# Frustrated beyond belief!!! HELP!



## soylattemom (Feb 15, 2004)

I'm sure my problem is adware/spyware. Everything is so freaking slow, I'm on SlimBrowser and IE keeps trying to load, typing is slow, and I'm getting pop-ups out the wazoo!

I downloaded TrojanRemover, and it fixed a few files. It did give me a log when it was complete, but I don't know how to access it if you guys want to look at it. Also downloaded spybot, but when I try to run it, an error message says "A device attached to the system is not functioning".

So now, I've been trying to download AdAware, but am having trouble doing that. I've spent dozens of hours on this thing trying to fix it over the last week! I hope someone can help me!


----------



## cybertech (Apr 16, 2002)

Download Hijackthis. 
Save it to a folder on your hard drive. 
Unzip the file.
Scan your machine, then click on Save Log.

Post a copy back here and someone will be happy to review it.

*Don't make any changes until instructed to do so.*


----------



## soylattemom (Feb 15, 2004)

I'll go download it now (Thanks!) But I don't know how to unzip a file, and I don't think there is an "unzip" utility on my computer. (Obviously, I'm a little "technologically challenged")


----------



## brushmaster1 (Jun 15, 2002)

Go to www.winzip.com and download the free trial of WinZip...


----------



## soylattemom (Feb 15, 2004)

ok, thanks...brb... It's taking forever for me to find HijackThis! (When I click on the link above, it says cannot find server, so I'm trying to get to it through a search engine.)


----------



## soylattemom (Feb 15, 2004)

Ok, I scanned. When I tried to save the log, an error message said the file is damaged or is not a valid Dr. Watson log file. Now what?


----------



## soylattemom (Feb 15, 2004)

Ok, I got it...

Logfile of HijackThis v1.97.7
Scan saved at 5:06:19 PM, on 2/15/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\MCAFEE\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\TELEPATH.101\tpexe.exe
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
D:\POINT32.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\MWSVM.EXE
C:\WINDOWS\SYSTEM\IEFEATURES.EXE
C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE
C:\PROGRAM FILES\SQWIRE\UC.EXE
C:\PROGRAM FILES\SQWIRE\CC.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\MSOFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\COMMON FILES\GMT\GMT.EXE
C:\PROGRAM FILES\PRECISIONTIME\PRECISIONTIME.EXE
C:\PROGRAM FILES\SLIMBROWSER\SBROWSER.EXE
C:\WINDOWS\FREECELL.EXE
C:\WINDOWS\SYSTEM\A32R.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE
C:\WINDOWS\DRWATSON.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=%tb_id
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://iwon.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=%tb_id
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by @Home Network - Version 1.7
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.aol.com/cgi-bin/websearch?z=1&term=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=%tb_id
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\SYSTEM\BTIEIN.DLL
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\IEASST.DLL
O2 - BHO: (no name) - {2662BDD7-05D6-408F-B241-FF98FACE6054} - C:\PROGRAM FILES\SQWIRE\U.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Search Toolbar - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\PROGRAM FILES\SQWIRE\T.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [BillMinder] C:\QWSE\BILLMIND.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Vshwin32EXE] C:\McAfee\VSHWIN32.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinFavorites] C:\PROGRAM FILES\WINFAVORITES\WINFAVORITES.exe1
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe
O4 - HKLM\..\Run: [ClrSchLoader] \Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\SYSTEM\INTERNETFEATURES.exe
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\SYSTEM\IEFEATURES.exe
O4 - HKLM\..\Run: [CMESys] "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
O4 - HKLM\..\Run: [SQUpdatesChecker] C:\Program Files\Sqwire\uc.exe
O4 - HKLM\..\Run: [SQConfigChecker] C:\Program Files\Sqwire\cc.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [A32R] C:\WINDOWS\SYSTEM\A32R.exe
O4 - HKLM\..\Run: [msbb] C:\WINDOWS\SYSTEM\MSBB\MSBB.EXE
O4 - HKLM\..\Run: [HVLQAXO] C:\WINDOWS\HVLQAXO.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\McAfee\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [telepath] TELEPATH.101\tpexe.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - Startup: Office Startup.lnk = C:\msoffice\Office\OSA.EXE
O4 - Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Blink (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: @Home (HKCU)
O12 - Plugin for .qwa: C:\PROGRA~1\INTERN~1\PLUGINS\NPIPA32S.DLL
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O13 - WWW. Prefix: http://
O16 - DPF: {81BB6C86-9F6E-11D2-9253-00A0C973219B} (WowWrapperCtrl Class) - http://209.39.90.111/wowweb/deploy-2a/WowCom.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {1000026A-8230-4DD4-BE4F-6889D1E74166} - http://www.compete.com/panel/01/MSView.jsp?fid=UY9143
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/MySignatureInitialSetup1.0.0.5.cab
O16 - DPF: ConferenceRoom Java Client - http://irc.axpi.net:8080/java/cr.cab
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/ActiveXInstallers/306/nCaseInstaller.cab
O16 - DPF: {459729AC-727D-4D97-B18A-72EE224EFEC0} - http://defender.veloz.com/pub/download/stop-sign_stp_test.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FON39120/flash.cab
O16 - DPF: {4EE301F2-2A6A-4BE0-9FBD-97CDAA40E3E4} - http://i1img.com/images/nocache/copilot/i1initialsetup1.0.0.5.cab
O16 - DPF: Sametime Meeting Toolkit ST25 - file://C:\WINDOWS\JAVA\CONTROLF1\STMeeting25.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/DMO1/IAicm.cab
O16 - DPF: {73ED84D5-7AC8-9BE1-E696-6DD66CE722C0} (DownloadUL Class) - http://public.searchbarcash.com/cab/022/kyqczoce.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_99/QDow.cab
O16 - DPF: {E2F2B9D0-96B9-4B25-B90C-636ECB207D18} - http://www.whenusearch.com/WUInstCSSF.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install026.exe
O16 - DPF: {3C5BA506-6C30-4738-9CED-797ACADEA8DC} (Loader Class) - http://www.sqwire.com/toolbar/SQLoader3303.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 158.80.1.40,158.80.1.42,198.108.1.42


----------



## Triple6 (Dec 26, 2002)

When you go to save the file, remove the .log extension and replace it with .txt - this way it should open with Notepad. It appears that the .log extension is associated with Dr. Watson on your computer.


----------



## jnibori (Jul 21, 2002)

Do these need to be explored?

O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe

O4 - HKLM\..\Run: [ClrSchLoader] \Program 
Files\ClearSearch\Loader.exe

O4 - HKLM\..\Run: [CMESys] "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"

O4 - HKLM\..\Run: [msbb] C:\WINDOWS\SYSTEM\MSBB\MSBB.EXE


----------



## Cris_Cr0ss (Jan 30, 2004)

inst GMT a part of gain? the adware


----------



## soylattemom (Feb 15, 2004)

I don't know, but Cybertech told me not to change anything until instructed to do so, so I'm waiting for instructions!  What do I do next, guys? Thanks!


----------



## Byteman (Jan 24, 2002)

Yes guys/gals---soylattemom has several malwares- about every one made! Since there may be some special effects needed- we aren't going to just use HjackThis to remove anything.....
The fun will probably start after supper!

soylattemom--- you might better turn off Dr. Watson it will probably pop up way too many error messages.
You probably have a shortcut in your Startup folder that makes it continue to run all the time. You can start it up anytime by going to Start>Programs>Accessories>SystemTools>System Information>Tools>Dr Watson

There is an easier way....Start>RUN box type just drwatson...

Once it is running, it continues....you see the little funny looking icon lower right in your tray for it (Hold mouse on them till you find Dr. W---just right click and Exit Dr.)

Might help save what little hair you have *LEFT* 
http://www.windows-help.net/windows98/start-144.shtml


----------



## jnibori (Jul 21, 2002)




----------



## soylattemom (Feb 15, 2004)

wow, that bad, huh? not that i'm surprised. I mean, i've pulled all my hair out, so...

I'm ready to get to work whenever you are!


----------



## Flrman1 (Jul 26, 2002)

Well start by doing all of the following:

Click here to download CWShredder. Close all browser windows, click on the cwshredder.exe then click *"Fix" (Not "Scan only")* and let it do it's thing.

When it is finished restart your computer.

To help prevent this from happening again, I strongly recommend you install the folowing patches for the vulnerabilities that this hijacker exploits:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-011.asp

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-075.asp

*Note: The simplest way to make sure you have all the security patches is to go to Windows update and install all "Critical Updates and Service Packs"

Go here and download Adaware 6 Build 181

Install the program and launch it.

First in the main window look in the bottom right corner and click on *Check for updates now* and download the latest referencefiles.

Make sure the following settings are made and on -------*ON=GREEN*

From main window :Click *Start* then *Activate in-depth scan (recommended)*

Click *Use custom scanning options* then click *Customize* and have these options selected: Under *Drives and Folders* put a check by *Scan within archives* and below that under *Memory and Registry* put a check by *all* the options there.

Now click on the *Tweak* button in that same window. Under *Scanning engine* select *Unload recognized processes during scanning* and under *Cleaning Engine* select *Let windows remove files in use at next reboot*

Click *proceed* to save your settings.

Now to scan just click the *Next* button.

When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose *select all* from the drop down menu and click *Next*)

Restart your computer.

Then go here and download Spybot Search & Destroy.

Install the program and launch it.

Before scanning press *Online* and *Search for Updates* .

Put a check mark at and install *all updates*.

Click *Check for Problems* and when the scan is finished let Spybot fix/remove *all* it finds marked in RED.

Restart your computer.

Come back here and post another Hijack This log and we'll get rid of what's left.


----------



## soylattemom (Feb 15, 2004)

cwshredder...check
ms updates...check
downloaded Ad aware, but I get the same error message that I get with Spybot... (A device attached to the system is not functioning.)


----------



## Flrman1 (Jul 26, 2002)

What is the exact error message? Is this "A device attached to the system is not functioning" the complete error message?

Go ahead and post another log please.


----------



## soylattemom (Feb 15, 2004)

Actually, 2 messages come up. The first one says "Error Starting Program The WS2_32.DLL file is linked to missing export WS2HELP.DLL:WahEnableNonIFSHandleSupport" Then I click OK and the message behind it names the file location (C:\ProgramFiles...etc) and then the message. (A device attached...yada yada yada) That's everything.

Here's the new log:

Logfile of HijackThis v1.97.7
Scan saved at 9:10:26 PM, on 2/15/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\IEFEATURES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\NETAB32I.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
D:\POINT32.EXE
C:\MCAFEE\VSHWIN32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\MWSVM.EXE
C:\WINDOWS\SYSTEM\IEFEATURES.EXE
C:\PROGRAM FILES\SQWIRE\CC.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\MSOFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\COMMON FILES\GMT\GMT.EXE
C:\PROGRAM FILES\PRECISIONTIME\PRECISIONTIME.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE
C:\WINDOWS\MSBB.EXE
C:\PROGRAM FILES\SLIMBROWSER\SBROWSER.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=%tb_id
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://iwon.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=%tb_id
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by @Home Network - Version 1.7
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=%tb_id
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\SYSTEM\BTIEIN.DLL
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\IEASST.DLL
O2 - BHO: (no name) - {2662BDD7-05D6-408F-B241-FF98FACE6054} - C:\PROGRAM FILES\SQWIRE\U.DLL (file missing)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [BillMinder] C:\QWSE\BILLMIND.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Vshwin32EXE] C:\McAfee\VSHWIN32.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinFavorites] C:\PROGRAM FILES\WINFAVORITES\WINFAVORITES.exe1
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\SYSTEM\INTERNETFEATURES.exe
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\SYSTEM\IEFEATURES.exe
O4 - HKLM\..\Run: [SQUpdatesChecker] C:\Program Files\Sqwire\uc.exe
O4 - HKLM\..\Run: [SQConfigChecker] C:\Program Files\Sqwire\cc.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [NETAB32I] C:\WINDOWS\SYSTEM\NETAB32I.exe
O4 - HKLM\..\Run: [CMESys] "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
O4 - HKLM\..\Run: [msbb] C:\WINDOWS\MSBB.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\McAfee\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [telepath] TELEPATH.101\tpexe.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - Startup: Office Startup.lnk = C:\msoffice\Office\OSA.EXE
O4 - Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Blink (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: @Home (HKCU)
O12 - Plugin for .qwa: C:\PROGRA~1\INTERN~1\PLUGINS\NPIPA32S.DLL
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O13 - WWW. Prefix: http://
O16 - DPF: {81BB6C86-9F6E-11D2-9253-00A0C973219B} (WowWrapperCtrl Class) - http://209.39.90.111/wowweb/deploy-2a/WowCom.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {1000026A-8230-4DD4-BE4F-6889D1E74166} - http://www.compete.com/panel/01/MSView.jsp?fid=UY9143
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/MySignatureInitialSetup1.0.0.5.cab
O16 - DPF: ConferenceRoom Java Client - http://irc.axpi.net:8080/java/cr.cab
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/ActiveXInstallers/306/nCaseInstaller.cab
O16 - DPF: {459729AC-727D-4D97-B18A-72EE224EFEC0} - http://defender.veloz.com/pub/download/stop-sign_stp_test.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FON39120/flash.cab
O16 - DPF: {4EE301F2-2A6A-4BE0-9FBD-97CDAA40E3E4} - http://i1img.com/images/nocache/copilot/i1initialsetup1.0.0.5.cab
O16 - DPF: Sametime Meeting Toolkit ST25 - file://C:\WINDOWS\JAVA\CONTROLF1\STMeeting25.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/DMO1/IAicm.cab
O16 - DPF: {73ED84D5-7AC8-9BE1-E696-6DD66CE722C0} (DownloadUL Class) - http://public.searchbarcash.com/cab/022/kyqczoce.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_99/QDow.cab
O16 - DPF: {E2F2B9D0-96B9-4B25-B90C-636ECB207D18} - http://www.whenusearch.com/WUInstCSSF.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install026.exe
O16 - DPF: {3C5BA506-6C30-4738-9CED-797ACADEA8DC} (Loader Class) - http://www.sqwire.com/toolbar/SQLoader3303.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38032.6919791667
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 158.80.1.40,158.80.1.42,198.108.1.42


----------



## soylattemom (Feb 15, 2004)

Ok, well I'm goin to bed...I'll check in the morning and see if y'all have anymore suggestions for me. Thanks so much for your help! (Things are improving already!) I appreciate it!


----------



## firstc520 (Jan 26, 2004)

Soylattemom......when you ran CWShredder did you check for updates first?

You still have stuff in your system that needs to be removed.

Also i didn't see an Anti-virus installed on your pc. If you ahve it turned off then please turn it back on, update your definitions and run a full system scan.

If you do not have an antivirus then download one. there are 2 that i can recommend, AVG ( http://www.grisoft.com) and Avast 4 home edition. http://www.avast.com

I personally like avast, but both are FREE and very good. Once you have downloaded and AV please make sure it is has the most current updated virus definitions. Then run a full scan on your system.

If that doesn't work try the following:

Try to run spybot in safe mode also

to enter safe mode tap the F8 key immeniatly after windows POSTS (beeps during bootup, if you don't get it first time, then tap sooner. 

Give it a shot. if Spybot runs all the way through remove the items in RED

Good Luck

First_c


----------



## Flrman1 (Jul 26, 2002)

firstc520,

I just had him/her download the latest version of CWShredder. Read the thread please.



First I'd like for you to run the System file checker. Have your 98 installation CD Handy.

To run System File Checker:

Click the Start button, point to Programs, point to Accessories, and then point to Select System Tools. 
Click System Information. 
On the menu bar, click Tools. 
Click System File Checker. 
Choose Scan for altered files.

Hopefully it will replace the missing or corrupt files that are causing the errors. Try to run Adaware and Spybot again.

If that doesn't work we'll go ahead and remove as much as we can with Hijack This.


----------



## firstc520 (Jan 26, 2004)

Sorry about that flrman, it was just a thought..... (me slaps himself on wrist  ) 
Flrman did you notice an AV installed in that HJT log? i didn't. I don't have the online scanners web link handy of the top of my head, and i am going to bed.

Just a thought 

First_c


----------



## Flrman1 (Jul 26, 2002)

Just in case the above steps do not fix your problems and you're still unable to run Spybot and Adaware here's what needs removing with Hijack This:

Some of the files we are going to delete may be hidden so click on My Computer then go to View > Folder Options. Click on the "View" tab and make sure "Show all files" is ticked and uncheck "Hide file extensions for known file types". Click "Like Current Folder" then click "Apply" then "OK"

Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=%tb_id

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=%tb_id

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=%tb_id

R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL

O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL

O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\SYSTEM\BTIEIN.DLL

O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\IEASST.DLL

O2 - BHO: (no name) - {2662BDD7-05D6-408F-B241-FF98FACE6054} - C:\PROGRAM FILES\SQWIRE\U.DLL (file missing)

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL

O4 - HKLM\..\Run: [WinFavorites] C:\PROGRAM FILES\WINFAVORITES\WINFAVORITES.exe1

O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\SYSTEM\INTERNETFEATURES.exe

O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe

O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe

O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\SYSTEM\IEFEATURES.exe

O4 - HKLM\..\Run: [SQUpdatesChecker] C:\Program Files\Sqwire\uc.exe

O4 - HKLM\..\Run: [SQConfigChecker] C:\Program Files\Sqwire\cc.exe

O4 - HKLM\..\Run: [NETAB32I] C:\WINDOWS\SYSTEM\NETAB32I.exe

O4 - HKLM\..\Run: [CMESys] "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"

O4 - HKLM\..\Run: [msbb] C:\WINDOWS\MSBB.EXE

O4 - Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

O4 - Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.ex

O16 - DPF: {81BB6C86-9F6E-11D2-9253-00A0C973219B} (WowWrapperCtrl Class) - http://209.39.90.111/wowweb/deploy-2a/WowCom.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/f...etup1.0.0.5.cab

O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/ActiveX...seInstaller.cab

O16 - DPF: {459729AC-727D-4D97-B18A-72EE224EFEC0} - http://defender.veloz.com/pub/downl...gn_stp_test.cab

O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com...39120/flash.cab

O16 - DPF: {4EE301F2-2A6A-4BE0-9FBD-97CDAA40E3E4} - http://i1img.com/images/nocache/cop...etup1.0.0.5.cab

O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/DMO1/IAicm.cab

O16 - DPF: {73ED84D5-7AC8-9BE1-E696-6DD66CE722C0} (DownloadUL Class) - http://public.searchbarcash.com/cab/022/kyqczoce.cab

O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_99/QDow.cab

O16 - DPF: {E2F2B9D0-96B9-4B25-B90C-636ECB207D18} - http://www.whenusearch.com/WUInstCSSF.cab

O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install026.exe

O16 - DPF: {3C5BA506-6C30-4738-9CED-797ACADEA8DC} (Loader Class) - http://www.sqwire.com/toolbar/SQLoader3303.cab*

Restart to safe mode and delete:

The C:\Program Files\*PrecisionTime* folder
The C:\PROGRAM FILES\*WINFAVORITES* folder
The C:\Program Files\*Sqwire* folder
The C:\Program Files\Common Files\*GMT* folder
The C:\PROGRAM FILES\COMMON FILES\*CMEII* folder
The C:\Program Files\Common Files\*slmss* folder
The C:\WINDOWS\*mwsvm.exe* file 
The C:\WINDOWS\*MSBB.EXE* file
The C:\WINDOWS\SYSTEM\*NETAB32I.exe* file
The C:\WINDOWS\SYSTEM\*INTERNETFEATURES.exe* file
The C:\WINDOWS\SYSTEM\*IEFEATURES.exe* file

There may be more than one Winfavorites folder so while still in safe mode go to Start > Find > Files or folders. Click "Options" and check "Case Sensitive". In the "Named" box type ...*winfavorites*. Click "search". Right click and delete all instances of winfavorites wherever found.

Also look in your IE favorites for one or more folders that have been added called Adult Links or Adult Entertainment containing numerous links to Adult sites. Delete those.

Also Go to Start > All Programs and look for those same type folders there and delete them.

How to start your computer in safe mode.

Empty the recycle Bin.


----------



## Byteman (Jan 24, 2002)

flrman1-

If they have the First Edition of win98, there can be a problem running the whole scan of sfc....
http://support.microsoft.com/?kbid=192832
There are several files it may show that should be replaced, such as User.exe, which can cause problems!

it was fixed in 98Second Edition- Gold I think is First Edition

Here is a step by step with pics on using sfc to replace/extract the winsock2 --- at least that is what I think you are "aiming" at-
Be sure to be doing the win98 instructions Scroll down page to win98) if this is tried- there are several Windows versions with steps shown.

http://support.pcnet.ca/windows-95-98/winsock.htm#Win98's

Might make it easier for them.

NOTE: firstc520----
SpyBot probably was not able to be updated, if they couldn't even open it-----running it to remove might not work too well, even from Safe Mode.


----------



## Flrman1 (Jul 26, 2002)

No I don't see an AV running firstc520.

soylattemom

You definitely need to get an Antivirus and a firewall. See this thread for some good free ones:

http://forums.techguy.org/t110854/s.html

I'm just rying to get as much of this in here as I can tonight as I will be at work tomorrow and will not have time in the AM. I'll check back here after work tomorrow and see how much progress you've made.

Also do this:

Go here and do an online virus scan:

http://housecall.trendmicro.com/

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.

Be sure and do everything I suggested in Posts #21 & #23.


----------



## Flrman1 (Jul 26, 2002)

Actually Bill, this is the error I was attempting to fix with SFC:



> _Originally posted by soylattemom:_
> *Actually, 2 messages come up. The first one says "Error Starting Program The WS2_32.DLL file is linked to missing export WS2HELP.DLL:WahEnableNonIFSHandleSupport" Then I click OK and the message behind it names the file location (C:\ProgramFiles...etc) and then the message. (A device attached...yada yada yada) That's everything.*


Maybe if you're going to be around tomorrow during the day you can assist with the SFC. I'll be working most of the day and will not be able to get on here but just a little while in the AM and then will be away til 4 or 5 pm EST.


----------



## Flrman1 (Jul 26, 2002)

I am moving this to the Security forum.


----------



## Byteman (Jan 24, 2002)

Hi soylattemom

I think we should start out trying to replace those two system files- to see if we can get SpyBot and/or AdAware running.

We may need to get rid of Temporary Internet Files etc- do it this way first: open Internet Explorer>Tools>under Temp Internet Files area, click on "Delete Files", put a check into "delete all offline content" and click OK. 
Then close IE---from Start, Programs, Accessories, System Tools> open Disk Cleanup and get rid of TEMP files and if you know there is nothing in Recycle Bin needed- put check mark into that, too and click OK to delete files. 
NEXT- 

You must have "Show all Files" with a dot in it- check by opening Windows Explorer, at the top, View>Folder Options>View again, put a dot in Show all Files....and also, take the mark out of "Hide File extensions for know file types"

Navigate to the C:\Windows\Options\Cabs folder- highlight Cabs folder on left-
do you see lots of .CAB files numbered up to about 70 or so?
Since you may not have a plain Windows 98 CD, or may have upgraded from win95....this will save us time.

Also- using FIND from the Start button to search for these files, one at a time, see if there are ONLY ONE OF EACH OF THESE FILES.....
WS2_32.DLL should be 74kb or so.
WS2HELP.DLL should be 24kb or so.


They should both be in the System folder.
No need to post if you FIND tool shows only one in System folder.
If there ARE more than one- delete any that are NOT in System folder. 
NEXT- Windows Explorer, Windows>System highlight that folder and on the right, scroll down to find each file, right click it, Properties> Version and record the date shown for each and post them. My win98 First Edition shows 4.10.1998 for them in the Version box. 

You also need to reply that you either have the .CAB files in the System folder or not, and if not, have the win98 CD or not.


----------



## soylattemom (Feb 15, 2004)

Whew! I have lots of work to do today! I checked for CWShredder updates, but I just get an "unable to retrieve" message. There probably is an update, because I downloaded CWS a few months ago.

You're right, I didn't have an anti-virus program. I didn't realize I could get one for free! (Although, at this point, paying for one would certainly have been worth it!) I installed it, and it is in the process of running, but it found a virus...and I'm not sure whether to select "Move/Rename", "Delete", "Repair", or "Move to chest". I'll wait for a reply before I continue that scan. (File name: c:\WINDOWS\backup\TB031029.DAT Virus name: Win32:Swen [Wrm])

I have about 30 of the CAB files. I have a Win98 CD (somewhere around here) but it wouldn't matter because our CD drive hasn't been working for months. (Our computer is 8 years old)

I have to work from 12-5 today, but I'll be on working on this till I leave, and I'll be right back on as soon as I get home.

(BTW, I am a "she", for those who didn't know!)


----------



## soylattemom (Feb 15, 2004)

Oh, yeah, I ran the housecall virus scan a few days ago. There were about 14 items (all non-cleanable) which I deleted.


----------



## Byteman (Jan 24, 2002)

Hi- CWS site you went to may still be offline, as they have had problems last few days.

You can get a newer version here, it might help if you run it-
http://www.sherrylynn.us/CWShredder.exe

Delete the old one- it has no installer, just simply right click the CWShredder.exe and delete it, before you get the new one...

The Swen virus has a simple to use removal tool which you should also download and run: This tool will also remove several others, its very good and eays to use. download to desktop and double click stinger.exe (first disconnect from Net if on dialup or close all browser windows) 
Get it here:
http://vil.nai.com/vil/stinger/

Post back what it finds. We can wait and do the other things I asked about when you get back home, now is fine if you have time- realize you are headed out! Best not to rush and make mistakes. Take care of the Swen and what else Stinger finds first. Flrman1 will be around later, too and might want to attack things differently using the System File Checker.

NOTE: edited post#28 up above please take a look, print it if you can/want to for later..


----------



## soylattemom (Feb 15, 2004)

Got the new CWS...didn't find anything
Stinger didn't find anything.

the ws2_32.dll file was in the "System32" folder, and the version says exactly this: "5.1.2600.0(xpclient.010817-1148)"

the ws2help.dll file was in the "System" folder, version 4.10.1998

haven't finished the avert scan yet, so I'll do that now; then I'll go into safe mode to run the other 2 scans. Then Ill post another HT log


----------



## Flrman1 (Jul 26, 2002)

Did you do the fixes I suggested with Hijack This?

What scans are you going to do in safe mode?


----------



## soylattemom (Feb 15, 2004)

Ok, nevermind...just re-read post #24. I won't try the safe mode thing (for Spybot & Adaware)

I ran the sys file checker, and file "vswk4.dll" needed to be restored, but like I said earlier, my CD drive doesn't work. Is there somewhere online I can restore it?

I think I've done everything else suggested, so now I will follow your instructions (Mark) about HJT. brb.


----------



## Byteman (Jan 24, 2002)

Ok- when you use the system file checker, you have two options- to use your Windows CD to extract the file you want to replace from. Or, you can get them from the .CAB files- as is shown in the link I posted which is a guide on doing this.
You said you had only 30 .CAB files- and for win98 First Edition, my one First Edition machine has 69 numbered plus others....so something is wrong I think. Did you install win98 as an upgrade to windows95 perhaps? Even then- the versions of the two files are nowhere near similar - should be 4.10.1998 or possibly 5.11.1998. No idea what is up with that xpclient thing- perhaps you might have downloaded or installed acopy of your ISP software meant for XP? I had one customer who did that with CompuServ that does put out separate programs...
And for win98, the files should be in the System, not the Sys32 folder....... In my System32 folder on win98FE there is one folder named "Drivers" which contains only .sys files.
The other two files in System32 are desktop.ini and folder.htt.
Your HijackThis log shows you are using win98FE.
I have heard of some things being buggy with @Home tho.
Is that what you are using to connect---AtHome??
Or [email protected]? Thought they went out of business.


----------



## soylattemom (Feb 15, 2004)

They are out of business...we used them back in 98/99.

I will go ahead and move that file to the System folder. The other files/folder you mentioned are in there.

I originally had Win95...but when I bought a laptop a few years later (from the same company--Gateway), I used that Win98 CD to upgrade my desktop. Should I do something about that xp file?

I will try your link about the CAB files. Could they be in another folder on my computer? I'll check.

Mark...did everything you listed. YAAYY! My computer is working like a dream now! These 2 files weren't on the log when I went to fix them:
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL

O4 - HKLM\..\Run: [NETAB32I] C:\WINDOWS\SYSTEM\NETAB32I.exe

Also, this file was not there to delete: C:\WINDOWS\SYSTEM\INTERNETFEATURES.exe 
Hold on, and I'll go make another log so you can double-check it...


----------



## soylattemom (Feb 15, 2004)

Logfile of HijackThis v1.97.7
Scan saved at 8:42:46 PM, on 2/16/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\MCAFEE\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\TELEPATH.101\tpexe.exe
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
D:\POINT32.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\MSOFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\LE2DISPO.EXE
C:\PROGRAM FILES\SLIMBROWSER\SBROWSER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.iwon.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by @Home Network - Version 1.7
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [BillMinder] C:\QWSE\BILLMIND.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Vshwin32EXE] C:\McAfee\VSHWIN32.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [LE2DISPO] C:\WINDOWS\SYSTEM\LE2DISPO.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\McAfee\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [telepath] TELEPATH.101\tpexe.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - Startup: Office Startup.lnk = C:\msoffice\Office\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Blink (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: @Home (HKCU)
O12 - Plugin for .qwa: C:\PROGRA~1\INTERN~1\PLUGINS\NPIPA32S.DLL
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O13 - WWW. Prefix: http://
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {1000026A-8230-4DD4-BE4F-6889D1E74166} - http://www.compete.com/panel/01/MSView.jsp?fid=UY9143
O16 - DPF: ConferenceRoom Java Client - http://irc.axpi.net:8080/java/cr.cab
O16 - DPF: Sametime Meeting Toolkit ST25 - file://C:\WINDOWS\JAVA\CONTROLF1\STMeeting25.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38032.6919791667
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 158.80.1.40,158.80.1.42,198.108.1.42


----------



## Byteman (Jan 24, 2002)

NO NO noone told you to do anything!!!!!!!

Dont move yet.


----------



## soylattemom (Feb 15, 2004)

Oh, yeah...I have 101 .cab files on my computer. Many of them are in the Windows Update Setup folder. Should I do something with them?

(Ok, now I'm really showing my computer knowledge, aren't I?)


----------



## soylattemom (Feb 15, 2004)

Ok! (Response to post#38)


----------



## Byteman (Jan 24, 2002)

Nope used to it here....

Sorry but you will have to wait just a minute to do some things.

NOW....read all this, and take a minute to digest it.

And correct me if I get anything wrong...try to answer each question...

Do you use cable or DSL to connect? Dialup?

When you used the system file checker eariler....and as I think scanned the whole system folder...for altered files---did it mention anything up about the two files WS2_32.DLL or WS2HELP.DLL?
When it finds a corrupt or wrong size etc file in the System folder you get a message asking what you want to do...ignore is one of those options- and leave or replace are options. Were there any other files found where the checker stopped and asked you anything?

I don't know why using first edition win98 you would have WS2 files in System32- that can't be too good.

I don't get what you are saying about "the other files/folder are in there" the desktop.ini and folder.htt and Drivers folder should be in System32 folder. The Drivers folder contains only .sys files.
The System (plain) folder should contain: well over 1,000 files and mine has 58 folders. The numbers can vary from computer to computer.... I guess if you installed 98 over a 95 that might explain what is going on....

To check the version of the two WS2 files we wanted to work on...you use Windows Explorer, and go down through the +signs from there to Windows to the System folder, highlight it by clicking ONCE with the mouse, and look to your right....the WS2 files are way down toward the end and are next to each other. It may help if you change the View to "Details" by putting a dot next to Details, then things are shown in a easy to read list...
When you find the WS2 files....check Properties by right clicking each, select Properties, then select Version tab up top....
for each one WS2_32.DLL and WS2HELP.DLL. 


My Windows Update Setup folder contains 7 files one of which is Dcom95.exe.
Best you wait until we have a look at.


----------



## soylattemom (Feb 15, 2004)

cable internet (Charter Communications)

SFC did not mention those two files. No other files were mentioned except the vswk4.dll. And I clicked ignore.

The desktop.ini and folder.htt and Drivers folder are in the System32 folder. (That's what I meant)


----------



## Flrman1 (Jul 26, 2002)

I am a little lost on what's going on with the SFC thing right now and I don't really have time now to catch up so I'll leave that to you Bill. 

What I will address is this:

It looks like this one:

*O4 - HKLM\..\Run: [NETAB32I] C:\WINDOWS\SYSTEM\NETAB32I.exe*

That you could not find from the first log has morphed into this:

*O4 - HKLM\..\Run: [LE2DISPO] C:\WINDOWS\SYSTEM\LE2DISPO.exe*

Let's see if we can do this the simplest way and if we can't we'll try something else.

First shut down cold for at least 30 secs. then boot directly into safe mode.

Go ahead and run Hijack This and have that entry selected and ready to be fixed, but don't click Fix Checked yet.

Now open the C:\WINDOWS\SYSTEM folder and have this file selected and ready to go:

*LE2DISPO.exe*

Now in as rapid a succession as you can delete the file and then click "Fix Checked in Hijack This.

Boot back to normal and post another log.


----------



## Byteman (Jan 24, 2002)

Wait for Mark to get back...looks like some other work to do with the spyware....not looking too bad, tho. Do what he suggests now, this stuff can wait for later....
Now- are WS2_32.DLL and WS2HELP.DLL in the System folder?
You posted back a ways that:
""the ws2_32.dll file was in the "System32" folder, and the version says exactly this: "5.1.2600.0(xpclient.010817-1148)""
I just want to be sure you are getting the right info at the right place- find out if there are perhaps 2 WS2_32.DLL files, one in each folder, which is not good but not life threatening....
Just confirm if there is only one, and it is in System32, OK?

When you find them and right click them and select Properties, then Version...
they may show something like this on the grey window:

Version: 4.10.1998

Windows Socket Helper 2.0 for Windows98

Company Name- Microsoft Corp.

Some of your other questions:


To make a quick end to this----if the computer runs and you are getting around the Net OK, there are no error messages or any freezing up etc... let things be as they are and keep a log of what if anything does happen for awhile. I can't see any real need to move or replace any files if everything works. It just could be a result of the way you installed over win95 back when. Or, some program has replaced one file and put it in the other folder, for all I know it may be OK!! It's kinda not normal, but what the heck is with computers? I had read that bad programming creates these WS2 file errors....and to correct them, you can use System File Checker to replace the existing or duplicates with the correct file....however, sfc did not turn it's nose up at what you have, so there you go!!!
And, of course, get back here if anything does act up.


----------



## soylattemom (Feb 15, 2004)

When I went to safe mode to fix that file, it wasn't there:
O4 - HKLM\..\Run: [LE2DISPO] C:\WINDOWS\SYSTEM\LE2DISPO.exe

Here's the new log

Logfile of HijackThis v1.97.7
Scan saved at 9:54:41 PM, on 2/16/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.iwon.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by @Home Network - Version 1.7
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [BillMinder] C:\QWSE\BILLMIND.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Vshwin32EXE] C:\McAfee\VSHWIN32.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [P_28591C] C:\WINDOWS\SYSTEM\P_28591C.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\McAfee\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [telepath] TELEPATH.101\tpexe.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - Startup: Office Startup.lnk = C:\msoffice\Office\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Blink (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: @Home (HKCU)
O12 - Plugin for .qwa: C:\PROGRA~1\INTERN~1\PLUGINS\NPIPA32S.DLL
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O13 - WWW. Prefix: http://
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {1000026A-8230-4DD4-BE4F-6889D1E74166} - http://www.compete.com/panel/01/MSView.jsp?fid=UY9143
O16 - DPF: ConferenceRoom Java Client - http://irc.axpi.net:8080/java/cr.cab
O16 - DPF: Sametime Meeting Toolkit ST25 - file://C:\WINDOWS\JAVA\CONTROLF1\STMeeting25.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38032.6919791667
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 158.80.1.40,158.80.1.42,198.108.1.42


----------



## soylattemom (Feb 15, 2004)

Nope. Only one file. In the System32 folder. And the version says: 
5.1.2600.0 (xpclient.010817-1148) 

I still get the ws2 error message when I try to run ad-aware and spybot. (I even tried it in safe mode...same thing) Actually, we've been getting that ws2 error message for several months. It would come up every time we rebooted...but after fixing the problems over the last two days we haven't been getting it. But I still get it when trying to run SB and AA.


----------



## Byteman (Jan 24, 2002)

Hmmm, found this about the strange file version showing for WS2_32.DLL which is in the System32 folder, as I said that is not normal for win98, and here is something interesting:
The numbers 5.1.2600.0 match things it says are for
xpclient.010817-1148

These were copied/pasted from a .dll download site::
They are not from your log, system, etc but show what I am talking about clearly::
Terminal Server Configuration WMI provider 
tscfgwmi.dll 5.1.2600.0 (xpclient.010817-1148)
5.1.2600.1106 (xpsp1.020828-1920)

trkwks.dll Distributed Link Tracking Client 5.1.2600.0 (XPClient.010817-1148)
5.1.2600.1106 (xpsp1.020828-1920)

Now- it could be that something has done something with the old WS2_32.DLL file, since it's version you have looked up twice, is shown in the format above (xpclient etc)
I havent seen this before, but I know it can and does happen.
When "bad code" is loaded- it can make programs not work- or, if the wrong type of program IS loaded, it can make errors. In this case I don't know for sure....but- it seems that you have the wrong version of WS2_32.DLL and it is in the System32 folder, and not a duplicate...as there is no WS2_32.DLL in the System folder at all....
I just finished reading that .DLL files can show the same filenames but be entirely different...

""A Dynamic Link Library (DLL) is a file of code containing functions that can be called from other executable code (either an application or another DLL). Programmers use DLLs to provide code that they can reuse and to parcel out distinct jobs. Unlike an executable (EXE) file, a DLL cannot be directly run. DLLs must be called from other code that is already executing.
In more understandable words, a DLL is a file which does a particular job, and allows other programs to use its efforts in assisting the program's job. Some programs use a DLL so that they won't need to spend time figuring out how to do that job. For example, Microsoft has a DLL comctl32.dll which does all the user interface jobs (toolbars, text boxes, scroll bars, etc). So, other programs use that DLL so they won't have to create their own edit boxes, etc. When a program requires a DLL to run, and can't find it, it won't be able to run because its suddenly missing the DLL to perform some of its critical work. We've all used DLLs before and we're using them now. They're required to run all Windows programs, including Windows but you never actually see them at work. There are different versions of the same file name. Just because the file appears to be the same doesn't mean it is. To check what version the file is, open Windows Explorer, locate the file and right click on it. Select Properties and click on the Version tab or download Driver Detective v2.0. If there is no version tab then the file does not have a version number. Generally, if you have a newer version of a file, don't replace it with an older version.""

What do we do now? We could: rename the present WS2_32.DLL to something like WS2_32.DLx and then put a known good copy of WS2_32.DLL into the System folder and see what happens. That is standard procedure....
The good copy can be downloaded many places--would really be best if you could find the 98 CD to get it from. On a regular copy of Win98First Edition, it resides in the Net7.CAB folder and can be extracted easily using the System File Checker back to where it is supposed to be. Then- you try things out, try SpyBot etc and see what happens. 
I would wait just now, and I will try to get some more help. I know a few people who work on things like this a lot- anyone is welcome to comment, too, in the meantime. 
Sorry it's been so many long, technical posts for you to wade thru, but that's how it goes!!


----------



## Flrman1 (Jul 26, 2002)

Well it has morphed again. Now it is:

*O4 - HKLM\..\Run: [P_28591C] C:\WINDOWS\SYSTEM\P_28591C.exe*

I have got to get to bed, but I'll check back here in the AM and see if we can't formulate a plan to get rid of this sucker.


----------



## dvk01 (Dec 14, 2002)

To cure your morphing file problem lets try this

boot into safe mode

then run a HJT scan and examine it carefully

the entry you want to look at is the bolded entry, it will change each time you boot up or do anything to it, but it wiill always be in the same place on the Hijackthis log, between the ashmaisv entry and the power profile entry

when you have the log scnned, then check that entryonly and press fix checked, then still in safe mode using windows explorer navigate to the file of that name and right click it and press delete

then reboot and run a nw HJt scan to see if it has gone 
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
*O4 - HKLM\..\Run: [P_28591C] C:\WINDOWS\SYSTEM\P_28591C.exe*
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme


----------



## soylattemom (Feb 15, 2004)

Byteman...I do have a CD, but my drive doesn't work anymore. Thanks so much for your help...I know it's taking much of your time to do all this research. Just let me know what you want me to do next! 

Thanks, Mark and Derek...I'll do that right now.

You guys are great!


----------



## soylattemom (Feb 15, 2004)

done! (And yes, it did morph again!)

Here's the new log:

Logfile of HijackThis v1.97.7
Scan saved at 12:39:03 PM, on 2/17/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\MCAFEE\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\TELEPATH.101\tpexe.exe
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
D:\POINT32.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\MSOFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\PROGRAM FILES\SLIMBROWSER\SBROWSER.EXE
C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.iwon.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by @Home Network - Version 1.7
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [BillMinder] C:\QWSE\BILLMIND.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Vshwin32EXE] C:\McAfee\VSHWIN32.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\McAfee\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [telepath] TELEPATH.101\tpexe.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - Startup: Office Startup.lnk = C:\msoffice\Office\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Blink (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: @Home (HKCU)
O12 - Plugin for .qwa: C:\PROGRA~1\INTERN~1\PLUGINS\NPIPA32S.DLL
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O13 - WWW. Prefix: http://
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {1000026A-8230-4DD4-BE4F-6889D1E74166} - http://www.compete.com/panel/01/MSView.jsp?fid=UY9143
O16 - DPF: ConferenceRoom Java Client - http://irc.axpi.net:8080/java/cr.cab
O16 - DPF: Sametime Meeting Toolkit ST25 - file://C:\WINDOWS\JAVA\CONTROLF1\STMeeting25.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38032.6919791667
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 158.80.1.40,158.80.1.42,198.108.1.42


----------



## Byteman (Jan 24, 2002)

Hi, That random file that was morphing does not show in this log, I assume you followed directions to delete it while still in Safe Mode just after fixing it with HJT---but, did you then reboot, rescan with HJT? If you did, the sucker may be gone...but, want to make certain it's gone.....
It's also a good time to rescan with adAware/SpyBot if you could....reboot after using either.....and you know what's next> post a new HJT log & let's hope its cured!!


----------



## Flrman1 (Jul 26, 2002)

Well it is definitely not in this log so maybe we finally got it. Do as Bill suggested and then post another log.


----------



## soylattemom (Feb 15, 2004)

I followed Derek's instructions exactly. That log is the one after the 2nd reboot. (NOT in safe mode).

Still can't run spybot or adaware--getting the ws2 error message.


----------



## Flrman1 (Jul 26, 2002)

Well your log is clean now. The only thing left to do now is fix those errors. I'm really not sure about what's going on with that. Bill seems to have dug up more info on that than I have plus he has a 98 first edition machine so we'll wait to see aht he says on that. All I have here is a 98se test machine so all I can do with that is Google it.


----------



## soylattemom (Feb 15, 2004)

Ok...thanks Mark, for all your help! I think I may consider that donation thing!


----------



## Byteman (Jan 24, 2002)

Hi soylattemom-

In the process of finding out what to do with the SpyBot problem- will post what you can try shortly.


----------



## soylattemom (Feb 15, 2004)

Ok, great! Thanks!


----------



## Byteman (Jan 24, 2002)

Hi soylattemom-

I think first you should try this Repair of Internet Explorer and we will work on from there.

Go to Add/Remove Programs, find Microsoft Inernet Explorer 6 and IE Tools, and then click "remove" dont worry, we are not uninstalling anything- this will bring up 3 options, select "Repair this version...etc" and run the repair tool. It takes a few minutes, when done you will see a message as to it worked, or you need to reinstall IE totally. You will have to reboot when finished. Post what the repair utility shows. Try opening SS&D, post what that does.


----------



## soylattemom (Feb 15, 2004)

Ok. The repair tool is running now. BTW, I don't know if it matters, but we haven't been using IE for a while. We use Slim Browser after hearing good things about it on the TechTV website.

will post results of repair tool in just a moment...

Ok, I just clicked "Ok" to "Do you want to restart now" before I looked at the result of the IE repair! oops! SORRY! I realized it too late. 

Anyway, I get the same messages when I try to run spybot. Also, I checked again to see if the ws2 file was still in the System32 folder and it is.

sorry again! Hope i didn't mess things up!


----------



## Byteman (Jan 24, 2002)

You probably should have been offline while doing the repair, I thought you had some knowledge of what to do there.
If the repair did anything, you would have been able to start SpyBot I would think. If you did restart, any changes shouldl have been made then.

The problem may be SlimBrowser itself, it does this when you do not elect the right things:

""SlimBrowser is based on IE. It use the same privacy settings as IE in the kernel level. If you change any settings in the privacy/security tab in Internet Options dialog, the change will be directly effective in SlimBrowser. As a wrapper on top of IE, SlimBrowser doesn't collect any privacy information (name, usage statistics, email, host IP, etc) from the user's computer without EXPLICIT consent from the user. 

SlimBrowser integrates MySearch SearchBar plugin from The Excite Network(TEN, the operator of Excite.com and iWon.com). It provides easy access to search in multiple major search engines including Google, Altavista, AskJeeves, AlltheWeb and LookSmart. It also provides keyword highlighting and additional customizable buttons. Be sure to check Privacy Policy of MySearch SearchBar here. 

If you don't like any plugin and opt-out the plugin installation during setup, the settings will be remembered and the corresponding plugin won't be installed again during later updates. ""

Some of that may have been removed by HijackThis use as we were going along.

If you can still use SlimB, then no problem I suppose.
Post back how the Internet connection is behaving, are you connecting first time, etc? Notice any other problems?
There is a SpyBot settting repair tool it says at their forum, sometimes the settings get messed up, especially when you use a proxy connection, it resets things for you to allow SS&D to open normally, I have tried it here with no ill effects....
Post back and I will put up the file I want you to get with directions.


----------



## soylattemom (Feb 15, 2004)

(edited post above)


----------



## Byteman (Jan 24, 2002)

Hi soylattemom
i see you are getting online OK, good....
To clear some things up: nothing is going to move the location of the WS2_32.DLL file-- until we/you do---I am trying to leave that for last resort as I am not sure what the outcome of doing the move would be. There are some other things that could be the reason SpyBot won't open- so I am going to have you try them one by one, OK? 
Download the two files to the desktop first.
Follow directions for each, if the first fixes things stop there.

This download opens direct, means that the download will pop right up, so get it to the desktop. 
http://www.safer-networking.org/files/delcwssk.zip

Go offline...and click the 
file named delcwssk.zip, extract to desktop and run the .exe file for it. That will tell you either something was removed, or that your system was not infected. 
If anything was found- try SpyBot again.
if it still won't open do the next part.

Go and get this file, it is a .zip 
http://spybot.eon.net.au/files/resetsettings.zip

This file resets your SpyBot settings so that it can open. Download it to the desktop, it makes a Resetsettings icon on desktop. 2 Click that to do the unzipping...when you extract the file, it have it also go to the desktop. It will appear as an icon with a white window and be labelled Resetsettings.exe, double click that to run it. Click "Ja" for yes (the programs author is from Europe) and click Ja again...close it up. Go offline, restart and try SpyBot again.
Post back if you can open SpyBot. There are some things to set- I have a link to the guide for SpyBot you can look at print etc. that will help you.

If neither of those does not do the trick, there are other things to try.


----------



## soylattemom (Feb 15, 2004)

Ok...did the first thing. Nothing found.

Second thing: when I clicked the first "Ja", an "illegal op" error message came up. When I clicked "close" another error message came up--a long one but the end said, "The system cannot find the path specified."

If you would like me to quote you the entire error message, just let me know.


----------



## Byteman (Jan 24, 2002)

Hi, Lets see that error!


----------



## soylattemom (Feb 15, 2004)

<sigh> ok... (just kidding)

Exception EFCreateError in module RESETTINGS.EXE bei 0001A5B1. Datei "C:\WINDOWS\Application Data\Spybot - Search & Destroy\Configuration.ini" kann nicht erstellt werden. The system cannot find the path specified.


----------



## Byteman (Jan 24, 2002)

Sheesh---Ok lets try a new copy of SS&D. First- go to Start>Programs>SpyBot S&D in your list and use the uninstaller in the menu. SpyBot also puts an uninstaller in the Add/Remove Programs list, try that if the other does not work. 
Also, you will have to delete a folder as this shows you:

""After the uninstaller is through...
restart the PC
navigate to the default installation folder and delete that too, ususally it is found at
C:\Program Files\Spybot - Search & Destroy,, then
navigate to and delete the delete the configuration file 
(which is named Configuration.ini). Where it is located depends on your Windows version...
For Windows 95/98, the file is located in C:\Windows\Application Data\Spybot - Search & Destroy\." Don't worry if the configuration.ini is not there, probably is not.

Then get the new download to your desktop. 
http://www.safer-networking.org/index.php?page=download

If you can, use Internet Explorer to download. Then- go offline....and install it. Start up computer, when you are at the desktop, double click the file you downloaded which will be something like spybot12.exe. You will have to click "English" as your language...least my version I did...
The basic setup- please see this page: you will not be online, so copy down the steps, save this site in your Favorites so you can check it out when you get back online.

http://forum.gladiator-antivirus.com/index.php?showtopic=8630
OK- do the steps in order, and post back what happens.


----------



## soylattemom (Feb 15, 2004)

Still could not open Spybot. Then I went back to the second step of post #63, and I still got the error message.


----------



## Byteman (Jan 24, 2002)

OK- basically then, SpyBot was re-downloaded and installed...but you do not get any errors or anything during the install? Just when you click on the icon to open SpyBot?

I have posted the old errror you posted about those WS2 files...as well as the more recent errors at two other forums where there are some good specialists with SpyBot problems...but no one has replied yet. I am going to contact the author of SpyBot, Patrick K, since he would by now have seen this crop up I am pretty sure...and see what he thinks. I
Question- are you using Internet Explorer, and, can you get to this page: www.symantec.com using IE?
If you are tired....let me know, and by tomorrow Patrick may reply. Staying up late does not bother me- but we don't want you exhausted if you need to get up and earn it tomorrow


----------



## soylattemom (Feb 15, 2004)

no errors on install. Only trying to open the program.

Yes, I'm getting to bed. Have to work tomorrow. I should be able to get on in the a.m. though and go to symantec before work. Let me know what you want me to do there.

Thanks!


----------



## Byteman (Jan 24, 2002)

Hi, The first thing to try is getting the updates to winsock for your computer. You must install the Windows Socket2 update (986kb- top of page, Download button) first....the instructions are down below the DUN 1.3 Winsock2 and Year 2000 update, which you must install also, after the Windows Socket2. The general method is to create new folders on the desktop, rename them so you know the difference....and save them to disk, and to those folders. I use Socket2 for the first one, and Y2K for the second, to help tell the difference.... NOTE: you must go offline, close all other programs....just sitting at the desktop and install both updates. Restart when it tells you to. If you get any messages coming up about your system cannot use the updates, just stop and post back. There is a winsock restore to try.
Try opening SpyBot after you have done these updates. Good luck. The people I spoke with practically guaranteed this will work. 
There would usually be no problem simply removing and reinstalling DialUpNetworking through the Control Panel>Add/Remove Programs>Windows Setup routine, but it is hard to tell if it would work. We basically have to start back at the win95 level, and try the two updates...then, there is one more update we can try if we need to. If your CD drive was working, you could extract a good copy of the needed files, but again, they may not fix it. I think this is the best way to go. Good luck. 
Perhaps we can fix the CD drive later, too unless it's toasted.

http://www.microsoft.com/Windows95/downloads/contents/WUAdminTools/S_WUNetworkingTools/W95Sockets2/

EDIT:: I don't know if this link will give you access, let me know if it does not work, the info I was give is shown for anyone to look at:

http://forum.gladiator-antivirus.com/index.php?act=ST&f=147&t=11102&st=0#entry37858


----------



## Byteman (Jan 24, 2002)

hi, I would like to also pass this on- contents verbatim of an email I got back for solution to this error, from Team SpyBot (support team for that program)

""Thu, 19 Feb 2004 12:35:18 +0100
From: Team Spybot <software @spybot.info>
To: Bill 
Subject: Re: [SBSD] error when starting SpyBot 1.2 
Bill wrote:
> Person has tried installing twice, has tried the Resetting fix, has tried the Smartsearch.killer tool, CWShredder, and has had HijackThis log reviewed. Everything works except SpyBot! There is this first error: ""Actually, 2 messages come up. The first one says ..."

Hello,

This message will only appear if you are using Windows 95 and have not yet installed the Winsock2 update. 
This update is available from Microsoft free of charge, and can be downloaded on this website:
http://www.microsoft.com/windows95/...s/S_WUNetworkingTools/W95Sockets2/Default.asp

This information is also available in our FAQ:
http://www.spybot.info/index.php?page=faq&detail=11

Best regards,
Your Team Spybot

-------------------------------------------------
Spybot-Search&Destroy: http://www.spybot.info/
.................................................
All incoming and outgoing mails are scanned
using an up-to-date anti-virus applicati
on.""

soylattemom---seems we were headed on the right track, at best I can guess that your upgrade of win95> win98 did not take well, or something has happened by some kind of software, virus etc since you installed, so the win98 winsock part of windows was damaged or one file replaced....

Another method has come along, a TSGer has offered this:
""Bill:

Feel free to post whatever ....

On your side, I would take the WS2 files in question, change the DLL extension to TXT and attach them to a post.

Then, have her download the files to a folder (or the desktop) and from Explorer rename the TXTs to DLLS.

Then, run SFC, extract one file from, browse button, browse to the folder (or the desktop), select the file, Start Button, and on the next screen, select the browse button (beside Restore From), browse to that folder/desktop, select the file, then the Save file in Browse button, browse to \Windows\System , the OK.

Repeat for the other DLLs.

Then, reboot and see if SpyBot runs or not.""

My advice? It's hard to decide, because I am not sure that you might not have other dependencies on that WS2_32.DLL- the one in System32 that is not a 4.10.1998 version. I almost think I would rename that one only and use one I posted here to replace it, but extract it to the System folder where it should be. We can then replace the other file if no change in SpyBot. Waiting to hear from you.


----------



## soylattemom (Feb 15, 2004)

Hi...thanks for your replies. I just got home (Thursday is my long work day) so sorry I haven't had time today to work on this. Tomorrow I work 10-3, so I'll try to get on tomorrow afternoon.

Thank you!
Wendy


----------



## Byteman (Jan 24, 2002)

Hi, Need to make sure of this one last time, OK?
Open Windows Explorer , Up at top View>Folder Options>View again....and Be sure "Show all Files" is enabled (a dot should be in that option) Also- make sure there is NO dot in "Hide file extensions for know file types" OK....

go down to the System folder on the left, highlight it....and over on the right pane, scroll down through the long list of files to WS2_32.DLL-----it is NOT there, right?

Scroll to WS2HELP.DLL, that one IS present, right?
The file date is different than the Version....so do this right!
Over under the Modified tab, does it have 5/11/98?

And- when you right click it and select Properties, does it show 24,576bytes? And- under the Version tab is the dark blue number exactly this: 4.10.1998, Windows Socket 2 Helper for Windows 98??

IF it is, do the System File Checker work I emailed you. The file I have attached is a copy of WS2_32.DLL renamed with a .txt extension. Right click on it, select "Save target AS" , download to to your Desktop. Go offline to do this next::
rename it WS2_32.DLL and proceed with the SFC work I emailed you ((Extract the WS2_32.DLL to System folder))

For the WS2_32.DLL over in the System32 folder:
Go to System32 folder, on the right pane, scroll down to WS2_32.DLL and Rename it this: WS2_32.old and leave it there...if it complains that it is "in use by Windows" let it be for now. 

Try to open SpyBot. If it opens--- you may see a flag, or select "English" hit the English flag icon to start SpyBot. I generally select to have a Desktop icon made, but not a Quick Start icon.
I leave all the settings as they are in the list.
I select "Start in Easy Mode". 


Then--get online if you are not, and use the "Check for Updates" button and when it shows the list of updates, if any language or skins are in the list, unselect those, then change the server over on the right, there is a black drop down arrow that has UniDo (Eur) next to it, change that to Rootboxen (US) and hit "Download Updates" button, after all those are downloaded, go offline....and start SpyBot up using the icon on your desktop that it made (the shortcut icon, but not the download you originally got!!) and start it up. Hit the "Check for Problems" button and let it scan the system. It will take awhile- when finished, it shows a list of things in RED with checkmarks in them....Hit the "Fix selected Problems" button and they will be removed- you may see a message about SpyBot having to scan again at restart- let it do so, it will go through the full scan again, takes awhile....and when done, you are done.
Post back to let us know one way or the other, if SpyBot still will not open there are other things to try.


----------



## soylattemom (Feb 15, 2004)

Whew! Ok, I'm a little overwhelmed by the last few posts. I followed instructions from post 71 first. Got them downloaded onto desktop, but when I tried opening them, the first one gave me this error message:
"An error was encountered while installing Winsock2. Setup has been cancelled. See C:\WINDOWS\WS2setup.log for more information."

Then I tried opening the second download. Message popped up: "This update is not designed for your version of windows."

Now I will try the updates you posted in #72.


----------



## soylattemom (Feb 15, 2004)

Ok...just realized it's the exact same file from post 71. Got the same error message.


----------



## soylattemom (Feb 15, 2004)

I just noticed post #61, and somehow I had missed it completely. Anyway, in response to your question ("Post back how the Internet connection is behaving, are you connecting first time, etc? Notice any other problems?") Actually, we are having a little trouble--which I was going to bring up later  

When we first try to open a browser (whether IE or SB) it takes about 10 minutes to come up. Once it comes up, it's fine. Also, sometimes the typing goes slowly...but not all the time.

I don't think I'll do anything yet from the bottom half of your post#72 until you say for sure. So I'll move on to post #74 and study it a little. See if I can figure out what you want me to do!


----------



## soylattemom (Feb 15, 2004)

"WS2_32.DLL-----it is NOT there, right?" --right
"Scroll to WS2HELP.DLL, that one IS present, right?" --right
"Over under the Modified tab, does it have 5/11/98?" --yep
"when you right click it and select Properties, does it show 24,576bytes?" --yep
"is the dark blue number exactly this: 4.10.1998" --well, it's not dark blue, but yes. 

Going to get your e-mail instructions now...


----------



## soylattemom (Feb 15, 2004)

Just read your e-mail, and the one from Tuesday, too.  Sorry, I don't check my e-mail too often. But you're right I guess we should use either e-mail or PMs for this. I'm sure no one else is intested in this thread! Whichever method is easier for you...doesn't matter to me.

And yes, I'm willing to take the chance of messing up the computer. We plan on getting a new one soon, but would still like to keep this one (for the kids). If it crashes...no big deal. 
I'll be on for about the next 20 minutes working on it, but then I won't be back until Saturday night. If you don't hear from me by Sunday, you'll know I pulled out that dynamite you were talking about!


----------



## Byteman (Jan 24, 2002)

Wow- I thought you would stick with the newest post there....plus I emailed you exactly what to do!!!!!
ALWAYS read from newest back at forums!!!!!! We cannot go back after a set amount of time and edit the posts. Well, the instructions I got said the winsock2 updates would not do any damage, but if they did we can fix that.

Do ONLY the one file replacement as in the email and in post#74. take your time follow all directions. 
There is NO rush- you will need uninterrupted time to finish this....especially with a computer that is not working as it should.

Ask questions before you guess.
You need to right click the attachment and "Save AS" to put it on your desktop, it will still be showing a .txt extension....
RENAME that to WS2_32.DLL before you try using the System File Checker to get the file into System folder. All the instructions are in the email.....
If at any point, using SFC, you want to start over, hit the Cancel button and start over!!!!
Delete the file WS2_32.DLL on your desktop AFTER things are working....might still need a copy, though you can redownload it from my post any time.....
If we have to wait awhile that's no problem....see you Saturday. Keep this computer, it can be reloaded and in light of the "upgrade" you did- it would probably be the best thing you could ever do. Would be fine for kids- unless the hard drive capacity is way too low. Still, it's not that expensive a deal to slightly upgrade things to make it usable enough for kids use.


----------



## soylattemom (Feb 15, 2004)

Yay! It worked! I was able to open Spybot! Woohoo!

So...before you go on vacation... did you say you could fix my CD drive???


----------



## Byteman (Jan 24, 2002)

I have been waiting all day to hear that!!:up: 

Just replacing that file worked?

Cool! I can fix anything usually unless I break it. That's because I'm better at it.
Be sure you run the Updates for SpyBot, do you know how,,,before you scan to remove any junk....


----------



## soylattemom (Feb 15, 2004)

Yep! Replacing that file did it! Who woulda thought? 

Yes, I know how to get updates...but it said "Error retrieving update into file". I guess I can check again later.

I know I have "thanked" you to death, but I can't resist... THANK YOU THANK YOU THANK YOU!!! 

Should I post in another folder about my CD drive, or should we use PMs, or what?


----------



## Byteman (Jan 24, 2002)

The way the Spybot program is built, since it was made in Europe, the default (configured) sever is in Europe, and everyone in half the world uses that server, and it is usually too busy.

When you have SpyBot open,, and hit "Check for Updates" and it does show you have some that are available, click the little black arrow on the right next to "UniDO (EUR) and change the setting TO "Rootboxen (US)" that should allow you to get the updates. you do not need the language files, nor the skins, those are for cosmetic or other language fucntions. Get all the others!

PS - I would really like to know if you:

Did the winsock Restore for win98
with or without adding the file I attached as a text file

Or Just replaced the WS2_32.DLL file I attached

Was it just the file that fixed it, in other words?

I guess so, or you would have had it fixed just after you did those updates where you got the "not for this version of Windows" message the other day-


----------



## soylattemom (Feb 15, 2004)

yeah...I edited my previous post, but I guess you didn't see it. It WAS the file replacement! And that was the easiest thing we had tried yet! Cool!


----------



## Byteman (Jan 24, 2002)

Ok I see you have edited your post! 
Thank you for continuing and getting back to us, a lot of folks just forget to....
Try the update the way I posted, change the server.


----------



## soylattemom (Feb 15, 2004)

ok...hold on


----------



## Byteman (Jan 24, 2002)

Replacing System .dll files is tricky, you have to find out a lot of info first....
the trick is to save the old file, I expect you renamed it as I put in the directions....you should KEEP it that way, don't delete it yet.(The file that was WS2_32.DLL, that was in wrong location and the wrong version....the one in the System32 folder, if you renamed it, just let it sit there as it is)) 
It's amazing that you found that easy...getting update files is easy...

When you get the updates for SpyBot, you will need to run SpyBot and that can take awhile, depending on the size of the hard drive, etc.....It's an older system and you probably have a ton of files for it to scan through. When we get the junk all out using SpyBot or HijackThis, you should make a new thread over in Hardware or Win95/98/Me forum, your choice of which one. Hardware would be great.


----------



## soylattemom (Feb 15, 2004)

Yes, I did rename it. When will it be safe to delete it?

Ok, I'll put it in Hardware.

I didn't see a little black arrow. That error message just keeps popping up.


----------



## Byteman (Jan 24, 2002)

That's hard to say, but it cannot do any harm, it's tiny, and cannot do anything while it is renamed.....apparently it is not a virus or anything, so dont worry about it.


----------



## Flrman1 (Jul 26, 2002)

Good job both of you! :up:

Looks like your about back to normal here right?

I've been busy building and setting up a new machine the last couple of days so I haven't been on much. I'm using the new box now. Man I love new machines!


----------



## soylattemom (Feb 15, 2004)

I don't think there is an update. Would it be listed in that white box if there were? It's just empty


----------



## soylattemom (Feb 15, 2004)

Yes, Mark, it's all great! But standby...you'll be seeing me again in the Hardware folder! 

Congrats on the new machine!


----------



## Flrman1 (Jul 26, 2002)

Thanks! 

I guess this means we can mark this Solved.


----------



## Byteman (Jan 24, 2002)

There should be some updates, when you have SpyBot running, and click "Search For Updates" you have to be signed on to your ISP (with dialup modem) which is also called, connected or online....you will see the dark blue progress lines go across and get either "No newer updates are available" or you will see a list of the updates you need.

Hold one, Mark, we need updates....and she has not had a chance to run SS*&D to clean up.


----------



## Flrman1 (Jul 26, 2002)

OK. Did you give her intructions on selecting a different download mirror?


----------



## Byteman (Jan 24, 2002)

http://www.safer-networking.org/index.php?page=faq&detail=32

Steps for updating if it just freezes up. Same as what I posted, maybe easier for you to read, tho!

Yes, we are editing back and forth, up a few replies...


----------



## soylattemom (Feb 15, 2004)

Ok, when I open SB and get to the very first screen, there are 3 buttons: check for problems, recovery, and search for updates. I click Search for Updates, and an error message says "Error retrieving update into file." I don't see anywhere to change that thing you told me to change.


----------



## Byteman (Jan 24, 2002)

OK. that's a different matter.

read this: http://www.safer-networking.org/index.php?page=howto&detail=proxy

And then this:

See here: http://www.safer-networking.org/index.php?page=howto&detail=update&lang=en


----------



## soylattemom (Feb 15, 2004)

I don't see the words UniDO anywhere.


----------



## soylattemom (Feb 15, 2004)

Ok, I must have messed something up in the setup or something... I remember seeing a screen like that before (with the "online" button and all those other buttons on the left) when I was setting up everything, but the first screen doesn't look like that anymore.


----------



## Byteman (Jan 24, 2002)

Hmmm Do you still have the Resetting for SpyBot file around?
Give that a try once more.

Here is where you can get it;

http://spybot.eon.net.au/files/resetsettings.zip

You may need to follow these steps too:

http://www.safer-networking.org/index.php?page=howto&detail=proxy

IF there IS a checkmark like you see in the picture, take it out.
I think.

If that does not help, do the next part.

Did you save the download file for SpyBot somewhere handy?

It would be called spybotsd12.exe You might just need to reinstall SpyBot. A brand new download would rule out some corruption which can happen.....

FIRST tho, uninstall all versions you have tried to install.

Just go to Add/Remove Programs and uninstall it/them.

Get it here: http://www.majorgeeks.com/download2471.html


----------



## soylattemom (Feb 15, 2004)

Tried the reset...didn't work. Yes, I saved the exe file. Removed old one, now I'll restart and re-setup. brb.


----------



## soylattemom (Feb 15, 2004)

Ok, tried all that. Could my setup file be damaged too? Should I go to the link you just posted and download a new one.

Or better yet, can I just run the scan as is? I did just download it the other day.


----------



## Byteman (Jan 24, 2002)

hi, Yes occaisionally a download is damaged...especially .zip files, if the extraction is not done right or there is a System problem.....similar to what you had, the errors and trying to open SpyBot could I suppose have done something, as can viruses...they can keep antivirus programs and SpyBot from opening, too! (CoolWebSearch hijacker can)

Nope, you should get the latest updates! The program comes a bit backdated as there are only releases every so often....but updates far oftener to the things it finds....the bad guys....so you should really get the updates. 
All I found points to removing the checkmark from "Proxy" as in the picture....

http://www.safer-networking.org/index.php?page=howto&detail=proxy

If you don't see Settings on the left side of SpyBot, go to Start button down at left of taskbar, then Programs>SpyBot Search & Destroy, and click on "Advanced Mode"

You usually only see the Advanced Mode once, as you generally have SS&D start up in Easy Mode.
Charter Internet may havy you using a Proxy server for your connection.... SpyBot does not get along well with proxy servers. try it, look for the mark in the Proxy box.

Here is a post from the Official Spybot forum about all this proxy stuff: http://forums.net-integration.net/index.php?showtopic=8051&hl=


----------



## soylattemom (Feb 15, 2004)

Ok...finally got all the task buttons on the left to appear, but when I click the online tab, my screen doesn't look anything like what they showed. 

When it says "disable this" that means uncheck it, right? Or should there be a check there?

Well...I'm going to bed. Very tired. But I'm home all day tomorrow. Hopefully it won't take that long!


----------



## Byteman (Jan 24, 2002)

Yes, if there is a check IN something, that enables what is says...its tricky....if it says "Use Proxy" and is checked, that means proxy is enabled, and taking the check out would mean disabled. That should work, continue tomorrow. This will get sorted out soon enough.
You COULD always download AdAware......


----------



## soylattemom (Feb 15, 2004)

Actually, I have AdAware downloaded. It was giving me the same message as Spybot, but is also fixed now. Want me to try that instead? 

The proxy was already disabled when I checked it. (By "checked" I mean "looked at") he he

I see you are online...did you sleep last night?  

Ok, I went ahead and did the first step...getting the update. I'll wait to scan until you tell me to.


----------



## Byteman (Jan 24, 2002)

Hi, I sleep like a log but I can never go to bed early...plus it's much quieter here in the late evening. After my almost 4 yr old grandson goes 'nite- 

You actually were able to update AAW or SpyBot?
The latest update for AAW is:01R259 dated 18.02.2004
On the main screen of AAW there is a line that shows that.

You have to set some settings with AdAware for deep scanning, I will get the instructions posted in a bit.

Good thing you waited- by the way, it is not difficult to do.
SpyBot if you updated that is good to go.


----------



## soylattemom (Feb 15, 2004)

I updated AAW. Still can't update Spybot.


----------



## Byteman (Jan 24, 2002)

Here are settings for AAW, you must get these right-



From the reccomended settings for AdAware- first time usage,
"pasted" from a post of flrman1's::

"Make sure the following settings are made and on -------ON=GREEN A green check means the setting is enabled.
You MAY find some of the settings already enabled, and that is OK.
From main window of AAW :Click Start , then Activate in-depth scan (recommended)

Click Use custom scanning options: then click Customize and have these options selected: Under "Drives and Folders" put a check by" Scan within archives" and below that under Memory and Registry put a check by ALL the options there.

Now click on the Tweak button in that same window. Under Scanning engine select Unload recognized processes during scanning and under Cleaning Engine select "Let windows remove files in use at next reboot"

Click proceed to save your settings.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

Restart your computer."" 

Take your time, find the correct buttons to put checks in.


----------



## Byteman (Jan 24, 2002)

Hi, I am back after running to the store.

You can Private message me if you need to.


----------



## soylattemom (Feb 15, 2004)

Was gonna PM, but I guess I have it turned off. I'll fix that later. The AAW is still running. It's been stuck on the number 28861 (objects scanned) for quite a while. Should I just wait it out, or is something wrong? (Yes, I was offline this whole time while scanning)


----------



## Byteman (Jan 24, 2002)

I would wait it out....within reason, some items do take a long time to scan through.


----------



## Byteman (Jan 24, 2002)

Hi, Did AdAware ever finish?


----------



## soylattemom (Feb 15, 2004)

Nope...still going. Still stuck on the same number


----------



## Byteman (Jan 24, 2002)

You should probably try to turn off AdAware....restart....and start it up again. If it gives you a "Not responding" message, hit CTRL+ALT+DEL one time to bring up the running tasks, and hit End Task for Adaware


----------



## soylattemom (Feb 15, 2004)

Ok. I'll try again.


----------



## Flrman1 (Jul 26, 2002)

Adaware could be freezing while scaning within archives. Open Adaware again and before you scan click on the Gear icon to open the settings. Click on the "Scanning" button. In that window under "Drives and folders" uncheck "Scan within archives" then click "Proceed" to save your settings. Now try the scan and see if it will complete.


----------



## Byteman (Jan 24, 2002)

flrman1- Thanks! Hope that does the trick...


Odds are---it is going to "find" an amazing number of things....I forget the actual number of total entries that either SpyBot or AdAware has totalled for me on first runs, but I do recall it being near 600 and I dont think that is any record....
I get to work on ones like that a lot- but, with the newer deep scanning directions I have only used it that way at home.

I guess I will switch the settings when I go back to those places-- or, would that be not the thing to do?


----------



## Flrman1 (Jul 26, 2002)

The only reason to not scan within archives is if it freezes as in this case. This has been an issue in the past.


----------



## soylattemom (Feb 15, 2004)

Tried disabling the archives search. It still froze. Got a little further than before, but... <sigh> What now?


----------



## Byteman (Jan 24, 2002)

I really don't have a good answer for you, but let's do this-

Open My Computer, right click your drive C: and select properties, and post the free and used hard drive space showing.

Also- check back through the settings for AdAware- do you have them all correct, and still using non-archives setting as flrman1 put in...

It is better to have a deep scan for the first run, but it might also be possible to adjust things, he or someone will see this and may offer some tips, I only am familiar with the recommended settings.... not sure which may be changed to what.


----------



## Flrman1 (Jul 26, 2002)

You might give it a try in safe mode.


----------



## soylattemom (Feb 15, 2004)

Used 1.47GB
Free 530 MB

I'll try safe mode too.


----------



## soylattemom (Feb 15, 2004)

Tried safe mode. No go. I guess it's ok. The computer's doing fine so far, so maybe the HJT was enough. Maybe in a few days I can download a new copy of Spybot that has all the updates. Is that possible, or are there always newer updates?


----------



## Byteman (Jan 24, 2002)

Well, we tried our best....someone still may pitch in some things to help with this, so check the posts when you can.
(You will get the email notifications)

Almost sounds like some other corruption of files....or hardware problems somewhere. An 8 yr old computer could lack a lot of what is needed to run well these days. plus, always the possibility of some worm lurking around....
I would be all for doing the routine maintenance, you know, scandisk and defrag after a good cleanup. Done those lately? Does defrag finish all the way to 100%?
Yes, you can leave the situation as it is, but you should post a brand new HJT log one for last look, OK? Anytime....
I would think that SpyBot would freeze just as AAW did, updates or not....
The updates are issued whenever the developer or maker of the program makes them available. There will always be updates the same as for antivirus programs....lots of new malwares coming out all the time. They are not new versions of the entire program----just detections for new varieties of "spyware", and some are for the program's function. A new build or full program would contain the old updates up to a certain point....from then on, updates would be added from time to time for it.


----------

