# Solved: freezing still



## raffikki (Apr 30, 2005)

I've had some great help from flavallee recently but am still having freezing problems.
So far I've unchecked LoadPowerProfile (x2) and SchedulingAgent at start up, I've also stopped Norton Antivirus 2005 automatically updating (because a lot of the time it just stops responding).
When I tried to re-boot yesterday I got a black screen with a flashing "-" in the top left corner and had to shut down. When I started up again there was NO scan, everything was normal.
I've also changed the power options to always on and the rest to never.
I then tried to restart into safe mode to do a virus scan and got the blue screen with error: OE:0187:BFF8E64B. CTL + ALT + DELETE wouldn't work and I hit "any key" and ended up with a black screen with Japanese style figures across the top of the screen.
Eventually got into safe mode, ran the scan and it came back clean :up:
I tried again to restart and it froze just after the Windows sound as the desktop comes on.
After shutting down again it restarted with the scan disk.
Did a Spybot - Search and Destroy scan and removed 27 objects.
flavallee seems to suggest more RAM which I will look into, but are there other problems I might have?
Here is my latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:25:58 AM, on 3/05/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\A4TECH\MOUSE\AMOUMAIN.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.optusnet.com.au/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.opendiary.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optusnet.com.au/upgrade.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer From OptusNet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4TECH\MOUSE\AMOUMAIN.EXE
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au/upgrade.html
O16 - DPF: Dialpad US Java Applet - http://www.dialpad.com/applet/src/vscp.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.communities.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! WebCam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,4,0,4247/mcfscan.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab


----------



## GoJoAGoGo (Dec 26, 2002)

I don't know if this may be related with your freezing problems but I also use Windows ME and I found out if I don't keep my Video Graphics Drivers updated I will get startup and shutdown freezes very often like 3-4 times per week. I use NVIDIA Graphic Drivers and they are updated about every 3-4 months. Since I've updated my Graphic Drivers regularly, I've had a minimal amount of startup or shutdown freezes like 1-2 per month.

I suggest you check and see if your Video Graphic Drivers are up to date and see if this may correct your problem.


----------



## raffikki (Apr 30, 2005)

This is gonna sound dumb, but how do I check and see if my Video Graphic Drivers are up to date?


----------



## raffikki (Apr 30, 2005)

I tried Windows help to find the Video Graphic Drivers, I was directed to an online Microsoft Help and Support page: http://support.microsoft.com/kb/q258934/ 
Diamond Viper V330 Detected as Nvidia Riva 128
I tried to follow these instructions:
To manually update the driver:
1.	Click Start, point to Settings, click Control Panel, and then double-click System.
2.	Click the Device Manager tab.
3.	Click the plus sign (+) next to Display Adapters.
4.	Double-click the Nvidia Riva 128 device.
5.	Click the Driver tab, and then click Update Driver.
6.	Click Specify the location of the driver (Advanced), and then click Next.
7.	Click Display a list of all drivers in a specific location..., and then click Next.
8.	Click Show All Hardware.
9.	In the Manufacturers box, click Diamond.
10.	In the Models box, click Diamond Viper V330.
11.	Click Next, and then finish the installation.

When I clicked next to finish I got:

Update Driver Warning
The driver that you have chosen was not written specifically for the selected hardware and may not work correctly. Installing this driver is not recommended. Are you sure you want to use this driver?

Of course I clicked No cause I have no idea whether I was doing it right?

edited to add that in the Display Adapters list there was only SiS, so I double clicked on that. After that everything was the same as the instructions


----------



## GoJoAGoGo (Dec 26, 2002)

Right click My Computer > Properties > Device Manager and click on the + sign for Display Adapters to find out what type of Graphic Driver you have. Then go to that Graphic Driver web site to download the latest Graphic Driver. If you do have NVIDIA Graphic Drivers, here's the link:
http://nvidia.com/content/drivers/drivers.asp


----------



## raffikki (Apr 30, 2005)

I did as you said and found Sis 630/730

Firstly I went to Windows Update cause I remembered something under drivers, I hadn't d/led it before cause there was no info about it and didn't know what it did.
I d/led 
Sis display software update
released on January 08 2002

I then went to the SiS website and did a scan they have to see what I have and what is available for me.

I got a list of d/l's:
Graphics UniVGA 
IDE SiS IDE Controller 
Audio SiS 7018 Audio Controller 
LAN SiS 900 Fast Ethernet Controller 

So far I have d/led the first (it took nearly 5 hrs!!) and put it in Program files.
I'm gonna do the rest tomorrow and put them there too.

One big question though, do I just open them like any other program to install them?
Is there anything I need to be careful about?
Last thing I wanna do is put something in the wrong place and stuff everything up!


----------



## Rollin' Rog (Dec 9, 2000)

Look for a "readme" in the folder containing the files. This will often tell you how to install it. Some video driver installs are self-installing "exes".

Others require you to use the update/change wizard associated with the Display adapter in the Device Manager. In this case you use the "specify location" option and manually navigate to the folder which should contain a .inf file which is used to load the driver.

This page may prove helpful:

http://support.microsoft.com/support/kb/articles/Q131/8/06.ASP

By the way, video drivers are not the only possibility here. Heat is another one. You may need to ensure the fan is working and blow out any dust in the computer case.


----------



## raffikki (Apr 30, 2005)

The first d/l was Graphics UniVGA the d/l was called 630_208a_win9x.zip. 
I extracted this to Program files.
It's in a folder called Win9x, which it created itself at extraction.
I had a look for a readme file but couldn't find one.
I tried the instructions but when I select that folder it doesn't recognize it??

I then tried method 1(a) "Search for a better driver than the one your device is using now (recommended)"
That located more than one driver "that may work for my hardware" 
SiS 630 C\:WINDOWS\INF\SIS630M.INF
SIS 630 C\WINDOWS\INF\OTHER\SISSIS~1.INF
Both have the same driver date 8-1-2000

So now I'm stuck.
What was it that I d/led? and how do I use it?
Should I d/l the other ones? and then try the same instructions?

I'm scared of really stuffing something up.


----------



## Rollin' Rog (Dec 9, 2000)

First just to cover this base, make sure the folder is completely extracted and not in the original zip container.

Then see if there is either an "exe" or a .inf file in the folder (such as the ones below). Typically if there is an .exe, it is a "setup" program you run directly.

If there is a .inf file, then the update wizard should find it if you have browsed to and selected that folder.

Either of these will work for you also, so you can give one of them a whirl:

SiS 630 C\:WINDOWS\INF\SIS630M.INF
SIS 630 C\WINDOWS\INF\OTHER\SISSIS~1.INF


----------



## raffikki (Apr 30, 2005)

Thanks Rollin' Rog 
I couldn't have extracted it properly, there was only 1 exe file but it couldn't find a .dll, I extracted it again into the same folder and then tried the exe and it will work (just have to finish an online scan before I run it completely)

Once I've run it I may be back with more questions (just a warning..lol)

Thanks heaps

raffikki


----------



## Rollin' Rog (Dec 9, 2000)

Good luck, I'll be back later this evening for a look see.

I'm kind of skeptical this is the source of the freezing issue, but there are ways to check, such as running in VGA mode.

Heat is still a prime suspect especially if the problem tends to occur after the system has been on a while or after intensive cpu usage.


----------



## raffikki (Apr 30, 2005)

I only ran the scan because this morning I've had nothing but trouble, 
when I first tried to connect to the internet after clicking on connect the message of "Validating user password" stayed, I clicked cancel and then that stayed, I clicked the x to close the connecting window and tried again and got:
Dial-up Networking
Another program is dialing the internet

I tried to restart but it froze, had to shut down.
The scan disk did its thing at startup.

I opened Mozilla Firefox, the connection worked but comp froze as my start page was loading.

Restarted again, everything was OK until I tried to get into my ISP webmail, it wouldn't accept my default username and password, but a different account was OK.
On the third attempt I got in.

What you say about heat has me wondering as the computer was left on all night 

I tried to run the setup.exe, it started fine, but then got this warning window:

Severe
Setupx.dll,InstalHinfSection Setup.DriverCopy 128 C:\PROGRA~I\WIN9X\WIN9X\WinMe\sis630m.inf

I clicked ok, then got:

Severe
Fail to execute .inf

I put all the files I'd extracted in the recycle bin and when I tried to empty that, the recycle bin froze. I did CTL+ALT+DELETE and both the recycle bin and explorer had stopped responding. I tried end task for the recycle bin and got blue screen error:
File Name: VWIN32(05)+00000D3B
Error: OE:0028:C02A3F13

I "Hit any key" and the desktop came back and I restarted

This is the result of the Panda ActiveScan:
Adware:Adware/eZula 
C:\WINDOWS\SYSTEM\stub.exe 
Adware:Adware/SaveNow 
Windows Registry 
Spyware:Spyware/Bridge 
C:\WINDOWS\Downloaded Program Files\bridge.??? 
Adware:Adware/eZula 
C:\WINDOWS\SYSTEM\STUB.EXE 
Adware:Adware/FavoriteMan 
C:\WINDOWS\SYSTEM\Favorite.dll 
Adware:Adware/KeenValue 
C:\WINDOWS\Downloaded Program Files\imloader.exe 
Spyware:Spyware/Bridge 
C:\WINDOWS\Downloaded Program Files\bridge.inf 
Adware:Adware/WildTangent 
C:\Program Files\shockwave.com\BOUNCE\WebDriverSilentInstall.exe 
Adware:Adware/SaveNow 
C:\My Documents\ScreenSavers\wfallsfree.exe[wfalls.exe][BSAVEINST.EXE] 
Adware:Adware/SaveNow 
C:\My Documents\ScreenSavers\beachfree.exe[beaches.exe][BSAVEINST.EXE] 
Adware:Adware/SaveNow 
C:\My Documents\ScreenSavers\lakefree.exe[lakesetup.exe][BSAVEINST.EXE] 
Adware:Adware/SaveNow 
C:\My Documents\ScreenSavers\cupidfree.exe[cupid.exe][BSAVEINST.EXE]

Could these be part of my problems? How do I get rid of them??


----------



## Rollin' Rog (Dec 9, 2000)

You do have some old ad/spyware there, but since they do not show up in the Scanlog I think they are just residual entries and not a part of the current problem.

Right now I would be looking at the heat issue. Have you tried shutting down, removing the case and blowing out any accumulated dust? Then turn the system on and check to see if the fan is working. If you have a small table fan you can leave that blowing in on the open case and see if that helps with the stability and error messages you are getting.


----------



## tonkacat (Mar 7, 2005)

How many anti-virus programs do you have running? Norton, HouseCall, McAfee?


----------



## raffikki (Apr 30, 2005)

It froze on start up this morning again.
I tried CTL+ALT+DELETE and got the "System Busy" blue screen, then after "hitting any key" got a second blue screen "System either busy or unstable"

Rollin' Rog, I will try that today and see if it helps

Hi tonkacat, I only have Norton AntiVirus 2005 and ZoneAlarm (version:5.5.094.000) running.

Thank you both for answering  

edited cause I hit reply too soon..lol


----------



## HeddaLora (Oct 24, 2003)

I didn't see your earlier post, so I don't know what all you've tried so far. Here's a basic maintenance checklist that helps with system instability and speed. Try whatever's on there that you haven't tried yet.

-- Delete all temp files (c:\windows\temp\*.tmp, or on XP C:\Documents and Settings\username\Local Settings\Temp)

-- Delete temporary internet files (c:\windows\temporary internet files\*.*, or on XP C:\Documents and Settings\username\Local Settings\Temporary Internet Files)

-- If you use I.E., click on Tools, Internet Options, Delete Files, select "delete all off-line content", click OK

-- Click on Start, Programs, Accessories, System Tools, Disk Cleanup

-- Download AdAware, check for updates, run it and remove whatever it finds

-- Periodically empty the browser cache and the java plug-in cache

-- Download Diskeeper and defrag

-- Download, update and turn on SpywareBlaster and SpywareGuard (or your spyware removal tool of choice).


----------



## GoJoAGoGo (Dec 26, 2002)

Hi raffikki:

Were you able to update your Graphic Drivers?


----------



## tonkacat (Mar 7, 2005)

raffikki I have been told that running more than one anti-virus program will keep the computer from running as it should. Maybe that is your problem? I don't know if you have deleted anything since you posted the HiJackThis Log, but McAfee was listed also. Three anti-virus programs fighting for control could cause conflicts.


----------



## raffikki (Apr 30, 2005)

HeddaLora , I've gone to run and typed %temp% and deleted what is in that folder.
When you say "Delete all temp files (c:\windows\temp\*.tmp" & "Delete temporary internet files (c:\windows\temporary internet files\*.*" do you mean for me to search for "*.tmp" and "*.*" and delete all?
I will do the 3rd and 4th things you mention now.
I do have Adaware and also SpyBot, I run them at least once a week.
How do I empty the browser cache and the java plug-in cache?
I try to Scan Disk and Defrag monthly, will do that tonight.
Are SpywareBlaster and SpywareGuard different from SpyBot and Adaware? Do I need both?

GoJoAGoGo , I finally realized what I was doing wrong with the Graphic Drivers, but when installing them some were actually older than the ones I had but there was an option to keep those. I'm pretty sure I did it correctly.

tonkacat , I have used numerous online scans, could they have left something? I have been using Norton for about 5 yrs now. I tried Trend Micro at the beginning of this year, but it caused everything to go really slow so I stuck with what I'm used to.


----------



## tonkacat (Mar 7, 2005)

raffikki maybe you should post another HJT log? I have Norton 2005. I also run Spybot S & D and Adaware every time I log off the net. So far I have had a lot of success keeping bugs out of my computer this way.


----------



## raffikki (Apr 30, 2005)

I just did another HJT scan

Logfile of HijackThis v1.99.1
Scan saved at 9:01:36 AM, on 6/05/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\A4TECH\MOUSE\AMOUMAIN.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.optusnet.com.au/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.opendiary.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optusnet.com.au/upgrade.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer From OptusNet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4TECH\MOUSE\AMOUMAIN.EXE
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au/upgrade.html
O16 - DPF: Dialpad US Java Applet - http://www.dialpad.com/applet/src/vscp.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.communities.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! WebCam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,4,0,4247/mcfscan.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {BA549C46-AD38-11D7-A476-00D0590EC9DE} (SiS_OCX98 Control) - http://www.sis.com/ocis/SiSAutodetect98.cab


----------



## tonkacat (Mar 7, 2005)

I'm not an expert....

This is McAfee Anti-virus:
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/i...247/mcfscan.cab

Check out these:
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...uditControl.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9
(ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {BA549C46-AD38-11D7-A476-00D0590EC9DE} (SiS_OCX98 Control) - http://www.sis.com/ocis/SiSAutodetect98.cab 


----------



## raffikki (Apr 30, 2005)

Do you mean run the scan, check them, then click "fix checked"?
Sorry for sounding dumb, but I'm new to this HJT program


----------



## GoJoAGoGo (Dec 26, 2002)

016 Entries are harmless as these are only virus scanners that are run and aren't antivirus programs that provide full time protection. There is only 1 antivirus program running full time, it's Norton's and it's located in the Running Processes at the very top of the log.

You can remove the 016 entries from this HijackThis Log but they won't cause any problems if you leave them there.
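
As an added example (not part of any poster's message and not HijackThis's own code), the Python below parses the section-coded lines of a HijackThis log, diffs two scans, and groups the O16 (Downloaded Program Files) entries by the host they were fetched from. The sample input is a shortened excerpt of the two logs posted in this thread; the function names are hypothetical.

```python
import re
from urllib.parse import urlparse

# Shortened excerpts of the two logs posted in this thread (3/05 and 6/05 scans).
SCAN_OLD = r"""
Running processes:
C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
"""

SCAN_NEW = SCAN_OLD + r"""
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {BA549C46-AD38-11D7-A476-00D0590EC9DE} (SiS_OCX98 Control) - http://www.sis.com/ocis/SiSAutodetect98.cab
"""

# A log entry is "<section code> - <body>", e.g. "O16 - DPF: ...".
# The section code starts with a letter (R or O), not the digit zero.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
CLSID_RE = re.compile(
    r"^(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})\s*"
)


def parse_entries(log):
    """Return [(section, body)]; header and running-process lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def diff_scans(old_log, new_log):
    """Return (added, removed) entries between two scans, in log order."""
    old, new = parse_entries(old_log), parse_entries(new_log)
    added = [e for e in new if e not in old]
    removed = [e for e in old if e not in new]
    return added, removed


def parse_dpf(body):
    """Split an O16 body into CLSID, display name, source host and file name."""
    if not body.startswith("DPF:"):
        raise ValueError("not an O16 DPF body: %r" % body)
    label, sep, url = body[4:].strip().rpartition(" - ")
    if not sep:
        raise ValueError("no download source in: %r" % body)
    m = CLSID_RE.match(label)
    clsid = m.group(1) if m else None
    name = (label[m.end():] if m else label).strip()
    if name.startswith("(") and name.endswith(")"):
        name = name[1:-1]
    return {
        "clsid": clsid,
        "name": name or None,          # some entries carry only a CLSID
        "host": urlparse(url).hostname,
        "file": url.rsplit("/", 1)[-1],
    }


def dpf_by_host(log):
    """Group installed ActiveX/Java controls by the host they came from."""
    hosts = {}
    for section, body in parse_entries(log):
        if section == "O16":
            d = parse_dpf(body)
            hosts.setdefault(d["host"], []).append(d["name"] or d["clsid"])
    return hosts


if __name__ == "__main__":
    added, removed = diff_scans(SCAN_OLD, SCAN_NEW)
    for section, body in added:
        print("new    ", section, body)
    for section, body in removed:
        print("removed", section, body)
    for host, names in sorted(dpf_by_host(SCAN_NEW).items()):
        print(host, "->", ", ".join(names))
```

Run on the two full logs, the diff reduces several hundred lines to the handful that changed between scans, which is the part worth reading line by line.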


----------



## raffikki (Apr 30, 2005)

I removed ALL the 016 entries  
I hope I haven't stuffed up


----------



## GoJoAGoGo (Dec 26, 2002)

Like I said it's OK to remove the 016 and it's OK to leave them as they are harmless. The next time you run an online virus scanner like trendmicro or mcafee, the 016 entries will return.


----------



## raffikki (Apr 30, 2005)

Thanks everyone for helping me out!

So far apart from the freeze up this morning it's been running pretty good

I've done a ScanDisk in safe mode which finished with no problems
I've done the "I.E., click on Tools, Internet Options, Delete Files, select "delete all off-line content", click OK"
I did a disk clean up
I've updated both Adaware and Spybot and will scan when I go off line in a minute
I've d/led Spyware Blaster and will update it if necessary. *Do I need to start that when I go online or is it automatic?*
and lastly I've looked into Diskeeper and will d/l tomorrow when I come back online

The only things I haven't done are
empty the browser cache and the java plug-in cache, I have no idea how to do that. If someone wouldn't mind giving me a bit more info I'd really appreciate it 

Delete temporary internet files (c:\windows\temporary internet files\*.* & Delete all temp files (c:\windows\temp\*.tmp
I have gone to run and typed %temp% then deleted everything there, is that the same??

and finally I haven't taken the back case off. That I'll do when the scans are all finished and I've turned everything off

Thanks again everyone :up: , I'll let you know if I have any problems tomorrow


----------



## GoJoAGoGo (Dec 26, 2002)

raffikki said:


> The only things I haven't done are
> empty the browser cache and the java plug-in cache, I have no idea how to do that. If someone wouldn't mind giving me a bit more info I'd really appreciate it


To clear the Browser Cache in Firefox go to Tools > Options > Privacy Tab then click the "Clear Tab" next to "Cache".
I think you already mentioned clearing the cache in Internet Explorer but I will describe that in case you missed it. To clear the Browser Cache in Internet Explorer go to Tools > Internet Options > General Tab and under the Temporary Internet Files section click "Delete Files". The best thing to do in Internet Explorer is to set it to have your Cache emptied automatically every time you close your browser. To do it this way click the Advanced Tab, scroll down to the Security section and click in the box to put a check mark next to "Empty Temporary Internet Files folder when browser is closed".

To clear the Java Plug-in Cache go to Settings > Control Panel and double click the Java Plug-in Icon then click the Cache Tab at the top and then click "Clear".


----------



## tonkacat (Mar 7, 2005)

I would suggest you run defrag. It helps tidy things when you have deleted files. I'm glad the computer is working better!


----------



## raffikki (Apr 30, 2005)

Unfortunately when I tried to restart last night it froze again
This time it was a black screen with a white box:

Ccapp
CCAPP caused a general protection fault in module USER.EXE at 0003:0007ae3

On the 3rd try I was able to finally restart then shut down.

This morning after it started up it froze when I clicked on the Mozilla icon. 
After shutting down it froze again at scan disk. 
On the 3rd attempt it did the scan and here I am 

I have a gut feeling that something is causing Norton to act up, but I'm not 100% sure.

Any more ideas??

edited to add that I did the disk defrag last night

edited again to add:

I tried to double click on the java icon and got this message


----------



## Rollin' Rog (Dec 9, 2000)

The error message really doesn't get us any closer to the source. "User.exe" faults are most typically the result of program conflicts or diminished resources -- however on startup, there is really not much in there that should account for it.

Other sources include memory faults (bad ram) and general processor instability, which still could be heat in this case.

There are a couple of software memory testers available that might be worth running.

http://oca.microsoft.com/en/windiag.asp

http://www.memtest86.com/


----------



## raffikki (Apr 30, 2005)

Rollin' Rog, I looked at the back case last night to see how to take it off.
Both fans were working, one sucking in and one blowing out.
I have to get some Allen keys, today, to take it off and check everything.
I will check out those links now


----------



## raffikki (Apr 30, 2005)

I THINK my problems might be over :up: No freezing for nearly 2 full days
I totally uninstalled Norton AntiVirus 2005, I remembered a few years back that I had to do this.
In the msconfig start up list 'Symantec NetDriver Monitor' no longer appears.
I also re-installed Java, because of the error message I got when I tried to double click on the icon.
(as well as doing everything you all suggested)

A HUGE Thank You to 
flavallee
golferbob 
GoJoAGoGo 
Rollin' Rog
tonkacat
and HeddaLora :up:  :up:

My last HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 9:02:49 AM, on 8/05/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\A4TECH\MOUSE\AMOUMAIN.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.optusnet.com.au/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.opendiary.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optusnet.com.au/upgrade.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer From OptusNet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4TECH\MOUSE\AMOUMAIN.EXE
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au/upgrade.html
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe


----------



## GoJoAGoGo (Dec 26, 2002)

You're welcome and good to hear the freezing has stopped.


----------



## Rollin' Rog (Dec 9, 2000)

Great! Feel free to mark the thread "Solved" using the Thread Tools tab whenever you feel confident of the resolution.

Did you reinstall NAV, or does that last scanlog have a different version?


----------



## raffikki (Apr 30, 2005)

Unfortunately my problems are with Norton AntiVirus 2005

My last HJT log was after I uninstalled and re-installed it. 

Everything was running fine until I realized that although Live Update was set to automatic, there were a few things that weren't being d/led
IDS Program Update and Intrusion Detection Signature Update

I have tried everything that was suggested on their web site but if anything things started getting worse

It got to the point this morning that after 4 attempts to start my comp and 4 freezes, I decided to do a system restore. That just messed everything up and now it (Norton) can't find the virus definition file and won't do anything. Won't uninstall, run, update etc.

I've printed out dozens of pages to try and sort this out.

I'm gonna attempt 1 last time to uninstall it.

Hopefully I'll be back soon


----------



## Rollin' Rog (Dec 9, 2000)

Be advised "scanreg /restore" in Windows 98/ME is not the same as "System Restore" in XP/ME. Scanreg /restore reverts registry entries but leaves files and never should be used if you have a newly installed program which you want to keep.

I'm not 100 % sure this NAV 2005 remover is for your version, but have a look:

http://service1.symantec.com/SUPPOR...sf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=


----------



## raffikki (Apr 30, 2005)

Thanks for the link Rollin' Rog 

I've managed to uninstall and then re-installed in "clean boot mode"

It caused lots of dramas to begin with cause I didn't have a list of things I wanted to run on start up..lol. After finally getting on here and disabling the correct ones things seem ok.

Norton is doing the auto update now and I'll leave it a while until I'm sure it's finished.
I've printed that link just in case! (and d/led the programs for removal in case I need them)

Thanks again, with a bit of luck I will finally be able to add to the title of this thread "SOLVED"


----------



## Rollin' Rog (Dec 9, 2000)

Hang in there


----------



## raffikki (Apr 30, 2005)

After trying everything here except uninstalling again, I'm wondering if my Norton wasn't like this before as I never tried to update manually 

It hasn't frozen since this morning :up:

Does anyone think these things that aren't being updated are important?
(I added the screen shots of the error messages)

I'm ready to give up, I'm happy as long as it doesn't freeze.


----------



## Rollin' Rog (Dec 9, 2000)

I wonder if there might not be some conflict between ZoneAlarm and NAV's liveupdate.

Unfortunately sometimes just "disabling" ZoneAlarm isn't enough to test, and a complete removal is necessary. When done, this has to be done right to avoid problems.


----------



## raffikki (Apr 30, 2005)

This morning I tried again to update Norton, still the same with the 3 items.
I then tried to do a scan but got a blue screen with error: OE:0187:BFF82042
"any key" got me a black screen. I tried CTL+ALT+DELETE and ended up with a multi coloured screen that was like my desktop all scrambled

I shut down and it restarted *without* scan disk.

"*When done, this has to be done right to avoid problems.*" 

Rollin' Rog, 
do you mean that I should completely remove ZoneAlarm, and try to update?
OR Remove BOTH ZoneAlarm AND Norton, then re-install Norton without ZoneAlarm on my comp?
If I do that do I then re-install ZoneAlarm?


----------



## raffikki (Apr 30, 2005)

Another error message which I haven't seen before.
I was having a look around here and trying to do a Panda ActiveScan.


----------



## Rollin' Rog (Dec 9, 2000)

The blue screen and the past "freezing" may be related. Both can point to a video driver problem. If this persists I would reinstall or update the Video drivers. The symptoms here: freezing, scrambled desktop, error with BFF* address tend to be Video related. But unless you keep seeing this I would ignore it for now.

I'm not sure either is related to Norton's failures. You can try "disabling" Zonealarm by shutting it off through its System Tray interface (you need to do this first if you want to uninstall anyway; you shouldn't uninstall it with it actually running). I don't think you need to reinstall Norton again unless the problem persists in a relatively clean environment.


----------



## raffikki (Apr 30, 2005)

I think I've sorted the Norton problem out, I uninstalled and re-installed with nothing running except Explorer. 
Tried the updates, got most, restarted (which froze with black screen and flashing *-* in the top left corner) 
Shut everything except Explorer again, updated again and got the IDS program updates 

Rollin' Rog, I've opened "system" in the control panel and gone to 
"Device Adapters" then
"Display Adapters" where SiS 630/730 is listed.
I right clicked then selected "Properties"
selected "Driver", and finally clicked "update driver".
The "Update Driver Wizard" opened
I selected "Automatic search for better driver (recommended)" and then clicked "Next".
The next window says "You are already using the best driver for this device" so I click next and close.
Am I doing it right?
Should I be looking somewhere different?

Sorry if I sound like I don't know what I'm doing.... but I really don't know what I'm doing..lol


----------



## Rollin' Rog (Dec 9, 2000)

You are doing it right. I would not reload the Video drivers at this time unless no other cause can be found for continuing freezes.

One workaround that is helpful in testing is to right click on My Computer and go to Properties > Performance > Graphics.

You should see a hardware accelerator there. Often reducing the acceleration a notch or two resolves video freezes. You will see some performance hit in doing this, but when it helps it is confirmation that the Video drivers need reinstalling or updating.

In most installations simply removing the Display Adapter from the device manager and rebooting causes the device to be redetected and the existing drivers to be automatically reinstalled.

But sometimes Windows does not locate the install file and you must update from the web.

These drivers can be found here:

http://www.sis.com/download/

They are under the IGP Graphics Drivers section; I cannot post it directly.


----------



## raffikki (Apr 30, 2005)

Hi again Rollin' Rog, I did as you suggested and moved the accelerator back 1 notch.
I didn't notice any changes.
I d/led the IGP Graphics Driver last week but I'm not sure if when I did the System Restore yesterday, if it messed anything up  
Later this morning I tried to restart after d/ling and installing a Mozilla Firefox update.
I got a few different blue screens.

1st one said an error has occurred.
*File name: SYMEvent(01) + 0000BD17
Error: OE:0028:C00E01DF*

I tried CTL+Alt+DEL and the Close Program window popped up. All that was running was Amoumain, Zclient and Systray.

I tried CTL+Alt+DEL and got the 2nd blue screen:
*An exception has occurred at 0028:C0265211 in VxD VPOWERED(07) + 00000299. This was called from 0028:C00F2BE0 in VxD(01) + 00000640. It may be possible to continue normally.
*Press any key to attempt to continue.
*Press CTL+Alt+DEL to restart your computer.*

I pressed enter and got a black screen (I could hear the fans running)
After about 10 seconds I got blue screen no.3.
An error has occurred.
*File name: VNBT(02) + 00000AF5
Error: OE:0028:C182F98F*

I hit the space bar and got blue screen no4.  
*An error has occurred.
Error: OD:0000:00000000*
I hit the space bar again and got the same screen again.
*An error has occurred.
Error: OD:0000:00000000*
I tried CTL+Alt+DEL and got the same blue screen again.
*An error has occurred.
Error: OD:0000:00000000*
I decided to shut down and everything started normally (with no scan disk)

Now I'm really


----------



## Rollin' Rog (Dec 9, 2000)

The first vxd error is with Symantec Antivirus. The next two are with power management and networking vxd's respectively.

Why all three together, and then being able to start normally -- I don't know.

Have you taken apart that case to blow out any accumulated dust?

>> If you did a System Restore to a date prior to your video driver reinstall, yes you undid the install.


----------



## raffikki (Apr 30, 2005)

Yesterday I blew out the back (I didn't manage to get the entire back off though), and reinstalled the drivers because I figured because of the system restore it had been reversed like you said.
It restarted ok and shut down ok.
This morning when I tried to turn it on it froze on start up (had to shut down), froze when it was trying to connect to the internet (had to shut down), then froze again at start up.
The 4th attempt was successful.

Should I give up?


----------



## Rollin' Rog (Dec 9, 2000)

I would put it in a semi "clean boot" mode. Disable everything in msconfig > startups except scanregistry and statemgr.

By the way, looking at that scanlog again, I notice both NPF and ZoneAlarm there. You could be getting a conflict with both.

Just be careful about your browsing and downloading habits. See if you continue to have these problems.

You might want to try installing a temperature monitor and see if it shows any unusually high temps after being on for a while.

Here's one, a bit geeky to configure, but it will give you a real time reading if your motherboard supports it.

http://www.majorgeeks.com/download.php?det=311


----------



## raffikki (Apr 30, 2005)

When you say "NPF" is that Norton Personal Firewall??
I only bought the Norton AntiVirus 2005, if NPF does mean Norton Personal Firewall, I didn't realize I had it  

I've d/led mbm5370.exe (temperature monitor) from the link you gave, I'm not sure what it is or how it works but I'll suss it out tomorrow.

I was also looking through the windows help files and came across "Dr Watson", the "Automatic Skip Driver" and the "System Information".
I ran ASD and it said no current ADS critical operation failures.
I ran the other 2 and have attached both txt's if they are of any use. (I know they both contain a load of stuff in them and totally understand if it's too much to read)


----------



## Rollin' Rog (Dec 9, 2000)

>> I was seeing this in the Scanlog and assuming it meant NPF was installed, perhaps it is just a residual entry, but then I would expect a startup error:

O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

>> I have never seen anyone get any useful information or help out of ASD. When it does give feedback it is impossible to decipher.

>> Dr Watson is occasionally useful, but I would not leave it running as the error messages it produces are different from the normal ones you would receive and can be more difficult to research. As a system information tool, there are others more helpful.

Your best bet now is clean boot troubleshooting using msconfig. Keep it simple.
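The `O4` lines in a HijackThis log are the same Run/RunServices autorun entries that msconfig's Startup tab toggles, so two logs can be compared to confirm what a clean boot actually disabled. The following is an added example, not part of the original posts: the function names and the `KEEP` list are assumptions made for illustration, the sample lines are the `O4` entries copied from the 8/05/2005 and 19/05/2005 logs in this thread, and only the registry form of `O4` lines is handled.

```python
import re
from typing import NamedTuple

# O4 (autorun) lines copied from the 8/05/2005 log in this thread (normal startup).
LOG_NORMAL = r"""
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4TECH\MOUSE\AMOUMAIN.EXE
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
"""

# O4 lines copied from the 19/05/2005 log (after the msconfig clean boot).
LOG_CLEAN = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
"""

# Assumption for this example: the entries the thread advises leaving enabled.
KEEP = ("ScanRegistry", "StateMgr", "SystemTray")


class Autorun(NamedTuple):
    hive: str     # HKLM or HKCU
    key: str      # Run, RunServices, ...
    name: str     # value name shown in brackets
    command: str  # full command line as logged
    image: str    # executable path with arguments stripped


# "O4 - HKLM\..\Run: [Name] command" (registry form only).
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.+)$', re.MULTILINE)
# Quoted path, or an unquoted path (which may contain spaces) up to its extension.
IMAGE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|bat|dll))(?=\s|$)', re.IGNORECASE)


def image_of(command: str) -> str:
    """Return the executable part of an autorun command line."""
    m = IMAGE_RE.match(command)
    if m:
        return m.group(1) or m.group(2)
    return command.split()[0]


def parse_o4(log_text: str) -> list:
    """Extract registry autorun entries from HijackThis log text."""
    entries = []
    for hive, key, name, command in O4_RE.findall(log_text):
        command = command.strip()
        entries.append(Autorun(hive, key, name, command, image_of(command)))
    return entries


def norm(name: str) -> str:
    """Normalise a value name for comparison (case, leading '*')."""
    return name.lstrip("*").lower()


def clean_boot_diff(before, after, keep) -> dict:
    """Compare two parsed logs against the list of entries meant to stay enabled."""
    after_names = {norm(a.name) for a in after}
    keep_names = {norm(k) for k in keep}
    return {
        # present in the normal boot, gone in the clean boot
        "disabled": sorted(a.name for a in before if norm(a.name) not in after_names),
        # still starting although not on the keep list
        "unexpected": sorted(a.name for a in after if norm(a.name) not in keep_names),
        # on the keep list but no longer starting
        "missing": sorted(k for k in keep if norm(k) not in after_names),
    }


def relative_images(entries) -> list:
    """Entries logged without a full path; these are resolved via the search path."""
    return [a for a in entries if "\\" not in a.image and ":" not in a.image]


if __name__ == "__main__":
    before, after = parse_o4(LOG_NORMAL), parse_o4(LOG_CLEAN)
    for section, names in clean_boot_diff(before, after, KEEP).items():
        print(f"{section}: {', '.join(names) or '-'}")
    print("no full path:", [a.command for a in relative_images(before)])
```

An entry listed under `unexpected` would be the first thing to look at if freezes continue in the reduced configuration.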


----------



## raffikki (Apr 30, 2005)

Before shutting down yesterday, I d/led Cclean. (I read about it here and figured it wouldn't hurt to try it) It deleted 27MB of stuff.
This morning everything started ok.
I did a google search of NPFMntor.exe and found:
_What is the purpose of this computer program?
If you have Norton anti-virus installed, you will probably see NPFMntor.exe on your pc as this is for worm protection._
This is what I was having so much trouble with Live Updating, and finally got it sorted out Friday.
Do I need Zone Alarm since I have _worm protection_ with Norton?
If it freezes again I'll try clean boot troubleshooting.

Thanks again for your patience and advice  :up:


----------



## Rollin' Rog (Dec 9, 2000)

I'm not really sure what that instance of npf does regarding "worm protection"; it may be a cut-down version of their larger firewall, since I don't see any other NPF entries there.

I would keep ZoneAlarm as it offers broader protection and if something does get in, and tries to get out, you should get notice of it, be it worm or trojan.

27 mb is a lot of stuff to delete, but even so it is hard for me to see how this could be a source of the problem if it doesn't involve starting processes and the drive otherwise had adequate free space.

You're welcome for the support, I don't get impatient, especially when I'm as interested as anyone in seeing where a problem ultimately leads.


----------



## tonkacat (Mar 7, 2005)

I am running Norton 2005 and Zone Alarm with no problems. I don't know if this has been addressed but Firefox has a known bug in it. There is a sticky note about it on this site, I think it's under security?


----------



## raffikki (Apr 30, 2005)

I'm not sure what I've (we've) done but so far there have been *NO* problems since Sunday morning :up:

Here's a list of what was done:
Fixed the problem with Norton (I was just lucky with that  )
Stopped *Explorer* having access to the Internet (ZoneAlarm)
Ran *Ccleaner*, *SpyBot*, and *Adaware*
Reinstalled the updated video driver
Cleaned out the dust
Reduced the hardware accelerator a notch (but it's now back to high)
I may have missed a few things but I think these were the main ones.

I think I'm almost ready to mark this problem as *SOLVED* :up:  . I'll give it until tomorrow just to be sure.

Thank you soooo much Rollin' Rog 

tonkacat, I'll have a look for the post you are referring to now :up:


----------



## Rollin' Rog (Dec 9, 2000)

The old "shotgun" approach ...

Knock on wood then


----------



## raffikki (Apr 30, 2005)

Seems like I spoke too soon in my last post 

I went to the Security forum to have a look for the post tonkacat mentioned.
After reading the sticky posts I tried to click on the "search" button at the top of the page, got a tiny bit of what I think was like a drop down menu, tried clicking in it again and the damn thing froze up on me

I am wondering if I need to update something to do with Firefox  maybe


----------



## Rollin' Rog (Dec 9, 2000)

I'm still suspicious of the video driver; you can try dropping that back a notch or two again. And the "clean boot" option for simplifying things is still recommended.


----------



## raffikki (Apr 30, 2005)

I will drop it back now.
The clean boot I'll have to start tomorrow (got heaps to do this afternoon)
Everything except scanregistry and statemgr, right?
Do I then start Norton and ZoneAlarm manually? I'm scared of going on the internet without their protection.


----------



## Rollin' Rog (Dec 9, 2000)

I would leave both Norton and ZoneAlarm off for an extended test. Then enable Norton and see how it goes.

WinME is not really subject to exploit from just being online. Just be conservative and stick to trustworthy sites and avoid opening Email attachments unless you are expecting them.

Scanregistry and statemgr will preserve your ability to do a registry or system restore and neither is ever a source of freezing or other conflicts.


----------



## raffikki (Apr 30, 2005)

I put the accelerator back one notch. When prompted to restart it froze in the black screen (with the flashing cursor in the top left corner..again)
I shut down and it started normally.

These are the things in msconfig to be unchecked:
Taskmonitor
SystemTray
WheelMouse
Zonelabs Client
Symantec NetDriver Monitor
Symantec Core LC
ccApp
True Vector
SchedulingAgent
ccEvtMgr
ccSetMgr
NPFMonitor
ScriptBlocking

I do have faith in you  but just wanted to check that they are all OK to remove from start up, I'm scared sh!tless that when I restart I won't be able to do anything!!

edited to add:
When I bought my new mouse (A4 Tech wheel mouse) from memory I had to uninstall something (drivers I think) and install a different one.
Should I leave that in the start up?


----------



## Rollin' Rog (Dec 9, 2000)

They are all ok to uncheck, however you can leave "system tray" which is normally innocuous.

You may lose some wheelmouse options, if that's a problem just re-enable it.

One question I have neglected to ask, which may be important, is what are your display settings for screen area and color depth?

Color depth is particularly important as the higher settings consume considerably more memory. If your video card/chip shares memory with installed ram this can cause resource issues at times.

Best not to set it higher than 16 bit "true" color. Typical screen area settings are 800 x 600 or 1024 x 768


----------



## tonkacat (Mar 7, 2005)

The Firefox sticky is in Email and Web. When my father in law downloaded Firefox, it caused all kinds of problems. We did find a bug, backweb? or something similar. He has WinME. However, my daughter has been using FF for a while with no problems on her WinME.


----------



## raffikki (Apr 30, 2005)

Rollin' Rog, I'll uncheck all except SystemTray, Scanregistry and Statemgr now.
I have never messed with the display settings, they are:
Colours: High Colour(16 bit)
Screen Area: 800 by 600 pixels
When I checked the other options the Colours can be 16 colours, 256 colours, High colour(16 bit) and True colour (32 bit). 
There were lots of tabs that I looked at display properties>settings>advanced, I don't THINK I've messed with any of them, but I guess there is always a possibility I got bored one day and went exploring..lol.

tonkacat, I'll have a look at the sticky post now before I have to restart.


----------



## raffikki (Apr 30, 2005)

I unchecked everything except SystemTray, Scanregistry and Statemgr.
When I clicked the "restart now" button it froze AGAIN (got stuck with the black screen and flashing cursor).
I shut down, waited, then started up again ... no scan disk.
Now all I have by the clock is the volume control.
In CTRL+ALT+DELETE all that is showing is Explorer and Systray.
How long do I leave it until I put Norton back in start up?


----------



## raffikki (Apr 30, 2005)

I hit the "Post quick reply" button after writing the last post and nothing seemed to happen, I quickly copied what I wrote and then got a Zone Alarm Alert.

It had stopped internet activity because it discovered it wasn't running at startup, the same as if there had been a breach of security.
There were instructions about sorting it out but I just started it by going to start>programs>zone alarm.

Does this mean I should re-enable it at start up or uninstall it for a bit?

edited to add:
When I check CTRL+ALT+DELETE as well as Explorer and Systray, there is now Vsmon and Zlclient


----------



## Rollin' Rog (Dec 9, 2000)

ZoneAlarm may have changed significantly since I last used it, but I think you can leave it disabled; if not go ahead and re-enable it to avoid the hassle.

Apologies if we've done this before, but let's do it again if we have.

Go to Start > run and enter:

*scanreg /fix*

These startup errors sound like a damaged registry, especially if they are occurring with a minimal startup configuration.


----------



## raffikki (Apr 30, 2005)

We haven't done the scanreg /fix thing yet.
Do I just follow any prompts and agree to everything/anything?


----------



## Rollin' Rog (Dec 9, 2000)

Yes, in WinME, unlike Win98, it can be run from start > run; a reboot will be prompted along the way.


----------



## raffikki (Apr 30, 2005)

OK, I typed scanreg /fix in "run", a small window popped up and did its thing (can't remember if it was scanning or fixing) and it restarted by itself. That worked at least..lol
How do I know if it has done anything?
Is it just a case of wait and see?

Thanks again for your patience 

ps: If you know anything about IE, I've posted in the Digital Photography & Imaging forum. While trying to sort out a thumbnail problem I stuffed up IE


----------



## Rollin' Rog (Dec 9, 2000)

Yeah, it's just wait and see 

If you can go longer than the usual without a freeze, start re-enabling the unchecked msconfig items until you get back to normal. If you get freeze after enabling something, then backtrack and see how it goes.


----------



## raffikki (Apr 30, 2005)

Hi Rollin' Rog 

I've had nothing but drama last night and this morning..lol

I finally got IE working. (this morning)
I emailed my ISP, after trying Windows Help>Internet Explorer Troubleshooter.
They emailed back with the settings for IE. I followed their advice, didn't work. Restarted and tried the "repair" option again, restarted and got IE working.
Unfortunately ZoneAlarm butted in and stopped WindowsUpdate. I started ZA but then got "The page cannot be found". I shut ZA off again and started the update again.

How do I add IE to the allowed programs in ZA?
I tried the "add" button but although the IE icon is on my desk top ZA doesn't recognise it?

On to my major problem, when I tried to shut down last night the screen went black BUT the green light near the floppy disk stayed on and the green light on the tower that lights up when programs are running was flashing continuously. I had to manually shut down, tried again but the same thing happened.
This morning when I turned it on it seemed alright but when I tried to click OK on the "start up trouble shooting" box (which I was sure I marked not to show me again) that was frozen. I tried CTR+ALT+DELETE but got the BSOD saying that the system was busy. Manually shut down again, It started with scan disk and now everything seems OK.

Lastly I did as you instructed with the fixpix.vbs file (for the prob with thumbnails) and put it in "Program Files". I double clicked it but nothing seemed to be happening, I right clicked and noticed it said "open" and also "open with MS-DOS Prompt". I tried the latter but didn't know what to do next. I clicked the "x" to close it but got a warning, then closed it anyway. A few seconds later got the Norton warning and did as you said and allowed it to run. Got another small window and clicked ok on that.
The thumbnails still aren't showing as pics though


----------



## Rollin' Rog (Dec 9, 2000)

I only have a very old version of ZA on my Win98 machine. If you right click on the icon in System Tray and select the "control center" there, you should get a set of tabs, one of which is for "Programs". On that list are the various applications which have sought to go through ZA and they can be allowed or disallowed from the properties assigned there. I see Windows Internet Explorer is one of them on mine, as is Explorer, which for some reason also needs access in Win98. I expect your configuration options to be rather different though, as this is a very old version.

I've found a "thumbs.reg" file I've zipped up. It was on my 9x folder of registry patches. I've uploaded it here. Download and unzip it fully then double click it to merge it to the registry. Hopefully it will do the job. If it makes things worse, and I don't expect it will, you can restore a prior registry.

If it doesn't work, then I don't think it's a registry problem. Do make sure you have "view as webpage" enabled in the View tab for the folders that have the thumbnails.

Also, in WinME, there is, like XP, a thumbnail "cache" that can become corrupt. When this happens it can be deleted or the pics moved to a new folder. This file is called "thumbs.db" but may not normally be visible unless system and hidden files are also visible. It gets recreated when deleted. If you can't find it, just move your pics to a new folder and see if the previews show up there.

Also, I/we, may be misunderstanding the problem entirely. There are two types of thumbnail option. One that displays a preview when you mouse over or select an icon, and the other that produces a full set of thumbnails in the folder. This second one is enabled somewhat differently. You must right click on the folder and ensure "enable thumbnail view" is checked in the properties settings.


I guess we still don't know what's going on with the other problems, perhaps a bad hard drive cable or something equally obscure.


----------



## raffikki (Apr 30, 2005)

Thanks Rollin' Rog 
I'll print your last post and do what you suggested with the thumbs.zip
I forgot that you also asked for a new HJT log, here it is:

Logfile of HijackThis v1.99.1
Scan saved at 10:57:19 AM, on 19/05/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.optusnet.com.au/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optusnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optusnet.com.au/upgrade.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer From OptusNet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au/upgrade.html
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {BA549C46-AD38-11D7-A476-00D0590EC9DE} (SiS_OCX98 Control) - http://www.sis.com/ocis/SiSAutodetect98.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab


----------



## Rollin' Rog (Dec 9, 2000)

I don't see anything in the Scanlog that would inhibit IE, such as a proxy setting, and you seem to have narrowed that down to ZoneAlarm for some reason.

On the thumbnail questions, do re-read my recently edited post for other possibilities.


----------



## raffikki (Apr 30, 2005)

A couple of things about the thumbnails before I try the zip file.
1. I tried right clicking on the "my pictures" folder, went to properties and the only things that are checkable are the attributes...read only (which is ticked), hidden and archive?
2. In the "my pictures" folder there are 2 things in there that I figure don't belong. There is (or at least was until I just checked now) the file you mentioned (thumbs.db). I can't remember what the other one was.


----------



## Rollin' Rog (Dec 9, 2000)

Ok, on the properties, I may be assuming WinME is like 9x for this, but maybe not since it uses thumbs.db like XP.

You may be able to rename thumbs.db; if so you can give that a try rather than deleting it. It belongs there, it's just that it can cause problems when corrupt.


----------



## raffikki (Apr 30, 2005)

I searched for thumbs.db (since it is no longer in "my pictures" even though folders are set to "show hidden files and folders"). I couldn't find it on my computer.
I put the zip file in "program files" and when I went to extract it, it wanted to extract to C:\Program Files\Win9x, is that the correct place? Isn't that the video driver I updated?
Sorry for sounding so confused.
I finally fixed the IE problem though  :up: 
I allowed Explorer access in ZA, but couldn't find IE, I tried to add it (in program control) but that didn't work either. Finally I uninstalled ZA and reinstalled it. IE is now working perfectly.


----------



## Rollin' Rog (Dec 9, 2000)

I don't know why it's trying to extract to there, it's a normal, not self extracting zip and I didn't set any paths with it. Perhaps your zip program is somehow extracting to the last folder it used.

In any case you can just move or copy the .reg file anyplace you like. It doesn't matter where it's run from.

Glad to see you got the IE thing sorted out. ZoneAlarm can sure be a bane sometimes, though I can't say I've ever had any problems with the old version I'm used to.


----------



## raffikki (Apr 30, 2005)

I extracted it to "program files" where it asked if I wanted to replace the one that already exists, I clicked yes.
Now in "my pictures" the two different folders are back, the thumbs.db (size 187kb modified today) and Desktop.ini (489bytes also modified today)
Most of the thumbnails are still showing as the file type instead of the picture.
I looked in a few other folders that have pics in them and tried deleting the thumbs.db. Some pics show ok, others look like icons, same as in "my pictures".
It doesn't really matter, I just thought I'd try to fix it.

I've tried shutting down again and the same thing that happened last night happens again, black screen, flashing green light at the floppy disk. I checked msconfig>start up and TrueVector is checked again. I'm gonna uncheck it now and see if it helps.


----------



## raffikki (Apr 30, 2005)

I've just been searching around for a few answers and was wondering what you thought.

1. Here http://secunia.com/advisories/9459/ I read that TrueVector can cause crashing.

2. Here http://www.maths.soton.ac.uk/~ap/windows/#explorer-thumbnails It says:

To restore broken Explorer thumbnails for image file types, use the following commands:

* In WinME:
regsvr32 %windir%\system\thumbvw.dll

I'm not sure where to use these commands, any idea?


----------



## Rollin' Rog (Dec 9, 2000)

The Secunia article refers to a security issue that would only apply to XP/2K/NT systems where there is a hierarchy of privileges/permissions that applications and processes run under. WinME does not have this.

However the shutdown issue could well be related to "truevector" regardless.

The regsvr32 command would be good to run, I'd forgotten about that one. To run it, go to start > run and enter

regsvr32 thumbvw.dll

and you should get a message that the dll was successfully registered.

You seem to be reporting that "some" image files display properly and some do not. Does this have to do with file type, or does it seem a random thing?

And if random, how were these images created? The software used can make a difference. This would then be an issue that belongs back in the Digital Photography forum probably. I believe I've seen it addressed but I will have to do some searching to see if I remember the issue correctly.

*edit* oops, I just see you marked that one "Solved" 

The registry patch you ran addresses the entries covered here:

http://support.microsoft.com/kb/q192573/

You did need to do more than extract it, however. You must double click the .reg file and confirm the merge to the registry when prompted.


----------



## raffikki (Apr 30, 2005)

Rollin' Rog, I unchecked TrueVector at startup(again...maybe cause I reinstalled ZA it changed the settings) 
I have left ZA starting though.
I've shutdown and restarted with no problems since (touch wood  )
I've noticed that even though it's disabled, when I press CTRL+ALT+DELETE it *is* in the "close program" window. 
I'll leave it about a week before I start enabling Norton just to be sure.

The thumbnail problem was random (.jpg, .jpeg, .gif), the majority were showing as large icons but since I dragged all in to the new folder (which I renamed to "my pictures" after deleting the original) they are now *all* OK :up:  
I've checked all the other folders that have pics in them and 95% are showing correctly. The others I renamed to either .jpg or .jpeg (opposite of what they were)


----------



## Rollin' Rog (Dec 9, 2000)

It sounds like you've got the image previews in hand, I suspect a corrupt thumbs.db file if they rebuilt properly in a new folder.

Other issues can result from the type of image compression used. Not all applications do it the same, even though they give it the jpeg extension.

You may need to completely uninstall ZoneAlarm to test its involvement properly. It is certainly one program that can be implicated in both startup and shutdown problems.


----------



## raffikki (Apr 30, 2005)

I seem to always speak too soon  

I had problems loading web pages again, I was getting the ZA alert page.
I then tried turning it off but it wouldn't.
I uninstalled ZA but when restarting my comp froze.
I shut down and after a scan disk, I checked msconfig>startup and clicked the "clean up" button after which I got another BSOD:

An error has occurred
File Name: IFSMGR(01) + 00002007
Error: OE : 0028 : C00353E7

I hit "any key" and got a black screen, but the fans were still running.
I shut down, started again, got scan disk.
I tried CTL+ALT+DELETE again to see what was running... Explorer, Systray and Scanregw.
I tried reinstalling ZA but the .exe's (I tried all I have, dating back to 2002) all stopped responding.

I have just tried to D/L ZA but after trying to run a scan they suggest first, IE stopped responding.  
I'm going to try again after I post this.

edited cause I got everything in the wrong order of events..lol

edited a 2nd time to say I tried again and the same thing happened.
IE froze. I tried CTL+ALT+DELETE and Explorer and Systray there is now *Navw32* and *lexplore*  None of my Norton things are meant to be running


----------



## raffikki (Apr 30, 2005)

After my last post I decided to look through Windows "Help and Support"
I started the "Startup and Shutdown Troubleshooter"
It got me to do the following:

_To check the Startup log file

Click Start, point to Programs, point to Accessories, and then click Notepad or use another text editor to open the *Bootlog.prv file*. This file is located in the root folder of your hard disk (usually, C:\). 
Look for text indicating that a device failed._

In this note pad I found the following *failed* devices:
(I've copied these directly, cause I don't know what they are)

*[000BBCED] Dynamic load failed : [000BBCED] File not found
[000BBD6F] INITCOMPLETEFAILED = SIS630M
[000BBD9E] Removing Unknown ()
[000BBD9E] Removed Unknown ()
[000BBCB7] Starting Unknown (HTREE\RESERVED\0)
[000BBCB7] Started Unknown (HTREE\RESERVED\0)
[000BBCB7] Starting Unknown (HTREE\ROOT\0)
[000BBCB7] Started Unknown (HTREE\ROOT\0)
[000BBCB7] Enumerating Unknown (HTREE\ROOT\0)
[000BBCB7] Enumerated Unknown (HTREE\ROOT\0)
LoadFail = MVTrans.DLL Failure code is 0002
*

Does any of this mean anything to you?
Could any of this be the cause for my problems?


----------



## Rollin' Rog (Dec 9, 2000)

An error has occurred
File Name: IFSMGR(01) + 00002007

"IFSMGR" errors relate to the file system. I've seen them occur when the processor is unstable, sometimes due to heat. Drive instability or flakiness may be another source.

The SiS630M reference would be something for the graphics driver. As for the MVTrans.DLL, I can only assume this is related since the two seem to be found together in searches where folks have raised the same concerns:

http://groups-beta.google.com/groups?q=MVTrans.DLL&hl=en&lr=&sa=N&tab=wg

I'm inclined to think this is not a source of any particular problem but I could be wrong.

Hard to know what this is referring to:

[000BBCB7] Starting Unknown (HTREE\RESERVED\0)

The registry key, as I understand it, though present in Win98/ME, is not actually used -- being reserved at the time for later operating systems.

There is one place we haven't gone and if you continue to get unexplained errors or freezes we might want to give it a whirl.

This is to startup in Safe Mode, go to the Device Manager and look for "duplicate" entries for the same item. When this happens one of them is a "ghost" and recommended procedure is to delete both and let Windows sort it out on reboot. In the case of a display adapter you may find yourself reinstalling the current driver.


----------



## raffikki (Apr 30, 2005)

I finally gave up trying to do the scan with ZA and d/led it using Mozilla Firefox.
I am yet to install though.
I then decided to d/l AVG 7.0 Professional (trial version)
I ran the scan and it found *TROJAN HORSE MUSICSEARCH*
Another possibility of my problems maybe 

> This is to startup in Safe Mode, go to the Device Manager and look for "duplicate" entries for the same item. When this happens one of them is a "ghost" and recommended procedure is to delete both and let Windows sort it out on reboot. In the case of a display adapter you may find yourself reinstalling the current driver.

I'll check into this now 

Thanks again :up:


----------



## Rollin' Rog (Dec 9, 2000)

Depends on where it found it; since there was nothing suspicious in running processes at last look, it was probably a non-starter.

Since you have WinMe a common place for antivirus programs to turn up infections is in the System Restore volume/archive. Usually this has to be turned off to purge it, then rebooted and turned back on. Another place can be the Internet temporary cache.


----------



## raffikki (Apr 30, 2005)

It was found in 
C:\WINDOWS\Downloaded Program Files\mp3_Plugin.exe
AVG said it deleted it.

edited to add another pic from AVG


----------



## raffikki (Apr 30, 2005)

This thread is getting really long  

I went in to safe mode and had a look at the device manager 
(right clicked my computer>properties>device manager)
I looked at everything in there and found the following:

Sound,Video and Game Controllers:
2 x Microsoft Streaming Tee/Sink-to Sink Converter

System Device:
4 x ACPI IRQ Holder for PCI IRQ Steering
2 x Motherboard resources

Controllers:
2 x SiS 7001 PCI to USB Open Host Controller
2 x USB Root Hub

I haven't yet deleted them cause I wanted to check with you first  

For 24 hrs I've had no freezing/BSOD or Errors.  
I am yet to reinstall ZA (I am a bit nervous about things accessing the Internet) or add more back to startup (Norton etc.)
I do have AVG starting though.


----------



## Rollin' Rog (Dec 9, 2000)

> All of these are normal:

System Device:
4 x ACPI IRQ Holder for PCI IRQ Steering
2 x Motherboard resources

Controllers:
2 x SiS 7001 PCI to USB Open Host Controller
2 x USB Root Hub

I'm not sure about the first, but it is not likely to be involved in any problems; I don't see it as something that would consume critical resources.

> The virus AVG found was in the same folder that holds "active x" files, displayed as O16 entries in HijackThis. But it was not of the type that HijackThis is set to display. There was no indication it was actually running and may have just been a residual from a previous clean up, or just a partial install.

As for Zone Alarm, I wouldn't be too concerned about reinstalling it quickly if you are doing well without it. But there are also some other free firewalls available, though possibly not as easy to configure as ZA.

It would be nice to know for sure if these freezing, shutdown, or restart problems are primarily happening only when ZA was installed.

I've included links and manuals in the Security Help Tools thread here:

http://forums.techguy.org/showthread.php?s=&postid=663486


----------



## raffikki (Apr 30, 2005)

Thanks Rollin' Rog 

I'm still freeze/BSOD and Error *FREE* :up: 

I do have problems running online scans with IE, when I click CTL+ALT+DELETE I see Navw32. I click "end task" and the scans come good.

I'm tempted to uninstall AVG, as I only wanted it for a scan, then load Norton back up at start up and see what happens. 

I will now check out the firewalls in your post.

Thanks again for helping me with this


----------



## Rollin' Rog (Dec 9, 2000)

Can you do a search for navw32.exe, right click on it and select Properties > Version?

I don't recall seeing it previously in your scanlog and it may not be associated with your current NAV installation.

It may instead be a trojan.

http://www.bleepingcomputer.com/startups/Navw32.exe-8945.html

Post another HijackThis scanlog as well -- with nav32 running in the Close Programs window, if possible.

also:


> IE froze. I tried CTL+ALT+DELETE and Explorer and Systray there is now Navw32 and lexplore


Is that iExplore or Lexplore?


----------



## raffikki (Apr 30, 2005)

Sorry for the delayed reply. 
I was trying to run an on-line scan (housecall) last time I posted.
(I had already closed the Navw32) 
The scan ran but when I tried to get back on-line to see the results
(there were 8 things found  ) 
there was supposedly something already dialing a connection, then everything froze. 
BSOD saying there was an error or program waiting to close.
I was just now trying to get Navw32 to show in "close program", 
and it only did once I clicked *Yes* to d/ling the ActiveX thingy, 
using the McAfee on-line scan. 
I tried then to cancel the box but it froze.
Pressed CTL+ALT+DELETE again and it also froze.
3rd time I ended the Navw32 and everything went back to normal.
I got a pic of the "close program" box 
and did a HJT log when the boxes were frozen.
I searched for navw32.exe and found only 1.
File version: 11.0.9.16
Product Version: 11.0.9

edited to add:
I'm pretty sure it's a little L in the lexplore.
There are other programs that have "i" in them 
eg: "Tech Support Guy Forum - Edit Post - Mozilla Firefox"

Logfile of HijackThis v1.99.1
Scan saved at 4:55:30 PM, on 22/05/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVW32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.optusnet.com.au/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optusnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optusnet.com.au/upgrade.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer From OptusNet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au/upgrade.html
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {BA549C46-AD38-11D7-A476-00D0590EC9DE} (SiS_OCX98 Control) - http://www.sis.com/ocis/SiSAutodetect98.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab


----------



## Rollin' Rog (Dec 9, 2000)

C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVW32.EXE

This is indeed the Symantec file. But I don't know how it is starting since you apparently have all Symantec entries unchecked in msconfig. If you are going to run AVG, you should uninstall NAV. Or if you want to run NAV, disable or uninstall AVG.


Also search for Lexplore.exe and delete any examples found. Do not delete Iexplore.exe unless it is found OUTSIDE the Internet Explorer folder (the only legitimate copy should be in Program Files\Internet Explorer)


----------



## GoJoAGoGo (Dec 26, 2002)

Hi raffikki:

I haven't posted in your thread for a while but have been following it. Your HijackThis log shows you've been Hijacked. This could explain why "something was dialing a connection" and then your system froze.

O14 - 'Reset Web Settings' hijack as shown in the HijackThis Log Overview:
http://www.spywareinfo.com/~merijn/htlogtutorial.html

The following entries need to be removed from your HijackThis Log:
*O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au/upgrade.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.optusnet.com.au/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optusnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optusnet.com.au/upgrade.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer From OptusNet*


----------



## raffikki (Apr 30, 2005)

Hi GoJoAGoGo & Rollin' Rog  ,
I did as you said and "fixed" those entries.
I am yet to open IE, cause I haven't reinstalled ZA, I'm nervous  
I uninstalled AVG but haven't yet enabled Norton  
I searched my computer for lexplore and found nothing, 
I searched for iexplore 
4 were in C:\WINDOWS\HELP
1 was in C:\WINDOWS\APPLOG 
the last was in C:\ProgramFiles\InternetExplorer 
All I have checked at msconfig>startup is:
ScanRegistry
System Tray
*StateMgr

Here's my latest HJT log if you need it:

Logfile of HijackThis v1.99.1
Scan saved at 7:35:25 AM, on 23/05/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {BA549C46-AD38-11D7-A476-00D0590EC9DE} (SiS_OCX98 Control) - http://www.sis.com/ocis/SiSAutodetect98.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4494/mcfscan.cab


----------



## GoJoAGoGo (Dec 26, 2002)

Hi raffikki:

Did you reboot after you removed the entries? If not, reboot, then post another HijackThis to see if the entries return. I'm no HijackThis expert but those entries were definitely bad Hijackers. I notice those entries appeared in your very first HijackThis Log of this thread and I didn't realize until today. Hope this helps you out.


----------



## raffikki (Apr 30, 2005)

I did reboot as I also uninstalled AVG after removing the entries.
That last HJT log was AFTER the reboot.
Should I open IE, then post a new log?


----------



## GoJoAGoGo (Dec 26, 2002)

OK then since the entries haven't appeared after rebooting I believe they are gone. Yes, open IE and then post another HijackThis Log.
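
The two checks discussed in the posts above (a running process whose name imitates Iexplore.exe or sits outside its expected folder, and "fixed" entries coming back in a later scan) can be run over a HijackThis log with a short script. This is an added example, not part of the original thread or of HijackThis; the function names, the expected folders for EXPLORER.EXE and NAVW32.EXE, and the sample scan are assumptions or constructed for illustration.

```python
import ntpath
import re

# Expected folder for each well-known binary (upper case). The IEXPLORE.EXE
# location is the one given in the thread; the other two are assumptions
# taken from the paths shown in the posted logs.
EXPECTED_DIR = {
    "IEXPLORE.EXE": r"C:\PROGRAM FILES\INTERNET EXPLORER",
    "EXPLORER.EXE": r"C:\WINDOWS",
    "NAVW32.EXE": r"C:\PROGRAM FILES\NORTON ANTIVIRUS",
}

# Characters that are easy to confuse on screen fold to one representative,
# so "Lexplore" and "Iexplore" end up with the same skeleton.
CONFUSABLE = str.maketrans({"L": "I", "1": "I", "0": "O"})

# HijackThis entry lines look like "O16 - DPF: ..." or "R0 - HKCU\...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def parse_hjt(text):
    """Split a HijackThis log into running-process paths and (code, detail) entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_procs = False
            entries.append((match.group(1), match.group(2)))
        elif in_procs and line:
            processes.append(line)
    return processes, entries


def skeleton(name):
    """Upper-case the name and fold look-alike characters together."""
    return name.upper().translate(CONFUSABLE)


def check_processes(processes):
    """Return (path, reason) for look-alike names and misplaced known binaries."""
    findings = []
    skeletons = {skeleton(known): known for known in EXPECTED_DIR}
    for path in processes:
        folder, name = ntpath.split(path.upper())
        if name in EXPECTED_DIR:
            if folder != EXPECTED_DIR[name]:
                findings.append((path, "%s outside %s" % (name, EXPECTED_DIR[name])))
        elif skeleton(name) in skeletons:
            findings.append((path, "name imitates %s" % skeletons[skeleton(name)]))
    return findings


def returned_entries(fixed, later_entries):
    """Entries that were fixed earlier but appear again in a later scan."""
    later = {(code, detail.strip().lower()) for code, detail in later_entries}
    return [(c, d) for c, d in fixed if (c, d.strip().lower()) in later]


# Constructed sample scan, modelled on the logs in this thread. The
# LEXPLORE.EXE and TEMP\IEXPLORE.EXE paths are invented for the example.
SCAN_AFTER_FIX = r"""Logfile of HijackThis v1.99.1
Platform: Windows ME (Win9x 4.90.3000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVW32.EXE
C:\WINDOWS\SYSTEM\LEXPLORE.EXE
C:\WINDOWS\TEMP\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optusnet.com.au/
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
"""

# Entries that were ticked and fixed in the earlier scan (taken from the thread).
FIXED = [
    ("R0", r"HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optusnet.com.au/"),
    ("O14", "IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au/upgrade.html"),
]

if __name__ == "__main__":
    procs, entries = parse_hjt(SCAN_AFTER_FIX)
    for path, reason in check_processes(procs):
        print("FLAG  %s  (%s)" % (path, reason))
    for code, detail in returned_entries(FIXED, entries):
        print("BACK  %s - %s" % (code, detail))
```

A flagged path is only a prompt to check the file's Properties > Version and location by hand, as was done for navw32.exe earlier in the thread.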


----------



## Rollin' Rog (Dec 9, 2000)

The host name is: welax10-164.dialup.optusnet.com.au.

Not a Hijacker, but don't worry there is no harm in removing those entries.


----------



## raffikki (Apr 30, 2005)

I opened IE and got a blank page, in the address bar it says: *about:blank*
Can I reset my IE home page?

Here is a HJT log with both IE and Mozilla Firefox open:

Logfile of HijackThis v1.99.1
Scan saved at 9:00:57 AM, on 23/05/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {BA549C46-AD38-11D7-A476-00D0590EC9DE} (SiS_OCX98 Control) - http://www.sis.com/ocis/SiSAutodetect98.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4494/mcfscan.cab


----------



## GoJoAGoGo (Dec 26, 2002)

Yes, go ahead and reset your IE Home Page.


----------



## raffikki (Apr 30, 2005)

Thanks GoJoAGoGo :up:

Do you think I need to check my IE security settings because of all this?
Should I either reinstall ZA or allow Norton back up at startup?
Or both?
I'm not sure if this was the cause of all my previous problems 
or just the ones with IE 

edited to add a new HJT log just in case.
optusnet IS my home page

Logfile of HijackThis v1.99.1
Scan saved at 9:28:35 AM, on 23/05/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\DOUBLE SOLITAIRE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optusnet.com.au/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {BA549C46-AD38-11D7-A476-00D0590EC9DE} (SiS_OCX98 Control) - http://www.sis.com/ocis/SiSAutodetect98.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4494/mcfscan.cab


----------
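Comparing the two scans posted above line by line is error-prone, so here is an added example (not part of the original thread) that parses HijackThis logs and reports what changed between them. The two embedded logs are shortened excerpts of the 9:00:57 AM and 9:28:35 AM scans; the function names are this example's own.

```python
import re

# Shortened excerpts of the two logs posted above (23/05/2005); most lines
# are omitted to keep the example small.
LOG_0900 = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:00:57 AM, on 23/05/2005
Platform: Windows ME (Win9x 4.90.3000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
"""

LOG_0928 = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:28:35 AM, on 23/05/2005
Platform: Windows ME (Win9x 4.90.3000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\DOUBLE SOLITAIRE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optusnet.com.au/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
"""

# Entry lines look like "O4 - HKLM\..\Run: [...] ..." or "R0 - HKCU\...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")


def parse_hjt(text):
    """Split a HijackThis log into header lines, running processes and entries."""
    log = {"header": [], "processes": set(), "entries": {}}
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ENTRY_RE.match(line)
        if match:
            section = "entries"
            log["entries"].setdefault(match.group(1), set()).add(match.group(2))
        elif line.lower() == "running processes:":
            section = "processes"
        elif section == "processes":
            # Win9x paths are case-insensitive, so normalise before comparing.
            log["processes"].add(line.upper())
        elif section == "header":
            log["header"].append(line)
    return log


def _code_key(code):
    # Sort "O2" before "O16": letter first, then the number as an integer.
    return (code[0], int(code[1:]))


def diff_logs(old, new):
    """Return (sign, kind, text) tuples: '+' appeared in new, '-' disappeared."""
    changes = []
    for path in sorted(new["processes"] - old["processes"]):
        changes.append(("+", "process", path))
    for path in sorted(old["processes"] - new["processes"]):
        changes.append(("-", "process", path))
    codes = sorted(set(old["entries"]) | set(new["entries"]), key=_code_key)
    for code in codes:
        before = old["entries"].get(code, set())
        after = new["entries"].get(code, set())
        for item in sorted(after - before):
            changes.append(("+", code, item))
        for item in sorted(before - after):
            changes.append(("-", code, item))
    return changes


if __name__ == "__main__":
    for sign, kind, text in diff_logs(parse_hjt(LOG_0900), parse_hjt(LOG_0928)):
        print(sign, kind, text)
```

On these excerpts the only differences are the new Double Solitaire process and the restored R0 start page entry.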



## GoJoAGoGo (Dec 26, 2002)

Yes, check your IE security settings and install an antivirus program and ZA. Personally, you may be better off using another antivirus since Norton causes many problems for most users. I also use Windows ME and used Norton Antivirus for 2 years before I switched to AVG. Norton Antivirus would cause an error sometimes when I used my System Restore and the only fix was to uninstall and then reinstall Norton. Also Norton uses a lot of System Resources.


----------



## Rollin' Rog (Dec 9, 2000)

Let me say it again since it doesn't seem to be absorbed. Those were NOT hijacker entries, they were customized ISP search and homepages. Your ISP is optus, is it not?

http://www.optus.com.au/portal/site...toid=c7c9b5831cf2cf00VgnVCM1000006801540aRCRD

No harm in the deletions, but they were never a problem.


----------



## raffikki (Apr 30, 2005)

Thanks again GoJoAGoGo 
I checked the settings in IE
*Security*: All zones are set to custom. Is there anywhere that there is a reference that I can check to make sure that they are set right?
*Privacy*: is set to High

I d/led AVG(trial) to see what it was like, I still have months left for my
Norton subscription but will definitely change when it expires.
Does AVG do everything automatically? eg: email scanning and updating?
Does AVG work good with ZA?

I'm going to reinstall ZA now, wait a few days and if there are no problems 
with freezing etc, I'll let Norton back in startup.

If you think I'm nuts please let me know

edited: 
Sorry Rollin' Rog, I missed your last post before I replied. (I'm really slow at typing)
Yes Optus is my home page.
Was 
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au/upgrade.html
Ok too  
*O14 - 'Reset Web Settings' hijack*
from http://www.spywareinfo.com/~merijn/htlogtutorial.html


----------



## raffikki (Apr 30, 2005)

I've already edited my last post to apologize Rollin' Rog 

I've just tried another scan with Trend Micro.
I did the CTL+ALT+DELETE again, same problem with Navw32 and lexplore (or I, I'm not 100%)
I ended both, and am trying the scan but will NOT go offline and see what happens this time.
I did a google search for Lexplore and found this site, do you think it applies to my problem?
http://www.askmehelpdesk.com/forum/archive/t-1473.html

Sorry if I'm becoming a pain in the A**, you want me to uninstall Norton?


----------



## Rollin' Rog (Dec 9, 2000)

No problem on your end, I just expected "gogo" to acknowledge the mistake.

I don't think you have an Lexplore.exe, I suspect Iexplore.exe was running or opened in order to run an active x scan. But just search the drive with "show hidden files" enabled in Folder Options > view to make sure.

These are typical, safe, security settings:

Internet Options recommended Security settings

Click the "Security" tab:

Verify the "default" level is set on "Medium" 

Click the "Custom Level" tab and verify the following configurations:

ActiveX Controls & Plugins

Download Signed ActiveX Controls
--- prompt

Download UNsigned ActiveX Controls
--- disable

Initialize and script ActiveX Controls NOT marked as safe
--- disable

Run ActiveX Controls and Plugins
--- enable

Script ActiveX Controls marked as SAFE
--- enable


----------
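One way to check the five ActiveX settings listed above without clicking through the dialog, as an added example that is not part of the original post: it reads a regedit export of the Internet zone key and compares it with the recommended values. The numeric value names (1001, 1004, 1200, 1201, 1405) and policy values (0 enable, 1 prompt, 3 disable) are Microsoft's URL action and policy codes rather than anything stated in the thread, and the export text is constructed sample data.

```python
import re

# Internet zone (zone 3) settings for the current user.
INTERNET_ZONE = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
                 r"\CurrentVersion\Internet Settings\Zones\3")

# URL policy values as stored in the registry.
POLICY_NAMES = {0: "enable", 1: "prompt", 3: "disable"}

# Recommended settings from the post above, keyed by URL action code.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", "prompt"),
    "1004": ("Download unsigned ActiveX controls", "disable"),
    "1200": ("Run ActiveX controls and plugins", "enable"),
    "1201": ("Initialize and script ActiveX controls not marked as safe", "disable"),
    "1405": ("Script ActiveX controls marked as safe", "enable"),
}

# Constructed sample of a REGEDIT4 export; two settings are left at "prompt".
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"DisplayName"="My Computer"
"1004"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000001
"1200"=dword:00000000
"1201"=dword:00000001
"1405"=dword:00000000
'''

SECTION_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def read_zone_dwords(reg_text, key=INTERNET_ZONE):
    """Collect the dword values stored under one registry key of an export."""
    values = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            current = section.group(1)
            continue
        dword = DWORD_RE.match(line)
        # Registry key names are case-insensitive.
        if dword and current is not None and current.lower() == key.lower():
            values[dword.group(1)] = int(dword.group(2), 16)
    return values


def audit_activex(values):
    """Return (code, setting, actual, expected) for every setting that differs."""
    findings = []
    for code in sorted(RECOMMENDED):
        name, expected = RECOMMENDED[code]
        if code not in values:
            actual = "not set"
        else:
            actual = POLICY_NAMES.get(values[code], "unknown (0x%X)" % values[code])
        if actual != expected:
            findings.append((code, name, actual, expected))
    return findings


if __name__ == "__main__":
    for code, name, actual, expected in audit_activex(read_zone_dwords(SAMPLE_EXPORT)):
        print("%s %s: is %s, recommended %s" % (code, name, actual, expected))
```

The value under `Zones\0` in the sample is ignored because only the Internet zone key is audited.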



## raffikki (Apr 30, 2005)

Thanks Rollin' Rog 
I haven't had any freezing/errors for a couple of days now :up: 
Norton is still not in start up, I'm going to try enabling it now  
Zone Alarm is also not installed and I think I'll leave it like that!
I d/led Sygate Personal Firewall but will wait a few days before installing to make sure everything is OK with Norton.
I checked my security and disabled what you said too, a couple were set at _prompt_

I managed to do 2 on-line scans. (after shutting down Navw32 and l(I?)Explorer)

HouseCall found GameSpy and removed it.

PandaActiveScan found:
Adware/eZula in Windows Registry 
Spyware/Bridge in C:\WINDOWS\Downloaded Program Files\bridge.??? 
Adware/Adsmart in C:\WINDOWS\sys???.exe 
Adware/FavoriteMan in C:\WINDOWS\SYSTEM\Favorite.dll 
Adware/Adsmart in C:\WINDOWS\SYSMON.EXE 
Adware/KeenValue in C:\WINDOWS\Downloaded Program Files\imloader.exe 
Spyware/Bridge in C:\WINDOWS\Downloaded Program Files\bridge.inf 
Adware/WildTangent in C:\Program Files\shockwave.com\BOUNCE\WebDriverSilentInstall.exe 
Adware/SaveNow in C:\My Documents\ScreenSavers\wfallsfree.exe[wfalls.exe][BSAVEINST.EXE] 
Adware/SaveNow in C:\My Documents\ScreenSavers\beachfree.exe[beaches.exe][BSAVEINST.EXE]  
Adware/SaveNow in C:\My Documents\ScreenSavers\lakefree.exe[lakesetup.exe][BSAVEINST.EXE] 
Adware/SaveNow in C:\My Documents\ScreenSavers\cupidfree.exe[cupid.exe][BSAVEINST.EXE]

Should I Just Delete these things? The last 4 are screensavers I d/led and don't use anyway.

Thanks again for your help, I hope I haven't caused any dramas


----------



## GoJoAGoGo (Dec 26, 2002)

raffikki and Rog:

I apologized for my error and hope it didn't cause any setbacks.


----------



## Rollin' Rog (Dec 9, 2000)

Gojo, I'm sure no problems resulted -- if you're squeamish about clicking on a suspect link, just try running the domain name, in quotes, through Google and that should pull up any clarifying info.

eg: http://www.google.com/search?hl=en&q="optus.net"&btnG=Google+Search

raffikki, had you run a Panda scan before, because there should be no reason to be picking up new infections like that, if they are new, unless someone else is using the computer and going where they shouldn't be going?

By all means, delete them all -- however you will not find the ones in the Downloaded Programs folder if you look manually. Panda or AVG should be able to delete them if they find them.

I can give DOS instructions that you can probably run from within Windows, if necessary.


----------



## raffikki (Apr 30, 2005)

Rollin' Rog, 
I had run Panda before but always encountered problems with IE before the scans finished. This was after I thought Norton wasn't working properly over the last few weeks.
Nobody else has used this computer and I've only gone to my start page (ISP), come here and gone to sites that I do Footy Tipping with. 1 being through my ISP, the other is the web site of my local amateur club. I have done (or at least tried to do) online scans, and lastly done google searches for computer related things.

Panda didn't remove any of them.
I have removed all traces of the screensavers, or I'm pretty sure I have.
I have attached the log if it helps.

I'm about to give up with Norton though 
I tried enabling all the Norton/Symantec at start up.
It restarted OK.
Tried live update and it wouldn't/couldn't get all of the updates.
I restarted again hoping it would help.
Tried live update again and my comp *froze* and had to shut down.
I ran their support assistant and it says that symevnt isn't running.
I checked in msconfig>start up and it's not listed.
I went to Static VxD's to check it there and it's already checked.
I've uninstalled as per their instruction, reinstalled and now I keep getting an error I've also included here.

My keyboard started to stop working (couldn't type this reply) and once I shut down Nmain it came good. I've also included a screen shot of this.


----------



## raffikki (Apr 30, 2005)

A bit of an update 
I finally managed to get Norton fixed (for now at least..lol)
I updated using "Intelligent Updater" from Symantec.
I scanned and the only adware it found was:
File name: bridge.inf
Threat Name: Adaware.WinFavorites
Action: Adaware found
Status: At Risk

It DIDN'T do anything about it though 
I clicked on the links provided and found this
http://securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html
Should I do exactly as it says with the "regedit"?

I'm going to have a look for all the stuff ActiveScan found now


----------



## Rollin' Rog (Dec 9, 2000)

Since the Panda scan had not completed previously, then I expect these had been on the system.

Go ahead and use regedit to see if those entries are present per the Symantec article, and delete the ones that are.

If Symantec is not providing the option to delete the adware files found in the "Downloaded Programs" folder, do this --

Go to Start > Run and enter *command* and a command window should open.

At the prompt type and enter each line, be sure to include the quotes:

*del "C:\WINDOWS\Downloaded Program Files\bridge.dll"

del "C:\WINDOWS\Downloaded Program Files\bridge.inf"

del "C:\WINDOWS\Downloaded Program Files\imloader.exe"*

The other files should be visible and can be found and deleted manually.

However c:\windows\sysmon should be checked for Properties > Version (right click and select)

There is a Windows system file called sysmon.exe which is the "system monitor". It is not required and buggy as well, so no harm in deleting it, but check anyway.


----------



## raffikki (Apr 30, 2005)

Hi Rollin' Rog  
Well there still hasn't been any major freezes/BSOD/Errors (apart from the little hiccup yesterday)  
I haven't reinstalled ZA but am tempted to install Sygate Personal Firewall cause I'm still really nervous being on the net.
I ran Spybot yesterday and it found WildTangent. It fixed it OK, but it wasn't there the day before when I scanned.

I followed the directions from the symantec link and found NONE of the things I was looking for, I guess that is good right :up: 

I also tried 


> Go to Start > Run and enter command and a command window should open.
> 
> At the prompt type and enter each line, be sure to include the quotes:
> 
> ...


At the first I got: _file not found_
at the other 2 I got: _path not found_

I must have done it wrong  
I typed exactly as you wrote, would it be better to do it in safe mode maybe?

I did another ActiveScan after removing what I could and the list is considerably shorter :up:

Adware:Adware/eZula in Windows Registry 
Spyware:Spyware/Bridge in C:\WINDOWS\Downloaded Program Files\bridge.??? 
_Adware:Adware/WildTangent in Windows Registry (I am assuming this is what Spybot deleted)_
Adware:Adware/Adsmart in C:\WINDOWS\sys???.exe 
Adware:Adware/Adsmart in C:\WINDOWS\SYSMON.EXE 
Adware:Adware/KeenValue in C:\WINDOWS\Downloaded Program Files\imloader.exe 
Spyware:Spyware/Bridge in C:\WINDOWS\Downloaded Program Files\bridge.inf 
Adware:Adware/FavoriteMan in C:\Recycled\Dc7.dll


----------



## Rollin' Rog (Dec 9, 2000)

I thought I had seen "wild tangent" in one of your previous scans; in any case I don't concern myself with it as it is a "gaming" install that some online gaming domains create, or offer to, when you go there. It is not a real threat, but may monitor what gaming links you go to on their domains.

For the DOS commands, getting the "file not found" was halfway expected on the first one since the extension was shown with ??? rather than ".dll" and I didn't know the reason for that.

However if the command was copied correctly, including the quotes, you should not get "path not found" -- that would be a likely error if you neglected the opening quote.

Have you looked for these manually?

Adware:Adware/Adsmart in C:\WINDOWS\sys???.exe 
Adware:Adware/Adsmart in C:\WINDOWS\SYSMON.EXE


----------



## raffikki (Apr 30, 2005)

I went to start>search>for Files or folders
entered *sys???.exe* 
and found *SYSMON.EXE*
I right clicked> version and saw:
File version: 4.90.0.3000
Created: 8 June 2000
Should I delete SYSMON.EXE?

I tried your instructions again this time copying and pasting.
I got:
del "C:\WINDOWS\Downloaded Program Files\bridge.dll" *file not found*

del "C:\WINDOWS\Downloaded Program Files\bridge.inf" pressed enter and got C:/WINDOWS\Desktop> , which is what I started with  tried again and got *file not found* does that mean it deleted it 

del "C:\WINDOWS\Downloaded Program Files\imloader.exe" did the same as the last but didn't do it again to get *file not found*


----------



## Rollin' Rog (Dec 9, 2000)

If you don't get an error message, and just get returned to your original prompt, the file was found and deleted.

As for sysmon.exe, it sounds like you are looking at the Microsoft file, does it have a Microsoft copyright? The version number seems consistent with WinME. You can try scanning it directly with an installed scanner.

Or upload it here:

http://virusscan.jotti.org/


----------



## hl5 (Sep 24, 2004)

I'm going to pop in here. There's no way I can read this entire thread right now, so what I'm saying may not be helpful at all.

First, as a rule of thumb I wouldn't mess with video drivers if they've worked in the past. If you know what you're doing you can update them once in awhile, but sometimes these updates will help while other times they will hurt. This does not appear to be a video driver problem.

Second, from time to time there are conflicts between Norton AV or McAfee AV and certain versions of Zone Alarm (ZA 5.0 had some problems). In fact, Norton is notorious for interfering with other software and Zone Alarm has been known to conflict on occasion as well although it's better behaved than Norton AV. Both of these programs are pretty intrusive and thus they can try to access some of the same things and butt heads while doing so. I would personally not leave both of them up (although technically they are designed to be compatible).

Keep in mind that Norton has a firewall too and it's almost never a good idea to have two software firewalls running at once. And running Norton and Zone Alarm at once in particular is asking for trouble. If you have to use Norton (which I do not recommend because it's just too problem-prone), then I would probably actually go with the entire Norton internet security package. Since Norton installs stuff all over the place and doesn't always play nice with other programs, it's not a good idea to install things that are redundant with what Norton tries to do.

You said you tried PC-cillin not too long ago and that it was slow. PC-cillin is much faster than Norton (and more compatible as well), so if it was slow it does sound like there may be a problem on your system other than the normal Norton headaches. Remember that PC-cillin HAS ITS OWN FIREWALL as well, so if you install PC-cillin, uninstall Zone Alarm and any other firewall and antivirus products you may have running. (OR disable the non-Zone-Alarm firewall; but I would not use a major internet security package PLUS Zone Alarm, because it's tempting fate.)

Viruses, adware, and spyware can be a nuisance, but so can improperly set up (or simply badly designed) antivirus or firewall software.

If you do insist on running two security/firewall products together, try something less intrusive than Zone Alarm. Something like Look 'N' Stop, Outpost, or Kerio (all three of these programs are commercial though older versions are free -- and Kerio also has a newer free version as well). Zone Alarm IS in fact a good firewall but like Norton, it likes to be THE BOSS and there can only be one boss per system, if you know what I mean (unless you like to take chances).

If you do want to keep Norton on there, or even if you don't, streamline what starts on your computer. The more programs that start automatically and run all the time, the greater your odds of weird conflicts and things. So go to *Start --> Run* and type in *MSCONFIG* and click on the *Startup* tab. If there are programs there that start automatically that you know you don't need all the time, you can uncheck them (but be careful, because some are necessary, and if you're uncertain, you can ask someone). If you want to be able to back up those settings, check out a utility like StartEd (shareware for $17) or, not quite as intuitive, CodeStuff Starter (freeware). You can also simply write down or remember what you've changed, or back up your registry, although I prefer to use a program to do it.

If all else fails, you could try backing up everything and then reinstalling Windows over what you have now. If a system file has become corrupted or there's some component missing, that may restore the system without messing up your data and applications (but back up just to be safe).

And realize that some computer problems are so vexing and persistent that it's just not worth fixing them. If it goes on TOO long, just back up what's important, reformat, and reinstall Windows, or reimage your hard drive from the disc supplied with your computer. Failing that, you could also take it to a service place, but they might just reimage it anyway.

Back to AV for a second. You'll notice a lot of Norton-related problems on tech support forums. If you want to be free of Norton, other alternatives:

- BitDefender
- PC-cillin (you tried)
- F-Secure (slower but good if you need very thorough virus scanning as it uses two virus scanning engines)

Some simple solutions that are AV-only and would need to be used with a firewall (would work great with Zone Alarm for instance, or others listed above, or another free one like Sygate):

- NOD32
- F-Prot
- the Zone Alarm virus scanner which is identical to eTrust Antivirus from Computer Associates

Free AV solutions:

- AVG
- Avast
- AntiVir

McAfee's antivirus is a step up from Norton, but it can cause a few problems as well and its firewall isn't the best.

I hope you're getting all this stuff sorted out. Maybe this post will help and maybe not. But it's worth a shot.


----------



## hl5 (Sep 24, 2004)

ADD: Looking at your list of startup apps, you don't have lots of superfluous stuff. The biggest guys on there are obviously Norton and Zone Alarm. There are certainly one or two things that could be disabled, like TYPE32 (keyboard-related), but overall that's not a cluttered startup list.


----------



## raffikki (Apr 30, 2005)

Rolling Rog,
I checked SYSMON.EXE and it does have copyright:
Copyright (C) Microsoft Corp. 1994-1998
I checked it with Norton and it came back clean :up: 

Hi hl5
Thank you for taking the time to respond to my post  
I think you are right about ZA and Norton fighting  
I have uninstalled ZA and haven't had any freezing/BSOD or errors for a few days.
I have trimmed down my startup list even more, eg. Intelli Type and WheelMouse
Rollin' Rog has been a great help to me and I think this problem is as good as Solved!!

I'm going to leave it a few more days until I actually mark it Solved, just in case.

Thanks again to everyone who has helped me with this  :up:


----------



## raffikki (Apr 30, 2005)

Another update with my PandaActiveScan 

Adware:Adware/eZula in Windows Registry 
Adware:Adware/Adsmart in C:\WINDOWS\sys???.exe 
Adware:Adware/Adsmart in C:\WINDOWS\SYSMON.EXE 

I'm getting there!
Just need a little help with these.


----------



## Rollin' Rog (Dec 9, 2000)

If the only instance of sysmon.exe is the one you found, it is likely to be a false positive.

Do make sure you are searching with "show all files" enabled in Folder Options > View.

I would be wary of giving a del C:\WINDOWS\sys???.exe

command, I'm not sure how it would be handled, but if you can manually locate that, delete it.

Is the exact location of the "ezula" registry entry found?

One thing you might do is install, UPDATE, and run a full Ad-aware SE scan. This usually finds most adware components and you can use it to delete them:

Ad-Aware Home Page

http://download.lavasoft.de.edgesuite.net/public/plvx2cleaner.exe
The VX2 plugin will be available in the "add-ons" window once installed and is run from there.

Apologies if you've already done this, I can't recall a mention of it.


----------



## raffikki (Apr 30, 2005)

> If the only instance of sysmon.exe is the one you found, it is likely to be a false positive.

> I would be wary of giving a del C:\WINDOWS\sys???.exe
> command, I'm not sure how it would be handled, but if you can manually locate that, delete it.

When I searched for sys???.exe the only file it found was SYSMON.EXE. 
I checked "show hidden files and folders" and it is ticked.

I have Ad-Aware SE 1.05 Personal installed and update weekly, it finds nothing except a few cookies.
I've just updated it again and am running it now.

I clicked on the link you provided and there was a d/l of plvx2cleaner.exe right away.
Is that correct?
I d/led it to "My Desktop" do I run it from there?

With the ezula thing, all ActiveScan said was:
Adware:Adware/eZula No disinfected Windows Registry


----------



## Rollin' Rog (Dec 9, 2000)

That is an Ad-aware add-on. I included it only as a routine thing. I don't see any evidence of a VX2 infection.

If you run it it will place the VX2 cleaner in the Ad-Aware "addons" window, and then it is run from there.

I don't think you really need be concerned about sysmon.exe. I would just assume it is a false positive unless you are getting some confirmation from another scanner.

Without knowing exactly where "ezula" is being detected in the registry, I can't give any instructions regarding that. But be assured it is not a threat, since it is not showing up in any of the normal startup locations.


----------



## raffikki (Apr 30, 2005)

Would running either *Registry Mechanic* or *RegistryFix* be a good idea?
I have d/led both but am yet to run either cause I am nervous about not knowing exactly what they do.

I ran the plug-in for Ad-Aware and it said System Clean :up:

edited to ask a big favour  
I have posted a problem http://forums.techguy.org/t365307.html
I'm not sure if it's in the right forum, I've had no responses 
I didn't think I should have posted it in this thread cause it's already gone way off the original problem


----------



## Rollin' Rog (Dec 9, 2000)

I am personally reluctant to endorse registry cleaners unless there is a serious unresolved problem they might be good for.

The entries they remove can be obscure and not readily understandable by those who use them. The problem that can be created may not be apparent until many moons later and it may or may not be possible to connect it back to the use of the cleaner.

If you can configure or limit them to fixing only NON Microsoft entries, you are relatively safe, if also you ensure that it backs up whatever it does and you know how to restore from the backup.


----------



## raffikki (Apr 30, 2005)

Thanks for the advice Rollin' Rog 
I'll give them a miss!
Since I haven't had any freezing/BSOD or errors for quite a few days I think I'll just leave things as they are. :up:


----------



## raffikki (Apr 30, 2005)

I had a little hiccup this morning 
When my desktop was loading it froze, the mouse was still working and pressing CTL+ALT+DELETE showed me Explorer (not responding), there was nothing else listed in there.
I did CTL+ALT+DELETE again to try to restart and got BSOD saying that a program was waiting for a close program command or the system had become unstable (or at least it was something like that, I didn't write it down)
I shut down manually and it restarted normally.


----------



## Rollin' Rog (Dec 9, 2000)

Since the only change that I'm aware of is the addition of Sygate, I guess you're just going to have to watch and wait to see how stable the system is with it installed. It just may be, for some unknown reason, that WinME has issues with firewalls generally.

And I can't rule out that a registry cleaner might be of value, but there is just no way of knowing ahead of time.


----------



## raffikki (Apr 30, 2005)

The odd freeze doesn't bother me, I'll keep my fingers crossed that it doesn't become a huge problem like it was. That I can definitely live without!!!

I'll post if there are any weird or major problems.

Thanks again Rollin' Rog I really appreciate all your help


----------



## Rollin' Rog (Dec 9, 2000)

You're certainly welcome; I never bail on folks who give good follow-ups


----------



## raffikki (Apr 30, 2005)

Hi again 

Things are still OK :up: No BSOD/errors :up:

But when I just pressed CTL+ALT+DELETE to see why my browsing had slowed dramatically I saw something that I'd never seen before.

*Winoldap*

Norton was checking for updates and I assume that is what was slowing me down but when I did a google search for Winoldap I got worried 

Why all of a sudden would that start running 

Is it something I need to worry about?


----------



## Rollin' Rog (Dec 9, 2000)

Winoldap would normally be associated with an MS-DOS based execution of some kind. I don't think you should have "winoldap.exe" as a file on your computer though. It is stored as winoa386.mod.

Post another scanlog with it present if you have winoldap.exe or continue to see it in the close programs window.


----------



## raffikki (Apr 30, 2005)

This morning it's not showing in the "close program box" YET, but I did do a HJT log last night when it was running.

Logfile of HijackThis v1.99.1
Scan saved at 12:15:42 AM, on 29/05/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optusnet.com.au/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {BA549C46-AD38-11D7-A476-00D0590EC9DE} (SiS_OCX98 Control) - http://www.sis.com/ocis/SiSAutodetect98.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4494/mcfscan.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab


----------



## Rollin' Rog (Dec 9, 2000)

Yeah, this is it here:

C:\WINDOWS\SYSTEM\WINOA386.MOD

Symantec must have been using it for something; I can't think of any other reason why it would be present then and not now. I'm sure it's the legitimate Windows MS-DOS process.


----------
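One way to check "why would that start running" from the logs themselves, as an added example that is not part of the original thread: parse two HijackThis logs, list the processes present only in the later one, and note whether each has an O4 autostart entry. The sample logs are constructed excerpts in the same layout as the log above, and all function names are hypothetical.

```python
import re

# Constructed excerpts in HijackThis 1.99.1 layout; entries mirror the log above.
EARLIER = r"""Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE

O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
"""
LATER = r"""Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\DDHELP.EXE

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")  # section code, then detail

def parse_hjt(text):
    """Return (running process paths, [(code, detail), ...]) from one log."""
    procs, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False              # a blank line ends the process list
        elif in_procs:
            procs.append(line)
        elif (m := ENTRY.match(line)):
            entries.append((m.group(1), m.group(2)))
    return procs, entries

def has_autostart(path, entries):
    """Heuristic: does the file name appear in any O4 (Run/RunServices) entry?"""
    name = path.rsplit("\\", 1)[-1].upper()
    return any(code == "O4" and name in detail.upper() for code, detail in entries)

def new_processes(before, after):
    """(path, has_autostart) for processes only in the later log, case-insensitive."""
    seen = {p.upper() for p in parse_hjt(before)[0]}
    procs, entries = parse_hjt(after)
    return [(p, has_autostart(p, entries)) for p in procs if p.upper() not in seen]

if __name__ == "__main__":
    for path, auto in new_processes(EARLIER, LATER):
        print(path, "autostart entry" if auto else "no autostart entry")
```

A new process with no autostart entry was launched on demand by something else after boot, which is the situation described for WINOA386.MOD in this thread.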



## raffikki (Apr 30, 2005)

Thanks again 

I just thought it was weird and figured I better check with you.
I should probably stop looking at stuff like that cause I just get more paranoid..lol


----------



## Rollin' Rog (Dec 9, 2000)

No problem -- and checking it out is the only way to learn.


----------



## raffikki (Apr 30, 2005)

Just an update and another HUGE *THANK YOU*

No Freezing/BSOD or Errors for about a week now 

Marking this one as SOLVED :up:


----------



## Rollin' Rog (Dec 9, 2000)

Outstanding! Of course you are most welcome


----------

