# Solved: Missing System.ini file upon boot-up - Win98 - Help?



## Jules1977 (Nov 12, 2004)

Hello... been here before with help for my XP system and a corrupt system file. (Hive.) Also had some nasty malware sneak its way in and had to run Hijack This. Found this forum incredibly helpful!! 

Have an old Gateway Solo 9150 running 98 that my husband uses that used to be mine... He just booted it up and hasn't been able to get past the error message of a missing "system.ini" file. Error message says to run Windows Setup to re-install. Is it that simple?

I used to know what I was doing years ago, programming with my father, so when I corrupted my hive (?) registry, I tried to edit it myself.  Called my father even, who chitchatted me thru it, and turns out we both edited the wrong one.  I have no desire to mess around with this one this time. 

Once I get my hands on my old 98 disk (might take a while) where do I go from there in terms of restoring this "system.ini" file?

Advice appreciated. I assume it should be relatively simple, but not straightforward... Thanks in advance. 

Julia


----------



## JSntgRvr (Jul 1, 2003)

Boot the computer with a startup diskette and bring the computer to a command prompt. You can download a boot disk at www.bootdisk.com, and it should be compatible with the Operating System in the Computer.

At the prompt type the following and press Enter after each line:

C:
cd\
dir System.ini /s
dir Precopy*.* /s

Post back with the results on screen.


----------



## JSntgRvr (Jul 1, 2003)

Here is another option:

Bring the Computer to a command prompt. At the prompt type the following and press Enter after each line:

C:
cd\Windows\Command
Scanreg /Restore

Select the earliest date listed and press Enter. If unsuccessful, try another date. Once you have restored a good registry, remove the startup diskette and restart the computer.


----------



## Jules1977 (Nov 12, 2004)

Sorry... I've located my recovery disk and my Win98 operating disk. Just found out that my husband never told me that the CD drive stopped working at some point.  Have to remember how to boot up from an external... (the burner I have for it) Will post back my results when I get that going.

Can I do any of your suggestions from safe mode? I was able to start up in safe mode... I just can't navigate around in the BIOS well enough.  

When I do your second option, of scanreg /restore, that will restore both the system.ini and the win.ini (I read elsewhere) to an earlier (better) date without having to reinstall all of Win98? Sounds great.

Thanks so much for the help.

Julia


----------



## JSntgRvr (Jul 1, 2003)

You need neither the Recovery CD nor the Windows 98 Installation CD at this point. Tap on F8 during Startup to enter the startup menu. At the Menu select Command Prompt. At the Prompt perform the suggested process in POST #2. Just give us the report on Screen after done.


----------



## Jules1977 (Nov 12, 2004)

F8? F8 does nothing, unfortunately. Is there another way to access the "startup" menu?

This sounds like a bad thing.


----------



## JSntgRvr (Jul 1, 2003)

Turn OFF the computer. From a powered OFF state, turn ON the computer and immediately press and hold down the Ctrl key until you reach the Startup Menu. Ignore any error message or sound coming up from the computer.


----------



## JSntgRvr (Jul 1, 2003)

Another option would be in Safe Mode:

Go to Start->Run, type Msconfig, click Ok. Click on Advanced. Check the box labeled "Enable Startup Menu". Click Apply, then Ok. Restart the computer when prompted.

While in the Configuration Utility, select the System.ini tab. See if the file has been renamed.


----------



## Jules1977 (Nov 12, 2004)

Hey, thanks for bearing with me, *JSntgRvr*. Hope you're still around. 

Went in via DOS and did _exactly_ as you said... ran Scanreg/Restore... and tried each registry that was there, and all failed.

Booted up in Safe mode and did Start->Run, type Msconfig, Ok, Advanced, "Enable Startup Menu", Apply, and Ok to Restart the computer when prompted.

And while I was in the Configuration Utility as you suggested, I looked at the System.ini tab to see if the file has been renamed. There was absolutely nothing in there. Win.ini, yes. System.ini, no. I looked in the tab on this machine I'm on right now for comparison's sake to see what should be there, and it's obvious to me that the file is gone... so there's nothing to copy or rename.

So. That leaves me where, do you think?

I appreciate your thoughts tremendously!

J


----------



## rugrat (Dec 17, 2001)

Take a look here,
http://www.computerhope.com/issues/ch000211.htm

Let us know if it helps. If not and you now have your 98 cd, you can install windows without reformatting and you should be good to go.
Let us know


----------



## JSntgRvr (Jul 1, 2003)

Start the computer to the Startup Menu and select Command Prompt. At the prompt type the following and press Enter:

Dir Precopy*.* /s

Let me know the results on screen. I would like to know if this file is in your computer and where.


----------



## JSntgRvr (Jul 1, 2003)

rugrat said:


> Take a look here,
> http://www.computerhope.com/issues/ch000211.htm
> 
> Let us know if it helps. If not and you now have your 98 cd, you can install windows without reformatting and you should be good to go.
> Let us know


Hi rugrat.

I wouldn't mess with this process, as it gives room for errors and the System.dat file may become corrupted. We need this file intact for the next step if we are able to locate the precopy1-or-2.cab files.


----------



## Jules1977 (Nov 12, 2004)

Hi *JSntgRvr*. Business trips get in the way of pleasure. I'm still kicking around here. Hope you're still subscribed to my pithy little thread! 

Ran your command. Here is the result:

Volume in C drive has no label.
Volume serial number is ####-####.

Directory of C:\WINDOWS\OPTIONS\CABS

PRECOPY1 CAB 1,243,136 11-24-98 8:02a
PRECOPY2 CAB 1,292,173 11-24-98 8:02a

2 file(s) 2,535,309 bytes

Total files listed:
2 file(s) 2,535,309 bytes
0 dir(s) 688.79 MB free

What do you think?

Julia


----------



## JSntgRvr (Jul 1, 2003)

Disconnect all peripherals from the computer. Only the Monitor, mouse and Keyboard should be connected to the computer. Start the computer and tap on F8 to enter the Startup menu. At the menu select Safe Mode Command prompt Only.

First we will need to obtain the ProductKey, unless you have it handy. To do this, at the prompt type the following and press Enter:

Find /I "ProductKey" C:\Windows\System.dat

The ProductKey is a 25 alphanumeric digits number separated in groups of 5 by hyphens. It is important you have this number before you continue.

Once you have the ProductKey, at the prompt type the following and press Enter after each line:

cd\windows\options\cabs
SETUP

Follow instructions on screen for installation. Have the ProductKey handy, as windows will not install without it.

Best wishes!


----------



## Jules1977 (Nov 12, 2004)

Great... I do actually have the product key. Will do this tonight. (And it's a laptop, so no peripherals...)

Hope this works!!! 

Thanks...

Julia


----------



## Jules1977 (Nov 12, 2004)

Changed directory successfully to windows\options\cabs but running setup says "Bad command or file name."

(Also found "product key" and it confirms what I have on my old manual...)

Ideas?

J


----------



## JSntgRvr (Jul 1, 2003)

Oh boy! At the C:\Windows\Options\Cabs prompt type:

Dir setup.exe

Press Enter. Does the file show?

Then type the following:

Dir *.cab

Press Enter. Are a bunch of files listed?


----------



## Jules1977 (Nov 12, 2004)

After Dir setup.exe ---- File not found

After Dir *.cab ---- Yes, a bunch of files

Is this a mess? LOL


----------



## JSntgRvr (Jul 1, 2003)

These files do not disappear just like that. The only reason I can think of, is due to bad sectors and clusters in the hard drive.

Since the setup.exe is missing, you won't be able to reinstall from the cabs. You will need a Windows 98 installation CD.

BTW, is it Windows 98 Standard Edition or Windows 98 SE?

This is a longshot. I am enclosing a System.txt file. Save this text file in a floppy disk.

Start the notebook and tap on F8 during Startup to Enter the Menu. Select Command Prompt from the menu. Insert the floppy disk with the System.txt file. At the prompt type the following and press Enter after each line:

cd\windows
copy A:\System.txt
Rename System.txt System.ini

Remove the diskette and restart the computer. Let me know how it goes.


----------



## Jules1977 (Nov 12, 2004)

After A:\System.txt it said _1 file(s) copied._

After "Rename System.txt System.ini" I got _Duplicate file name or file in use._

HOWEVER. I then decided to go back and rename it _BEFORE_ copying it, just to live dangerously... and IT WORKED! Computer booted right up.  (Think I'm in any trouble? It all looks good!)

I can't thank you enough...!  Great idea for the longshot! (Boy, I feel super old using diskettes!) Hopefully everything will go ok from here on out...

Julia


----------



## JSntgRvr (Jul 1, 2003)

It was really a longshot. If it works for you, it works for me. Make sure to use the thread's tools and mark this thread as "Solved" if satisfied.

Best wishes!


----------



## Jules1977 (Nov 12, 2004)

Ha ha... the husband just happily opened up internet explorer... and got bombarded with popups and all kinds of viruses. That's what must have been at the root of it all.  So, I'm off to give him the newest AdAware, Spybot S&D and Hijack This... and we'll be attacking this next issue. 

 Hopefully the System.ini will remain in place. I will mark this Solved shortly. Thanks again!!!

Julia


----------



## JSntgRvr (Jul 1, 2003)

http://forums.techguy.org/t110854.html

Use the above link and perform at least two online virusscans. Download and run the following programs:

CoolWeb Shredder
Spybot
Adaware

Afterward Run Hijackthis. Save the log. Copy and Paste its contents in a reply. Let me take a look at the running processes.


----------



## Jules1977 (Nov 12, 2004)

You sure? I didn't want to completely monopolize all your time... I was going to consider it a separate issue. 

I've done this whole thing before. I'm familiar with it. Adaware is running right now. Will run Spybot later tonight and Hijack This probably tomorrow and post for ya then. 

(I haven't used CoolWeb Shredder before... will get it tomorrow.)

Thanks!!!

Julia


----------



## JSntgRvr (Jul 1, 2003)

This place never closes. I will pick up your message tomorrow!


----------



## rugrat (Dec 17, 2001)

Just been watching this one, Congratulations!!!! JSntgRvr comes through again!


----------



## Jules1977 (Nov 12, 2004)

Thanks Rugrat! I'm thrilled. 

Of course, I had to work on this bugger all night. It's driving me up the wall. Ran the newest AdAware with updates, and Spybot with updates, and HijackThis all updated. Oh and CWSweeper too. And it hasn't managed to catch whatever it is.  It's still popping up at me.

Here's the DISASTER of my HJT log. Sorry... It's an old beater that never gets any love, what can I say. I cleaned it up as best I possibly could before running it... Anything stick out at you as far as processes? Should I post the log elsewhere for the spyware garbage? Thanks JSntgRvr!!!!

Logfile of HijackThis v1.99.1
Scan saved at 11:44:22 PM, on 3/1/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\IOMEGA HOTBURN\AUTOLAUNCH.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NOADS\NOADS.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\WINDOWS\TPPSTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE2000\OFFICE\1033\MSOFFICE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [AtiCwd32] Ati2cwad.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.exe
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [PP3100B] C:\WINDOWS\twain_32\paprport\3100bUSB\flatbed.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ICSDCLT] c:\windows\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [ATIPOLAB] ati2plab.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaab.exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [SSDPSRV] c:\windows\SYSTEM\ssdpsrv.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [NoAds] "C:\PROGRAM FILES\NOADS\NOADS.EXE"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office2000\Office\OSA9.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: ComcastHSI - {716F90A0-9F08-11D6-BC29-0030F108927B} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {716F90A1-9F08-11D6-BC29-0030F108927B} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {716F90A2-9F08-11D6-BC29-0030F108927B} - http://www.comcastsupport.com (file missing) (HKCU)
O12 - Plugin for .cgi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {2F0347EC-951D-11D2-846C-00A0C955B0C1} (GWNet.ctlGWNet) - file://C:\Program Files\gateway\GATEWAY.NET\HTML\GWNet.CAB
O16 - DPF: {4351667F-8901-11D1-B31B-0060089CD339} (WonGameStart Class) - http://www.wonnet.com/tools/WonGameStartControl.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB


----------



## JSntgRvr (Jul 1, 2003)

Download StartDreck here:

http://www.niksoft.at/php/dl.php?f=startdreck.zip

Unzip and run StartDreck.exe:

Click config 
Click Unmark all 
Check these boxes only: 
*Registry->run keys 
*Registry->Browser helper objects 
*System/drivers> Running processes 
Click OK.

Use the "save" tab, to save, name and post the log in your next reply here.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

This is for my records, as a reminder:

Obvious=se.dll/sp.html
sphjfix


----------



## Jules1977 (Nov 12, 2004)

How's this work for you?


StartDreck (build 2.1.7 public stable) - 2005-03-02 @ 11:15:38 (GMT -05:00)
Platform: Windows 98 (Win 4.10.1998 )
Internet Explorer: 6.0.2800.1106
Logged in as at POKEY

»Registry
»Run Keys
»Current User
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
*NoAds="C:\PROGRAM FILES\NOADS\NOADS.EXE"
»RunOnce
»Default User
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
*NoAds="C:\PROGRAM FILES\NOADS\NOADS.EXE"
»RunOnce
»Local Machine
»Run
*ScanRegistry=c:\windows\scanregw.exe /autorun
*TaskMonitor=c:\windows\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SoundFusion=RunDll32 cwcprops.cpl,CrystalControlWnd
*AtiCwd32=Ati2cwad.exe
*AtiQiPcl=AtiQiPcl.exe
*AvconsoleEXE=C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
*McAfeeWebScanX=C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.exe
*Vshwin32EXE=C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
*VsStatEXE=C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE
*Ati2cwxx=Ati2cwxx.exe
*PP3100B=C:\WINDOWS\twain_32\paprport\3100bUSB\flatbed.exe
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
*Drag'n'Drop_Autolaunch="C:\Program Files\Iomega HotBurn\Autolaunch.exe"
*TPP Auto Loader=C:\WINDOWS\TPPALDR.EXE
*LoadQM=loadqm.exe
*ZingSpooler=C:\Program Files\Common Files\Zing\ZingSpooler.exe
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*ICSDCLT=c:\windows\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient
*ATIPOLAB=ati2plab.exe
*AtiPTA=Atiptaab.exe
*IrMon=IrMon.exe
*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*Vshwin32EXE=C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
*SSDPSRV=c:\windows\SYSTEM\ssdpsrv.exe
»RunServicesOnce
**hxp=rundll32 C:\WINDOWS\IPCONFQG.DAT,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
»Files
»System/Drivers
»Running Processes
+FFEFB383=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFE73E7=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFE7BDF=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFFE4D2F=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFEA337=C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
+FFFE8CB7=C:\WINDOWS\SYSTEM\SSDPSRV.EXE
+FFFD2F27=C:\WINDOWS\RUNDLL32.EXE
+FFFD124F=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFDDDDB=C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
+FFFD81A3=C:\WINDOWS\EXPLORER.EXE
+FFFCC953=C:\WINDOWS\TASKMON.EXE
+FFFCDEAB=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFCC617=C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\AVCONSOL.EXE
+FFFB5C27=C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WEBSCANX.EXE
+FFFBC2BF=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFFCC73F=C:\PROGRAM FILES\IOMEGA HOTBURN\AUTOLAUNCH.EXE
+FFFB7907=C:\WINDOWS\TPPALDR.EXE
+FFFBCC9F=C:\WINDOWS\LOADQM.EXE
+FFFA436F=C:\WINDOWS\SYSTEM\QTTASK.EXE
+FFFBA34B=C:\WINDOWS\RUNDLL32.EXE
+FFFBE24B=C:\WINDOWS\SYSTEM\IRMON.EXE
+FFFC8E8B=C:\WINDOWS\RUNDLL32.EXE
+FFFB1997=C:\WINDOWS\RunDLL.exe
+FFFCCC63=C:\PROGRAM FILES\NOADS\NOADS.EXE
+FFFA6AFB=C:\PROGRAM FILES\PALM\HOTSYNC.EXE
+FFF9FF5B=C:\WINDOWS\TPPSTRAY.EXE
+FFFAC8D3=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFF9EFAB=C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE2000\OFFICE\1033\MSOFFICE.EXE
+FFF7D207=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF756D3=C:\WINDOWS\SYSTEM\PSTORES.EXE
+FFF60463=C:\MY DOCUMENTS\STARTDREK\STARTDRECK.EXE
»Application specific


----------



## JSntgRvr (Jul 1, 2003)

Run HijackThis. Check the following lines and then click on Fix Checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O9 - Extra button: ComcastHSI - {716F90A0-9F08-11D6-BC29-0030F108927B} - http://www.comcast.net (file missing) (HKCU)

Restart the computer in Safe Mode by tapping F8 during Startup. Once in Safe mode, search for the following strings one by one and delete all files and folders found:

*.tmp
C:\Temp\*.*
C:\Windows\Temp\*.*

Restart the computer. Run Hijackthis one more time and post the new log in a reply.


----------
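The checks applied by eye to the lines fixed above can be written as a small triage script. This is an added example, not part of the original thread or of HijackThis: the function names are its own, the three heuristics (a search setting served through `res://`, a search setting pointed at `about:blank`, an autostart entry loading from a temp directory) are assumptions generalised from the entries this thread fixed, and the sample logs are constructed from lines quoted in the thread. It also rejoins entries that were hard-wrapped when pasted.

```python
import re

# "R1 - ...", "F1 - ...", "O4 - ...": section code, separator, entry body.
ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")
# Any path component named TEMP or TMP (assumption: temp dirs are named this way).
TEMP_RE = re.compile(r"\\te?mp\\", re.IGNORECASE)
# IE search settings as HijackThis prints them: "<key>,<value name> = <data>".
SEARCH_RE = re.compile(
    r",\s*(Search Bar|Search Page|SearchAssistant)\s*=\s*(.*)$", re.IGNORECASE)


def parse_entries(text):
    """Return [(code, body)], rejoining entries that were wrapped across lines."""
    entries, open_entry = [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
            open_entry = True
        elif line and open_entry:
            # Continuation of a wrapped entry (assumes the wrap fell on a space).
            entries[-1][1] += " " + line
        else:
            # Blank line, header, or process list: not part of any entry.
            open_entry = False
    return [tuple(e) for e in entries]


def review(code, body):
    """Return the reasons an entry deserves a closer look (empty list if none)."""
    reasons = []
    if code in ("R0", "R1"):
        m = SEARCH_RE.search(body)
        if m:
            value = m.group(2).strip().lower()
            if value.startswith("res://"):
                reasons.append("search setting served from a local file via res://")
            elif value == "about:blank":
                reasons.append("search setting pointed at about:blank")
    if code == "O4" and TEMP_RE.search(body):
        reasons.append("autostart entry loads from a temp directory")
    return reasons


def flag_log(text):
    """Return [(code, body, reasons)] for every entry that trips a heuristic."""
    flagged = []
    for code, body in parse_entries(text):
        reasons = review(code, body)
        if reasons:
            flagged.append((code, body, reasons))
    return flagged


def cleared(before, after):
    """Flagged entries present in the first log and absent from the second."""
    still_there = set(parse_entries(after))
    return [(c, b) for c, b, _ in flag_log(before) if (c, b) not in still_there]


# Constructed sample: entries quoted in the thread, wrapped the way a pasted log can be.
SAMPLE_BEFORE = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\EXPLORER.EXE

R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Bar =
res://c:\windows\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Window Title = Microsoft Internet
Explorer provided by Comcast
F1 - win.ini: run=hpfsched
O4 - HKLM\..\Run: [ScanRegistry]
c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [sp] rundll32
C:\WINDOWS\TEMP\SE.DLL,DllInstall
"""

# Constructed sample: the same log after the flagged lines were fixed.
SAMPLE_AFTER = r"""Logfile of HijackThis v1.99.1

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
F1 - win.ini: run=hpfsched
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [IrMon] IrMon.exe
"""

if __name__ == "__main__":
    for code, body, reasons in flag_log(SAMPLE_BEFORE):
        print(f"{code} - {body}\n    -> {'; '.join(reasons)}")
    print("cleared by the fix:", len(cleared(SAMPLE_BEFORE, SAMPLE_AFTER)))
```

A hit is a prompt to look at the entry, not a verdict; `about:blank` in particular can be a legitimate setting.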



## Jules1977 (Nov 12, 2004)

This is so tiring!!! 

OK... I've run HT and "Fix Checked." I deleted loads of temp files and things from the temp folders and the windows temp folders (which was quite frightening honestly 2,400 or so files. They're still in the bin at the moment... too chicken to fully toss.)

Upon reboot, I get an error "Error loading C:\Windows\Temp\Se.dll The system cannot find the file specified."

I haven't hit OK as I don't know what that file does... will proceed with caution!  Thanks!


----------



## JSntgRvr (Jul 1, 2003)

This is part of the About:blank Trojan. Did you check and fix the following line in HJT?

O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall

Post a copy of the latest HJT log.

I am going to have someone take a look at it. Empty your Recycle Bin.


----------



## cybertech (Apr 16, 2002)

Reboot to safe mode, click on My Computer then go to View > Folder Options. Click on the "View" tab and make sure "Show all files" is ticked and uncheck "Hide file extensions for known file types". Click "Like Current Folder" then click "Apply" then "OK"

Now do a search for se.dll and delete all that come up in the search.

Go to C:\WINDOWS\TEMP\ and empty the entire folder!

Go to Internet Options, Programs
Click the *"Reset Web Settings"* Button to reset your home and search pages.

If the page does not go to what you want reset it to the page you desire and press the Apply button.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK.

Reboot and post another HJT log.


----------



## JSntgRvr (Jul 1, 2003)

Thanks, Cyber.


----------



## cybertech (Apr 16, 2002)

:up: NP


----------



## Jules1977 (Nov 12, 2004)

JSntgRvr said:


> This is part of the About:blank Trojan. Did you check and fix the following line in HJT?
> 
> O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall


Yup.


----------



## Jules1977 (Nov 12, 2004)

cybertech said:


> Reboot to safe mode, click on My Computer then go to View > Folder Options. Click on the "View" tab and make sure "Show all files" is ticked and uncheck "Hide file extensions for known file types". Click "Like Current Folder" then click "Apply" then "OK"
> 
> Now do a search for se.dll and delete all that come up in the search.
> 
> ...


Have just done all of this and will post a new HJT log shortly. Thanks for all the help...


----------



## Jules1977 (Nov 12, 2004)

OK! It's looking good! No longer getting the error message. Things APPEAR to be clean on the surface... 

If you see anything useless (not just trojan or spyware) that I should toss, feel free to tell me to ditch it. Like I said, it's an old beater that has too much crap on it... takes forever to boot up nowadays.

Regardless, thanks for all of this. Let me know what you see, if anything's left...  (When I searched for se.dll, I couldn't find it... )

Logfile of HijackThis v1.99.1
Scan saved at 6:13:09 PM, on 3/3/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\IOMEGA HOTBURN\AUTOLAUNCH.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NOADS\NOADS.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\WINDOWS\TPPSTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE2000\OFFICE\1033\MSOFFICE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [AtiCwd32] Ati2cwad.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.exe
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [PP3100B] C:\WINDOWS\twain_32\paprport\3100bUSB\flatbed.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ICSDCLT] c:\windows\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [ATIPOLAB] ati2plab.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaab.exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [SSDPSRV] c:\windows\SYSTEM\ssdpsrv.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [NoAds] "C:\PROGRAM FILES\NOADS\NOADS.EXE"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office2000\Office\OSA9.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: Help - {716F90A1-9F08-11D6-BC29-0030F108927B} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {716F90A2-9F08-11D6-BC29-0030F108927B} - http://www.comcastsupport.com (file missing) (HKCU)
O12 - Plugin for .cgi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {2F0347EC-951D-11D2-846C-00A0C955B0C1} (GWNet.ctlGWNet) - file://C:\Program Files\gateway\GATEWAY.NET\HTML\GWNet.CAB
O16 - DPF: {4351667F-8901-11D1-B31B-0060089CD339} (WonGameStart Class) - http://www.wonnet.com/tools/WonGameStartControl.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB


----------



## Jules1977 (Nov 12, 2004)

I lied... as soon as I hit post on that machine, IE crashed with illegal op messages, and "do you want to restart IE," which is what it was doing before with the bug. So something's still kicking around. Hopefully you can see what it is...

Thanks again!

J


----------



## cybertech (Apr 16, 2002)

No I don't see anything, but you should post a log again as the problem may be evident since you have been out on the web.

Out of curiosity how many se.dll files did you find?
Have you searched for them again?


----------



## Jules1977 (Nov 12, 2004)

That's the most absolute recent log possible. Oh, you mean, to post another log again, since coming back here to post the log. OK... I will do that. (I'm posting from another machine.)

And I found ZERO se.dll files... none!  Is that crazy? I'll search for them again.


----------



## cybertech (Apr 16, 2002)

If that is the log *after* getting the device back on the web no need to post another log.

Let me mull it over for a bit...


----------



## Jules1977 (Nov 12, 2004)

No, it's not the log AFTER getting back on the web. I'm going to go run it now and repost.


----------



## Jules1977 (Nov 12, 2004)

Most recent... after having been on the web. Did a search for se.dll as well, and came up with nothing. 

Logfile of HijackThis v1.99.1
Scan saved at 7:36:33 PM, on 3/3/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\IOMEGA HOTBURN\AUTOLAUNCH.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NOADS\NOADS.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\WINDOWS\TPPSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE2000\OFFICE\1033\MSOFFICE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [AtiCwd32] Ati2cwad.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.exe
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [PP3100B] C:\WINDOWS\twain_32\paprport\3100bUSB\flatbed.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ICSDCLT] c:\windows\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [ATIPOLAB] ati2plab.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaab.exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [SSDPSRV] c:\windows\SYSTEM\ssdpsrv.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [NoAds] "C:\PROGRAM FILES\NOADS\NOADS.EXE"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office2000\Office\OSA9.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: Help - {716F90A1-9F08-11D6-BC29-0030F108927B} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {716F90A2-9F08-11D6-BC29-0030F108927B} - http://www.comcastsupport.com (file missing) (HKCU)
O12 - Plugin for .cgi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {2F0347EC-951D-11D2-846C-00A0C955B0C1} (GWNet.ctlGWNet) - file://C:\Program Files\gateway\GATEWAY.NET\HTML\GWNet.CAB
O16 - DPF: {4351667F-8901-11D1-B31B-0060089CD339} (WonGameStart Class) - http://www.wonnet.com/tools/WonGameStartControl.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB


----------



## cybertech (Apr 16, 2002)

Don't go to safe mode just do this in normal mode.

Open Windows Explorer. Go to Tools, Folder Options and click on the View tab. Make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders". Click "Apply" then "OK".

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\Documents and Settings\Administrator *(Repeat for all user names)*\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK.

I don't know if you have done this but it's important to know what is in each of those temp folders.


----------



## Jules1977 (Nov 12, 2004)

It's a Windows 98 machine, so I'm dealing with slightly different things... the "hide protected operating system files" doesn't exist. You worded it differently above, and I followed your advice before though.  

Only have it setup for one user, so that's good. Temp file was relatively empty this time (even tho I keep emptying it!!!) but when I went to empty it AGAIN, there was a file it won't let me delete. "Webpoolfilefile." That's a new one on me. Think it's anything of consequence?

I've done the Temp Internet Files over and over....  Any more ideas?


----------



## JSntgRvr (Jul 1, 2003)

The file you are referring to is created by McAfee VirusScan. Let's test this theory. Open Windows Explorer and navigate to the C:\Windows\Temp folder. The Webpoolfile file will be present.

Now, right click your McAfee icon in the System Tray (lower right corner of the monitor) and Exit (Stop) McAfee. Does the file in C:\Windows\Temp disappear?

You may need to repair Internet Explorer. Can you post the exact error message you are receiving? Click on the Details of the error message, if any. Copy and paste its contents in a reply.

Also, Jules, since many files were deleted during this process, perform some maintenance such as Scandisk and Disk Defragmentation to optimize the hard drive.


----------



## Jules1977 (Nov 12, 2004)

Hey JSntgRvr!

That WebPoolFile has stuck around in that temp file in spite of my having stopped McAfee. Very strange! But, I haven't gotten any error messages from IE and have been clicking around for a few minutes this morning. Will post them if I get them again.

Have run scan disk and will defrag tonight.

I ran another HJT log just in case... a *ZingTemp* folder keeps appearing in that Windows\Temp folder and I wasn't sure what it was. Seemed fishy to me... is it safe???

Logfile of HijackThis v1.99.1
Scan saved at 9:19:41 AM, on 3/7/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\IOMEGA HOTBURN\AUTOLAUNCH.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\TPPSTRAY.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE2000\OFFICE\1033\MSOFFICE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [AtiCwd32] Ati2cwad.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.exe
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [PP3100B] C:\WINDOWS\twain_32\paprport\3100bUSB\flatbed.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ICSDCLT] c:\windows\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [ATIPOLAB] ati2plab.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaab.exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [SSDPSRV] c:\windows\SYSTEM\ssdpsrv.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [NoAds] "C:\PROGRAM FILES\NOADS\NOADS.EXE"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office2000\Office\OSA9.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: Help - {716F90A1-9F08-11D6-BC29-0030F108927B} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {716F90A2-9F08-11D6-BC29-0030F108927B} - http://www.comcastsupport.com (file missing) (HKCU)
O12 - Plugin for .cgi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {2F0347EC-951D-11D2-846C-00A0C955B0C1} (GWNet.ctlGWNet) - file://C:\Program Files\gateway\GATEWAY.NET\HTML\GWNet.CAB
O16 - DPF: {4351667F-8901-11D1-B31B-0060089CD339} (WonGameStart Class) - http://www.wonnet.com/tools/WonGameStartControl.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB


----------



## cybertech (Apr 16, 2002)

Looks like this C:\Program Files\Common Files\Zing\ZingSpooler.exe may be creating that folder.


----------



## Jules1977 (Nov 12, 2004)

I haven't a clue what "Zing" is... it's not anything I've installed, so it sounds rather fishy to me. If it's not something system related, I have no problem nix'ing it.


----------



## cybertech (Apr 16, 2002)

Go to Add/Remove Programs and see if there is a removal.


----------



## Jules1977 (Nov 12, 2004)

No - no removal under add/remove programs.


----------



## JSntgRvr (Jul 1, 2003)

ZingSpooler was used for a drag and drop program to upload pictures to www.zing.com but Zing has gone out of business. It is now used by Sony ImageStation to upload photos to online albums. If you have no use for this, follow these steps:

Run HijackThis. Put a check mark on the following lines and then click on Fix Checked: (I have included lines for unessential programs.)

O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office2000\Office\OSA9.EXE
O9 - Extra button: Help - {716F90A1-9F08-11D6-BC29-0030F108927B} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {716F90A2-9F08-11D6-BC29-0030F108927B} - http://www.comcastsupport.com (file missing) (HKCU)

Start the computer in MSDOS. At the prompt type the following and press Enter:

Deltree C:\Windows\Temp\*.*

Restart the computer and tap on F8 to reach the Startup menu. Select Safe Mode. Using Windows Explorer, navigate to the C:\Program Files\Common Files folder. Right click on the Zing folder and delete. Empty the Recycle Bin and restart the computer.

Check your C:\Windows\Temp folder. It should be emptied, although it is recorded that the WebPoolFile is created by McAfee.


----------



## Jules1977 (Nov 12, 2004)

Temp file is empty. Zing is gone. But IE error message reads as follows.

1st message:

Microsoft Internet Explorer has encountered a problem and needs to close. We are sorry for the inconvenience. If you were in the middle of something, the information you were working on might be lost.
** Check box -- Restart Microsoft Internet Explorer

When I uncheck it, because it's already crashed and I don't want it starting back up, about 20 seconds later the 2nd message is:

Iexplore
This program has performed an illegal operation and will be shut down. (EVEN THOUGH IT ISN'T RUNNING.) If problem persists...

Then the following:

IEXPLORE caused an exception c0000006H in module
WBHOOK32.DLL at 015f:0192882a.
Registers:
EAX=024d2eb0 CS=015f EIP=0192882a EFLGS=00010202
EBX=00000000 SS=0167 ESP=01c6f350 EBP=61b80000
ECX=01c6f364 DS=0167 ESI=00000100 FS=49df
EDX=01c6f585 ES=0167 EDI=bff776fb GS=0000
Bytes at CS:EIP:
8b 45 3c 51 55 8b b4 28 80 00 00 00 03 f5 ff 15 
Stack dump:
00000104 bff776fb 00000100 01c6fe38 00000000 575c3a43
4f444e49 535c5357 45545359 48535c4d 334c4c45 4c442e32
4100004c 5c534554 4641434d 56204545

This just gets better and better!!!! I can't thank you all enough...

Julia


----------



## JSntgRvr (Jul 1, 2003)

This error is associated with McAfee VirusScan. Which version of McAfee is installed?


----------



## Jules1977 (Nov 12, 2004)

It's ancient... and hasn't been updated in years, I'm embarrassed to say. It says it's VirusScan 4.0.1.


----------



## cybertech (Apr 16, 2002)

That is not doing you any good! I would remove that and if you don't want to pay for AV get one of the free ones. Check out this link for several suggestions.

Security Help Tools


----------



## Jules1977 (Nov 12, 2004)

Well, I had no idea it was conflicting with IE!  I have live updates for my other two... I just neglected this Win 98 old fella.

I'll uninstall it tonight. Think it will help with the IE issue? Or do I need to do an IE repair?


----------



## cybertech (Apr 16, 2002)

What it does is try to get updates and when it fails it keeps trying, thus using a ton of your resources.


----------



## Jules1977 (Nov 12, 2004)

McAfee is uninstalled. Hard drive is defragged. Internet Explorer appears to be working fine, without crashing, but spyware popups are continuing to pop up... (as in, on sites that don't have pop ups.) So something is still living in my system.

Can I trouble you all for yet another look at my HJT log? Or am I at a dead end? I'm going to run AdAware and Spybot _again_ and come back and repost my log...


----------



## cybertech (Apr 16, 2002)

Yes, clean up with adaware and spybot and post a log. Give all details about any error messages you get.


----------



## JSntgRvr (Jul 1, 2003)

http://www.thespykiller.co.uk/downloads.htm

Also download and run the CWShredder and the Lop uninstaller from the above link, then after a restart, post the HJT Log.


----------



## Jules1977 (Nov 12, 2004)

You're not going to believe this. I've run AdAware, Spybot and CWShredder. All up to date as possible. I just ran HJT and was going online to post the log from that computer, and the popup blocker I've had installed on there forever blocked me from opening IE... my husband leaned over and disabled the blocker and said "IE won't open every once in a while."  

I watched it try to block "About:Blank." So apparently, About:Blank is apparently BACK.

I'm going to go back and delete all the temp files everywhere. I'll re-read all the posts from before... have no fear I won't expect the two of you to re-tell me everything. But this is getting ridiculous. 

I'll be back with a NEW NEW log... because there's obviously something still lingering. (I'll run the LOP uninstaller as well, thanks.)


----------



## Jules1977 (Nov 12, 2004)

Well....... bad news.

As I mentioned, I ran AdAware, SpyBot, CWShredder, LOP Uninstaller... I deleted all the temp files everywhere. I cleaned out everything. I ran everything twice over and caught more. (That Cool WWW Leftovers kept popping up in AdAware... gave me an error msg about not being able to delete se.dll - it would do it upon reboot. It appeared to be gone on a second runthru. I also did not come upon it thru search.) Reset web settings under Internet Settings/Programs. Did everything as previously instructed.

Ran an HJT log, saved it to My Shared Docs while disconnected from my network... rebooted while reconnected to my network to grab the saved TXT file from my good laptop and post it from here, but for some reason, it's freezing on an hourglass at the login box.  (And I can't connect to that file now.)

Everything that can go wrong will?  Sorry. I must be driving you crazy. Ideas? I'll try booting up into Safe Mode tomorrow night on my own and see what I can find...


----------



## cybertech (Apr 16, 2002)

Download StartDreck from: http://www.niksoft.at/_data/startdreck.zip

Unzip the startdreck.zip file first. Doubleclick: 'StartDreck.exe'

First click on the config button. 
Now click the Unmark all button

Put a check by these boxes only: 
*Registry->run keys 
*Registry->Browser helper objects 
*System/drivers> Running processes 
hit >OK.

Now click the Save button to save that log.

Copy and paste the contents of that log back here please.


----------



## Jules1977 (Nov 12, 2004)

StartDreck (build 2.1.7 public stable) - 2005-03-10 @ 11:17:31 (GMT -05:00)
Platform: Windows 98 (Win 4.10.1998 )
Internet Explorer: 6.0.2800.1106
Logged in as

»Registry
»Run Keys
»Current User
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
*NoAds="C:\PROGRAM FILES\NOADS\NOADS.EXE"
»RunOnce
»Default User
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
*NoAds="C:\PROGRAM FILES\NOADS\NOADS.EXE"
»RunOnce
»Local Machine
»Run
*ScanRegistry=c:\windows\scanregw.exe /autorun
*TaskMonitor=c:\windows\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SoundFusion=RunDll32 cwcprops.cpl,CrystalControlWnd
*AtiCwd32=Ati2cwad.exe
*AtiQiPcl=AtiQiPcl.exe
*Ati2cwxx=Ati2cwxx.exe
*PP3100B=C:\WINDOWS\twain_32\paprport\3100bUSB\flatbed.exe
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
*Drag'n'Drop_Autolaunch="C:\Program Files\Iomega HotBurn\Autolaunch.exe"
*TPP Auto Loader=C:\WINDOWS\TPPALDR.EXE
*LoadQM=loadqm.exe
*ICSDCLT=c:\windows\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient
*ATIPOLAB=ati2plab.exe
*AtiPTA=Atiptaab.exe
*IrMon=IrMon.exe
*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
»RunServicesOnce
**fe=rundll32 C:\WINDOWS\IPCONFQG.DAT,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
*{364738C2-90C3-11D9-BC29-00097174C373}
`InprocServer32=C:\WINDOWS\SYSTEM\OEOKB.DLL
»Files
»System/Drivers
»Running Processes
+FFEF52EF=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFE928B=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFE9F1B=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE1BCF=C:\WINDOWS\RUNDLL32.EXE
+FFFE168B=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFFE48BF=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFDCC13=C:\WINDOWS\EXPLORER.EXE
+FFFCB803=C:\WINDOWS\TASKMON.EXE
+FFFCC23B=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFC339F=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFFC32BB=C:\PROGRAM FILES\IOMEGA HOTBURN\AUTOLAUNCH.EXE
+FFFCAD83=C:\WINDOWS\TPPALDR.EXE
+FFFBACD7=C:\WINDOWS\LOADQM.EXE
+FFFBC127=C:\WINDOWS\RUNDLL32.EXE
+FFFC138F=C:\WINDOWS\SYSTEM\IRMON.EXE
+FFFBA14B=C:\WINDOWS\RunDLL.exe
+FFFC4517=C:\PROGRAM FILES\NOADS\NOADS.EXE
+FFFBE92B=C:\PROGRAM FILES\PALM\HOTSYNC.EXE
+FFFE5293=C:\WINDOWS\TPPSTRAY.EXE
+FFFA1B7B=C:\WINDOWS\RUNDLL32.EXE
+FFFB77C7=C:\PROGRAM FILES\STARTDREK\STARTDRECK.EXE
»Application specific


----------



## Jules1977 (Nov 12, 2004)

*Still getting spyware popups...  Here's the most recent HJT log after running EVERYthing.* (AdAware keeps snagging that CoolWeb... and the se.dll. But it keeps coming back.)

Logfile of HijackThis v1.99.1
Scan saved at 11:21:15 AM, on 3/10/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\IOMEGA HOTBURN\AUTOLAUNCH.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NOADS\NOADS.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\WINDOWS\TPPSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {364738C2-90C3-11D9-BC29-00097174C373} - C:\WINDOWS\SYSTEM\OEOKB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [AtiCwd32] Ati2cwad.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [PP3100B] C:\WINDOWS\twain_32\paprport\3100bUSB\flatbed.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ICSDCLT] c:\windows\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [ATIPOLAB] ati2plab.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaab.exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [NoAds] "C:\PROGRAM FILES\NOADS\NOADS.EXE"
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .cgi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {2F0347EC-951D-11D2-846C-00A0C955B0C1} (GWNet.ctlGWNet) - file://C:\Program Files\gateway\GATEWAY.NET\HTML\GWNet.CAB
O16 - DPF: {4351667F-8901-11D1-B31B-0060089CD339} (WonGameStart Class) - http://www.wonnet.com/tools/WonGameStartControl.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O18 - Filter: text/html - {A87F4123-9155-11D9-BC29-000922BA7713} - C:\WINDOWS\SYSTEM\OEOKB.DLL
O18 - Filter: text/plain - {A87F4123-9155-11D9-BC29-000922BA7713} - C:\WINDOWS\SYSTEM\OEOKB.DLL


----------



## JSntgRvr (Jul 1, 2003)

I am attaching a fix.zip file to this post. It contains a fix.bat file and a fix.reg file.

Run HJT. Check the following lines and click on Fix Checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O18 - Filter: text/html - {A87F4123-9155-11D9-BC29-000922BA7713} - C:\WINDOWS\SYSTEM\OEOKB.DLL
O18 - Filter: text/plain - {A87F4123-9155-11D9-BC29-000922BA7713} - C:\WINDOWS\SYSTEM\OEOKB.DLL

Upload the attachment. Unzip the folder and save the files included therein in the root directory (C:\Folder).

Restart the computer in MSDOS. At the command prompt C:\, type the following and press Enter.

Fix.bat

Answer yes to any dialog message.

Restart the computer. Run HJT and post a new log
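
The triage the helpers are doing by eye on these logs, as an added example that is not part of the original posts: a small Python parser for HijackThis lines with a few heuristics modelled on the entries singled out in this thread. The function names and heuristics are assumptions for illustration; the sample lines are copied from the logs posted in the thread, except the one marked constructed.

```python
import re

# Sample input: lines copied from the HijackThis logs posted in this thread.
# The [fe] line is constructed: it restates the RunServicesOnce entry from the
# StartDreck log in HijackThis O4 form so the same parser can read it.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {364738C2-90C3-11D9-BC29-00097174C373} - C:\WINDOWS\SYSTEM\OEOKB.DLL
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [ICSDCLT] c:\windows\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKLM\..\RunServicesOnce: [fe] rundll32 C:\WINDOWS\IPCONFQG.DAT,DllGetClassObject
O18 - Filter: text/html - {A87F4123-9155-11D9-BC29-000922BA7713} - C:\WINDOWS\SYSTEM\OEOKB.DLL
O2 - BHO: (no name) - {364738C2-90C3-11D9-BC29-00097174C373} - C:\WINDOWS\SYSTEM\OEOKB.DLL (file missing)
"""

# "R1 - ...", "O4 - ...", "O18 - ...": section code, then the entry body.
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
TEMP_RE = re.compile(r"\\te?mp\\", re.IGNORECASE)
# Captures the file that rundll/rundll32 is asked to load (text before the comma).
RUNDLL_RE = re.compile(r"^\S*rundll(?:32)?(?:\.exe)?\s+([^,]+),", re.IGNORECASE)
LOADABLE = (".dll", ".cpl", ".ocx")

TEMP = "references a file under a temp directory"
RES = "IE setting points at a page embedded in a local file (res://)"
BLANK = "IE search setting is set to about:blank"
NOT_DLL = "rundll32 is asked to load a file that is not a .dll/.cpl/.ocx"
NO_NAME = "browser helper object registered without a name"
FILTER = "filter registered for a basic content type (text/html or text/plain)"
ORPHAN = "entry points at a file that no longer exists"


def parse(log):
    """Return (code, body) pairs; headers and process paths do not match."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def classify(code, body):
    """Return the list of reasons an entry deserves a closer look."""
    reasons = []
    low = body.lower()
    if TEMP_RE.search(body):
        reasons.append(TEMP)
    if code in ("R0", "R1"):
        name, _, value = low.partition(" = ")
        if value.startswith("res://"):
            reasons.append(RES)
        elif value.strip() == "about:blank" and "search" in name:
            reasons.append(BLANK)
    elif code == "O4" and "] " in body:
        m = RUNDLL_RE.match(body.split("] ", 1)[1])
        if m and not m.group(1).strip().lower().endswith(LOADABLE):
            reasons.append(NOT_DLL)
    elif code == "O2" and low.startswith("bho: (no name)"):
        reasons.append(NO_NAME)
    elif code == "O18" and low.startswith(("filter: text/html", "filter: text/plain")):
        reasons.append(FILTER)
    if "(file missing)" in low:
        reasons.append(ORPHAN)
    return reasons


def triage(log):
    """Return (line, reasons) for every entry with at least one reason."""
    flagged = []
    for code, body in parse(log):
        reasons = classify(code, body)
        if reasons:
            flagged.append((f"{code} - {body}", reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

A flagged line is a prompt to look closer, not a verdict: the `(file missing)` check, for instance, also matches harmless leftovers such as the Comcast O9 buttons in the earlier logs.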


----------



## Jules1977 (Nov 12, 2004)

*Extracted the fix.bat and fix.reg into the C: directory and when in DOS at C: prompt, gave command of Fix.bat, a bunch of commands ran by and finished with "Bad command or file name." Was never given any dialog messages. Did I do something wrong?

So I went back in and ran another HJT log for now...

Edit... I may have done something stupid. I'll be right back. I think I posted the wrong log... will have to get the newest log. Sorry!*


----------



## Jules1977 (Nov 12, 2004)

Nope, I didn't do anything stupid. I just posted a log, after deleting everything you told me to, that still had everything in it that I previously "fixed." I don't get it. 

I'm doing it again... and I'll re-post THAT log.

FWIW, I'm getting error messages: Error loading C:\Windows\IPCONFQG.dat The system cannot find the file specified. And likewise for the se.dll.


----------



## Jules1977 (Nov 12, 2004)

*This one looks better. I ran AdAware, Spybot, and CWShredder AGAIN...*

Logfile of HijackThis v1.99.1
Scan saved at 4:24:50 PM, on 3/10/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\IOMEGA HOTBURN\AUTOLAUNCH.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NOADS\NOADS.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\WINDOWS\TPPSTRAY.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {364738C2-90C3-11D9-BC29-00097174C373} - C:\WINDOWS\SYSTEM\OEOKB.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [AtiCwd32] Ati2cwad.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [PP3100B] C:\WINDOWS\twain_32\paprport\3100bUSB\flatbed.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ICSDCLT] c:\windows\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [ATIPOLAB] ati2plab.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaab.exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [NoAds] "C:\PROGRAM FILES\NOADS\NOADS.EXE"
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .cgi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {2F0347EC-951D-11D2-846C-00A0C955B0C1} (GWNet.ctlGWNet) - file://C:\Program Files\gateway\GATEWAY.NET\HTML\GWNet.CAB
O16 - DPF: {4351667F-8901-11D1-B31B-0060089CD339} (WonGameStart Class) - http://www.wonnet.com/tools/WonGameStartControl.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB


----------



## JSntgRvr (Jul 1, 2003)

Navigate to the C:\ folder and locate the Fix.reg file. Click on it and when you receive the message asking if you want to merge this file, select Yes.


----------



## JSntgRvr (Jul 1, 2003)

The trojan is no longer in your log.

Have HJT fix this:

O2 - BHO: (no name) - {364738C2-90C3-11D9-BC29-00097174C373} - C:\WINDOWS\SYSTEM\OEOKB.DLL (file missing)


----------



## Jules1977 (Nov 12, 2004)

OK, I've done both.


----------



## JSntgRvr (Jul 1, 2003)

Please restart the computer and post a new log. I'd like to make sure the Trojan is gone and that no errors are received during Startup...


----------



## Jules1977 (Nov 12, 2004)

All right!!!!! I'm posting from it! Start up seemed fine. No error messages. Things seem fine, but they seemed fine before too. 

Here you go...

Logfile of HijackThis v1.99.1
Scan saved at 4:59:59 PM, on 3/10/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\IOMEGA HOTBURN\AUTOLAUNCH.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NOADS\NOADS.EXE
C:\WINDOWS\TPPSTRAY.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [AtiCwd32] Ati2cwad.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [PP3100B] C:\WINDOWS\twain_32\paprport\3100bUSB\flatbed.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ICSDCLT] c:\windows\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [ATIPOLAB] ati2plab.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaab.exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [NoAds] "C:\PROGRAM FILES\NOADS\NOADS.EXE"
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .cgi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {2F0347EC-951D-11D2-846C-00A0C955B0C1} (GWNet.ctlGWNet) - file://C:\Program Files\gateway\GATEWAY.NET\HTML\GWNet.CAB
O16 - DPF: {4351667F-8901-11D1-B31B-0060089CD339} (WonGameStart Class) - http://www.wonnet.com/tools/WonGameStartControl.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB


----------



## JSntgRvr (Jul 1, 2003)

Yep. The Trojan is gone. Give it a try and give me some feedback about performance. Any popup Ads?


----------



## Jules1977 (Nov 12, 2004)

Well, just wanted to give you an update. Wanted to give it some time with the husband spending some time surfing his usual haunts. Things seem to be going well. Had an issue with some CoolWeb caught by Spybot but it hasn't shown up since... all appears to be clear. No pop ups.

Ran AdAware and Spybot just now and a HJT log if you'd like to take one last look and I'll happily mark this as "solved" if all looks clear!!! System seems to be working well, if a bit slow - the old girl keeps chugging along.

I'll get some free virus scan on her for protection next.

Logfile of HijackThis v1.99.1
Scan saved at 10:05:48 AM, on 3/16/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\IOMEGA HOTBURN\AUTOLAUNCH.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NOADS\NOADS.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\WINDOWS\TPPSTRAY.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [AtiCwd32] Ati2cwad.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [PP3100B] C:\WINDOWS\twain_32\paprport\3100bUSB\flatbed.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ICSDCLT] c:\windows\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [ATIPOLAB] ati2plab.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaab.exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\RunServices: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\RunServices: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\RunServices: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\RunServices: [AtiCwd32] Ati2cwad.exe
O4 - HKLM\..\RunServices: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\RunServices: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\RunServices: [PP3100B] C:\WINDOWS\twain_32\paprport\3100bUSB\flatbed.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\RunServices: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\RunServices: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [ICSDCLT] c:\windows\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2plab.exe
O4 - HKLM\..\RunServices: [AtiPTA] Atiptaab.exe
O4 - HKLM\..\RunServices: [IrMon] IrMon.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [NoAds] "C:\PROGRAM FILES\NOADS\NOADS.EXE"
O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunServices: [NoAds] "C:\PROGRAM FILES\NOADS\NOADS.EXE"
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .cgi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {2F0347EC-951D-11D2-846C-00A0C955B0C1} (GWNet.ctlGWNet) - file://C:\Program Files\gateway\GATEWAY.NET\HTML\GWNet.CAB
O16 - DPF: {4351667F-8901-11D1-B31B-0060089CD339} (WonGameStart Class) - http://www.wonnet.com/tools/WonGameStartControl.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB


----------



## JSntgRvr (Jul 1, 2003)

Seems clear from here. The slowdown could be due to the many programs running in the background. Seems that there are many peripherals connected to the computer (Iomega device, CD_RW, DVD and sound device, as well as an Internet Sharing connection). Everything else looks fine.


----------
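The log-to-log checks made in this thread (the missing-file BHO entry disappearing after the fix, then a later scan being reviewed) can be done mechanically by diffing the entry lines of two HijackThis logs. This is an added example, not part of any post; the function names `parse_entries` and `diff_logs` are hypothetical, and the sample scans are shortened excerpts of the logs posted above.

```python
import re

# An entry line is "<section> - <detail>", e.g. "O4 - HKLM\..\Run: [IrMon] IrMon.exe".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Return the (section, detail) pairs of a log; header and process lines are skipped."""
    entries = set()
    for line in log_text.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            entries.add((match.group(1), match.group(2)))
    return entries

def diff_logs(before, after):
    """Compare two scans: entries removed, entries added, entries whose file is missing."""
    old, new = parse_entries(before), parse_entries(after)
    return {
        "removed": sorted(old - new),
        "added": sorted(new - old),
        "missing_file": sorted(e for e in new if e[1].endswith("(file missing)")),
    }

# Shortened excerpts of the three scans posted in this thread.
SCAN_1624 = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\SYSTEM\IRMON.EXE
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {364738C2-90C3-11D9-BC29-00097174C373} - C:\WINDOWS\SYSTEM\OEOKB.DLL (file missing)
O4 - HKLM\..\Run: [IrMon] IrMon.exe
"""
SCAN_1659 = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\SYSTEM\IRMON.EXE
F1 - win.ini: run=hpfsched
O4 - HKLM\..\Run: [IrMon] IrMon.exe
"""
SCAN_0316 = SCAN_1659 + r"""O4 - HKLM\..\RunServices: [IrMon] IrMon.exe
"""

if __name__ == "__main__":
    for label, old, new in (("after the fix", SCAN_1624, SCAN_1659),
                            ("six days later", SCAN_1659, SCAN_0316)):
        for kind, items in diff_logs(old, new).items():
            for section, detail in items:
                print(f"{label}: {kind} {section} - {detail}")
```

Run against the full logs, the second comparison lists every `RunServices` line of the 3/16 scan under `added`, which makes new autostart entries stand out for review instead of being buried in a long log.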



## Jules1977 (Nov 12, 2004)

Great! Yippee!

The Iomega device/CD_RW are one and the same. DVD is the built-in (broken) disc drive. And I have my wireless home network. Not much else! I really tried to wipe it clean with all of this mess...

Thanks SO much for all of your help!

Can I ask you a question that is semi-related? What's your opinion of Firefox/Mozilla? Just something I was thinking about in terms of trying to stay Spyware-free for this particular machine.


----------



## JSntgRvr (Jul 1, 2003)

> Can I ask you a question that is semi-related? What's your opinion of Firefox/Mozilla? Just something I was thinking about in terms of trying to stay Spyware-free for this particular machine


I do not use it but it has good reviews. Soon, Microsoft will be launching IE 7.0 as a response to Firefox security features. Go figure!

Use the thread's Tools and mark this thread as "Solved".

Best wishes!


----------



## Jules1977 (Nov 12, 2004)

Will do! Thanks again!!!!


----------

