# Start Menu "Start" missing



## AlexJames (Dec 3, 2003)

My start menu button is blank. It doesn't say "Start".

I did a virus scan, a spybot scan, and restarted the computer twice, it is there as soon as the computer is restarted but it went away when I clicked on it again.

Any idea what this is and how to get it back?


----------



## bandit429 (Feb 12, 2002)

Alex this is not the best way but it is a way to rename the start button. Click the link at the bottom of this post. Download and install Winwinner. Once installed click the icon to open it an then click the start menu tab. look for rename the start menu and check that. then in the blank box at the bottom right type in Start. I would suggest you post a hijack log as well. Click the lower link for that.

http://www.softwarelight.com/index.php?category=System+optimization&program=WinWinner

http://www.tomcoyote.org/hjt/


----------



## AlexJames (Dec 3, 2003)

Ok, I downloaded hijackthis and restarted the computer and the start button is fine now...so far... but here is my log anyway, if anyone sees anything screwy, let me know? lol

Logfile of HijackThis v1.97.7
Scan saved at 12:25:17 AM, on 12/8/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=5.1&bm=ho_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [GDRIVE] C:\IBMTOOLS\IBMBOOT\GDRIVE.EXE -N
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Verizon Online Dialer.lnk = C:\Program Files\Verizon Online\WinPoET\Verizon Online.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Control Pad (HKLM)
O9 - Extra 'Tools' menuitem: Control Pad (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=https://home.peoplepc.com/home/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab


----------



## bandit429 (Feb 12, 2002)

That is a problem You need to download spybot,,,,install it and run it,,,,,,,then click online and update.. Once the updates are install look for the check for problems button and hit that. Then when its finished hit "fix selected problems" Then post another scanlog. You have another trojan going there.

O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL
http://www.doxdesk.com/parasite/Transponder.html

O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
spybot
http://tomcoyote.org/SPYBOT/index1.php


----------



## AlexJames (Dec 3, 2003)

I got SpyBot a few days ago, and just ran it, and it said no immediate threats.

I don't know what the next two lines of your message mean....
BELT is a trojan?
and also bi.dll?


----------



## bandit429 (Feb 12, 2002)

Alex if you ran an updated spybot its supposed to remove the transponder,,,I posted a link up there so you may go see it. I am not in no way doubting your word. I just want to be sure that it gets removed the easiest way. Manual removal is possible but does not look easy. If you've done the update and ran spybot let us know. We will then continue.

CLick below so you may read about it.
http://www.doxdesk.com/parasite/Transponder.html

And we will tackle the second trojan seperatly.

Ad-Aware 6 is supposed to do it too but I am not famiailiar with that program

One other you may try is coolwebshredder Click below. It seems to be a good easy to use program,,,very small. http://www.spychecker.com/program/cwshredder.html


----------



## AlexJames (Dec 3, 2003)

Ok, I went and updated SpyBot, ran it, it found a bunch of things, all look2me or abetterinternet, belt came up a couple times in the abetterinternet ones. So I got rid of them, a couple needed to be removed after start-up. 
I went into msconfig and looked in my startup thing, which is where I had seen BELT before but for some strange reason assumed it was harmless, and it was not there anymore...
so I restarted my computer, ran spybot again, got rid of what it found , a couple look2me and abetterinternet came up again, one of the look2me things said couldnt be removed til a restart.
I went to hijack this and here is a log, let me know if you want another one after I restart the computer.

Logfile of HijackThis v1.97.7
Scan saved at 7:20:27 PM, on 12/8/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=5.1&bm=ho_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [GDRIVE] C:\IBMTOOLS\IBMBOOT\GDRIVE.EXE -N
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Verizon Online Dialer.lnk = C:\Program Files\Verizon Online\WinPoET\Verizon Online.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Control Pad (HKLM)
O9 - Extra 'Tools' menuitem: Control Pad (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=https://home.peoplepc.com/home/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab


----------



## AlexJames (Dec 3, 2003)

I dont see those two lines you pointed out in the log anymore...
does that mean its gone?


----------



## bandit429 (Feb 12, 2002)

Great!!!!  I will look over the rest now. Good job.


----------



## AlexJames (Dec 3, 2003)

Thank you very much, I so appreciate your help.


----------



## bandit429 (Feb 12, 2002)

Have hijack fix these,,,,,,,,,and is verizion your provider,,,,,phone company or something you visit on the net? Or do you use people pc? How is it doing?

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about :blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about :blank

You are very welcome!


----------



## AlexJames (Dec 3, 2003)

Yes I use verizon online, peoplepc is what I had before verizon but it sucked very badly, I havent gotten around to getting rid of it yet...but I will soon....

those two to fix...what are they?


----------



## AlexJames (Dec 3, 2003)

Ok got rid of those two, 
is it a bad thing that everytime I try to refresh a page here 
spybot says that I am trying to download avenue a and do I want to block it? 
lol I click to block it but it keeps coming up....


----------



## bandit429 (Feb 12, 2002)

Alex I have heard that before,,,,,,,,,but I don't know the solution. Sounds like another thread.. What about the rest?? Solved??


----------



## AlexJames (Dec 3, 2003)

well...

I keep doing spybot and keep getting stuff, getting rid of it, restarting my computer , scanning again, and still getting the same four things....



Look2Me: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}

Look2Me: Library (File, nothing done)
C:\WINDOWS\SYSTEM\MSG{3434FE06-352B-4CEE-9716-C0C27D6166E3}0115.dll

VX2/h.ABetterInternet: (File, nothing done)
C:\WINDOWS\Temp\null.rgn

VX2/h.ABetterInternet: Global settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}

When I try to fix them...it says it has fixed 3 of them but that the look2me library one is still in use or something....and might be fixed on restart...
but all four of them come back in the next scan anyway....


----------



## bandit429 (Feb 12, 2002)

Press ctrl+alt+del together just one time,,,,,,,,type exactly whats in that window.


----------



## AlexJames (Dec 3, 2003)

Tech Support Guy Forums - blah blah blah
Explorer
Winmgmt
Navapw32
Pelmiced
Systray
Winpppoverethernet


Thats the list of whats in ctrl alt del


----------



## bandit429 (Feb 12, 2002)

Ok goto start,,,,,,,,find,,,,,,,,files or folders,,,,,type in look2me
whats the location of the file.


----------



## AlexJames (Dec 3, 2003)

I've been doing that, says no files found...

also i have looked in msconfig in startup and dont see it there either...


----------



## bandit429 (Feb 12, 2002)

Ok its gonna require some work in the registry,,,,,,,I am going to ask a friend to help you with it,,,,,,,I could probably get you through it but I would prefer someone who is more experienced at these types of problems. OK?


----------



## AlexJames (Dec 3, 2003)

Ok, thanks


----------



## Mosaic1 (Aug 17, 2001)

Let's see if we can remove the file during a reboot. I have created a registry file for you. It is attached as a text file. Rename the text file as L2m.reg
Double click on L2m.reg to enter into the registry. Reboot. 
Then we need to clean up the registry. Use Spybot and see if it takes care of it. Otherwise we can do it manually for you later.


----------



## Mosaic1 (Aug 17, 2001)

File Deleted. I upload and even try to rename the attachment. It is not as I wrote it after I look at the upload. I am editing this post and will try to attach again in another post.


----------



## AlexJames (Dec 3, 2003)

Ok, did a scan again just to be sure its still happening and yes the same four came back;

Look2Me: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}

Look2Me: Library (File, nothing done)
C:\WINDOWS\SYSTEM\MSG{3434FE06-352B-4CEE-9716-C0C27D6166E3}0115.dll

VX2/h.ABetterInternet: (File, nothing done)
C:\WINDOWS\Temp\null.rgn

VX2/h.ABetterInternet: Global settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}

The library one is the only one , when I try to fix them that says it can't do because its in use...so I went to where that one is and tried to delete it but of course it said I can't because its in use lol...


----------



## AlexJames (Dec 3, 2003)

Ok posted that message before I saw those last two...
going to try that now...


----------



## AlexJames (Dec 3, 2003)

I got a message sayings I cannot import it, it is not a registry script, or something to that effect


----------



## AlexJames (Dec 3, 2003)

It asks if Im sure I want to add this to the registry, then I click yes and get 
Cannot Import C://windows/desktop/L2M.REG the specified file is not a registry script, you can import only registry files.


----------



## Mosaic1 (Aug 17, 2001)

That's odd. Ok Do this. Open tje file in notepad. Click Save As
Name it but put quotes around the name. Like this:
"L2m.reg"

Then save as all files.


----------



## Mosaic1 (Aug 17, 2001)

Go back up to my other post and download the new L2.txt and rename it. I made two changes to it. I hope it works now.


----------



## AlexJames (Dec 3, 2003)

Ok, I haven't done that yet....

but i figured out that look2me came from SpyBan ...

that is software I downloaded and I thought I deleted...

does this mean anything to you? lol That its from SpyBan?


----------



## Mosaic1 (Aug 17, 2001)

Yes it does. At SpywareInfo we see it all the time. And I have removed it many times from XP machines. ME is a bit less easy to work with on this. Do try the file I attached. If it doesn't work, I'll create another file and we'll try to remove everything, the registry entries and the file in a reboot.


----------



## AlexJames (Dec 3, 2003)

Ok I am so confused now...I did a search on google and it seems as though spyban actually puts spyware onto your computer? I thought it was supposed to do the opposite!? lol


----------



## AlexJames (Dec 3, 2003)

I tried deleting them from jump to location, but it just reappears the next time I do a search. 
I am very confused

Going to try again now with that file....


----------



## Mosaic1 (Aug 17, 2001)

Yes. And it has a download surprise package too for some. It is a nasty pest. You want to uninstall it ASAP if you haven't already


----------



## AlexJames (Dec 3, 2003)

Still the same error message...but I really don't know what I'm doing so it could just be me...lol


----------



## Mosaic1 (Aug 17, 2001)

Can you please right click in the file and choose edit. then copy and paste the contents into a post here.


----------



## Mosaic1 (Aug 17, 2001)

Hold on. Let me do it again. the file is not right. It keeps losing some back slashes in the path in the upload. Give me a few minutes.


----------



## AlexJames (Dec 3, 2003)

ÿþR E G E D I T 4

[ H K E Y _ L O C A L _ M A C H I N E \ S O F T W A R E \ M i c r o s o f t \ W i n d o w s \ C u r r e n t V e r s i o n \ R u n O n c e ]

" M S G { 3 4 3 4 F E 0 6 - 3 5 2 B - 4 C E E - 9 7 1 6 - C 0 C 2 7 D 6 1 6 6 E 3 } 0 1 1 5 . d l l " = " C : \ w i n d o w s \ c o m m a n d . c o m / c A t t r i b - h - r - s \ " C : \ \ W I N D O W S \ \ S Y S T E M \ \ M S G { 3 4 3 4 F E 0 6 - 3 5 2 B - 4 C E E - 9 7 1 6 - C 0 C 2 7 D 6 1 6 6 E 3 } 0 1 1 5 . d l l \ " & d e l \ " C : \ \ W I N D O W S \ \ S Y S T E M \ \ M S G { 3 4 3 4 F E 0 6 - 3 5 2 B - 4 C E E - 9 7 1 6 - C 0 C 2 7 D 6 1 6 6 E 3 } 0 1 1 5 . d l l \ " "


----------



## Mosaic1 (Aug 17, 2001)

Sorry. Let me do it again. I have to export in a different format for Win ME.


----------



## Mosaic1 (Aug 17, 2001)

This time the backslashes survived. Hope it works now.


----------



## AlexJames (Dec 3, 2003)

Ok successfully entered...now what ? lol


----------



## Mosaic1 (Aug 17, 2001)

Reboot. That will remove the file. Run spybot and see if it removes the registry entries. If not, we'll have to remove everything diring a reboot.


----------



## bandit429 (Feb 12, 2002)

Is there something I could have done differently that would have changed the outcome??


----------



## Mosaic1 (Aug 17, 2001)

Hi Bandit,
No. this thing doesn't show in HijackThis or StartupList. It is an actual Windows Shell extension and has to be removed while explorer.exe is not running. Even Spybot can't remove it. And it does cause some Explorer crashes from time to time too. 

Mo


----------



## AlexJames (Dec 3, 2003)

Okie dokie,
restarted, came back all screwy and frozen, couldnt restart with ctrl alt del, so I shut it down manually...
restarted....scan disk ran...la la la ...ok fine....
ran spybot, found the same four repeat offenders lol

Look2Me: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}

Look2Me: Library (File, nothing done)
C:\WINDOWS\SYSTEM\MSG{3434FE06-352B-4CEE-9716-C0C27D6166E3}0115.dll

VX2/h.ABetterInternet: (File, nothing done)
C:\WINDOWS\Temp\null.rgn

VX2/h.ABetterInternet: Global settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DDFFA75A-E81D-4454-89FC-B9FD0631E726}


----------



## Mosaic1 (Aug 17, 2001)

Shoot. It's going to be a pain then. Give me a few minutes to find a file and see what we can do about this one.


----------



## AlexJames (Dec 3, 2003)

going to be a pain? You mean it gets worse?
LOL


----------



## AlexJames (Dec 3, 2003)

Would it be possible to start in dos and delete them there? 
since then explorer would not be running?


----------



## Mosaic1 (Aug 17, 2001)

I wrote a bit of a complicated script a while back to remove this Spyban L2M from windows 98. I am not sure it will work. But first I need you to go into Add Remove Programs and remove Spyban. Restart the computer and come right back. I have the script uploaded as a text file. Just rename it with a .vbs extension and double click on it. It will tell you to reboot. You can either reboot or preferably use log off and back on. Do you still have logoff on your start menu? If so use that. ( Use the script at your own risk. It creates several files and a runonce key to execute a script after a log off and back on. It may not work, or it may. I have not tried it on 98 myself.)

It is late here and I am getting very tired. I would appreciate it if we could do this fast. I am not sure I'll be around tomorrow. So this would be the best time.


----------



## AlexJames (Dec 3, 2003)

I deleted spyban a while back, and I can't find it in add/remove or in search files or folders.

And use at your own risk is sort of scary to someone who has no idea what this is I am going to download or how it works...so perhaps I should hold off on it...?


----------



## Mosaic1 (Aug 17, 2001)

YTes it would be. But we have o have a registry file to remove the registry entries and youcould then import that. That's what this script is supposed to do. If you do't want to use it, I understand. Let me know what you want to do.


----------



## AlexJames (Dec 3, 2003)

and also now I'm concerned about the one I already downloaded ....


----------



## Mosaic1 (Aug 17, 2001)

Which one are you concerned about? If you have already rebooted after using that registry file, then it has been deleted from your registry.


----------



## AlexJames (Dec 3, 2003)

The first one, cause when I rebooted after entering it in the registry my computer started all screwy and froze up on me.

Anyway, I'm too scared to use something with a "use at your own risk" disclaimer lol 
I am too ignorant about how it works to risk it...
I really appreciate your help, and don't want to keep you if you are tired.


----------



## Mosaic1 (Aug 17, 2001)

Ok well I am just concerned that we are going to have a problem. Di you by any chance install this recently? And do you have a restore point you could use? IF that would take you back without too much loss you might consider that. 

Do you have an ME bootdisk and do you know how to boot to dos in Win Me?


----------



## bandit429 (Feb 12, 2002)

To make a disk do this,,,get a clean fresh floppy,,,insert it in the drive then go to the control panel and hit add remove programs,,then click the startup disk tab,,,at some point you will be asked to insert your ME cd,,do that,,,,,then when its all fininshed you may reboot with the floppy in the drive and select choice 4 to a minimal boot. That will get you to an A:\ prompt. hang on a bit for Mosiac1 to reply.


----------



## Mosaic1 (Aug 17, 2001)

Thanks Bandit.

We'll wait to hear what Alex wants to do.


----------



## AlexJames (Dec 3, 2003)

I never got a ME CD...it came on my computer when I bought it...


----------



## bandit429 (Feb 12, 2002)

Give it a shot without it,, Hey I have one question. Are you gonna give it to the computer repair shop if we can't help??


----------



## AlexJames (Dec 3, 2003)

I'm thinking about the restore point question...
the problem is ... I downloaded spyban because I had a problem...
this is hurting my brain...lol Im trying to think of a good start point, when I found the look2me properties thingy it said it was from december 1 ...so I could go back to nov 30 ....I think...


----------



## AlexJames (Dec 3, 2003)

Ok thinking the restore thingy is a good simple idea that even I can do....lol...but before I do...are there any adverse consequences I might run into if I do that?


----------



## bandit429 (Feb 12, 2002)

Alex I cannot tell you for sure,,but most things like this get in your restore as well. Now I am not saying that is in every case,, it just has been in every case I have seen. This something new to me and I am learning here. I may be wrong. Do you see a reason why not Mosaic??


----------



## Mosaic1 (Aug 17, 2001)

Many do. I am not sure if this one would. You have a good point, Bandit. At this point, I have just finished another attempt at a method to clean. I am writing the files now.

Alex, let's try this once more. 

Give me a minute or two and I'll upload again.


----------



## Mosaic1 (Aug 17, 2001)

Here is the first file. It is named Clean.txt Download it. Rename it clean.reg and save it in C:\

Just leave it there.


----------



## Mosaic1 (Aug 17, 2001)

Here's the second file. Download it. Rename it 
again.bat

Save it to C:\

Leave it there.

Reboot to the command prompt. At the prompt type this:

C:\again.bat

and press enter.

This will run the batch and hopefully clean your registry and remove the files you need removed. We are gong to be removeing your Temp folder and that could take a while. So if you want to speed that up, go there now and delete a lot of the files ahead of time. They are not needed.


----------



## AlexJames (Dec 3, 2003)

Ok well apparently restoring to a previous date was not the way to go, lets just say I'm lucky to be back....lol but Im still at the same place I was...so...let me read over your messages and see if I can comprehend what Im supposed to do next...


----------



## AlexJames (Dec 3, 2003)

Ok what does reboot to the command prompt mean?


----------



## Mosaic1 (Aug 17, 2001)

Well you tried. Do reverse that restore first. And then do the removal. But since you have garbage in there, after you reverse the last restore and get rid of this thing, flush all your restore points. Start fresh after you are clean by creating a new Restore point.


----------



## Mosaic1 (Aug 17, 2001)

Bandit explained how to get there earlier:


> To make a disk do this,,,get a clean fresh floppy,,,insert it in the drive then go to the control panel and hit add remove programs,,then click the startup disk tab,,,at some point you will be asked to insert your ME cd,,do that,,,,,then when its all fininshed you may reboot with the floppy in the drive and select choice 4 to a minimal boot. That will get you to an A:\ prompt.


 I am sigining off for the night. Take care.


----------



## AlexJames (Dec 3, 2003)

I didn't reverse the restore, I just manually deleted things and added things to get it back to the same point....
the same exact point with the same 4 things I cant get rid of coming up in spybot....


----------



## AlexJames (Dec 3, 2003)

Ok I am very confused.
I have much doubt I will be able to do this without a ME cd the way my luck has been....
also Im not clear on the sequence of what Im supposed to do...


----------



## AlexJames (Dec 3, 2003)

How's this, is there any software on the market , free or not, that I can get that will take care of this?
I know norton wont, and I know spybot wont...but it seems like there should be an antivirus software that can do this...


----------



## bandit429 (Feb 12, 2002)

Alex I tried to explain that restore was not the way to go,,,,you have a choice to make. These instructions are not intended to seem that we are impatient,,more to the note to get you to do the right things and stop second guessing. Cmon now,,,,,is there anyway you could sit there and deny progress has been made? Why hold up at the last step? I'm at a loss. Is there something you don't understand? Edit: As far as I know there is no software,,,,this is fairly new.


----------



## bandit429 (Feb 12, 2002)

One more thing I did forget,,,,We all understand that this is your computer and that you may have lots of pictures or programs and files that mean a lot too you. From the beginning you should know that risks are taking by posting here. Those are plentiful, We can only do our best to help you.


----------



## Mosaic1 (Aug 17, 2001)

Hi. I came back to check. 

Undo the restore you performed.

Then follow my two posts above ( #64 and #65) to create the two files. the reg and the bat 

Follow Bandit's instructions to make a boot disk and boot to the prompt.

When you get to the prompt 

Type 
C:\again.bat

and press enter.

After, remove the floppy from the drive and press Alt +ctrl + del to restart the computer.

Then once back in Windows, see if your problem has been resolved. 
If so, then flush all you restore points and create a new one for a fresh start.

That's it.


----------



## AlexJames (Dec 3, 2003)

There is a lot I don't understand and when someone tells you to do something "at your own risk" and you are totally ignorant about the thing they are telling you to do, then I think second guessing is in order...
I do appreciate your help and mosaic's ...But I'm not trying to "hold up the last step" ....


----------



## AlexJames (Dec 3, 2003)

Ok, thanks for the help guys


----------



## bandit429 (Feb 12, 2002)

I understand.  Mosaic posted check the other page,


----------



## Mosaic1 (Aug 17, 2001)

> I didn't reverse the restore, I just manually deleted things and added things to get it back to the same point....
> the same exact point with the same 4 things I cant get rid of coming up in spybot....


 Manually deleting things? That is not good. You have to uninstall programs, not just delete files and folders.

I have given you files and instructions. I have no more to offer. L2M is a shell extension and must be removed carefully and not while windows explorer is running because a shell extension is a part of the explorer shell.


----------



## bandit429 (Feb 12, 2002)

We all want the best for you Alex,,,,there are no promises. One thing is sure,, we are people who are not sneaking stuff on your computer......we have names,,,,,,we have been here for a bit. Do you see any of those spyware programs leaving addresses for you to contact,,,,,are they making an effort to help you? Did they ask you that this is gonna be installed at your own risk? H e double L no they didnt. I have to work tomorrow,,,Hope to see you soon, Im gone for the night. Take care.


----------



## NiteHawk (Mar 9, 2003)

Alex, there is another thing to keep in mind. Your post has been read over 524 times. Most people don't post if they see that the situation is going well and the advise is sound and taking you on the right path to resolve the problem. IF they think there is an error in the advise OR that it can be expanded upon, then they will add a comment.

Another thing to look at is the number of posts and the per centage of those posts that have been in a tech related forum.

Mosiac1 has been around since August of 2001, has posted 4,788 times as of this time, with 98.9% of those in a tech related field.

Bandit429 has been around since Feb of 2002, has 2866 posts, at this time, with 98% in a tech related field.

The nature of any message board type of help forum is that many people read and "double check" the comments and advise. 

Those that may happen to give bad advise are corrected by others. That has not happened here, has it? Also those that consistently give bad advise don't last long. Again, the nature of the beast is that it is "self policing".

Both Mosaic and Bandit are long standing members of TSG and highly respected by their peers.

Can anyone guarantee that nothing will go wrong? No. There are times when Windows seems to have it's own mind no matter how logical the approach. But then life itself comes with no guarantees.

You have been given very good advise, I would go with it.

Good luck


----------

