# Microsoft problem here



## Julie_40 (Nov 14, 2002)

Hi. Well, I somehow lost my Norton Antivirus. I went to run live update and it isn't and it won't open up...Then when it did open up I get this:
Microsoft Visual C++ Runtime Library
Runtime Error
Program:C\ProgramFiles\CommonFiles\SymantecShared\SEVINST.EXE
then under that say:
Abnormal Program termination?

I even tried reinstalling my norton and won't let me...says about something being corrupted..
HELP
now what do i have to do


----------



## TonyKlein (Aug 26, 2001)

You may be afflicted with the all new Yaha.k worm: http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

I'd start by running an online scan at Panda Active Scan

When you're done, please do this:

Go to http://www.spywareinfo.com/downloads.php#startup , and download 'Startuplist'.

Unzip, doubleclick it, and it will generate a text file that will list all running processes, _all_ applications that are loaded automatically when you start Windows, and more.

Go to Edit > select all, copy it and post the contents here.


----------



## Julie_40 (Nov 14, 2002)

StartupList report, 12/30/02, 2:42:43 PM
StartupList version: 1.50
Started from : C:\UNZIPPED\STARTUPLIST\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WINSERVICES.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\TCPSVS32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\STARTUPLIST\STARTUPLIST.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = c:\windows\scanregw.exe /autorun
TaskMonitor = c:\windows\taskmon.exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SystemTray = SysTray.Exe
LexStart = Lexstart.exe
PTSNOOP = ptsnoop.exe
CountrySelection = pctptt.exe
LoadQM = loadqm.exe
TkBellExe = C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
WinServices = C:\WINDOWS\SYSTEM\WinServices.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
WinServices = C:\WINDOWS\SYSTEM\WinServices.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Weather = C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "C:\WINDOWS\SYSTEM\nav32_loader.exe""%1"%*

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[>PerUser_MSN_Clean] *
StubPath = c:\windows\msnmgsr1.exe

[PerUser_LinkBar_URLs] *
StubPath = c:\windows\COMMAND\sulfnbk.exe /L

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[>IEPerUser] *
StubPath = RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 30/12/2002, 13:42:42)

[rename]
NUL=C:\WINDOWS\NAVUSTUB.EXE
NUL=C:\PROGRA~1\NORTON~1\TIMEHELP.DLL
NUL=C:\PROGRA~1\NORTON~1\NAVSHELL.DLL
NUL=C:\PROGRA~1\NORTON~1
NUL=C:\PROGRA~1\COMMON~1\SYMANT~1
NUL=C:\PROGRA~1\SYMANTEC

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

C:\ESSAUDIO.COM -BLASTER
@ECHO OFF

--------------------------------------------------

C:\CONFIG.SYS listing:

DEVICE=C:\ESSAUDIO.SYS
DEVICE=C:\WINDOWS\HIMEM.SYS
DEVICE=C:\WINDOWS\EMM386.EXE NOEMS
DOS=HIGH,UMB,AUTO
FILESHIGH=80
BUFFERSHIGH=40,4
DEVICEHIGH=C:\WINDOWS\SYSTEM\CPQIDECD.SYS /D:IDECD001
SHELL=C:\COMMAND.COM /P /E:2048

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

C:\ESSAUDIO.COM -BLASTER
@echo off
LH C:\WINDOWS\COMMAND\MSCDEX.EXE /D:IDECD001 /M:12

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_0_2_6.DLL - {02478D28-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\Program Files\NewDotNet\newdotnet4_50.dll - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E}
(no name) - C:\PROGRAM FILES\MEDIALOADS ENHANCED\ME1.DLL - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E}
(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - c:\windows\googletoolbar.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
Synchronize Time.job
Check E-mail.job
virus scan.job

--------------------------------------------------

Enumerating Download Program Files:

[CV3 Class]
InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
CODEBASE = http://windowsupdate.microsoft.com/R1080/V31Controls/x86/w98/en/actsetup.cab

[{9DBAFCCF-592F-FFFF-FFFF-00608CEC297C}]
CODEBASE = http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[TP_live Control]
InProcServer32 = C:\WINDOWS\SYSTEM\TP_LIVE.OCX
CODEBASE = http://www.homestead.com/~site/InstallFiles/SIFiles/live/TP_live.cab

[HS_live Control]
InProcServer32 = C:\WINDOWS\SYSTEM\HS_LIVE.OCX
CODEBASE = http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[WONWebLauncher Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\WONWEBLAUNCHERCONTROL.OCX
CODEBASE = http://www.virtualvegas.com/cab/WONWebLauncherControl.cab

[PWMediaSendControl Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PWACTIVEXIMGCTL.DLL
CODEBASE = http://www.rimfiremedia.com/code//PWActiveXImgCtl.cab

[CoGlucometerPex Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\LCGLUCABBOT.DLL
CODEBASE = https://www.lifeclinic.com/Member/Glucometer/LCGlucAbbot.cab

[CRegistryDownload Class]
InProcServer32 = C:\WINDOWS\SYSTEM\REGDLOAD.DLL
CODEBASE = http://www.paltalk.com/prod/RegDload.CAB

[Excite Installer Start]
InProcServer32 = C:\PROGRAM FILES\EXCITE\INSTALLR\1.BIN\X8EZSETP.DLL
CODEBASE = http://downloads.excite.com/images/nocache/platinum/x8initialsetup1.0.0.2.cab

[Register Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\HWUTILS.DLL
CODEBASE = http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.26/Hiwire.cab

[CCMPGui Class]
InProcServer32 = C:\WINDOWS\SYSTEM\CCMP392.DLL
CODEBASE = http://64.124.45.181/chaincast/proxy/CCMP.cab

[SurferNETWORK Plugin]
InProcServer32 = C:\WINDOWS\DOWNLO~1\SURFER~1.OCX
CODEBASE = http://rd1.surfernetwork.com/surferplugin.ocx

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNPUPLD.DLL
CODEBASE = http://photos.msn.com/r/neutral/controls/MsnPUpld.cab?5,0,1730,0

[Compaq System Data Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\SYSQUERY.DLL
CODEBASE = http://www29.compaq.com/falco/SysQuery.cab

[Spotlife Composer]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\SLCMPSER.DLL
CODEBASE = http://yahoo.spotlife.net/install/composer/1.5.0.223/SLCmpser.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37590.6854861111

[sys Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PCPITSTOP.DLL
CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

[AV Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PAV.DLL
CODEBASE = http://www.pcpitstop.com/antivirus/PCPAV.CAB

[Jamba Class Library]
InProcServer32 = C:\WINDOWS\SYSTEM\MSJAVA.DLL
CODEBASE = http://www.kidscarnival.com/Jambalib.cab

[MSN Chat Control 4.5]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNCHAT45.OCX
CODEBASE = http://fdl.msn.com/public/chat/msnchat45.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/2002121801/housecall.antivirus.com/housecall/xscan53.cab

[UniVoice Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\UNIVOICE.OCX
CODEBASE = http://www.webcamnow.com/voice/UniVoice.cab

[WebCam Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\ACTIVE~1.OCX
CODEBASE = http://www.webcamnow.com/broadcast/ActiveXWebCam.cab

[Yahoo! Webcam Upload Wrapper]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YUPLAPP.DLL
CODEBASE = http://chat.yahoo.com/cab/yuplapp.cab

[CamImage Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\AXISCAMCONTROL.OCX
CODEBASE = http://80.120.122.18/activex/AxisCamControl.cab

[YahooYMailTo Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YMMAPI.DLL
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll

[Brix6ie Control]
InProcServer32 = C:\WINDOWS\BRIX6IE.OCX
CODEBASE = http://a19.g.akamai.net/7/19/7125/1267/ftp.coupons.com/v6/brix6ie.cab

[Persits Software XUpload]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\XUPLOAD.OCX
CODEBASE = http://www.walmartphotocenter.com/photo/upload/XUpload.ocx

[PhotosCtrl Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YPHOTOS.DLL
CODEBASE = http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #2: C:\Program Files\NewDotNet\newdotnet4_50.dll
Protocol #1: C:\PROGRAM FILES\NEWDOTNET\NEWDOTNET4_50.DLL
Protocol #2: C:\PROGRAM FILES\NEWDOTNET\NEWDOTNET4_50.DLL
Protocol #8: C:\PROGRAM FILES\NEWDOTNET\NEWDOTNET4_50.DLL
Protocol #9: C:\PROGRAM FILES\NEWDOTNET\NEWDOTNET4_50.DLL

--------------------------------------------------
End of report, 12,309 bytes
Report generated in 0.588 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## Julie_40 (Nov 14, 2002)

OK..here we GO...I have the YAHA.K WORM...How do I get rid of it?

BEWARE HERE IS WHAT THE YAHA.K WORM DOES TO YOUR SYSTEM PLEASE READ:
W32.Yaha (All variants) 
(also known as: WORM_YAHA.E [Trend], Worm/Lentin.F [Vexira], W32/[email protected] [McAfee], Yaha.E [F-Secure], W32/Yaha-E [Sophos], Win32.Yaha.E [CA], Yaha Virus, Lentin Virus, Lentin Worm, Yaha.j, Yaha.k 
Yaha.j and Yaha.k are the latest variants.

What is the Yaha Worm? 
It is a mass mailing worm that arrives in a file attached to an e-mail message. It then sends itself using SMTP to addresses found on the local system (Windows Address Book, MSN and .NET messenger cache folders and HTML files). It jeopardizes the security of the infected PC since it emails out various types of information from that PC, some of which may be sensitive data (like credit card information and passwords).

Symptoms of Yaha infection: 
When run, the virus may display a message box. The message displayed is chosen from the following list: 
Ur My Best Friend!! 
No Configuration is available Now 
Config 
madd 
U r so cute today #!#! 
U r my best friend 
True Love never ends 
I like U very much!!! 
U r My Best Friend 
U r My Valentine 
On Thursday randomly changes the start page of Internet Explorer to one of the following:

http://www.unixhideout.com
http://www.hirosh.tk
http://www.neworder.box.sk
http://www.blacksun.box.sk
http://www.coderz.net
http://www.hackers.com/html/neohaven.html
http://www.ankitfadia.com
http://www.hrvg.tk
http://www.hackersclub.up.to 
... other general virus infection symptoms here. 
Messages carrying Yaha may contain any of the following in their 'Subject' field:

Are you the BEST
Free Win32 API source
Learn SQL 4 Free
I Love You..
Wanna be like a stone ?
Are you a Soccer Fan ?
Sexy Screensavers 4 U
Check it out
Sample Playboy
Hardcore Screensavers 4 U
XXX Screensavers 4 U
We want peace
Wanna be a HE-MAN
Visit us
One Virus Writer's Story
One Hacker's Love
World Tour
Whats up
Wanna be my sweetheart ??
Screensavers from Club Jenna
Jenna 4 U
Free rAVs Screensavers
Feel the fragrance of Love
Wanna Hack ??
Sample KOF 2002
The King of KOF
Wanna Brawl ??
Wanna Rumble ??
Play KOF 2002 4 Free
Demo KOF 2002
Free Demo Game
Wanna be friends ??
Need money ??
Are you beautiful
Who is your Valentine
Free Screenavers of Love
Free XXX
Free Screensavers
WWE Screensavers
Freak Out
Wanna be friends ?
Things to note
Lovers Corner
Patch for Elkern.gen
Patch for Klez.H
Free Screensavers 4 U
Project
Sample Screensavers
Are you in Love
I am in Love
I Love You
You are so sweet
The Hotmail Hack
U realy Want this
to ur lovers
to ur friends
Find a good friend
Learn How To Love
Are you looking for Love
Wowwwwwwwwwww check it
Check ur friends Circle
The world of Friendship
Shake it baby
How sweet this Screen saver
war Againest Loneliness
Need a friend?
Say 'I Like You' To ur friend
love speaks from the heart
Let's Dance and forget pains
Looking for Friendship
True Love
make ur friend happy
Who is ur Best Friend
hey check it yaar
Check this ****
Hello
Hi

Download the YahaRemover utility here.


----------



## TonyKlein (Aug 26, 2001)

Well, yes, as I surmised, Yaha.k indeed.

Bitdefender has issued a Yaha.k removal tool.

Download and run it, preferably in Safe Mode.

http://www.bitdefender.com/download/AntiYahaa.exe


----------



## Julie_40 (Nov 14, 2002)

What do you mean safe mode? I'm not up to speed on some of these terms. U mean safe mode from start/shutdown and that way or what?


----------



## TonyKlein (Aug 26, 2001)

Have a look here:

How to Start a Windows 98 Based Computer in Safe Mode

Usually Removal tools do a better job in Safe Mode, as none of the files to be removed are in use by Windows.

It's not hard. You can do it!


----------



## Julie_40 (Nov 14, 2002)

Tony, just completed your suggestion to fix my problem. Everything apparently worked, got my Norton reinstalled and everything appears to be running fine. Thanks again for all your help!!!!!!!


----------



## Julie_40 (Nov 14, 2002)

Ok. Got everything taken care of with deleting the virus from the computer. Now, I went to Start/Run/and typed in MSCONFIG..that is my start up items...I have WinServices in there with a check mark beside it...I looked up winservices in google and it seems it is still in my system the virus. It is saying it is this TROJ_IMISERV.A
What am I to do now? Shall I uncheck it and go from there or what..I ran the virus scan and says no viruses detected??
Thanks 
Julie


----------



## TonyKlein (Aug 26, 2001)

No, Winservices.exe is Yaha.k.

Uncheck it in Msconfig/Startup, click OK, and reboot.

It might only be a startup entry, but do a keyword Find Files for *winservices.exe* anyway.

If you find it, delete it, but chances are you won't any more.

Cheers,


----------



## MonoxideChil (Jun 23, 2002)

What happens if you don't remove the files in safe mode? Is there a way to reverse the damage? I can't open anything without finding the executable and some of them I don't know where they are.


----------



## TonyKlein (Aug 26, 2001)

In Safe Mode these files aren't in use by Windows, so they're easier to remove, but if they're gone, they're gone.

Did you run the Yaha.k cleaner?

If you haven't you should. It should repair the registry damage as well, allowing you to open exefiles again.

http://www.bitdefender.com/download/AntiYahaa.exe

If after running it, still no joy, run the appropriate fix for your operating system:

For Win 95,98, ME:

http://home.earthlink.net/~rmbox/Reticulated/4IE_Only/EXEfix08.com

For Win XP or 2000:

http://www.dougknox.com/xp/fileassoc/xp_exe_fix.zip

Good luck,
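The two signs this thread relies on (the `WinServices` autorun entries and the replaced `exefile\shell\open\command` handler that stops .exe files from opening) can be checked mechanically in a StartupList report. The following is an added example, not part of the original posts or of StartupList itself; the function names are hypothetical, the section layout is assumed to match the version 1.50 report posted above, and the watch list holds only the file name the thread identifies as Yaha.k.

```python
import re

DEFAULT_EXE_HANDLER = '"%1" %*'   # stock Windows value for exefile\shell\open\command
WATCHLIST = {"winservices.exe"}   # file name the thread identifies as Yaha.k

# Excerpt of the report posted in this thread, trimmed to the relevant sections.
SAMPLE_REPORT = r'''StartupList report, 12/30/02, 2:42:43 PM
==================================================
Running processes:
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WINSERVICES.EXE
C:\WINDOWS\EXPLORER.EXE
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SystemTray = SysTray.Exe
WinServices = C:\WINDOWS\SYSTEM\WinServices.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
SchedulingAgent = mstask.exe
WinServices = C:\WINDOWS\SYSTEM\WinServices.exe
--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "C:\WINDOWS\SYSTEM\nav32_loader.exe""%1"%*
'''

def parse_sections(report):
    """Split a report on its ruler lines into (title, body_lines) pairs."""
    sections = []
    for chunk in re.split(r"^[-=]{20,}[ \t]*$", report, flags=re.M):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if lines:
            sections.append((lines[0].rstrip(":"), lines[1:]))
    return sections

def exe_name(cmd):
    """Lower-cased file name of the program a command line starts."""
    m = re.match(r'\s*"?([^"]+?\.(?:exe|com|bat|scr|pif))', cmd, re.I)
    path = m.group(1) if m else (cmd.split() or [""])[0]
    return path.rsplit("\\", 1)[-1].lower()

def analyse(report):
    """Return (kind, where, detail) findings for a StartupList report."""
    findings, suspects, running, autoruns = [], set(WATCHLIST), set(), []
    for title, lines in parse_sections(report):
        if title == "Running processes":
            running = {exe_name(ln) for ln in lines}
        elif title == "Autorun entries from Registry":
            autoruns += [(lines[0],) + ln.partition(" = ")[::2] for ln in lines[1:]]
        elif title == "File association entry for .EXE":
            for ln in lines[1:]:
                cmd = ln.partition(" = ")[2]
                if cmd.strip() != DEFAULT_EXE_HANDLER:
                    # A replaced handler runs on every .exe launch; track its binary too.
                    suspects.add(exe_name(cmd))
                    findings.append(("exefile-hijack", lines[0], cmd))
    for key, name, cmd in autoruns:
        if exe_name(cmd) in suspects:
            findings.append(("autorun", key, f"{name} = {cmd}"))
    findings += [("running", exe, "") for exe in sorted(running & suspects)]
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_REPORT):
        print(finding)
```

A report taken after cleanup should produce no findings: the handler back at `"%1" %*` and no autorun or running process matching the watch list.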


----------



## Julie_40 (Nov 14, 2002)

Just wanting to thank you Tony for all your help. Nice to have people online to help with problems with the computer. "Happy New Years" and be Safe..
Julie


----------



## owensoranges (Jan 4, 2003)

Yeah, I've got rid of the virus using the bitdefender cleaner you recommended, but I still get errors at startup, about Kazaa, and about something else, which then makes my PC start to shut itself down (I'm running on XP). Any ideas???


----------



## TonyKlein (Aug 26, 2001)

> _Originally posted by owensoranges:_
> * but i still get errors at startup, about Kazaa, and about something else, which then makes my PC start to shut itself down (im running on XP). Any ideas??? *


Not until we know what "something else" is. Do you have the exact error message for us?

And please do this:

Go to http://www.spywareinfo.com/downloads.php#det , and download 'Hijack This!'. 
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please show us its contents.


----------



## docjava (Mar 5, 2003)

I yanked yaha.k out of a winme machine using AVERT. Everything is groovy except now I can't download with ie6. 
I plan to repair or reinstall IE6. Are there any other tools I need in my bag when I return to the scene?

Cheers


----------



## TonyKlein (Aug 26, 2001)

What _does_ happen exactly when you try downloading something?


----------



## docjava (Mar 5, 2003)

Instead of getting a save/open dialog box, IE6 tries to open the location but it just shows a place holder (like an unsupported image file) and nothing else


----------



## TonyKlein (Aug 26, 2001)

This is a familiar issue, and it's usually due to an ActiveX control on your computer having been uninstalled or deleted, while entries for the add-in program or ActiveX control still remain in the registry.

Quicktime or Netzip plugins are the main culprits.

This is how it's solved:

Create a new Text file on your desktop, and paste the following bold text into it:

*REGEDIT4*

*[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Plugins\Extension]*

Save as _Extension.reg_ (save as 'all files' )

Doubleclick it, and answer 'yes' when asked whether you want to merge the contents of the file into the registry.

Reboot.

This ought to solve your problem.

Good luck,


----------



## NotRite² (Nov 7, 2002)

Try this link:

http://www.generation.net/~hleboeuf/ienewind.htm


----------



## The_Egg (Sep 16, 2002)

It'll be all the other spyware/scumware items in your startuplist which are causing the problems. These were installed with Kazaa.

Please go to:
Add/Remove Programs Control Panel
and remove new.net domains (newdotnet)
http://doxdesk.com/parasite/NewDotNet.html

If it's there, also remove MediaDownloads (Medialoads Enhanced)

Also, if you didn't install it yourself, please also remove Weatherbug. This is also a known source of spyware.

There's also a lot of curious entries in your Download Program Files section.

Now download and install Spybot Search & Destroy

This will get rid of any remnants of new.net and Medialoads, and will also get rid of all other spyware/scumware.

Instructions for use:

Close all browser windows

Open Spybot S&D for the first time
Select Country & click out of the setup section (Next button)

Click "Online" button, click "check for updates"
(note: you need to be online for this)
Checkmark and download the latest Includes/Updates
(skins/languages aren't important)

Click "Settings" button, click "File Sets"
Uncheck "Usage Tracking" and "System Internals"

Go back to main "Spybot S&D" button
Click "Check for problems"

Let the scan run

When done, all spyware/adware/etc will be auto checked in the results,
so just click "Fix selected problems" and let Spybot S&D fix everything.

If you are prompted that some files are in use and can't be deleted,
Click "Yes" to allow Spybot S&D to run on reboot.

Reboot
Spybot S&D will load before the Windows GUI
Run the scan again and let Spybot S&D complete its task.
When you see "congratulations, no spybots found" in the main window,
that's when you know you're clean.

Close Spybot S&D and Windows GUI will load.

Please post an updated StartUpList when done


----------



## TonyKlein (Aug 26, 2001)

This is getting confusing, with all these different questions going on in one and the same thread... 

I'd like to emphasize that the Regfile I posted has nothing to do with New Windows not opening, but serves solely to fix docjava's download problem.


----------

