)

AVG didn't find nothing. im going to re-scan with Ad-Aware right now. if ActiveScan worked i would've scanned with that a long time ago, but i think i may have ActiveX issues.


----------



## gmcsierra99 (Dec 7, 2005)

ok here it is:

Ad-Aware SE Build 1.06r1
Logfile Created on:Thursday, April 13, 2006 11:15:45 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R103 10.04.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):12 total references
Tracking Cookie(TAC index:3):12 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

4-13-06 11:15:45 PM - Scan started. (Smart mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [KERNEL32.DLL]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4291792789
Threads : 9
Priority : High
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft(R) Windows(R) Operating System
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
LegalCopyright : Copyright (C) Microsoft Corp. 1991-1999
OriginalFilename : KERNEL32.DLL

#:2 [MSGSRV32.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294853649
Threads : 1
Priority : Normal
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft(R) Windows(R) Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
LegalCopyright : Copyright (C) Microsoft Corp. 1992-1998
OriginalFilename : MSGSRV32.EXE

#:3 [MPREXE.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294867585
Threads : 1
Priority : Normal
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
ProductName : Microsoft(R) Windows(R) Operating System
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
LegalCopyright : Copyright (C) Microsoft Corp. 1993-1998
OriginalFilename : MPREXE.EXE

#:4 [mmtask.tsk]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294842257
Threads : 1
Priority : Normal
FileVersion : 4.03.1998
ProductVersion : 4.03.1998
ProductName : Microsoft Windows
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
LegalCopyright : Copyright © Microsoft Corp. 1991-1998
OriginalFilename : mmtask.tsk

#:5 [EXPLORER.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294873693
Threads : 35
Priority : Normal
FileVersion : 4.72.3110.1
ProductVersion : 4.72.3110.1
ProductName : Microsoft(R) Windows NT(R) Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1997
OriginalFilename : EXPLORER.EXE

#:6 [SYSTRAY.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294877201
Threads : 2
Priority : Normal
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft(R) Windows(R) Operating System
CompanyName : Microsoft Corporation
FileDescription : System Tray Applet
InternalName : SYSTRAY
LegalCopyright : Copyright (C) Microsoft Corp. 1993-1998
OriginalFilename : SYSTRAY.EXE

#:7 [STIMON.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294797925
Threads : 3
Priority : Normal
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft(R) Windows(R) Operating System
CompanyName : Microsoft Corporation
FileDescription : Still Image Devices Monitor
InternalName : STIMON
LegalCopyright : Copyright (C) Microsoft Corp. 1996-1998
OriginalFilename : STIMON.EXE

#:8 [AVGCC.EXE]
FilePath : C:\PROGRAM FILES\GRISOFT\AVG FREE\
ProcessID : 4294774373
Threads : 5
Priority : Normal
FileVersion : 7,1,0,381
ProductVersion : 7.1.0.381
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC
LegalCopyright : Copyright © 2006, GRISOFT, s.r.o.
OriginalFilename : AvgCC.EXE

#:9 [AVGEMC.EXE]
FilePath : C:\PROGRAM FILES\GRISOFT\AVG FREE\
ProcessID : 4294835129
Threads : 6
Priority : Normal
FileVersion : 7,1,0,371
ProductVersion : 7.1.0.371
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG E-Mail Scanner
InternalName : avgemc
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgemc.exe

#:10 [AVGAMSVR.EXE]
FilePath : C:\PROGRAM FILES\GRISOFT\AVG FREE\
ProcessID : 4294809697
Threads : 7
Priority : Normal
FileVersion : 7,1,0,365
ProductVersion : 7.1.0.365
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Alert Manager
InternalName : avgamsvr
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgamsvr.EXE

#:11 [WMIEXE.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294881157
Threads : 3
Priority : Normal
FileVersion : 5.00.1755.1
ProductVersion : 5.00.1755.1
ProductName : Microsoft(R) Windows NT(R) Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1998
OriginalFilename : wmiexe.exe

#:12 [DDHELP.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294580421
Threads : 5
Priority : Realtime
FileVersion : 4.09.00.0900
ProductVersion : 4.09.00.0900
ProductName : Microsoft® DirectX for Windows®
CompanyName : Microsoft Corporation
FileDescription : Microsoft DirectX Helper
InternalName : DDHelp.exe
LegalCopyright : Copyright © Microsoft Corp. 1994-2002
OriginalFilename : DDHelp.exe

#:13 [AD-AWARE.EXE]
FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\
ProcessID : 4294541289
Threads : 2
Priority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:29
Value : Cookie:[email protected]/
Expires : 4-12-11 1:09:38 AM
LastSync : Hits:29
UseCount : 0
Hits : 29

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:259
Value : Cookie:[email protected]/
Expires : 4-12-11 11:14:10 PM
LastSync : Hits:259
UseCount : 0
Hits : 259

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:6
Value : Cookie:[email protected]/
Expires : 4-11-11 8:14:26 PM
LastSync : Hits:6
UseCount : 0
Hits : 6

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:[email protected]/
Expires : 4-12-11 1:30:38 AM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:18
Value : Cookie:[email protected]/
Expires : 4-12-07 7:44:34 PM
LastSync : Hits:18
UseCount : 0
Hits : 18

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:6
Value : Cookie:[email protected]/
Expires : 4-10-16 1:22:54 AM
LastSync : Hits:6
UseCount : 0
Hits : 6

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:13
Value : Cookie:[email protected]/
Expires : 4-11-09 7:31:12 PM
LastSync : Hits:13
UseCount : 0
Hits : 13

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:[email protected]/
Expires : 6-21-09 8:00:00 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:11
Value : Cookie:[email protected]/
Expires : 4-10-11 8:00:00 PM
LastSync : Hits:11
UseCount : 0
Hits : 11

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:10
Value : Cookie:[email protected]/
Expires : 12-31-20 7:59:58 PM
LastSync : Hits:10
UseCount : 0
Hits : 10

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:[email protected]/
Expires : 12-31-37 8:00:00 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:11
Value : Cookie:[email protected]/
Expires : 4-3-07 3:31:24 PM
LastSync : Hits:11
UseCount : 0
Hits : 11

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 12
Objects found so far: 12

Deep scanning and examining files...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 12

Disk Scan Result for C:\WINDOWS\SYSTEM
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 12

Disk Scan Result for C:\WINDOWS\TEMP\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 12

MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d

MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d

MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X

MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X

MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw

MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer

MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer

MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player

MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player

MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\doc find spec mru
Description : list of recently used search terms for locating files using the microsoft windows operating system

MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run

MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 24

11:17:52 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:02:07.480
Objects scanned:43366
Objects identified:12
Objects ignored:0
New critical objects:12


----------



## Cheeseball81 (Mar 3, 2004)

It just found tracking cookies which are nothing to worry about at all.

MRU objects are harmless as well. It's just a list of a user's most recently opened objects.


----------



## gmcsierra99 (Dec 7, 2005)

oo ok, it's still a little bit slow, it may just be like this, it's only 350MHZ, with 256MB RAM, it should be a little bit faster. 

here's what it says when i try to run ActiveScan, this is after when you type in your E-mail address:


Error on downloading ActiveScan

An error has occurred downloading Panda ActiveScan. Please repeat the process. If the error occurs again, restart your system and try again

Possible causes of this error are: 

Not allowing the application's ActiveX control to be downloaded. 

Problems with the Internet connection. 

The error could be due to a download error or an installation error due to lack of hard disk space, privileges etc.,...


----------



## gmcsierra99 (Dec 7, 2005)

also, at startup, the folder Common opens.


----------



## Cheeseball81 (Mar 3, 2004)

Post a new HJT log


----------



## gmcsierra99 (Dec 7, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 11:54:37 PM, on 4/13/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netservices.verizon.net/port...NDEzMDUzODM2JTI2&.ys=XINQunGO53vNKzt0f1HPNw--
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1144644155\ee\AOLHostManager.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: {7CEEAB76-D59E-11D3-8394-00C04F7BDF10} (Application Class) - http://www.tradestation.com/tscom/ClientPlugIn/tsTemp.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://208.62.27.145/TSCOM_TOOL/IFTWCLIENTS/IFTWCLIX.CAB
O16 - DPF: {6BA1270C-B969-4234-B827-7B3BBB4F5FFC} - http://63.99.207.62/builds//build922/install.cab
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/idenupdate/nextel/iUpdateAutoLaunch.ocx
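
A triage sketch for the HijackThis log posted above, added here as an example and not part of the original post or of HijackThis itself: it parses the `O4` autorun and `O16` Download Program Files lines and queues ActiveX codebases for a manual look. The function names and the review heuristic (bare-IP host, missing control name) are assumptions of this example, not advice given in the thread.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Lines copied from the HijackThis log in the post above (a subset of it).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1144644155\ee\AOLHostManager.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: {7CEEAB76-D59E-11D3-8394-00C04F7BDF10} (Application Class) - http://www.tradestation.com/tscom/ClientPlugIn/tsTemp.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://208.62.27.145/TSCOM_TOOL/IFTWCLIENTS/IFTWCLIX.CAB
O16 - DPF: {6BA1270C-B969-4234-B827-7B3BBB4F5FFC} - http://63.99.207.62/builds//build922/install.cab
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/idenupdate/nextel/iUpdateAutoLaunch.ocx
"""

# "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [Name] command".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Registry autorun form of O4: hive, key, value name in brackets, command line.
O4_RE = re.compile(
    r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.*)$"
)
# O16: CLSID, optional control name in parentheses, then the CODEBASE URL.
O16_RE = re.compile(
    r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})(?: \((?P<name>.*)\))? - (?P<codebase>\S+)$"
)


def parse_hjt(text):
    """Return one dict per HijackThis entry line; headers and process paths are skipped."""
    entries = []
    for raw in text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if not match:
            continue
        code, body = match.groups()
        entry = {"code": code, "body": body}
        detail = None
        if code == "O4":
            detail = O4_RE.match(body)
        elif code == "O16":
            detail = O16_RE.match(body)
        if detail:
            entry.update(detail.groupdict())
        entries.append(entry)
    return entries


def host_is_ip_literal(url):
    """True when the URL's host is an IPv4/IPv6 address rather than a DNS name."""
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def dpf_review_queue(entries):
    """List (clsid, codebase, reasons) for O16 entries matching the example heuristic."""
    queue = []
    for entry in entries:
        if entry["code"] != "O16" or "codebase" not in entry:
            continue
        reasons = []
        if host_is_ip_literal(entry["codebase"]):
            reasons.append("codebase host is a bare IP address")
        if entry.get("name") is None:
            reasons.append("no control name recorded")
        if reasons:
            queue.append((entry["clsid"], entry["codebase"], reasons))
    return queue


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("Registry autoruns (O4):")
    for item in parsed:
        if item["code"] == "O4" and "name" in item:
            print(f"  {item['name']:<14} {item['command']}")
    print("ActiveX controls to look at by hand (O16):")
    for clsid, codebase, reasons in dpf_review_queue(parsed):
        print(f"  {clsid} {codebase}")
        for reason in reasons:
            print(f"    - {reason}")
```

An entry landing in the queue only means it deserves a lookup of its CLSID and download source before deciding whether to fix it in HijackThis.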


----------



## gmcsierra99 (Dec 7, 2005)

what is #03 Toolbar&Radio? i don't think i need that do i?


----------



## Cheeseball81 (Mar 3, 2004)

It's part of Internet Explorer Radio_Bar.

Open Hijack This.
Click on *Open Misc Tools Section*
Make sure that both boxes beside "Generate StartupList Log" are checked:

*List all minor sections(Full)*
*List Empty Sections(Complete)*

Click *Generate StartupList Log*.
Click *Yes* at the prompt.
It will open a text file. Please copy the entire contents of that page and paste it here.


----------



## gmcsierra99 (Dec 7, 2005)

ok, here it is:

StartupList report, 4/14/06, 12:09:36 AM
StartupList version: 1.52.2
Started from : C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
SystemTray = SysTray.Exe
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
AVG7_CC = C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
AVG7_EMC = C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
AVG7_AMSVR = C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
HostManager = C:\Program Files\Common Files\AOL\1144644155\ee\AOLHostManager.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[SetupcPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection SetupcPerUser 64 C:\WINDOWS\INF\setupc.inf

[AppletsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 C:\WINDOWS\INF\applets.inf

[FontsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 C:\WINDOWS\INF\fonts.inf

[{5A8D6EE0-3E18-11D0-821E-444553540000}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\INF\icw.inf,PerUserStub,,36

[PerUser_ICW_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 C:\WINDOWS\INF\icw97.inf

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\SYSTEM\ie4uinit.inf,Shell.UserStub,,36

[>PerUser_MSN_Clean] *
StubPath = C:\WINDOWS\msnmgsr1.exe

[{CA0A4247-44BE-11d1-A005-00805F8ABE06}] *
StubPath = RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

[PerUser_Msinfo] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 C:\WINDOWS\INF\msinfo.inf

[PerUser_Msinfo2] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 C:\WINDOWS\INF\msinfo.inf

[MotownMmsysPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 C:\WINDOWS\INF\motown.inf

[MotownAvivideoPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 C:\WINDOWS\INF\motown.inf

[MotownMPlayPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 C:\WINDOWS\INF\mplay98.inf

[PerUser_Base] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 C:\WINDOWS\INF\msmail.inf

[ShellPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 C:\WINDOWS\INF\shell.inf

[Shell2PerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 C:\WINDOWS\INF\shell2.inf

[PerUser_winbase_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 C:\WINDOWS\INF\subase.inf

[PerUser_winapps_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 C:\WINDOWS\INF\subase.inf

[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

[TapiPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 C:\WINDOWS\INF\tapi.inf

[{73fa19d0-2d75-11d2-995d-00c04f98bbc9}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\webfdr16.inf,PerUserStub.Install,1

[PerUserOldLinks] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 C:\WINDOWS\INF\appletpp.inf

[MmoptRegisterPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 C:\WINDOWS\INF\mmopt.inf

[OlsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsMsnPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 C:\WINDOWS\INF\ols.inf

[PerUser_Paint_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 C:\WINDOWS\INF\applets.inf

[PerUser_Calc_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 C:\WINDOWS\INF\applets.inf

[PerUser_CVT_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf

[MotownRecPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 C:\WINDOWS\INF\motown.inf

[PerUser_Vol] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 C:\WINDOWS\INF\motown.inf

[PerUser_MSWordPad_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 C:\WINDOWS\INF\wordpad.inf

[PerUser_RNA_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 C:\WINDOWS\INF\rna.inf

[PerUser_Dialer_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 C:\WINDOWS\INF\appletpp.inf

[PerUser_CDPlayer_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 C:\WINDOWS\INF\mmopt.inf

[{44BBA842-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.W95

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[OlsAolPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsAttPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUser 64 C:\WINDOWS\INF\ols.inf

[OlsCompuservePerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsCompuservePerUser 64 C:\WINDOWS\INF\ols.inf

[OlsProdigyPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUser 64 C:\WINDOWS\INF\ols.inf

[PerUser_Wingames_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Inis 64 C:\WINDOWS\INF\appletpp.inf

[Shell3PerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell3PerUser 64 C:\WINDOWS\INF\shell3.inf

[NetservrPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection NetservrPerUser 64 C:\WINDOWS\INF\netservr.inf

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\SYSTEM\Rundll32.exe C:\WINDOWS\SYSTEM\mscories.dll,Install

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\CHANNE~1.SCR
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.INI listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 13/4/2006, 23:34:2)

[rename]
NUL=C:\WINDOWS\TEMP\_iu14D2N.tmp
NUL=C:\WINDOWS\TEMP\GLB1A2B.EXE
[Rename]
NUL=C:\PROGRA~1\COMMON~1\VERIZO~1\YAHOO\YINSTH~1.DLL

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

C:\PROGRA~1\GRISOFT\AVGFRE~1\BOOTUP.EXE
SET PATH=%PATH%;"C:\Program Files\Microsoft SQL Server\80\Tools\Binn\"

--------------------------------------------------

C:\CONFIG.SYS listing:

*File is empty*

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

*File not found*

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

*No BHO's found*

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
Windows Critical Update Notification.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\SYSTEM\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Internet Explorer Classes for Java]
CODEBASE = file://C:\WINDOWS\SYSTEM\iejava.cab
OSD = C:\WINDOWS\Downloaded Program Files\Internet Explorer Classes for Java.osd

[Java Plug-in 1.4.1_02]
InProcServer32 = C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
CODEBASE = http://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab

[Application Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\TSTEMP.DLL
CODEBASE = http://www.tradestation.com/tscom/ClientPlugIn/tsTemp.cab

[InstallFromTheWeb ActiveX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\IFTW.OCX
CODEBASE = http://208.62.27.145/TSCOM_TOOL/IFTWCLIENTS/IFTWCLIX.CAB

[{6BA1270C-B969-4234-B827-7B3BBB4F5FFC}]
CODEBASE = http://63.99.207.62/builds//build922/install.cab

[{31564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/wmvax.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[{00000055-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/fhg.CAB

[IUpdateAutoLaunch Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\IUPDAT~1.OCX
CODEBASE = http://idenphones.motorola.com/idenupdate/nextel/iUpdateAutoLaunch.ocx

[Java Plug-in 1.4.1_02]
InProcServer32 = C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
CODEBASE = http://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38817.7056828704

[{33564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\SYSTEM\rnr20.dll
Protocol #1: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #2: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #3: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #4: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #5: C:\WINDOWS\SYSTEM\rsvpsp.dll
Protocol #6: C:\WINDOWS\SYSTEM\rsvpsp.dll

--------------------------------------------------

Enumerating Win9x VxD services:

VNETSUP: vnetsup.vxd
NDIS: ndis.vxd,ndis2sup.vxd
JAVASUP: JAVASUP.VXD
CONFIGMG: *CONFIGMG
NTKern: *NTKERN
VWIN32: *VWIN32
VFBACKUP: *VFBACKUP
VCOMM: *VCOMM
COMBUFF: *COMBUFF
IFSMGR: *IFSMGR
IOS: *IOS
MTRR: *mtrr
SPOOLER: *SPOOLER
UDF: *UDF
VFAT: *VFAT
VCACHE: *VCACHE
VCOND: *VCOND
VCDFSD: *VCDFSD
VXDLDR: *VXDLDR
VDEF: *VDEF
VPICD: *VPICD
VTD: *VTD
REBOOT: *REBOOT
VDMAD: *VDMAD
VSD: *VSD
V86MMGR: *V86MMGR
PAGESWAP: *PAGESWAP
DOSMGR: *DOSMGR
VMPOLL: *VMPOLL
SHELL: *SHELL
PARITY: *PARITY
BIOSXLAT: *BIOSXLAT
VMCPD: *VMCPD
VTDAPI: *VTDAPI
PERF: *PERF
VRTWD: C:\WINDOWS\SYSTEM\vrtwd.386
VFIXD: C:\WINDOWS\SYSTEM\vfixd.vxd
VNETBIOS: vnetbios.vxd
VREDIR: vredir.vxd
DFS: dfs.vxd
VSERVER: vserver.vxd
NDISWAN: ndiswan.vxd

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 21,996 bytes
Report generated in 0.698 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## Cheeseball81 (Mar 3, 2004)

How are your ActiveX settings currently set?

Please *RIGHT-CLICK HERE* to download Silent Runner's.
Save it to the desktop.
Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
You will receive a prompt:
*Do you want to skip supplementary searches?
click NO*

You will see a text file appear on the desktop - *it's not done, let it run (it won't appear to be doing anything!)*
Once you receive the prompt *All Done!*, open the text file on the desktop, copy that entire log, and paste it here.
**NOTE* If you receive any warning message about scripts, please choose to allow the script to run.*


----------



## gmcsierra99 (Dec 7, 2005)

ok, here it is:

"Silent Runners.vbs", revision 44, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"StillImageMonitor" = "C:\WINDOWS\SYSTEM\STIMON.EXE" [MS]
"AVG7_CC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE" ["GRISOFT, s.r.o."]
"AVG7_AMSVR" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE" ["GRISOFT, s.r.o."]
"HostManager" = "C:\Program Files\Common Files\AOL\1144644155\ee\AOLHostManager.exe" ["America Online, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" [file not found]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" [file not found]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" [file not found]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

Active Desktop and Wallpaper:
-----------------------------

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"

WIN.INI & SYSTEM.INI launch points:
-----------------------------------

SYSTEM.INI
[boot]
"SCRNSAVE.EXE=C:\WINDOWS\CHANNE~1.SCR" (Channel Screen Saver.SCR) [MS]

Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]
"Windows Critical Update Notification" -> launches: "C:\WINDOWS\SYSTEM\WUCRTUPD.EXE" [MS]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6

Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\PROGRAM FILES\AIM\AIM.EXE" ["America Online, Inc."]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 21 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 45 seconds.
---------- (total run time: 112 seconds)


----------



## gmcsierra99 (Dec 7, 2005)

and i don't know what my ActiveX configurations are, and don't know what they should be.


----------



## Cheeseball81 (Mar 3, 2004)

Go to Internet Options - Security - Internet, press 'default level', then OK. 
Now press "Custom Level."

In the ActiveX section, set the first two options "Download Signed and Unsigned ActiveX controls" to '*Prompt*', and "Initialize and Script ActiveX Controls not marked as Safe" to '*Disable*'.


----------



## gmcsierra99 (Dec 7, 2005)

ok i'll do that, but my screens screwed u? like the colors are messed up on the web page?


----------



## gmcsierra99 (Dec 7, 2005)

up*


----------



## Cheeseball81 (Mar 3, 2004)

When did this happen?


----------



## gmcsierra99 (Dec 7, 2005)

it's been like this for a couple minutes now, what's under Default Level? is there an Apply and an OK?


----------



## gmcsierra99 (Dec 7, 2005)

because i can see them.


----------



## gmcsierra99 (Dec 7, 2005)

cant*


----------



## Cheeseball81 (Mar 3, 2004)

Yeah it should look like this


----------



## gmcsierra99 (Dec 7, 2005)

i can't see anything below Default Level, it's like it's in Safe Mode, you know how the fonts are all big, along with the icons? maybe the onboard video card's going?


----------



## gmcsierra99 (Dec 7, 2005)

is there a way 2 take a screenshot in 98SE? i tried Cntrl>Print Screen and no luck.


----------



## Cheeseball81 (Mar 3, 2004)

Maybe. The drivers may need to be updated or reinstalled.
What's the resolution set to?


----------



## gmcsierra99 (Dec 7, 2005)

640x800, and my colors are at 256 colors, i cant set them 2 the highest because i cant click Apply.


----------



## gmcsierra99 (Dec 7, 2005)

640x480*


----------



## Cheeseball81 (Mar 3, 2004)

If you can move the slider up to the desired res, press the Tab button on your keyboard 4 times, press Enter. Then Enter again.


----------



## gmcsierra99 (Dec 7, 2005)

you're the best :up:, perfect now, i dont know how the screen got screwed up? anyway, i'll go see what my ActiveX settings are now.


----------



## gmcsierra99 (Dec 7, 2005)

darn, i thought everything was good now lol, well in Display Properties i cant see Apply etc., even if i bring the window all the way up, as far as it goes, and my mouse is almost the size of the Safe mode 1.


----------



## gmcsierra99 (Dec 7, 2005)

still cant see anything under Default Level either.


----------



## flavallee (May 12, 2002)

I'm assuming that no scanner is connected to that computer, so you can go into the MSCONFIG "Startup" tab and remove the checkmark from:

*StillImageMonitor* (stimon.exe)

-------------------------------------------------------------------------------------


----------



## gmcsierra99 (Dec 7, 2005)

yeah, no scanner. would you have any idea why in Internet Options i cant see Apply etc., even if i can pull the window up all the way.


----------



## flavallee (May 12, 2002)

The "Apply" button stays greyed out until some changes are made in the Internet Options window that would require it to be clicked on to apply a change. Look at my screenshot.


----------



## gmcsierra99 (Dec 7, 2005)

yeah, but mines all screwed up, how do i take a screenshot in 98SE? i tried Cntrl>Print Scrn and nothing.


----------



## flavallee (May 12, 2002)

What do you mean by "all screwed up"? Is the Apply button greyed out or is there another problem? 

I use *TechSmith SnagIt 7.2.5* for getting screenshots.

-------------------------------------------------------------------------------------


----------



## gmcsierra99 (Dec 7, 2005)

another problem, how can i take a screenshot? i'll show you.


----------



## flavallee (May 12, 2002)

I've never used the Print Screen feature. I know it involves saving the screenshot image with Microsoft Paint or some other photo-image program.

-------------------------------------------------------------------------------------


----------



## gmcsierra99 (Dec 7, 2005)

ok, i downloaded that screenshot program, here's my screenshot of my hard drive pie, it looks just like this in Internet options, this pie is pulled up as far as it goes:


----------



## flavallee (May 12, 2002)

Your resolution is probably set at 640 X 480 and is making the windows too large, so they're taking up too much space and not allowing them to be completely seen.

Right-click an empty space on the desktop, then click Properties. When the Display Properties window appears, click the Settings tab. If the resolution is set to 640 X 480, move the slider to where it says 800 X 600, then click Apply. The monitor may black out for a couple of seconds, but that's normal. When the desktop reappears, accept the change.

-------------------------------------------------------------------------------------

From what I'm able to see on your desktop, you have too many unnecessary icons that don't need to be there. Some of them aren't needed and some of them can be accessed by using the Start menu.

-------------------------------------------------------------------------------------


----------



## gmcsierra99 (Dec 7, 2005)

Cheeseball81 said:


> Go to Internet Options - Security - Internet, press 'default level', then OK.
> Now press "Custom Level."
> 
> In the ActiveX section, set the first two options "Download Signed and Unsigned ActiveX controls" to '*Prompt*', and "Initialize and Script ActiveX Controls not marked as Safe" to '*Disable*'.


ok, i did that.

Flavallee, that worked what you said :up:, thanks, but why did that do that?


----------



## gmcsierra99 (Dec 7, 2005)

im still thinking that theres still some kind of nasty on here, because it freezes occasionally. would overheating be doing this?


----------



## gmcsierra99 (Dec 7, 2005)

with those ActiveX settings, Active Scan still dont work.


----------



## flavallee (May 12, 2002)

Yes, overheating would cause a computer to freeze, restart, or shut down.

-------------------------------------------------------------------------------------


----------



## gmcsierra99 (Dec 7, 2005)

then it must be overheating, it dont have a heatsink fan in it, i try 2 keep it cool by sticking it near a window. i need a 2 pin fan, which i have, but the end's different.


----------



## gmcsierra99 (Dec 7, 2005)

here's the message im getting from Active Scan:


----------



## flavallee (May 12, 2002)

Sorry. I don't use *Active Scan* and don't know anything about it.

-------------------------------------------------------------------------------------

Don't get offended if I don't reply for awhile. You've been going practically non-stop with this thread since last night and we all need a break. I don't sit in front of this computer 24/7.

-------------------------------------------------------------------------------------


----------



## gmcsierra99 (Dec 7, 2005)

yeah, i know lol, im sorry, i got stuff 2 do today anyway, soo i wont be back until later on tonite.


----------



## Flrman1 (Jul 26, 2002)

How about since you found it in the trash and there is obviously no data to lose; FORMAT C!


----------



## gmcsierra99 (Dec 7, 2005)

i would if i had the Windows 98SE CD , but dont got it, i was thinking about upgrading 2 either Windows 2000, or possibly XP?


----------



## JohnWill (Oct 19, 2002)

Forget about an upgrade. Upgrading a malfunctioning version of Windows is a recipe for disaster! Do a clean install of Windows.


----------



## gmcsierra99 (Dec 7, 2005)

i have no windows CD.


----------



## gmcsierra99 (Dec 7, 2005)

i need 2 know what my ActiveX settings have 2 be, because when i run Activescan i get an error message, you guys know anything about ActiveX?


----------



## ~Candy~ (Jan 27, 2001)

gmcsierra99 said:


> i have no windows CD.


If you have no windows cd, then, I'm guessing you have no license for that copy of Windows. If you have no license for that copy of Windows, then realistically, we cannot assist you.

Your best bet would be to look to EBay and find a copy of Windows 98.


----------



## gmcsierra99 (Dec 7, 2005)

no, it's licensed, i found this computer in the trash, i just did Windows Updates a couple days ago, and it passed Validation.


----------



## ~Candy~ (Jan 27, 2001)

Windows 98 doesn't have to pass validation....unlike XP.

Just because it updates does not mean you have a legal license 

You found the computer in the trash. AT BEST, you STILL need to buy a copy of Windows.


----------



## gmcsierra99 (Dec 7, 2005)

oo ok , and yes, i am planning on getting 2000 installed on here, i think it would run pretty good.


----------



## ~Candy~ (Jan 27, 2001)

At least you'd have a fighting shot with a clean install


----------



## gmcsierra99 (Dec 7, 2005)

yeah .


could anybody tell me what my ActiveX setting should be? , if you guys/ladies know. i want 2 run Panda, soo i can make sure this system is definitely clean.


----------



## ~Candy~ (Jan 27, 2001)

What error message are you receiving?


----------



## gmcsierra99 (Dec 7, 2005)

i'll be right back, im going 2 take a screenshot, sorry i keep asking if anybody knew what my ActiveX settings should be, i didnt think anybody seen the posts .


----------



## gmcsierra99 (Dec 7, 2005)

ok here it is:


----------



## ~Candy~ (Jan 27, 2001)

Go to tools, internet options, security, custom level, and allow active X, or at least choose to prompt.


----------



## gmcsierra99 (Dec 7, 2005)

choose prompt 4 everything that has 2 do with the ActiveX?


----------



## ~Candy~ (Jan 27, 2001)

Then choose ENABLE, you have nothing to lose.


----------



## gmcsierra99 (Dec 7, 2005)

everything under ActiveX controls and plug-ins are ENABLED, i tried Panda and still get the error message.


----------



## gmcsierra99 (Dec 7, 2005)

bump.


----------



## ~Candy~ (Jan 27, 2001)

Well, then, it appears that the windows install is so messed up that it's not going to work. Let us know when you're ready to install another operating system.


----------



## flavallee (May 12, 2002)

As old as that computer is, you probably better stick with Windows 98SE. Get yourself a fully-bootable startup floppy disk and a full version Windows 98SE CD and you'll be good to go.

A hard drive format and fresh install of Windows 98SE is the best way to go. We've beat this thread to death and not solved your problems.

-------------------------------------------------------------------------------------


----------



## gmcsierra99 (Dec 7, 2005)

soo the reason why ActiveX doesnt properly work, is because Windows needs 2 be re-formatted? well how would a 350MHZ processor, 256MB RAM, run with Windows 2000?


----------



## ~Candy~ (Jan 27, 2001)

Each newer operating system requires better hardware, more ram, larger hard drive etc.

If someone actually THREW THIS COMPUTER AWAY....what does that tell you?


----------



## gmcsierra99 (Dec 7, 2005)

well, it's got a 8GB HD in this, my Dell has a 5.12 GB, with XP, and it runs great, anyway this has 6GB free space, i seen a thread on here, i think it was on here, and the dude put XP on a 300MHZ, or 35MHZ, and the reason why they probably threw it away was because it had soo many viruses, and was really slow, also i found a half new desktop out with this computer also, it was designed 4 XP, why would they throw that out?


----------



## gmcsierra99 (Dec 7, 2005)

i dont think anybody answered this question, but why does the Folder "Common" open at startup?


----------



## gmcsierra99 (Dec 7, 2005)

none of the anti-viruses scanners that i have found any kind of virus etc., and this computer is still in between slow and fast, little slow kinda fast, i guess this is the fast it can be .

i also tried 2 put another stick of 128 in here (total=384MB), but i got a Memory Error at the compaq screen, soo i took the other piece of RAM out.


----------



## gmcsierra99 (Dec 7, 2005)

also, flavallee, could my Startup list be anymore trimmed? or is that it?


----------



## Flrman1 (Jul 26, 2002)

I think that what everyone is trying to tell you is that they are finished beating this dead horse. You are wasting their time and yours trying to get this "garbage" computer running with the current OS installation.. Reformat it and install an OS on it!


----------



## flavallee (May 12, 2002)

If it's not any different than your last HijackThis log that you posted way back in #90, there's no other entries to disable.

It's 11:30 P.M. here and time for bed.

-------------------------------------------------------------------------------------


----------



## gmcsierra99 (Dec 7, 2005)

well i have no idea what the entries are soo.


----------



## gmcsierra99 (Dec 7, 2005)

well here's a HJT log, let me know if there's anymore crap 2 disable, if there's not im done with this thread , just like you and cheeseball lol, i seen AOL in there, i dont need AOL, but i do need AIM:

Logfile of HijackThis v1.99.1
Scan saved at 12:52:32 AM, on 4/16/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1144644155\EE\AOLHOSTMANAGER.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1144644155\EE\AOLSERVICEHOST.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1144644155\EE\AOLSERVICEHOST.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netservices.verizon.net/port...NDEzMDUzODM2JTI2&.ys=XINQunGO53vNKzt0f1HPNw--
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\PROGRAM FILES\TECHSMITH\SNAGIT 8\SNAGITBHO.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\PROGRAM FILES\TECHSMITH\SNAGIT 8\SNAGITIEADDIN.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1144644155\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O15 - Trusted Zone: http://www.pandasoftware.com
O16 - DPF: {7CEEAB76-D59E-11D3-8394-00C04F7BDF10} (Application Class) - http://www.tradestation.com/tscom/ClientPlugIn/tsTemp.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://208.62.27.145/TSCOM_TOOL/IFTWCLIENTS/IFTWCLIX.CAB
O16 - DPF: {6BA1270C-B969-4234-B827-7B3BBB4F5FFC} - http://63.99.207.62/builds//build922/install.cab
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/idenupdate/nextel/iUpdateAutoLaunch.ocx


----------
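A small triage pass over a HijackThis log like the one posted above, added here as an illustration (it is not part of the thread or of HijackThis): it groups entry lines by section code, then lists O16 ActiveX download sources that point at a bare IP address and O15 Trusted Zone additions for manual review. The function names and the two review heuristics are assumptions of this example, not verdicts on the entries.

```python
import re
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlparse

# Entry lines are "<code> - <detail>", e.g. "O16 - DPF: ..." or "R1 - HKCU\...".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<detail>.*)$")
URL_RE = re.compile(r"https?://\S+")

# Sample input: lines copied from the log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\SYSTEM\DDHELP.EXE
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O15 - Trusted Zone: http://www.pandasoftware.com
O16 - DPF: {7CEEAB76-D59E-11D3-8394-00C04F7BDF10} (Application Class) - http://www.tradestation.com/tscom/ClientPlugIn/tsTemp.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://208.62.27.145/TSCOM_TOOL/IFTWCLIENTS/IFTWCLIX.CAB
O16 - DPF: {6BA1270C-B969-4234-B827-7B3BBB4F5FFC} - http://63.99.207.62/builds//build922/install.cab
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.motorola.com/idenupdate/nextel/iUpdateAutoLaunch.ocx
"""

def parse_entries(text):
    """Group entry lines by section code; header and process lines are skipped."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sections[m.group("code")].append(m.group("detail"))
    return dict(sections)

def is_ip_host(url):
    """True when the URL's host is a literal IP address rather than a name."""
    host = urlparse(url).hostname or ""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def review_candidates(sections):
    """Return (code, detail, reason) tuples that deserve a manual look."""
    out = []
    for detail in sections.get("O16", []):
        if any(is_ip_host(u) for u in URL_RE.findall(detail)):
            out.append(("O16", detail, "ActiveX codebase served from a bare IP address"))
    for detail in sections.get("O15", []):
        out.append(("O15", detail, "site placed in the Trusted zone; confirm it is intended"))
    return out

if __name__ == "__main__":
    for code, detail, reason in review_candidates(parse_entries(SAMPLE_LOG)):
        print(f"{code}: {reason}\n    {detail}")
```
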



## gmcsierra99 (Dec 7, 2005)

i get a folder called Common that opens at Startup, and i see stuff about Common Files, could this be related? or..


----------



## Rache (Sep 30, 2002)

He's having a laugh.....


----------



## flavallee (May 12, 2002)

Open the *C:\Program Files* folder, then delete the *Viewpoint* folder.

Open the *C:\Program Files\Common Files* folder, then delete the *AOL* folder.

This is my LAST reply to this thread. Flrman1 has given you some good advice.

-------------------------------------------------------------------------------------


----------



## gmcsierra99 (Dec 7, 2005)

ok, i deleted them thanks :up:, also i stuck another 128MB stick in here, soo it's now 384MB max, and it's 50% faster than before. i agree, this is my last post also, thanks Cheeseball, and you Flavallee, 4 helping me clean out this computer , im marking this thread solved.

Happy Easter everyone.


----------



## Cookiegal (Aug 27, 2003)

Closing thread as well.


----------

