# WinME System Restore Freeze



## weeGeordie (Jul 22, 2003)

A retired couple have a WinME system given to them by their daughter (needless to say... no CDs).

Their AOL dial connection has stopped working so they asked if I could take a look. It has a major Spyware infestation which I can't clean properly because I can't get an internet connection. Did a clean with AdAware as best I could and uninstalled the obvious villains. Still lots of bad things running. Tried reinstalling AOL 9 and now Explorer keeps giving errors and shutting down. Booted into SAFE mode and started a System Restore which froze about 1/2 way through.

Can I reboot and proceed or is there some precautionary measure I should take?

I had them leave the system alone until I get back to them.

We appreciate any help or direction.


----------



## cdl2488 (Mar 2, 2006)

System Restore for ME is very unreliable as a whole anyway. If it froze halfway through, chances are it didn't do anything. There isn't really any precautionary measure you can take anyway, so I'd say bite the bullet and reboot. I have ME and I've used System Restore a few times, and it has crashed for me before as well, but I didn't notice any adverse effects.


----------



## Cookiegal (Aug 27, 2003)

*Download the LSP Fix:*

http://cexx.org/lspfix.htm

Launch the application, and click the *I know what I'm doing* checkbox.

This may restore the Internet connection so you can post a HijackThis log but if it doesn't you can download HijackThis onto a floppy and install it on the infected computer to get a log.

Please do the following:

*Click here* to download *HJTsetup.exe*

Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This. 
Continue to click *Next* in the setup dialogue boxes until you get to the *Select Additional Tasks* dialogue.
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click *Finish* and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then ask you to save the log.
Click *Save* to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


----------



## Joey65 (Dec 2, 2003)

Also, if you get an Internet connection, download Ewido malware remover. This is an awesome program and it is free. When you download Ewido, make sure you update it first and foremost, then run the program in safe mode. You will have to monitor it, and when a malware warning pops up you will see a box that says perform actions with all infections; tick that box and then let Ewido do its thing. This will make your system more stable.

Then you will be able to post your HJT log without crashing.

http://www.ewido.net/en/download/


----------



## weeGeordie (Jul 22, 2003)

I'm getting lots of missing DLL messages when I boot so I'll need to do some cleanup first.

I'll get back when I get it stabilized.

Thanks


----------



## Cookiegal (Aug 27, 2003)

I like and use Ewido too but I would prefer to see the HijackThis before running Ewido, if at all possible please.


----------



## weeGeordie (Jul 22, 2003)

The missing DLL files appear to be MS Visual C runtime modules. Is there a way to download and install the entire set or do I have to do them one at a time as I run into them?


----------



## weeGeordie (Jul 22, 2003)

LSPFIX didn't find anything.

Ewido will not install. Something about a corrupted installer.

I did another Adaware scan and clean in SAFE mode and I've taken this HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 1:17:53 PM, on 05/03/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTSMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTPSPD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\CAERE\OMNIPAGEPRO80\OPWARE32.EXE
C:\WINDOWS\SM56HLPR.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\CAERE\OMNIPAGEPRO80\opware16.exe
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\ENHUPDT.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BACKWEB-8876480.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1140490409\EE\AOLHOSTMANAGER.EXE
C:\PROGRAM FILES\NZSEARCH\NZSPC.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1140490409\EE\AOLSERVICEHOST.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\PROGRAM FILES\HIJACKTHIS 1.99.1\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?uid=1880540585&id=5.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?uid=1880540585&id=5.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?uid=1880540585&id=5.0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?uid=1880540585&id=5.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?uid=1880540585&id=5.0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?uid=1880540585&id=5.0
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {E03C8EA0-658E-CCCC-D890-D5FB3C18D79A} - C:\windows\system\cngfqmud.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {8BA0A348-5B3B-E5F6-5DB4-F89F55633B76} - C:\WINDOWS\Ehdgrxxi.dll
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - enhtb.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR52.DLL
O3 - Toolbar: Search - {4ABBD516-8143-2D88-AF1C-EC56D5592A52} - C:\WINDOWS\Ehdgrxxi.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro80\opware32.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [uhjxoobtod] C:\WINDOWS\SYSTEM\zpwatqr.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [] c:\Windows\System\
O4 - HKLM\..\Run: [function redirec] c:\Windows\System\function redirect(){
O4 - HKLM\..\Run: [var strT] c:\Windows\System\var strTemp;
O4 - HKLM\..\Run: [var strP] c:\Windows\System\var strPort;
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Enh Win Updt] C:\WINDOWS\enhupdt.exe
O4 - HKLM\..\Run: [top.location.replace(strTe] c:\Windows\System\top.location.replace(strTemp);
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140490409\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\Windows\System\The site you have requested doesn't exist.
O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\Windows\System\The associated domain name has probably been reserved by a client from
O4 - HKLM\..\Run: [AOLWebutil] "C:\Program Files\Common Files\AOL\System Information\webutil.exe"
O4 - HKLM\..\Run: [StartAOL] "C:\PROGRAM FILES\AOL 9.0I\aol.exe"
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [AOL TopSpeedMonitor] C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [] c:\Windows\System\
O4 - HKCU\..\Run: [function redirec] c:\Windows\System\function redirect(){
O4 - HKCU\..\Run: [var strT] c:\Windows\System\var strTemp;
O4 - HKCU\..\Run: [var strP] c:\Windows\System\var strPort;
O4 - HKCU\..\Run: [	top.location.replace(strTe] c:\Windows\System\	top.location.replace(strTemp);
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [top.location.replace(strTe] c:\Windows\System\top.location.replace(strTemp);
O4 - HKCU\..\Run: [ 
*Search of the Day*] c:\Windows\System\ 
*Search of the Day*
O4 - HKCU\..\Run: [ real estate home finance</cen] c:\Windows\System\ real estate home finance​O4 - HKCU\..\Run: [ 
O4 - HKCU\..\Run: [<H] c:\Windows\System\
O4 - HKCU\..\Run: [</H] c:\Windows\System\
O4 - HKCU\..\Run: [
O4 - HKCU\..\Run: [</frame] c:\Windows\System\
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ Error</TI] c:\Windows\System\ Error
O4 - HKCU\..\Run: [<B] c:\Windows\System\
O4 - HKCU\..\Run: [The site you have requested doesn't ex] c:\Windows\System\The site you have requested doesn't exist.
O4 - HKCU\..\Run: [The associated domain name has probably been reserved by a client ] c:\Windows\System\The associated domain name has probably been reserved by a client from
O4 - HKCU\..\Run: [GANDI then par] c:\Windows\System\GANDI then parked.
O4 - HKCU\..\Run: [</B] c:\Windows\System\
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRAM FILES\AOL 9.0I\AOL.EXE" -b
O4 - HKCU\..\RunServices: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunServices: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\RunServices: [] c:\Windows\System\
O4 - HKCU\..\RunServices: [function redirec] c:\Windows\System\function redirect(){
O4 - HKCU\..\RunServices: [var strT] c:\Windows\System\var strTemp;
O4 - HKCU\..\RunServices: [var strP] c:\Windows\System\var strPort;
O4 - HKCU\..\RunServices: [	top.location.replace(strTe] c:\Windows\System\	top.location.replace(strTemp);
O4 - HKCU\..\RunServices: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\RunServices: [top.location.replace(strTe] c:\Windows\System\top.location.replace(strTemp);
O4 - HKCU\..\RunServices: [ 
*Search of the Day*] c:\Windows\System\ 
*Search of the Day*
O4 - HKCU\..\RunServices: [ real estate home finance</cen] c:\Windows\System\ real estate home finance​O4 - HKCU\..\RunServices: [ 
O4 - HKCU\..\RunServices: [<H] c:\Windows\System\
O4 - HKCU\..\RunServices: [</H] c:\Windows\System\
O4 - HKCU\..\RunServices: [
O4 - HKCU\..\RunServices: [</frame] c:\Windows\System\
O4 - HKCU\..\RunServices: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\RunServices: [ Error</TI] c:\Windows\System\ Error
O4 - HKCU\..\RunServices: [<B] c:\Windows\System\
O4 - HKCU\..\RunServices: [The site you have requested doesn't ex] c:\Windows\System\The site you have requested doesn't exist.
O4 - HKCU\..\RunServices: [The associated domain name has probably been reserved by a client ] c:\Windows\System\The associated domain name has probably been reserved by a client from
O4 - HKCU\..\RunServices: [GANDI then par] c:\Windows\System\GANDI then parked.
O4 - HKCU\..\RunServices: [</B] c:\Windows\System\
O4 - HKCU\..\RunServices: [AOL Fast Start] "C:\PROGRAM FILES\AOL 9.0I\AOL.EXE" -b
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader/imloader.cab​


----------
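A quick way to get an overview of a HijackThis log like the one posted above before deciding what to look at first. This is an added example, not part of the thread or of HijackThis; the function names and the three review heuristics are assumptions, and the sample lines are copied from the log above.

```python
import ipaddress
import re
from collections import Counter

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?uid=1880540585&id=5.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.ca/
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - enhtb.dll (file missing)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [function redirec] c:\Windows\System\function redirect(){
O4 - HKLM\..\Run: [] c:\Windows\System\
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
"""

# Every scan result line starts with a section code such as R1, O1 or O16.
ENTRY = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.*)$")
HOSTS = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<name>\S+)$")
AUTORUN = re.compile(
    r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$"
)
# Assumption: a usable autorun command mentions at least one program file.
PROGRAM = re.compile(r"\.(exe|com|bat|pif|scr|dll)\b", re.IGNORECASE)

REASON_HOSTS = "hosts entry maps a name to a non-local address"
REASON_MISSING = "registered component has no file on disk"
REASON_NO_NAME = "autorun value has an empty name"
REASON_NO_PROGRAM = "autorun command names no program file"


def parse(text):
    """Yield (section_code, body) for each scan result line in the log."""
    for line in text.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            yield match["code"], match["body"]


def is_local(ip_text):
    """True for loopback/unspecified addresses, the usual blocking targets."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def triage(text):
    """Return (entries per section, hosts mappings with counts, findings)."""
    sections, hosts, findings = Counter(), Counter(), []
    for code, body in parse(text):
        sections[code] += 1
        if code == "O1":
            match = HOSTS.match(body)
            if match:
                key = (match["ip"], match["name"].lower())
                hosts[key] += 1
                # Report a repeated mapping once; the count is kept in hosts.
                if hosts[key] == 1 and not is_local(match["ip"]):
                    findings.append((code, REASON_HOSTS, body))
        elif code in ("O2", "O3", "O9"):
            if "(file missing)" in body or "(no file)" in body:
                findings.append((code, REASON_MISSING, body))
        elif code == "O4":
            match = AUTORUN.match(body)
            if match is None:
                continue  # e.g. "O4 - Startup:" shortcut entries
            if not match["name"].strip():
                findings.append((code, REASON_NO_NAME, body))
            elif not PROGRAM.search(match["cmd"]):
                findings.append((code, REASON_NO_PROGRAM, body))
    return sections, hosts, findings


if __name__ == "__main__":
    sections, hosts, findings = triage(SAMPLE_LOG)
    print("entries per section:", dict(sections))
    for (ip, name), count in hosts.items():
        print(f"hosts: {name} -> {ip} (x{count})")
    for code, reason, body in findings:
        print(f"[{code}] {reason}: {body}")
```

The findings are only a list of things to look at; an entry that is not flagged (for example the `cfgmgr52` autorun) still has to be judged by someone who knows what belongs on the machine.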



## Cookiegal (Aug 27, 2003)

Ewido does not run on ME.

Try this winsock repair:

1.) Download http://www.tacktech.com/pub/winsockfix/WinsockFix.zip. (by: Option^Explicit) or http://www.spychecker.com/program/winsockxpfix.html
2.) UnZip WinsockFix.zip (Pay close attention to where the file is extracted to.)
3.) Run WinsockFix.exe.
4.) Click the Fix button.


----------



## weeGeordie (Jul 22, 2003)

I found another way to kick off the AOL dialer which works. The AOL account trial period has expired which is another issue for now. My concern at this point is the HJT log. Are there actions I should take?


----------



## Cookiegal (Aug 27, 2003)

So you mean there is no Internet Service Provider at all so no hope of connecting this computer to the Internet?

If that's the case, we'll do what we can with the HijackThis log but there are tools that need to be run to properly clean this up. 

This looks like a good candidate for a reformat, in my opinion.


----------



## weeGeordie (Jul 22, 2003)

I believe I can get it on the net by connecting to my home network which has high-speed cable internet access.

As much as their daughter thought she was doing them a favour, I will be recommending they consider installing WinXP or buying a new machine w/WinXP on it.

Until then I would like to try and clean it up. Thanks


----------



## Cookiegal (Aug 27, 2003)

Alright then but be sure to disconnect your network cables and take your own computer off line while working on this one so you don't spread the infection.

Download Cleanup from *here* 

Open *Cleanup!* by double-clicking the icon on your desktop (or from the Start > All Programs menu). 
Click the *Options...* button on the right. 
Move the arrow down to "*Custom CleanUp!*" 
Put a check next to the following (Make sure nothing else is checked!):
Empty Recycle Bins 
Delete Cookies 
Cleanup! All Users 
Click *OK* 
 *DO NOT RUN IT YET*

Download the trial version of Ewido Security Suite *here*.
Install ewido.
During the installation, under "Additional Options" *uncheck* "Install background guard" and "Install scan via context menu".
Launch ewido
It will prompt you to update; click the OK button and it will go to the main screen.
On the left side of the main screen click *update*
Click on *Start* and let it update.
*DO NOT* run a scan yet. You will do that later in safe mode.

*Click here* for info on how to boot to safe mode if you don't already know how.

Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.

Restart your computer into safe mode now. Perform the following steps in safe mode:

Run Ewido:
Click on *scanner*
Click *Complete System Scan* and the scan will begin.
During the scan it will prompt you to clean files, click *OK*
When the scan is finished, look at the bottom of the screen and click the *Save report* button.
Save the report to your desktop

Run Cleanup: 
 Click on the "*Cleanup*" button and let it run.
 Once it's done, *close the program*.

Go to Control Panel - Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Restart back into Windows normally now.

Do this on-line scan:
*Panda Active Scan*. Be sure to save the log it creates.

*Come back here and post a new HijackThis log as well as the logs from the Ewido and Panda scans.*


----------



## weeGeordie (Jul 22, 2003)

I tried again but Ewido still will not install


----------



## Cookiegal (Aug 27, 2003)

Sorry, I meant to remove the Ewido part from those instructions before posting. Please do this:

Download Cleanup from *here* 

Open *Cleanup!* by double-clicking the icon on your desktop (or from the Start > All Programs menu). 
Click the *Options...* button on the right. 
Move the arrow down to "*Custom CleanUp!*" 
Put a check next to the following (Make sure nothing else is checked!):
Empty Recycle Bins 
Delete Cookies 
Cleanup! All Users 
Click *OK* 
 *DO NOT RUN IT YET*

*Click here* for info on how to boot to safe mode if you don't already know how.

Restart your computer into safe mode now. Perform the following steps in safe mode:

Run Cleanup: 
 Click on the "*Cleanup*" button and let it run.
 Once it's done, *close the program*.

Go to Control Panel - Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Restart back into Windows normally now.

Do this on-line scan:
*Panda Active Scan*. Be sure to save the log it creates.

*Come back here and post a new HijackThis log as well as the log from the Panda scan.*


----------



## weeGeordie (Jul 22, 2003)

Hmmm. Having problems getting this system to use my LAN connection.


----------



## Cookiegal (Aug 27, 2003)

Please post a current HijackThis log.


----------



## weeGeordie (Jul 22, 2003)

Logfile of HijackThis v1.99.1
Scan saved at 8:03:20 PM, on 08/03/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTSMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTPSPD.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SM56HLPR.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\ENHUPDT.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BACKWEB-8876480.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1140490409\EE\AOLHOSTMANAGER.EXE
C:\PROGRAM FILES\NZSEARCH\NZSPC.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1140490409\EE\AOLSERVICEHOST.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\PROGRAM FILES\HIJACKTHIS 1.99.1\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?uid=1880540585&id=5.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?uid=1880540585&id=5.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?uid=1880540585&id=5.0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?uid=1880540585&id=5.0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?uid=1880540585&id=5.0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?uid=1880540585&id=5.0
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {E03C8EA0-658E-CCCC-D890-D5FB3C18D79A} - C:\windows\system\cngfqmud.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {8BA0A348-5B3B-E5F6-5DB4-F89F55633B76} - C:\WINDOWS\Ehdgrxxi.dll
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - enhtb.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR52.DLL
O3 - Toolbar: Search - {4ABBD516-8143-2D88-AF1C-EC56D5592A52} - C:\WINDOWS\Ehdgrxxi.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [uhjxoobtod] C:\WINDOWS\SYSTEM\zpwatqr.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [] c:\Windows\System\
O4 - HKLM\..\Run: [function redirec] c:\Windows\System\function redirect(){
O4 - HKLM\..\Run: [var strT] c:\Windows\System\var strTemp;
O4 - HKLM\..\Run: [var strP] c:\Windows\System\var strPort;
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Enh Win Updt] C:\WINDOWS\enhupdt.exe
O4 - HKLM\..\Run: [top.location.replace(strTe] c:\Windows\System\top.location.replace(strTemp);
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140490409\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\Windows\System\The site you have requested doesn't exist.
O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\Windows\System\The associated domain name has probably been reserved by a client from
O4 - HKLM\..\Run: [AOLWebutil] "C:\Program Files\Common Files\AOL\System Information\webutil.exe"
O4 - HKLM\..\Run: [StartAOL] "C:\PROGRAM FILES\AOL 9.0I\aol.exe"
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [AOL TopSpeedMonitor] C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [] c:\Windows\System\
O4 - HKCU\..\Run: [function redirec] c:\Windows\System\function redirect(){
O4 - HKCU\..\Run: [var strT] c:\Windows\System\var strTemp;
O4 - HKCU\..\Run: [var strP] c:\Windows\System\var strPort;
O4 - HKCU\..\Run: [	top.location.replace(strTe] c:\Windows\System\	top.location.replace(strTemp);
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [top.location.replace(strTe] c:\Windows\System\top.location.replace(strTemp);
O4 - HKCU\..\Run: [ 
*Search of the Day*] c:\Windows\System\ 
*Search of the Day*
O4 - HKCU\..\Run: [ real estate home finance</cen] c:\Windows\System\ real estate home finance​O4 - HKCU\..\Run: [ 
O4 - HKCU\..\Run: [<H] c:\Windows\System\
O4 - HKCU\..\Run: [</H] c:\Windows\System\
O4 - HKCU\..\Run: [
O4 - HKCU\..\Run: [</frame] c:\Windows\System\
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ Error</TI] c:\Windows\System\ Error
O4 - HKCU\..\Run: [<B] c:\Windows\System\
O4 - HKCU\..\Run: [The site you have requested doesn't ex] c:\Windows\System\The site you have requested doesn't exist.
O4 - HKCU\..\Run: [The associated domain name has probably been reserved by a client ] c:\Windows\System\The associated domain name has probably been reserved by a client from
O4 - HKCU\..\Run: [GANDI then par] c:\Windows\System\GANDI then parked.
O4 - HKCU\..\Run: [</B] c:\Windows\System\
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRAM FILES\AOL 9.0I\AOL.EXE" -b
O4 - HKCU\..\RunServices: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunServices: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\RunServices: [] c:\Windows\System\
O4 - HKCU\..\RunServices: [function redirec] c:\Windows\System\function redirect(){
O4 - HKCU\..\RunServices: [var strT] c:\Windows\System\var strTemp;
O4 - HKCU\..\RunServices: [var strP] c:\Windows\System\var strPort;
O4 - HKCU\..\RunServices: [	top.location.replace(strTe] c:\Windows\System\	top.location.replace(strTemp);
O4 - HKCU\..\RunServices: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\RunServices: [top.location.replace(strTe] c:\Windows\System\top.location.replace(strTemp);
O4 - HKCU\..\RunServices: [ 
*Search of the Day*] c:\Windows\System\ 
*Search of the Day*
O4 - HKCU\..\RunServices: [ real estate home finance</cen] c:\Windows\System\ real estate home finance​O4 - HKCU\..\RunServices: [ 
O4 - HKCU\..\RunServices: [<H] c:\Windows\System\
O4 - HKCU\..\RunServices: [</H] c:\Windows\System\
O4 - HKCU\..\RunServices: [
O4 - HKCU\..\RunServices: [</frame] c:\Windows\System\
O4 - HKCU\..\RunServices: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\RunServices: [ Error</TI] c:\Windows\System\ Error
O4 - HKCU\..\RunServices: [<B] c:\Windows\System\
O4 - HKCU\..\RunServices: [The site you have requested doesn't ex] c:\Windows\System\The site you have requested doesn't exist.
O4 - HKCU\..\RunServices: [The associated domain name has probably been reserved by a client ] c:\Windows\System\The associated domain name has probably been reserved by a client from
O4 - HKCU\..\RunServices: [GANDI then par] c:\Windows\System\GANDI then parked.
O4 - HKCU\..\RunServices: [</B] c:\Windows\System\
O4 - HKCU\..\RunServices: [AOL Fast Start] "C:\PROGRAM FILES\AOL 9.0I\AOL.EXE" -b
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader/imloader.cab


----------



## Cookiegal (Aug 27, 2003)

Go to Control Panel - Add/Remove programs and remove:

*EBATES_MOEMONEYMAKER*

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

* 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidese...0540585&id=5.0

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidese...0540585&id=5.0

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidese...0540585&id=5.0

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidese...0540585&id=5.0

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidese...0540585&id=5.0

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidese...0540585&id=5.0

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

R3 - Default URLSearchHook is missing

O1 - Hosts: 217.116.231.7 aimtoday.aol.com

O1 - Hosts: 217.116.231.7 aimtoday.aol.com

O1 - Hosts: 217.116.231.7 aimtoday.aol.com

O1 - Hosts: 217.116.231.7 aimtoday.aol.com

O1 - Hosts: 217.116.231.7 aimtoday.aol.com

O1 - Hosts: 217.116.231.7 aimtoday.aol.com

O1 - Hosts: 217.116.231.7 aimtoday.aol.com

O1 - Hosts: 217.116.231.7 aimtoday.aol.com

O1 - Hosts: 217.116.231.7 aimtoday.aol.com

O1 - Hosts: 217.116.231.7 aimtoday.aol.com

O1 - Hosts: 217.116.231.7 aimtoday.aol.com

O1 - Hosts: 217.116.231.7 aimtoday.aol.com

O1 - Hosts: 217.116.231.7 aimtoday.aol.com

O1 - Hosts: 217.116.231.7 aimtoday.aol.com

O2 - BHO: (no name) - {E03C8EA0-658E-CCCC-D890-D5FB3C18D79A} - C:\windows\system\cngfqmud.dll

O2 - BHO: (no name) - {8BA0A348-5B3B-E5F6-5DB4-F89F55633B76} - C:\WINDOWS\Ehdgrxxi.dll

O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - enhtb.dll (file missing)

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR52.DLL

O3 - Toolbar: Search - {4ABBD516-8143-2D88-AF1C-EC56D5592A52} - C:\WINDOWS\Ehdgrxxi.dll

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [uhjxoobtod] C:\WINDOWS\SYSTEM\zpwatqr.exe

O4 - HKLM\..\Run: [] c:\Windows\System\

O4 - HKLM\..\Run: [function redirec] c:\Windows\System\function redirect(){

O4 - HKLM\..\Run: [var strT] c:\Windows\System\var strTemp;

O4 - HKLM\..\Run: [var strP] c:\Windows\System\var strPort;

O4 - HKLM\..\Run: [Enh Win Updt] C:\WINDOWS\enhupdt.exe

O4 - HKLM\..\Run: [top.location.replace(strTe] c:\Windows\System\top.location.replace(strTemp);

O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun

O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\Windows\System\The site you have requested doesn't exist.

O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\Windows\System\The associated domain name has probably been reserved by a client from

O4 - HKCU\..\Run: [] c:\Windows\System\

O4 - HKCU\..\Run: [function redirec] c:\Windows\System\function redirect(){

O4 - HKCU\..\Run: [var strT] c:\Windows\System\var strTemp;

O4 - HKCU\..\Run: [var strP] c:\Windows\System\var strPort;

O4 - HKCU\..\Run: [ top.location.replace(strTe] c:\Windows\System\ top.location.replace(strTemp);

O4 - HKCU\..\Run: [top.location.replace(strTe] c:\Windows\System\top.location.replace(strTemp);

O4 - HKCU\..\Run: [ 
Search of the Day] c:\Windows\System\ 
Search of the Day

O4 - HKCU\..\Run: [ real estate home finance</cen] c:\Windows\System\ real estate home finance
O4 - HKCU\..\Run: [

O4 - HKCU\..\Run: [<H] c:\Windows\System\

O4 - HKCU\..\Run: [</H] c:\Windows\System\

O4 - HKCU\..\Run: [

O4 - HKCU\..\Run: [</frame] c:\Windows\System\

O4 - HKCU\..\Run: [ Error</TI] c:\Windows\System\ Error

O4 - HKCU\..\Run: [<B] c:\Windows\System\

O4 - HKCU\..\Run: [The site you have requested doesn't ex] c:\Windows\System\The site you have requested doesn't exist.

O4 - HKCU\..\Run: [The associated domain name has probably been reserved by a client ] c:\Windows\System\The associated domain name has probably been reserved by a client from

O4 - HKCU\..\Run: [GANDI then par] c:\Windows\System\GANDI then parked.

O4 - HKCU\..\Run: [</B] c:\Windows\System\

O4 - HKCU\..\RunServices: [] c:\Windows\System\

O4 - HKCU\..\RunServices: [function redirec] c:\Windows\System\function redirect(){

O4 - HKCU\..\RunServices: [var strT] c:\Windows\System\var strTemp;

O4 - HKCU\..\RunServices: [var strP] c:\Windows\System\var strPort;

O4 - HKCU\..\RunServices: [ top.location.replace(strTe] c:\Windows\System\ top.location.replace(strTemp);

O4 - HKCU\..\RunServices: [top.location.replace(strTe] c:\Windows\System\top.location.replace(strTemp);

O4 - HKCU\..\RunServices: [ 
Search of the Day] c:\Windows\System\ 
Search of the Day

O4 - HKCU\..\RunServices: [ real estate home finance</cen] c:\Windows\System\ real estate home finance
O4 - HKCU\..\RunServices: [

O4 - HKCU\..\RunServices: [<H] c:\Windows\System\

O4 - HKCU\..\RunServices: [</H] c:\Windows\System\

O4 - HKCU\..\RunServices: [

O4 - HKCU\..\RunServices: [</frame] c:\Windows\System\

O4 - HKCU\..\RunServices: [ Error</TI] c:\Windows\System\ Error

O4 - HKCU\..\RunServices: [<B] c:\Windows\System\

O4 - HKCU\..\RunServices: [The site you have requested doesn't ex] c:\Windows\System\The site you have requested doesn't exist.

O4 - HKCU\..\RunServices: [The associated domain name has probably been reserved by a client ] c:\Windows\System\The associated domain name has probably been reserved by a client from

O4 - HKCU\..\RunServices: [GANDI then par] c:\Windows\System\GANDI then parked.

O4 - HKCU\..\RunServices: [</B] c:\Windows\System\

O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe*

Then boot to safe mode by tapping F8 on reboot before windows loads.

Set folder options to show hidden files:

Double-click the My Computer icon.
On the Tools menu, click Folder Options.
Uncheck Hide protected operating system files. Then, under the "Hidden files" folder, click Show hidden files and folders. 
Click Apply. 
Click OK.

Locate and delete these files:

*C:\WINDOWS\SYSTEM\zpwatqr.exe

C:\WINDOWS\enhupdt.exe*

Reboot and post another HijackThis log please.


----------



## weeGeordie (Jul 22, 2003)

The ebates program is not listed under add/delete programs.

The progress bar at the top of the HJT screen froze about 1/3 of the way through. The cursor still moves but no response to anything, including the MS salute (ctl-alt-del).

How much trouble am I in?


----------



## Cookiegal (Aug 27, 2003)

Try following the instructions with HijackThis but in safe mode.


----------



## weeGeordie (Jul 22, 2003)

HJT freezes in safe mode too.


----------



## weeGeordie (Jul 22, 2003)

Rebooted again into safe mode and started through the HJT remove list 1 item at a time.

The freeze happens when attempting to fix the following item(s):

04 - HKLM\..\Run[] c:\Windows\System\


----------



## Cookiegal (Aug 27, 2003)

Let's take a look at a start-up log from HijackThis. 

Open HijackThis and click on config then on misc.tools. Put a check mark in the two boxes and then click on "generate startup list log." Then copy and paste the results here please.


----------



## weeGeordie (Jul 22, 2003)

Wasn't sure if you wanted it in safe mode or normal so I took one of each (attached). I will continue with the instructions for removal but will exclude the problematic item. Thanks.


----------



## weeGeordie (Jul 22, 2003)

Can't continue with HJT clean. Freezing again on a different item. I will wait for a response from the startuplists. Sorry for being impatient.


----------



## Cookiegal (Aug 27, 2003)

Boot to safe mode and run Killbox on this file:

*C:\WINDOWS\CFGMGR52.DLL*

Please post a current HijackThis log as well.


----------



## weeGeordie (Jul 22, 2003)

Killbox says that file does not seem to exist. I searched the C: drive for cfgmgr52.* and found 'c:\windows\cfgmgr52.ini'. Do you want me to delete that one?


----------



## Cookiegal (Aug 27, 2003)

weeGeordie said:


> Killbox says that file does not seem to exist. I searched the C: drive for cfgmgr52.* and found 'c:\windows\cfgmgr52.ini'. Do you want me to delete that one?


Yes please.


----------



## weeGeordie (Jul 22, 2003)

I renamed the file to cnfgmgr52.nin and took a HJT log in safe mode.

I also rebooted into normal mode and took the second log, just in case it was needed.


----------



## Cookiegal (Aug 27, 2003)

Go to Control Panel - Add/Programs and remove:

*EBATES_MOEMONEYMAKE*

Rescan with HijackThis, put a check mark beside these entries, close all other browser windows and click "fix checked".

*
O4 - HKLM\..\Run: [] c:\Windows\System\

O4 - HKCU\..\Run: [] c:\Windows\System\

O4 - HKCU\..\Run: [ 
Search of the Day] c:\Windows\System\ 
Search of the Day

O4 - HKCU\..\Run: [ real estate home finance</cen] c:\Windows\System\ real estate home finance
O4 - HKCU\..\Run: [

O4 - HKCU\..\Run: [<H] c:\Windows\System\

O4 - HKCU\..\Run: [</H] c:\Windows\System\

O4 - HKCU\..\Run: [

O4 - HKCU\..\Run: [</frame] c:\Windows\System\

O4 - HKCU\..\Run: [ Error</TI] c:\Windows\System\ Error

O4 - HKCU\..\Run: [<B] c:\Windows\System\

O4 - HKCU\..\Run: [The site you have requested doesn't ex] c:\Windows\System\The site you have requested doesn't exist.

O4 - HKCU\..\Run: [The associated domain name has probably been reserved by a client ] c:\Windows\System\The associated domain name has probably been reserved by a client from

O4 - HKCU\..\Run: [GANDI then par] c:\Windows\System\GANDI then parked.

O4 - HKCU\..\Run: [</B] c:\Windows\System\

O4 - HKCU\..\RunServices: [] c:\Windows\System\

O4 - HKCU\..\RunServices: [ 
Search of the Day] c:\Windows\System\ 
Search of the Day

O4 - HKCU\..\RunServices: [ real estate home finance</cen] c:\Windows\System\ real estate home finance
O4 - HKCU\..\RunServices: [

O4 - HKCU\..\RunServices: [<H] c:\Windows\System\

O4 - HKCU\..\RunServices: [</H] c:\Windows\System\

O4 - HKCU\..\RunServices: [

O4 - HKCU\..\RunServices: [</frame] c:\Windows\System\

O4 - HKCU\..\RunServices: [ Error</TI] c:\Windows\System\ Error

O4 - HKCU\..\RunServices: [<B] c:\Windows\System\

O4 - HKCU\..\RunServices: [The site you have requested doesn't ex] c:\Windows\System\The site you have requested doesn't exist.

O4 - HKCU\..\RunServices: [The associated domain name has probably been reserved by a client ] c:\Windows\System\The associated domain name has probably been reserved by a client from

O4 - HKCU\..\RunServices: [GANDI then par] c:\Windows\System\GANDI then parked.

O4 - HKCU\..\RunServices: [</B] c:\Windows\System\*

Reboot and post another HijackThis log please.
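The malformed autorun entries in the fix list above can be picked out of a HijackThis log mechanically. The following is an added example, not part of the original posts and not HijackThis's own code: it re-joins O4 entries whose value name contains a line break, then flags registry autoruns with an empty name, an HTML/script fragment, or a command that names no executable. The function names, the heuristics and the extension list are assumptions made for this illustration; the sample lines are taken from the logs in this thread.

```python
import re

# Sample input assembled from O4 lines in the logs posted in this thread.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [uhjxoobtod] C:\WINDOWS\SYSTEM\zpwatqr.exe
O4 - HKLM\..\Run: [] c:\Windows\System\
O4 - HKLM\..\Run: [function redirec] c:\Windows\System\function redirect(){
O4 - HKCU\..\Run: [
Search of the Day] c:\Windows\System\
Search of the Day
O4 - HKCU\..\Run: [
O4 - HKCU\..\Run: [</frame] c:\Windows\System\
O4 - HKCU\..\Run: [The site you have requested doesn't ex] c:\Windows\System\The site you have requested doesn't exist.
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
"""

# Any HijackThis entry starts with a section code such as "R1 - " or "O4 - ".
ENTRY_START = re.compile(r"^[A-Z]\d+ - ")
# Registry autorun: O4 - <key>: [<value name>] <command>
O4_REGISTRY = re.compile(
    r"^O4 - (HK(?:LM|CU)\\\.\.\\\w+): \[(.*?)\] ?(.*)$", re.S)
# Assumed list of extensions that make a command look like a real program.
EXECUTABLE = re.compile(r"\.(exe|com|bat|cmd|pif|scr|dll)\b", re.I)
# HTML tags or JavaScript fragments, as seen in the damaged Run keys.
MARKUP = re.compile(
    r"</?[a-z]|\bfunction\b.*\(|\bvar\s+\w+|top\.location", re.I)


def logical_entries(log_text):
    """Yield one string per log entry, re-joining entries that were
    split over several physical lines by a line break in the value name.
    Lines before the first entry (header, process list) are ignored."""
    current = None
    for line in log_text.splitlines():
        line = line.replace("\u200b", "").rstrip()
        if not line:
            continue
        if ENTRY_START.match(line):
            if current is not None:
                yield current
            current = line
        elif current is not None:
            current += "\n" + line
    if current is not None:
        yield current


def check_autorun(name, command):
    """Return the reasons a registry autorun looks malformed (may be empty)."""
    reasons = []
    if not name.strip():
        reasons.append("empty value name")
    if "\n" in name:
        reasons.append("line break in value name")
    if MARKUP.search(name) or MARKUP.search(command):
        reasons.append("HTML/script fragment")
    if command.endswith("\\"):
        reasons.append("command is a bare directory")
    elif not EXECUTABLE.search(command):
        reasons.append("no executable in command")
    return reasons


def suspicious_autoruns(log_text):
    """Return (key, value name, reasons) for each malformed O4 registry entry.
    The value name is None when the entry has no closing bracket."""
    findings = []
    for entry in logical_entries(log_text):
        if not entry.startswith("O4 - HK"):
            continue  # Startup-folder shortcuts and other sections
        match = O4_REGISTRY.match(entry)
        if match is None:
            key = entry.split(": ", 1)[0][5:]
            findings.append((key, None, ["truncated entry, no closing bracket"]))
            continue
        key, name, command = match.groups()
        reasons = check_autorun(name, command.strip())
        if reasons:
            findings.append((key, name.strip(), reasons))
    return findings


if __name__ == "__main__":
    for key, name, reasons in suspicious_autoruns(SAMPLE_LOG):
        print(f"{key} [{name!r}]: {', '.join(reasons)}")
```

The randomly named `zpwatqr.exe` entry passes these checks because it is a well-formed command; entries like that still need the manual review done in the thread.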


----------



## weeGeordie (Jul 22, 2003)

The EBATES program is not listed in Add/Remove Programs. I will continue with the HJT deletes.


----------



## Cookiegal (Aug 27, 2003)

Then when in safe mode, navigate to this folder and delete it:

*C:\PROGRAM FILES\EBATES_MOEMONEYMAKER*

Also, do this please. Right click *HERE* and Save As (in IE it's "Save Target As") in order to download DelDomains.inf to your desktop.
To use: Right click *DelDomains.inf* and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.


----------



## weeGeordie (Jul 22, 2003)

Can't find that folder


----------



## Cookiegal (Aug 27, 2003)

Continue with the rest please.


----------



## weeGeordie (Jul 22, 2003)

HJT and system freeze trying to delete HKLM:\..\Run:[] c:\Windows\System\


----------



## Cookiegal (Aug 27, 2003)

Go to *Start* - *run* - type in *regedit* and click OK.

Navigate to each of these values, one at a time. Please take a screen shot of what you see in the right-hand pane for each of those values. To do that, click on "print screen" on your keyboard. This will save the image to the clipboard. Open up Paint (you will find that in Accessories) and paste the image there. Save it but change the file extension from .bmp to .jpeg and then upload them here as attachments.

*HKCU\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\Run*


----------



## weeGeordie (Jul 22, 2003)

Can't figure out how to insert the images so I have attached them as files.


----------



## Cookiegal (Aug 27, 2003)

First, let's back up the registry. Click on *File* - *Export* and save it with a .reg file extension on your desktop. It can be restored by double clicking on it and allowing it to merge into the registry.

Navigate to this value:

*HKCU\Software\Microsoft\Windows\CurrentVersion\Run*

Click on each entry in the right-hand pane, one at a time, *EXCEPT the ones that are circled in red* and then select delete. I repeat *DO NOT DELETE THE ONES CIRCLED IN RED!*


----------



## Cookiegal (Aug 27, 2003)

Now, navigate to this value:

*HKLM\Software\Microsoft\Windows\CurrentVersion\Run*

In the right-hand pane, delete just the first entry.

Reboot and post a new HijackThis log please.


----------



## weeGeordie (Jul 22, 2003)

Logfile of HijackThis v1.99.1
Scan saved at 4:24:26 PM, on 13/03/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTSMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTPSPD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SM56HLPR.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\NZSEARCH\NZSPC.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1140490409\EE\AOLHOSTMANAGER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1140490409\EE\AOLSERVICEHOST.EXE
C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPTSKMGR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\AOL 9.0I\WAOL.EXE
C:\PROGRAM FILES\HIJACKTHIS 1.99.1\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140490409\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLWebutil] "C:\Program Files\Common Files\AOL\System Information\webutil.exe"
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [AOL TopSpeedMonitor] C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRAM FILES\AOL 9.0I\AOL.EXE" -b
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net


----------



## Cookiegal (Aug 27, 2003)

Did you do this?



> Also, do this please. Right click *HERE* and Save As (in IE it's "Save Target As") in order to download DelDomains.inf to your desktop.
> To use: Right click *DelDomains.inf* and select: Install (no need to restart)
> Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.


----------



## weeGeordie (Jul 22, 2003)

No. I didn't get that far. When the system froze I stopped there. I'm assuming you want me to go ahead with that step. I will do so now. Thanks


----------



## Cookiegal (Aug 27, 2003)

Yes please.


----------



## weeGeordie (Jul 22, 2003)

Done. Here is the log.

Logfile of HijackThis v1.99.1
Scan saved at 4:24:26 PM, on 13/03/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTSMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTPSPD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SM56HLPR.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\NZSEARCH\NZSPC.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1140490409\EE\AOLHOSTMANAGER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1140490409\EE\AOLSERVICEHOST.EXE
C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPTSKMGR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\AOL 9.0I\WAOL.EXE
C:\PROGRAM FILES\HIJACKTHIS 1.99.1\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140490409\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLWebutil] "C:\Program Files\Common Files\AOL\System Information\webutil.exe"
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [AOL TopSpeedMonitor] C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRAM FILES\AOL 9.0I\AOL.EXE" -b
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net


----------



## Cookiegal (Aug 27, 2003)

Rescan with HijackThis and have it fix these entries:

*O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe*

Reboot and post another HijackThis log please.


----------



## weeGeordie (Jul 22, 2003)

Logfile of HijackThis v1.99.1
Scan saved at 10:15:08 PM, on 15/03/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTSMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTPSPD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SM56HLPR.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\NZSEARCH\NZSPC.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AOL 9.0I\WAOL.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1140490409\EE\AOLHOSTMANAGER.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1140490409\EE\AOLSERVICEHOST.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\AOL 9.0I\SHELLMON.EXE
C:\PROGRAM FILES\HIJACKTHIS 1.99.1\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140490409\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLWebutil] "C:\Program Files\Common Files\AOL\System Information\webutil.exe"
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [AOL TopSpeedMonitor] C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRAM FILES\AOL 9.0I\AOL.EXE" -b
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net


----------



## Cookiegal (Aug 27, 2003)

How are things running now?


----------



## weeGeordie (Jul 22, 2003)

Seems OK now. Does that mean we are done?


----------



## weeGeordie (Jul 22, 2003)

I spoke too soon. I'm getting "Explorer has caused an error in URLMON.DLL"


----------



## Cookiegal (Aug 27, 2003)

Let's try re-registering the .dll

Go to *Start* - *Run*, type in the following and press enter.

*regsvr32 urlmon.dll*


----------



## weeGeordie (Jul 22, 2003)

I restarted the system, did nothing but let it sit for a few hours and I'm getting a series of .DLL errors, most of which seem to be related to AOL programs.

I'm thinking the logical thing to do is to reload Windows but since I don't have access to ME install disks I would like to try a WinXP upgrade.

I have heard there is a utility which will scan my system for compatibility with XP. Where can I find a copy?

Of course I am open to other options so if there are any please let me know.

Thanks


----------



## Cookiegal (Aug 27, 2003)

Are they still using AOL to connect? We could pursue the errors but if you want to upgrade to XP, that might be the best idea.

I found this tool:

http://www.microsoft.com/windowsxp/pro/upgrading/advisor.mspx


----------



## weeGeordie (Jul 22, 2003)

Yes. They still have AOL and it's a pain to work with. I still can't get the dialer to launch from the desktop icon but I can get it to launch from the systray app. 

I also find that even though things seem relatively stable when I start up and try a few things, if I let it sit for a while I get a variety of DLL related failures. I've been hacking away at each error by googling the DLL name and I think I have the system fairly stable.

I will definitely run the XP Advisor and I'm also going to outline what it would cost to buy a new system with XP already loaded. They are remarkably inexpensive these days.

Thanks


----------



## Cookiegal (Aug 27, 2003)

The desktop icon may have become corrupt. Can you create a new one?

Would you mind posting a final HijackThis log so I can be sure nothing has changed please.


----------



## weeGeordie (Jul 22, 2003)

When I click on the desktop icon it flashes the AOL 9.0 splash screen which disappears, then a little disk activity...then nothing.

I created another desktop shortcut icon to the same program but it does the same thing.

Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 9:03:28 PM, on 19/03/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTSMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTPSPD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SM56HLPR.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\NZSEARCH\NZSPC.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1140490409\EE\AOLHOSTMANAGER.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1140490409\EE\AOLSERVICEHOST.EXE
C:\PROGRAM FILES\HIJACKTHIS 1.99.1\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140490409\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [AOL TopSpeedMonitor] C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net


----------
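The comparison requested above (checking a final HijackThis log against an earlier one to confirm nothing has changed) can be done mechanically. This is an added example, not part of the original thread: the function names are hypothetical, and the sample data is the set of HKCU Run entries copied from the two logs posted in this thread.

```python
import re

# A HijackThis entry is "<section code> - <detail>", e.g. "O4 - HKCU\..\Run: [...] ...".
# Header lines and the "Running processes" paths do not match this shape.
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<detail>.+)$")

def parse_entries(log_text):
    """Return the set of (code, normalized detail) pairs in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            # Path case is inconsistent in these logs, so fold case and
            # whitespace before comparing.
            detail = " ".join(match.group("detail").split()).lower()
            entries.add((match.group("code"), detail))
    return entries

def diff_logs(before, after):
    """Return (added, removed) entries between two logs, each sorted."""
    old, new = parse_entries(before), parse_entries(after)
    return sorted(new - old), sorted(old - new)

# HKCU Run entries from the earlier log in this thread.
BEFORE = r"""
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRAM FILES\AOL 9.0I\AOL.EXE" -b
"""

# The same section from the final log (19/03/2006).
AFTER = r"""
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
"""

if __name__ == "__main__":
    added, removed = diff_logs(BEFORE, AFTER)
    for code, detail in added:
        print("added  ", code, detail)
    for code, detail in removed:
        print("removed", code, detail)
```

On these two excerpts the diff reports one new autostart entry (PopUpStopperFreeEdition) and two that are gone (LDM and AOL Fast Start); any added entry is what a reviewer would look at first.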



## Cookiegal (Aug 27, 2003)

Do you know how old this computer is?


----------



## weeGeordie (Jul 22, 2003)

No I don't. I ran an older version of Everest and it tells me the motherboard is MSI MS-6368, the motherboard chipset is VIA VT8601A Apollo PLE133 and the BIOS is AWARD Modular (05/27/02).

Does that help?


----------



## Cookiegal (Aug 27, 2003)

If that is February 27, 2005, then I'd say fine but if it's May 27, 2002, the system has likely become unstable and a reformat would be in order.


----------



## weeGeordie (Jul 22, 2003)

The video BIOS date shows as 04/25/20, so I gotta believe the first 2 digits are the year.


----------



## Cookiegal (Aug 27, 2003)

How many user profiles are there?


----------



## weeGeordie (Jul 22, 2003)

Looks like just the one


----------



## Cookiegal (Aug 27, 2003)

Download *WinPFind*
*Right Click* the Zip Folder and Select "*Extract All*"
Extract it somewhere you will remember like the *Desktop*
Dont do anything with it yet!

*Click here* for info on how to boot to safe mode if you don't already know how.

Reboot into Safe Mode.

Double click *WinPFind.exe*
Click "*Start Scan*"
*It will scan the entire System, so please be patient and let it complete.*

Reboot back to Normal Mode!


Go to the *WinPFind folder*
Locate *WinPFind.txt*
Copy and paste WinPFind.txt in your next post here please.


----------



## weeGeordie (Jul 22, 2003)

Since I have been able to get the system fairly stable I set it up for the owners and we tried working with AOL Tech Support to get things going. We got very close but AOL's recommendation was to get rid of ME. I gave the owners some leads on where to buy system units with WinXP preloaded and they are going to get back to me when they make a decision.

Sorry to put you through all this work but I had to give it the old college try.


----------



## Cookiegal (Aug 27, 2003)

No problem. I think that's a wise decision.


----------

