# services.exe, win.ini



## shayquann (Sep 14, 2005)

Windows 98 OS, Verizon DSL. 
I removed a virus from my computer by running Ad-aware SE and smitrem.exe. All traces of it are now gone, but now whenever I have to reboot I get the following message:

*SERVICES.EXE*
Cannot find the file 'SERVICES.EXE' [or one of its components]. Make sure the path and filename are correct and that all required libraries are available.

*I click ok and then this message pops up*.

*Desktop*
Could not load or run 'SERVICES.EXE' specified in the WIN.INI file. Make sure the file exists on your computer or remove the reference to it in the WIN.INI file.

*I click ok and I can use the computer, but only for a short while then:*

When I go online I am only able to view websites briefly. First certain pictures or images won't load, then nothing will load. I get a 'CANNOT FIND SERVER' message (it mentions matching browser settings to LAN settings) whenever I click on any link. My Outlook cannot send or receive e-mails either. I don't get disconnected from the internet, but nothing will load unless I shut down and restart my computer.

I was wondering if this is a problem with the ISP or my computer.
Should I run and post a HiJack This log?

-Thanks


----------



## blues_harp28 (Jan 9, 2005)

Hi. Services.exe is a legitimate part of the Win98 OS..
But it can be linked to a Trojan..
http://www.neuber.com/taskmanager/process/services.exe.html
Post an HJT log..let the log experts take a look...link below..


----------



## flavallee (May 12, 2002)

Definitely post a HijackThis log.

------------------------------------------------------------------------------------

Viruses will sometimes use legitimate file names, but will place them in a location other than where they would normally be.

You didn't say if there's a full-time antivirus program installed and running in that computer.

------------------------------------------------------------------------------------


----------



## shayquann (Sep 14, 2005)

*My hijack this log:*
Logfile of HijackThis v1.99.1
Scan saved at 11:14:09 PM, on 2/25/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
C:\PROGRAM FILES\VERIZON ONLINE\SMARTBRIDGE\MOTIVESB.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
C:\PROGRAM FILES\CREATIVE\MEDIASOURCE\DETECTOR\CTDETECT.EXE
C:\WINDOWS\SYSTEM\SYSVCS.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\VERIZON ONLINE\BIN\MPBTN.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=2c00&s=consumer&LC=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmredir.asp?region,west&bw,dsl&cd,4.0&bm,ho_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cgi.verizon.net/bookmarks/bmredir.asp?region,west&bw,dsl&cd,4.0&bm,ho_home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R3 - URLSearchHook: (no name) - {445B6209-A8E2-F16C-C1AA-F58AD9A2F2C3} - C:\WINDOWS\SYSTEM\NPE.DLL
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=C:\WINDOWS\INET20004\SERVICES.EXE
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.altavista.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {90F9BB2E-2B9B-7C12-B32D-2D17233F21C0} - C:\WINDOWS\SYSTEM\DMKT.DLL (file missing)
O2 - BHO: (no name) - {445B6209-A8E2-F16C-C1AA-F58AD9A2F2C3} - C:\WINDOWS\SYSTEM\NPE.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [HDAudio Driver] C:\WINDOWS\SYSTEM\VXGOEDGB.EXE
O4 - HKLM\..\Run: [HDAudio Driver 1.0] C:\WINDOWS\SYSTEM\WOIHEUWF.EXE
O4 - HKLM\..\Run: [HDAudio Driver 2.0] C:\WINDOWS\SYSTEM\CLYRTW.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Explorer32] C:\WINDOWS\SYSTEM\efsdfgxg.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\SYSTEM\SVCHOST.EXE /s
O4 - HKLM\..\Run: [TikBellExe] C:\WINDOWS\SYSTEM\JQNO.EXE
O4 - HKLM\..\Run: [msci] C:\WINDOWS\TEMP\20061735559_MCINFO.EXE /insfin
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INET20004\SERVICES.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [Explorer64] C:\WINDOWS\SYSTEM\efsdfgxg.exe
O4 - HKLM\..\RunOnce: [test] 
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [SNInstall] C:\WINSTALL.EXE
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\SYSTEM\sysvcs.exe
O4 - HKCU\..\Run: [Tfhva] C:\WINDOWS\SYSTEM\kdktp.exe
O4 - HKCU\..\Run: [Ssrc] "C:\WINDOWS\SYSTEM\aoit\iexplore.exe" -vt mt
O4 - HKCU\..\RunServices: [aupd] C:\WINDOWS\SYSTEM\sysvcs.exe
O4 - HKCU\..\RunOnce: [test] 
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0d\aoltray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra 'Tools' menuitem: AV Home - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.EXE
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .cgi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppl3260.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home
O15 - Trusted Zone: *.asdbiz.biz
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.asdbiz.biz (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/2...apple.com/qt502/us/win/QuickTimeInstaller.exe
O21 - SSODL: DDE - {F33812FB-F35C-4674-90F6-FD757C419C51} - C:\WINDOWS\SYSTEM\birdihuy32.dll


----------



## flavallee (May 12, 2002)

I don't see a full-time antivirus program installed and running in the background. 

Go here so you can download and install *Grisoft AVG Free Edition 7.1*. After it's installed, make sure the latest definition updates have been installed, then run a full scan with it.

-------------------------------------------------------------------------------------

One of the heavy hitters is going to need to jump in and assist you because there are a lot of suspicious entries and infections in your log. :down:

-------------------------------------------------------------------------------------

There are too many unnecessary running programs, so let's get the startup list trimmed down of the more obvious ones.

Click Start - Run, type in MSCONFIG, then click OK - "Startup" tab. Remove the checkmark from:

*TaskMonitor* taskmon.exe

*LoadPowerProfile* LoadCurrentPwrScheme

*QuickTime Task* qttask.exe

*RealTray* RealPlay.exe SYSTEMBOOTHIDEPLAYER

*LoadPowerProfile* LoadCurrentPwrScheme

*SchedulingAgent* mstask.exe

*MoneyAgent* Money Express.exe

*AIM* aim.exe

*Microsoft Works Calendar Reminders* wkcalrem.exe

*Microsoft Office* osa9.exe

*Microsoft Find Fast* findfast.exe

*Office Startup* osa.exe

Click Apply - OK afterwards, then reboot when prompted to.

-------------------------------------------------------------------------------------

Let's get the buildup of temp files cleaned out.

Click Start - Find - Files And Folders, select the hard drive ( C: ) to look in, then delete everything that appears under:

C:\TEMP\*.* (Not all computers have a C:\TEMP folder)

C:\WINDOWS\TEMP\*.*

If you receive a warning that some of these files can't be deleted because they're system files or will prevent a program from running, ignore the warning message. This is all junk, so get rid of it.

-------------------------------------------------------------------------------------

After you've done the above and have rebooted, post a new HijackThis log here.

-------------------------------------------------------------------------------------


----------



## Rollin' Rog (Dec 9, 2000)

Actually "services.exe" is not a legitimate part of Win98 and your Scanlog shows evidence of major infection.

Check and fix these entries in the HijackThis scanlog. Then reboot and search for and delete any of the exes for them that you find. Have "show all files" enabled in Folder Options > View when searching:

R3 - URLSearchHook: (no name) - {445B6209-A8E2-F16C-C1AA-F58AD9A2F2C3} - C:\WINDOWS\SYSTEM\NPE.DLL
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=C:\WINDOWS\INET20004\SERVICES.EXE

O2 - BHO: (no name) - {90F9BB2E-2B9B-7C12-B32D-2D17233F21C0} - C:\WINDOWS\SYSTEM\DMKT.DLL (file missing)
O2 - BHO: (no name) - {445B6209-A8E2-F16C-C1AA-F58AD9A2F2C3} - C:\WINDOWS\SYSTEM\NPE.DLL

O4 - HKLM\..\Run: [HDAudio Driver] C:\WINDOWS\SYSTEM\VXGOEDGB.EXE
O4 - HKLM\..\Run: [HDAudio Driver 1.0] C:\WINDOWS\SYSTEM\WOIHEUWF.EXE
O4 - HKLM\..\Run: [HDAudio Driver 2.0] C:\WINDOWS\SYSTEM\CLYRTW.EXE

O4 - HKLM\..\Run: [Explorer32] C:\WINDOWS\SYSTEM\efsdfgxg.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\SYSTEM\SVCHOST.EXE /s
O4 - HKLM\..\Run: [TikBellExe] C:\WINDOWS\SYSTEM\JQNO.EXE
O4 - HKLM\..\Run: [msci] C:\WINDOWS\TEMP\20061735559_MCINFO.EXE /insfin >>empty the TEMP folder
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INET20004\SERVICES.EXE >> delete the INET20004 folder

O4 - HKLM\..\RunServices: [Explorer64] C:\WINDOWS\SYSTEM\efsdfgxg.exe
O4 - HKLM\..\RunOnce: [test] 

O4 - HKCU\..\Run: [SNInstall] C:\WINSTALL.EXE
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\SYSTEM\sysvcs.exe
O4 - HKCU\..\Run: [Tfhva] C:\WINDOWS\SYSTEM\kdktp.exe
O4 - HKCU\..\Run: [Ssrc] "C:\WINDOWS\SYSTEM\aoit\iexplore.exe" -vt mt >> delete the AOIT folder (do not delete Iexplore.exe in c:\Program Files\Internet Explorer)
O4 - HKCU\..\RunServices: [aupd] C:\WINDOWS\SYSTEM\sysvcs.exe
O4 - HKCU\..\RunOnce: [test] 

O15 - Trusted Zone: *.asdbiz.biz
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.asdbiz.biz (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20...eInstaller.exe
O21 - SSODL: DDE - {F33812FB-F35C-4674-90F6-FD757C419C51} - C:\WINDOWS\SYSTEM\birdihuy32.dll

>> Don't UNcheck any of these entries in msconfig before "fixing" them in HijackThis or they will not be removed.

Do an online antivirus scan at one or more of these sites:


HouseCall
Panda
Kaspersky Online
RAV AntiVirus Online
eTrust Antivirus Scanner

>> install an antivirus program; AVG is free:

http://free.grisoft.com/

Post a new HijackThis scanlog when you have done the above.


----------



## flavallee (May 12, 2002)

Rollin' Rog: 

Thanks for jumping in. This is more than I can handle.

------------------------------------------------------------------------------------------------------------


----------



## shayquann (Sep 14, 2005)

Thanks guys, Will do and post log.
flavallee, you have me in a panic. Is my HJT log a case for the Techguy Hall Of Fame, or what?!
 
j/k


----------



## shayquann (Sep 14, 2005)

*Here's what I was able to do:*
Checked and fixed entries in HJT log.
Panda online virus scan.
Downloaded, installed and scanned Grisoft.

*I wasn't able to:*
Search for and delete any of the exes for them that you find (what are exes, not sure?)
Didn't uncheck anything in MSCONFIG. (wasn't sure what to uncheck)
Do I still do the things Flavallee recommended I do in their post?

HiJack This log:
Logfile of HijackThis v1.99.1
Scan saved at 5:36:38 AM, on 2/27/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
C:\PROGRAM FILES\VERIZON ONLINE\SMARTBRIDGE\MOTIVESB.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
C:\PROGRAM FILES\CREATIVE\MEDIASOURCE\DETECTOR\CTDETECT.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\VERIZON ONLINE\BIN\MPBTN.EXE
C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=2c00&s=consumer&LC=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmredir.asp?region,west&bw,dsl&cd,4.0&bm,ho_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cgi.verizon.net/bookmarks/bmredir.asp?region,west&bw,dsl&cd,4.0&bm,ho_home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.altavista.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0d\aoltray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra 'Tools' menuitem: AV Home - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.EXE
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .cgi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppl3260.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home
O15 - Trusted IP range: 67.19.178.84
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab


----------



## shayquann (Sep 14, 2005)

I have the report of the Panda scan saved. I performed the scan before running the Grisoft scan. Should I post that as well?


----------



## flavallee (May 12, 2002)

shayquann:

I didn't mean to panic you. There are entries in the log that are beyond my expertise to deal with, which is why I'm glad that Rollin' Rog jumped in to assist.

I see that you haven't trimmed down the startup list yet.

----------------------------------------------------------------------------------------------------------


----------



## Rollin' Rog (Dec 9, 2000)

There are no signs of "infection" in the current log. Trimming from here is a matter of performance optimization.

You weren't even close to "Hall of Fame" status -- but be glad you have Win98 and not XP, which is a lot harder to clean. I'd probably have just booted you over to the Security forum and you would have had to run any number of specialized tools to get some stuff out.

For each item that I had you check and fix -- there is a file path with an executable program at the end.

For example:

O4 - HKLM\..\Run: [Explorer32] C:\WINDOWS\SYSTEM\*efsdfgxg.exe*

Where the "exe" is the name I have bolded.

Now it's quite likely that most of these were previously cleaned by an antivirus program -- but you can't be sure of that so you should manually search for and delete any you find.

They are not running now because the registry has been edited to remove their startups.

In your first scanlog, this one WAS running but may have since been deleted:

C:\WINDOWS\SYSTEM\SYSVCS.EXE
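As an added example (not code from this thread, from HijackThis, or from either helper), a small Python triage script that does what Rollin' Rog describes above: it pulls the program path out of each O4 and F1 entry and flags the patterns this thread shows, such as a system-binary name in an unexpected folder, a program launched from TEMP, an empty RunOnce entry, and a win.ini run= autostart. The sample lines are constructed in the shape of the log above, and the watch list of expected locations is an assumption made for the example.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape of the thread's log lines (not the full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\SYSTEM\SVCHOST.EXE /s
O4 - HKLM\..\Run: [msci] C:\WINDOWS\TEMP\20061735559_MCINFO.EXE /insfin
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INET20004\SERVICES.EXE
O4 - HKCU\..\Run: [Ssrc] "C:\WINDOWS\SYSTEM\aoit\iexplore.exe" -vt mt
O4 - HKLM\..\RunOnce: [test]
F1 - win.ini: run=C:\WINDOWS\INET20004\SERVICES.EXE
"""

# Assumed watch list (constructed for this example): names malware borrows.
# Empty tuple = no legitimate home on a Win98 install; otherwise the
# directories where the genuine file lives.
EXPECTED_DIR = {
    "services.exe": (),
    "svchost.exe": (),
    "iexplore.exe": (r"c:\program files\internet explorer",),
}

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\]\s*(.*)$")
F1_RE = re.compile(r"^F1 - win\.ini: run=(.*)$", re.IGNORECASE)
# A quoted program, or an unquoted one (spaces allowed) up to its extension.
EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|com|dll|scr|bat))(?=\s|$)', re.IGNORECASE)

@dataclass
class Entry:
    source: str           # e.g. HKLM\Run or win.ini
    name: str
    command: str
    path: Optional[str]   # program extracted from the command
    flags: List[str] = field(default_factory=list)

def extract_exe(command: str) -> Optional[str]:
    """Return the program part of an autostart command, dropping arguments."""
    m = EXE_RE.match(command.strip())
    return (m.group(1) or m.group(2)) if m else None

def triage(entry: Entry) -> Entry:
    """Apply the checks the thread's helpers did by eye."""
    if not entry.command:
        entry.flags.append("empty autostart entry")
    elif entry.path is None:
        entry.flags.append("could not identify program")
    else:
        directory, base = (s.lower() for s in ntpath.split(entry.path))
        if "\\temp" in directory:
            entry.flags.append("runs from a TEMP directory")
        if base in EXPECTED_DIR and directory not in EXPECTED_DIR[base]:
            entry.flags.append(f"{base} outside its expected location")
        if entry.source == "win.ini":
            entry.flags.append("legacy win.ini run= autostart")
    return entry

def parse_log(text: str) -> List[Entry]:
    """Collect O4 registry autostarts and F1 win.ini run= lines, then triage."""
    entries = []
    for line in text.splitlines():
        if m := O4_RE.match(line):
            hive, key, name, cmd = m.groups()
            entries.append(Entry(f"{hive}\\{key}", name, cmd, extract_exe(cmd)))
        elif m := F1_RE.match(line):
            cmd = m.group(1).strip()
            entries.append(Entry("win.ini", "run", cmd, extract_exe(cmd)))
    return [triage(e) for e in entries]

def suspicious(text: str) -> List[str]:
    """Names of the entries that tripped at least one heuristic."""
    return [e.name for e in parse_log(text) if e.flags]
```

Flagged entries still need the manual step Rollin' Rog describes: search the disk for the named file with hidden files shown, since removing the startup entry does not remove the executable.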


----------



## shayquann (Sep 14, 2005)

Thank you guys for all of your help!


----------

