Reg

CWS Please Help

37 posts in this topic

CWS and SaveNow on my machine can be found but not removed by CWShredder, Ad-aware, Spybot, and Xoft.

 

 

Logfile of HijackThis v1.97.7

Scan saved at 3:37:21 AM, on 6/27/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v5.00 SP2 (5.00.3314.2100)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\EXPLORER.EXE

C:\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.altavista.com"); (C:\Program Files\Netscape\Users\netscape_profile\prefs.js)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)

O2 - BHO: (no name) - {275636E4-A535-4668-9FF1-86DC0C62D446} - C:\WINDOWS\MADOPEW.DLL

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)

O9 - Extra button: Translate (HKLM)

O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)

O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)

O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)

O9 - Extra 'Tools' menuitem: AV Home (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: MSN (HKCU)

O12 - Plugin for .gov/FOTW23WebApp/servlet/StudentAccessServlet?dowhat=printsumpdf&phase=10&state=11&historyid=2&pageid=175&mode=0: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll

O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .MPG: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O15 - Trusted Zone: www.mt-download.com

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab


I tweaked Ad-aware as per instructions to Sherre in a post here and found some 70 problems, including several registry entries for CWS. Here is the new HijackThis log:

Logfile of HijackThis v1.97.7

Scan saved at 7:09:46 PM, on 6/27/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v5.00 SP2 (5.00.3314.2100)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\ptsnoop.exe

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\NETSCAPE.EXE

C:\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.altavista.com"); (C:\Program Files\Netscape\Users\netscape_profile\prefs.js)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)

O2 - BHO: (no name) - {275636E4-A535-4668-9FF1-86DC0C62D446} - C:\WINDOWS\MADOPEW.DLL

O2 - BHO: (no name) - {3D9FC8C2-C86A-11D8-A1EC-001086B98B0B} - C:\WINDOWS\SYSTEM\BBLPGAA.DLL (file missing)

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)

O9 - Extra button: Translate (HKLM)

O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)

O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)

O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)

O9 - Extra 'Tools' menuitem: AV Home (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: MSN (HKCU)

O12 - Plugin for .gov/FOTW23WebApp/servlet/StudentAccessServlet?dowhat=printsumpdf&phase=10&state=11&historyid=2&pageid=175&mode=0: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll

O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .MPG: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

 

Thanks for any assistance.


This is the last log posted in the wrong thread:

 

I posted my first HJT log on 6-25 re CWS. Since then I believe that I have 95% eliminated the thing with the BobO method. However, I would really like to have someone take a quick look at my post-clean-up log, particularly suspicious entries R1 HomeOldSP, the O2s, and O3 shdocvw.dll (that I think is Tiny Bar; if so, how do I deal with that?). I don't mean to complain about waiting, but I feel that I am close to a solution and just need a couple of minutes. This is a terrific board. Thanks for the help.

 

Logfile of HijackThis v1.97.7

Scan saved at 8:27:27 PM, on 6/29/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v5.00 SP2 (5.00.3314.2100)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\ptsnoop.exe

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\NETSCAPE.EXE

C:\HIJACKTHIS.EXE

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.altavista.com"); (C:\Program Files\Netscape\Users\netscape_profile\prefs.js)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)

O2 - BHO: (no name) - {275636E4-A535-4668-9FF1-86DC0C62D446} - C:\WINDOWS\MADOPEW.DLL

O2 - BHO: (no name) - {81078902-C8FF-11D8-A1EC-0010B8E6A557} - C:\WINDOWS\SYSTEM\BPEAAEA.DLL (file missing)

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)

O9 - Extra button: Translate (HKLM)

O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)

O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)

O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)

O9 - Extra 'Tools' menuitem: AV Home (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: MSN (HKCU)

O12 - Plugin for .gov/FOTW23WebApp/servlet/StudentAccessServlet?dowhat=printsumpdf&phase=10&state=11&historyid=2&pageid=175&mode=0: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll

O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .MPG: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab


Download FindnFix.exe from here:

http://freeatlast100.100free.com/index.html or

http://downloads.subratam.org/FINDnFIX.exe

 

Double Click on the FindnFix.exe and it will install the batch file in its own folder.

 

Open the FindnFix folder and double click on !LOG!.bat

IMPORTANT! Before you run this tool please close ALL running programs and ALL open windows except for the FindnFix folder.

 

Relax, sit back and wait a few minutes while the program collects the necessary information.

 

*NOTE: If your AntiVirus is running a scriptblocker, when you run this tool, you will probably receive an alert warning you that the script is running. "Allow" the script to run.

 

 

When the program is finished:

 

Open the FindnFix folder.

1. Post the contents of Log.txt in this thread.

2. Attach file Win.txt to the same post. (Please attach, do not post)

(If this board does not provide the ability to attach documents to your post, then please post the Win.txt file in this thread)


Thank you so much for responding. FindnFix is asking to add items to my registry. Should I do that? My OS is Win 98.


NO and my apologies. FindnFix is for Win 2K and XP, not 98.

 

Delete the FindnFix folder from your computer.

 

Then....

 

Download: "StartDreck", from here:

http://members.blackbox.net/hp_links/21/ni.../startdreck.htm

http://www.niksoft.at/download/startdreck.htm

 

Unzip to its own folder and start the program,

 

Press 'Config'

Press 'Unmark All'

 

Check the following boxes only:

Registry -> Run Keys

System/Drivers -> Running Processes

Press 'Ok'

 

Press 'Save' and select the location to save the log file

(default is the same folder as the application)

 

Post the log in this thread.


StartDreck (build 2.1.5 public BETA) - 2004-06-29 @ 22:38:47

Platform: Windows 98 SE (Win 4.10.2222 A)

 

»Registry

»Run Keys

»Current User

»Run

»RunOnce

*QRIA=

»Default User

»Run

»RunOnce

*QRIA=

»Local Machine

»Run

*ScanRegistry=c:\windows\scanregw.exe /autorun

*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

*POINTER=point32.exe

*SystemTray=SysTray.Exe

*PTSNOOP=ptsnoop.exe

*CountrySelection=pctptt.exe

*Installed=1

*NoChange=1

*Installed=1

*Installed=1

»RunOnce

»RunServices

*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

»RunServicesOnce

»RunOnceEx

»RunServicesOnceEx

»Files

»System/Drivers

»Running Processes

*FFCF26F7=C:\WINDOWS\SYSTEM\KERNEL32.DLL

*FFFFD15B=C:\WINDOWS\SYSTEM\MSGSRV32.EXE

*FFFFE62B=C:\WINDOWS\SYSTEM\MPREXE.EXE

*FFFE6733=C:\WINDOWS\SYSTEM\mmtask.tsk

*FFFE0D53=C:\WINDOWS\EXPLORER.EXE

*FFFD05F3=C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE

*FFFD6203=C:\WINDOWS\SYSTEM\SYSTRAY.EXE

*FFFD38F7=C:\WINDOWS\ptsnoop.exe

*FFFDCFDF=C:\WINDOWS\SYSTEM\WMIEXE.EXE

*FFFB6D33=C:\WINDOWS\SYSTEM\DDHELP.EXE

*FFFB3D07=C:\WINDOWS\SYSTEM\SPOOL32.EXE

*FFFC227B=C:\WINDOWS\SYSTEM\HPHIPM11.EXE

*FFFA7FF7=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

*FFFC185B=C:\UNZIPPED\STARTDRECK\STARTDRECK.EXE

»Application specific


Thanks, the scan was negative for the hidden dll. Must have been leftover entries;

 

 

Check the following items in HiJackThis:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

 

O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)

O2 - BHO: (no name) - {275636E4-A535-4668-9FF1-86DC0C62D446} - C:\WINDOWS\MADOPEW.DLL

O2 - BHO: (no name) - {81078902-C8FF-11D8-A1EC-0010B8E6A557} - C:\WINDOWS\SYSTEM\BPEAAEA.DLL

 

Close all browser and explorer windows and press 'Fix Checked'

 

 

Post another HiJackThis log in this thread for final review.


Logfile of HijackThis v1.97.7

Scan saved at 11:20:20 PM, on 6/29/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v5.00 SP2 (5.00.3314.2100)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\ptsnoop.exe

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\HPHIPM11.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.altavista.com"); (C:\Program Files\Netscape\Users\netscape_profile\prefs.js)

O1 - Hosts: 204.46.198.11 r5imbnt1.r05res.epa.gov r5imbnt1 r5dev1

O1 - Hosts: 204.46.198.12 r5imbnt2.r05res.epa.gov r5imbnt2 r5dev2

O1 - Hosts: 204.46.177.44 r5notes2.r05tok.epa.gov r5notes2

O1 - Hosts: 204.46.180.38 r5imbnt3.r5gware.epa.gov r5imbnt3 r5notes3_nt

O1 - Hosts: 204.46.180.40 r5imbnt4.r5gware.epa.gov r5imbnt4 r5notes4_nt

O1 - Hosts: 204.46.177.72 r5imbnt5.r05tok.epa.gov r5imbnt5 r5notes5_nt

O1 - Hosts: 204.46.180.46 r5imbnt9.r5gware.epa.gov r5imbnt9 r5notes9

O1 - Hosts: 204.46.189.72 r5nt6.r5oig.epa.gov r5nt6 r5notes6_nt

O1 - Hosts: 204.46.177.57 r5nt6a.r05tok.epa.gov r5nt6a

O1 - Hosts: 204.46.180.37 r5nt6b.r05.epa.gov r5nt6b

O1 - Hosts: 204.46.189.71 r5ntdomfax1.r5oig.epa.gov r5ntdomfax1 r5notes7_fax

O1 - Hosts: 204.46.181.31 r5edont1.r5edo.epa.gov r5edont1 r5notes8_oh

O1 - Hosts: 204.46.189.70 r5ntbkup.r5oig.epa.gov r5ntbkup

O1 - Hosts: 204.46.180.39 r5imbnt3a.r5gware.epa.gov r5imbnt3a

O1 - Hosts: 204.46.198.85 r5ntora.r05res.epa.gov r5ntora

O1 - Hosts: 204.46.177.35 r5leg1.r05tok.epa.gov r5leg1

O1 - Hosts: 204.46.177.37 r5cubix1.r05tok.epa.gov r5cubix1

O1 - Hosts: 204.46.177.38 r5cubix2.r05tok.epa.gov r5cubix2

O1 - Hosts: 204.46.185.12 pm1.r5pmd.epa.gov pm1

O1 - Hosts: 204.46.185.13 pm2.r5pmd.epa.gov pm2

O1 - Hosts: 204.46.185.14 pm3.r5pmd.epa.gov pm3

O1 - Hosts: 204.46.185.15 pm4.r5pmd.epa.gov pm4

O1 - Hosts: 204.46.185.16 pm5.r5pmd.epa.gov pm5

O1 - Hosts: 204.46.185.17 pm6.r5pmd.epa.gov pm6

O1 - Hosts: 204.46.185.18 pm7.r5pmd.epa.gov pm7

O1 - Hosts: 204.46.185.11 r5pmd-ur.r5pmd.epa.gov r5pmd-ur

O1 - Hosts: 204.46.177.23 r5pmd-tbb.r05tok.epa.gov r5pmd-tbb

O1 - Hosts: 204.46.186.12 fm1.r5fms1.epa.gov fm1

O1 - Hosts: 204.46.186.13 fm2.r5fms1.epa.gov fm2

O1 - Hosts: 204.46.186.14 fm3.r5fms1.epa.gov fm3

O1 - Hosts: 204.46.186.15 fm4.r5fms1.epa.gov fm4

O1 - Hosts: 204.46.186.16 fm5.r5fms1.epa.gov fm5

O1 - Hosts: 204.46.186.17 fm6.r5fms1.epa.gov fm6

O1 - Hosts: 204.46.186.11 r5fms1-ur.r5fms1.epa.gov r5fms1-ur

O1 - Hosts: 204.46.177.24 r5fms1-tbb.r05tok.epa.gov r5fms1-tbb

O1 - Hosts: 204.46.187.12 rc1.r5rcra.epa.gov rc1

O1 - Hosts: 204.46.187.13 rc2.r5rcra.epa.gov rc2

O1 - Hosts: 204.46.187.14 rc3.r5rcra.epa.gov rc3

O1 - Hosts: 204.46.187.15 rc4.r5rcra.epa.gov rc4

O1 - Hosts: 204.46.187.16 rc5.r5rcra.epa.gov rc5

O1 - Hosts: 204.46.187.17 rc6.r5rcra.epa.gov rc6

O1 - Hosts: 204.46.187.18 rc7.r5rcra.epa.gov rc7

O1 - Hosts: 204.46.187.19 rc8.r5rcra.epa.gov rc8

O1 - Hosts: 204.46.187.20 rc9.r5rcra.epa.gov rc9

O1 - Hosts: 204.46.187.21 rc10.r5rcra.epa.gov rc10

O1 - Hosts: 204.46.187.22 rc11.r5rcra.epa.gov rc11

O1 - Hosts: 204.46.187.23 rc12.r5rcra.epa.gov rc12

O1 - Hosts: 204.46.190.24 rc13.r5rcra.epa.gov rc13

O1 - Hosts: 204.46.190.25 rc14.r5rcra.epa.gov rc14

O1 - Hosts: 204.46.187.11 r5rcra-ur.r5rcra.epa.gov r5rcra-ur

O1 - Hosts: 204.46.177.25 r5rcra-tbb.r05tok.epa.gov r5rcra-tbb

O1 - Hosts: 204.46.188.12 ar1.r5ard.epa.gov ar1

O1 - Hosts: 204.46.188.13 ar2.r5ard.epa.gov ar2

O1 - Hosts: 204.46.188.14 ar3.r5ard.epa.gov ar3

O1 - Hosts: 204.46.188.15 ar4.r5ard.epa.gov ar4

O1 - Hosts: 204.46.188.16 ar5.r5ard.epa.gov ar5

O1 - Hosts: 204.46.188.17 ar6.r5ard.epa.gov ar6

O1 - Hosts: 204.46.188.18 ar7.r5ard.epa.gov ar7

O1 - Hosts: 204.46.188.19 ar8.r5ard.epa.gov ar8

O1 - Hosts: 204.46.188.20 ar9.r5ard.epa.gov ar9

O1 - Hosts: 204.46.188.21 ar10.r5ard.epa.gov ar10

O1 - Hosts: 204.46.188.22 ar11.r5ard.epa.gov ar11

O1 - Hosts: 204.46.188.23 ar12.r5ard.epa.gov ar12

O1 - Hosts: 204.46.188.24 ar13.r5ard.epa.gov ar13

O1 - Hosts: 204.46.188.25 ar14.r5ard.epa.gov ar14

O1 - Hosts: 204.46.188.26 ar15.r5ard.epa.gov ar15

O1 - Hosts: 204.46.188.27 ar16.r5ard.epa.gov ar16

O1 - Hosts: 204.46.188.28 ar17.r5ard.epa.gov ar17

O1 - Hosts: 204.46.188.29 ar18.r5ard.epa.gov ar18

O1 - Hosts: 204.46.188.30 ar19.r5ard.epa.gov ar19

O1 - Hosts: 204.46.188.31 ar20.r5ard.epa.gov ar20

O1 - Hosts: 204.46.188.32 ar21.r5ard.epa.gov ar21

O1 - Hosts: 204.46.188.33 ar22.r5ard.epa.gov ar22

O1 - Hosts: 204.46.188.34 ar23.r5ard.epa.gov ar23

O1 - Hosts: 204.46.188.35 ar24.r5ard.epa.gov ar24

O1 - Hosts: 204.46.188.36 ar25.r5ard.epa.gov ar25

O1 - Hosts: 204.46.188.37 ar26.r5ard.epa.gov ar26

O1 - Hosts: 204.46.188.38 ar27.r5ard.epa.gov ar27

O1 - Hosts: 204.46.188.39 ar28.r5ard.epa.gov ar28

O1 - Hosts: 204.46.188.40 ar29.r5ard.epa.gov ar29

O1 - Hosts: 204.46.188.41 ar30.r5ard.epa.gov ar30

O1 - Hosts: 204.46.188.42 ar31.r5ard.epa.gov ar31

O1 - Hosts: 204.46.188.43 ar32.r5ard.epa.gov ar32

O1 - Hosts: 204.46.188.44 ar33.r5arb.epa.gov ar33

O1 - Hosts: 204.46.188.45 ar34.r5arb.epa.gov ar34

O1 - Hosts: 204.46.188.46 ar35.r5arb.epa.gov ar35

O1 - Hosts: 204.46.188.47 ar36.r5arb.epa.gov ar36

O1 - Hosts: 204.46.188.48 ar37.r5arb.epa.gov ar37

O1 - Hosts: 204.46.188.49 ar38.r5arb.epa.gov ar38

O1 - Hosts: 204.46.188.50 ar39.r5arb.epa.gov ar39

O1 - Hosts: 204.46.188.51 ar40.r5arb.epa.gov ar40

O1 - Hosts: 204.46.188.52 ar41.r5arb.epa.gov ar41

O1 - Hosts: 204.46.188.53 ar42.r5ard.epa.gov ar42

O1 - Hosts: 204.46.188.54 ar43.r5ard.epa.gov ar43

O1 - Hosts: 204.46.188.55 ar44.r5ard.epa.gov ar44

O1 - Hosts: 204.46.188.56 ar45.r5ard.epa.gov ar45

O1 - Hosts: 204.46.188.11 r5ard-ur.r5ard.epa.gov r5ard-ur

O1 - Hosts: 204.46.177.26 r5ard-tbb.r05tok.epa.gov r5ard-tbb

O1 - Hosts: 204.46.189.12 oi1.r5oig.epa.gov oi1

O1 - Hosts: 204.46.189.13 oi2.r5oig.epa.gov oi2

O1 - Hosts: 204.46.189.11 r5oig-ur.r5oig.epa.gov r5oig-ur

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)

O9 - Extra button: Translate (HKLM)

O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)

O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)

O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)

O9 - Extra 'Tools' menuitem: AV Home (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: MSN (HKCU)

O12 - Plugin for .gov/FOTW23WebApp/servlet/StudentAccessServlet?dowhat=printsumpdf&phase=10&state=11&historyid=2&pageid=175&mode=0: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll

O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .MPG: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab


Unless you need them, none whatsoever. They were all for the EPA and I assumed you put them there.


OK. Am I clean? What about the 03 shdocvw.dll ? I read somewhere that it is a parasite. And, I cannot tell you how much I appreciate your help.


I removed most of the Hosts. I think I have a Notes program that is automatically adding them. Latest HJT log attached. Thank you again.

Logfile of HijackThis v1.97.7

Scan saved at 10:00:05 AM, on 6/30/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v5.00 SP2 (5.00.3314.2100)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\ptsnoop.exe

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\HPHIPM11.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.altavista.com"); (C:\Program Files\Netscape\Users\netscape_profile\prefs.js)

O1 - Hosts: 161.80.11.133 admin_lan

O1 - Hosts: 134.67.208.97 epahubx

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)

O9 - Extra button: Translate (HKLM)

O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)

O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)

O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)

O9 - Extra 'Tools' menuitem: AV Home (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: MSN (HKCU)

O12 - Plugin for .gov/FOTW23WebApp/servlet/StudentAccessServlet?dowhat=printsumpdf&phase=10&state=11&historyid=2&pageid=175&mode=0: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll

O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .MPG: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab


At last, your system is clean and free of spyware! Want to keep it that way?

 

Here are some simple steps you can take to reduce the chance of infection in the future.

 

1. Visit Windows Update: <-- YOU NEED TO DO THIS!!

Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.

a. Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp

 

1. Adjust your security settings for ActiveX:

Go to Internet Options/Security/Internet, press 'default level', then OK.

Now press "Custom Level."

In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt'; set the second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe' to 'Disable'.

 

2. Download and install the following free programs

a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html

b. SpywareGuard: http://www.wilderssecurity.net/spywareguard.html

c. IE/Spyad: https://netfiles.uiuc.edu/ehowes/www/resource.htm

 

1. Install Spyware Detection and Removal Programs:

You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.

a. AdAware: http://www.lavasoft.de/

b. Spybot S&D: http://security.kolla.de/index.php?lang=en&page=download

 

 

For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiator-antivirus.com/index...?showtopic=9857


Thank you so much. I will follow your advice above. Two quick questions. What about the 03 shdocvw.dll in my HJT log? I read somewhere that it is a parasite. Any thoughts about Norton anti-virus instead of or in addition to the programs you recommend?


Ah, the backyard geniuses that want you to delete shdocvw.dll. Ask them to delete their copy first. Google will give you a lot of info about it. In simple terms, do not delete it, MS depends upon it!!

 

An AV is mandatory if you surf the net and even if you don't!!! Norton is good, as are several others. Somebody will always tell you your AV is no good. For me, it is a matter of personal choice.


I should have googled first. Thank you so much for your help. You all are just amazing to offer your time and expertise. I am encouraged that there are folks like you to keep the jerks that propagate this stuff at bay. Peace.


I think Norton is basically useless with some of this stuff. They are aimed more at hard core viruses. I believe if you are unsure about a .dll or .exe, you can use Google to search it; you should be able to tell if it's a random and/or bad name. Personally I would search your processes and stuff that end with 32 and/or have add anywhere in the name. When my comp was hijacked, most of the random files had 32, add, or looked a LOT like regular Windows files.


I am back and in some pain. IE will not download. Downloaded IE6 and ZoneAlert via Netscape. ZoneAlert found and supposedly eliminated new virus, including Bagel. IE 6 still will not download and Netscape is real shaky with Zone Alert on. HJT showed O10 - Broken Internet access because of LSP provider 'imslsp.dll' missing. Ran LSP fix from cexx.org and the R10 is gone, but IE still will not download. Here is the latest HJT log. Any ideas? Thanks.

Logfile of HijackThis v1.97.7

Scan saved at 11:38:39 PM, on 7/1/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\ZONELABS\ISAFE.EXE

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\ptsnoop.exe

C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\netscape_profile\prefs.js)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)

O9 - Extra button: Translate (HKLM)

O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)

O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)

O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)

O9 - Extra 'Tools' menuitem: AV Home (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: MSN (HKCU)

O12 - Plugin for .gov/FOTW23WebApp/servlet/StudentAccessServlet?dowhat=printsumpdf&phase=10&state=11&historyid=2&pageid=175&mode=0: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll

O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .MPG: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab


Reg,

 

Lesson #1 in spyware removal. Just because it's listed by HiJackThis does not mean it's bad.

 

This file, Imslsp.dll, belongs to ZoneAlarm, and guess what??: You just broke it by removing that file with LSPFix.

 

Now, if you want me to continue working on your log, you do not remove anything without my permission first. I cannot work on a log when you are busy making changes.

 

Good luck fixing ZA!


OK. I will absolutely wait for you. I had to reboot because the machine froze. Here is a new log. I would be most pleased if you could take a look, and I will not touch a thing until I hear from you.

Logfile of HijackThis v1.97.7

Scan saved at 12:47:40 AM, on 7/2/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\ptsnoop.exe

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\NETSCAPE.EXE

C:\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\netscape_profile\prefs.js)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)

O9 - Extra button: Translate (HKLM)

O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)

O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)

O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)

O9 - Extra 'Tools' menuitem: AV Home (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: MSN (HKCU)

O12 - Plugin for .gov/FOTW23WebApp/servlet/StudentAccessServlet?dowhat=printsumpdf&phase=10&state=11&historyid=2&pageid=175&mode=0: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll

O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .MPG: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab


OK, first order of business for you is to uninstall ZoneAlarm, delete any leftovers, reboot and then install it again. Right now you have no firewall.

 

Then download HiJackThis again, there is a new version out (198.0). Run it and post the log in this thread. It has some additional detections.

 

Right now, your log is clean.


Done on ZA, but I had to close it to get Netscape to run. New HJT 198.0 log attached.

Logfile of HijackThis v1.98.0

Scan saved at 1:29:31 AM, on 7/2/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\ptsnoop.exe

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\NETSCAPE.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\HIJACKTHIS 2.EXE

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\netscape_profile\prefs.js)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=2c00&LC=0409 (file missing)

O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=2c00&LC=0409 (file missing)

O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=2c00&LC=0409 (file missing)

O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=2c00&LC=0409 (file missing)

O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=2c00&LC=0409 (file missing)

O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=2c00&LC=0409 (file missing)

O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)

O9 - Extra 'Tools' menuitem: AV Home - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE

O9 - Extra button: MSN - {E19D474D-B5FD-11D2-AE0E-00C04FAEA83F} - (no file) (HKCU)

O12 - Plugin for .gov/FOTW23WebApp/servlet/StudentAccessServlet?dowhat=printsumpdf&phase=10&state=11&historyid=2&pageid=175&mode=0: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll

O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .MPG: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll


This is the bad entry that is causing all the problems: O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll, but we cannot use HiJackThis to remove it since shdocvw.dll is a needed system file.

 

We will take it out using Regedit.

 

Start --> Run --> regedit

 

 

Navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar

 

Then find and delete this subkey:

{82599E0A-8C81-11d7-9F97-0050FC5441CB}

 

Close regedit, reboot, run HiJackThis again and post a new log.

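The fix-then-rescan check this thread keeps repeating, as an added example that is not part of the original posts: a small Python parser for HijackThis entry lines that diffs two scans and lists files referenced by more than one CLSID. The sample lines are copied from the 7/2/04 and 7/5/04 logs in this thread; the function names and the keying scheme (section code plus CLSID) are assumptions made for this illustration.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "code clsid target text")

# "O3 - Toolbar: ..." style lines; headers and process paths do not match.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Sample input: a few entry lines taken from the 7/2/04 log in this thread.
BEFORE = r"""
Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\EXPLORER.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
"""

# The same lines as they appear in the 7/5/04 log, after the regedit step.
AFTER = r"""
Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\EXPLORER.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
"""


def parse_log(text):
    """Return the R/N/O entry lines of a HijackThis log as Entry tuples."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, blank line, or running-process path
        code, rest = m.groups()
        c = CLSID_RE.search(rest)
        clsid = c.group(0).upper() if c else None
        # For CLSID-bearing entries, what follows the CLSID is the file or URL.
        target = rest[c.end():].lstrip(" -").strip() if c else None
        entries.append(Entry(code, clsid, target, rest))
    return entries


def _key(entry):
    # Assumption of this example: a registration is identified by its section
    # code plus CLSID, never by the file it points at.
    return (entry.code, entry.clsid or entry.text.lower())


def diff_logs(before, after):
    """Entries present only in the first scan, and only in the second."""
    b = {_key(e): e for e in parse_log(before)}
    a = {_key(e): e for e in parse_log(after)}
    removed = [b[k] for k in b if k not in a]
    added = [a[k] for k in a if k not in b]
    return removed, added


def shared_targets(text):
    """Files referenced by more than one CLSID registration in a scan."""
    by_target = {}
    for e in parse_log(text):
        if e.clsid and e.target:
            by_target.setdefault(e.target.lower(), []).append((e.code, e.clsid))
    return {t: ids for t, ids in by_target.items() if len(ids) > 1}


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    for e in removed:
        print("removed:", e.code, e.clsid, e.target)
    for e in added:
        print("added:  ", e.code, e.clsid, e.target)
    for target, ids in shared_targets(BEFORE).items():
        print("shared file:", target, "<-", ids)
```

Keying on the CLSID shows why the subkey was deleted rather than the file: in the earlier scan shdocvw.dll is the target of both the O3 toolbar entry and the O9 Real.com button, and only the O3 registration disappears in the later one.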

LoPhat, I have been away from my machine for a couple of days. I have followed your directions re regedit and a new HJT log is attached. When I tried to upload this with IE, I got an illegal op message and everything shut down. Also, I still have to close ZA to get Netscape to load. Does Rubber Ducky have a fix above? I await your instructions.

 

Logfile of HijackThis v1.98.0

Scan saved at 2:19:34 AM, on 7/5/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\ZONELABS\ISAFE.EXE

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\ptsnoop.exe

C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\HIJACKTHIS 2.EXE

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\netscape_profile\prefs.js)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=2c00&LC=0409 (file missing)

O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=2c00&LC=0409 (file missing)

O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=2c00&LC=0409 (file missing)

O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=2c00&LC=0409 (file missing)

O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=2c00&LC=0409 (file missing)

O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=2c00&LC=0409 (file missing)

O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)

O9 - Extra 'Tools' menuitem: AV Home - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE

O9 - Extra button: MSN - {E19D474D-B5FD-11D2-AE0E-00C04FAEA83F} - (no file) (HKCU)

O12 - Plugin for .gov/FOTW23WebApp/servlet/StudentAccessServlet?dowhat=printsumpdf&phase=10&state=11&historyid=2&pageid=175&mode=0: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll

O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .MPG: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll


Nothing in your log but the one R1 entry came back.

 

Check the following in HiJackThis:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

 

Close all windows except HiJackThis and press 'Fix Checked'

 

 

It certainly can't hurt to try Rubber Ducky's fix. Run it twice!!

 

Please download About:Buster from one of the following locations:

http://www.atribune.org/downloads/AboutBuster.zip or

http://tools.zerosrealm.com/AboutBuster.zip

 

Unzip about:buster to its own folder.

 

 

=== Run About:Buster ===

Close all open windows.

 

Open the about:buster folder.

Double click on the program.

 

Next click 'OK' and allow the program to run. (it may take a few minutes)

 

Make a copy of the log it creates for posting later.

 

Then run the About:Buster a second time just to be sure it got everything.

 

Make a copy of the log it creates again.

 

Reboot.

 

Post both of the about:buster logs in this thread.

 

Run HiJackThis again, and post the log in this thread.


Both Buster logs:

About Buster Version 1.24

Attempted Clean of Temp Folder

Pages Reset ... Done

 

latest HJT log

Logfile of HijackThis v1.98.0

Scan saved at 2:21:16 PM, on 7/5/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\ZONELABS\ISAFE.EXE

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\ptsnoop.exe

C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\HIJACKTHIS 2.EXE

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\netscape_profile\prefs.js)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=2c00&LC=0409 (file missing)

O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=2c00&LC=0409 (file missing)

O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=2c00&LC=0409 (file missing)

O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=2c00&LC=0409 (file missing)

O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=2c00&LC=0409 (file missing)

O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=2c00&LC=0409 (file missing)

O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)

O9 - Extra 'Tools' menuitem: AV Home - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE

O9 - Extra button: MSN - {E19D474D-B5FD-11D2-AE0E-00C04FAEA83F} - (no file) (HKCU)

O12 - Plugin for .gov/FOTW23WebApp/servlet/StudentAccessServlet?dowhat=printsumpdf&phase=10&state=11&historyid=2&pageid=175&mode=0: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll

O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .MPG: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll


OK, let's wait and see if anything comes back.

 

I am not sure about the IE issue. Removing that toolbar entry should not cause IE to crash on upload. Reboot and try again. If it still crashes you may need to do a repair installation of IE.


OK. I ran Ad-aware, Spybot, Buster, and CWShredder again. Pretty much negative (Ad-aware found Alexa), but when I opened the Shredder, it said that I have a variant of Cool Web Search "CWS.Smartsearch.2" that was trying to prevent the Shredder from opening. It therefore went to a random string and ran anyway, but found nothing. IE is working some but will not load certain sites (spywareinfo.com, for example), and when I try to download critical windows updates IE shuts down. Netscape has been stuck on an alta-vista homepage (despite what it says in HJT) and will not change. IE homepage changed to Google, I think after I ran the buster. I could remove IE6 and revert to IE4, but I had the same problems with IE4. Oh, I still have to close ZA to get Netscape to load anything. Any other ideas? I do appreciate your help. Latest HJT log attached.

 

Logfile of HijackThis v1.98.0

Scan saved at 4:27:22 PM, on 7/5/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\ptsnoop.exe

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\WINOA386.MOD

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\NETSCAPE.EXE

C:\HIJACKTHIS 2.EXE

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\netscape_profile\prefs.js)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=2c00&LC=0409 (file missing)

O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=2c00&LC=0409 (file missing)

O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=2c00&LC=0409 (file missing)

O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=2c00&LC=0409 (file missing)

O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=2c00&LC=0409 (file missing)

O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=2c00&LC=0409 (file missing)

O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)

O9 - Extra 'Tools' menuitem: AV Home - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE

O9 - Extra button: MSN - {E19D474D-B5FD-11D2-AE0E-00C04FAEA83F} - (no file) (HKCU)

O12 - Plugin for .gov/FOTW23WebApp/servlet/StudentAccessServlet?dowhat=printsumpdf&phase=10&state=11&historyid=2&pageid=175&mode=0: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll

O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .MPG: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll


The log looks good. Try resetting your Hosts file and see if that makes any difference.

 

=== Begin Hosts File Reset ===

1. Download the Hoster from here:

http://members.aol.com/toadbee/hoster.zip

2. Install the program and run it.

3. Press 'Restore Original Hosts' and press 'OK'

4. Exit Program.

 

Note: This program also has a Hosts file backup facility that you may want to use if you have added custom entries to the Hosts file.


Did the Hoster. No change in anything. Oh, I was able to get to the board (slowly) via IE, but as soon as I tried to Add Reply, IE closed.


It's back. Gave up on IE and removed Netscape. Downloaded Mozilla Firefox which is great. Anyway, I ran Ad-Aware tonight and CWS came up all over. Ad-aware supposedly removed it. CWShredder said I was clean afterward. Buster was clean. Here is the latest HJT log. This is depressing. Thanks again for the help.

 

Logfile of HijackThis v1.98.0

Scan saved at 1:25:43 AM, on 7/7/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\ptsnoop.exe

C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\ZONELABS\ISAFE.EXE

C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE

C:\HIJACKTHIS 2.EXE

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.altavista.com"); (C:\Program Files\Netscape\Users\netscape_profile\prefs.js)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=2c00&LC=0409 (file missing)

O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=2c00&LC=0409 (file missing)

O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=2c00&LC=0409 (file missing)

O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=2c00&LC=0409 (file missing)

O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=2c00&LC=0409 (file missing)

O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=2c00&LC=0409 (file missing)

O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)

O9 - Extra 'Tools' menuitem: AV Home - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE (file missing)

O9 - Extra button: MSN - {E19D474D-B5FD-11D2-AE0E-00C04FAEA83F} - (no file) (HKCU)

O12 - Plugin for .gov/FOTW23WebApp/servlet/StudentAccessServlet?dowhat=printsumpdf&phase=10&state=11&historyid=2&pageid=175&mode=0: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll

O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .MPG: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

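Comparing successive scans by eye is error-prone, so here is an added example (not part of the original thread, and not HijackThis's own code) that parses two logs and reports what changed between them. The two sample logs are trimmed excerpts of the 7/5/04 and 7/7/04 scans posted above; the function names and the "went_missing" category are this example's own.

```python
import re

# HijackThis result lines look like "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
MISSING = " (file missing)"

# Trimmed excerpts of the scans posted in this thread (not the full logs).
SCAN_OLD = r"""
Logfile of HijackThis v1.98.0
Scan saved at 2:21:16 PM, on 7/5/04
Running processes:
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\HIJACKTHIS 2.EXE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\netscape_profile\prefs.js)
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
"""
SCAN_NEW = r"""
Logfile of HijackThis v1.98.0
Scan saved at 1:25:43 AM, on 7/7/04
Running processes:
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\HIJACKTHIS 2.EXE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.altavista.com"); (C:\Program Files\Netscape\Users\netscape_profile\prefs.js)
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE (file missing)
"""

def parse_hjt(text):
    """Return (running processes, {(code, body): file_missing_flag})."""
    processes, entries, in_procs = set(), {}, False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False  # the first result line ends the process list
            body = m["body"]
            missing = body.endswith(MISSING)
            if missing:
                body = body[:-len(MISSING)]
            entries[(m["code"], body)] = missing
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs and line:  # tolerate the blank lines forum pastes add
            processes.add(line.upper())
    return processes, entries

def diff_scans(old_text, new_text):
    """Report entries and processes that differ between two scans."""
    old_p, old_e = parse_hjt(old_text)
    new_p, new_e = parse_hjt(new_text)
    return {
        "added": sorted(k for k in new_e if k not in old_e),
        "removed": sorted(k for k in old_e if k not in new_e),
        # same entry in both scans, but its target file has since vanished
        "went_missing": sorted(k for k in new_e
                               if new_e[k] and old_e.get(k) is False),
        "new_processes": sorted(new_p - old_p),
        "gone_processes": sorted(old_p - new_p),
    }

if __name__ == "__main__":
    for kind, items in diff_scans(SCAN_OLD, SCAN_NEW).items():
        for item in items:
            print(f"{kind}: {item}")
```

On these excerpts the diff surfaces the Netscape homepage preference changing to altavista.com, the AIM button losing its target file after Netscape was removed, and Firefox appearing as a new process.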

You are clean again. I see your firewall but no Anti Virus. An AV is mandatory if you are on the 'net. Try AVG, it's free, and so is AVAST. Google will give you the websites.

 

At last, your system is clean and free of spyware! Want to keep it that way?

 

Here are some simple steps you can take to reduce the chance of infection in the future.

 

1. Visit Windows Update: <-- YOU NEED TO DO THIS!!

Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.

a. Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp

 

2. Adjust your security settings for ActiveX:

Go to Internet Options/Security/Internet, press 'default level', then OK.

Now press "Custom Level."

In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt'; set the second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe' to 'Disable'.

 

3. Download and install the following free programs:

a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html

b. SpywareGuard: http://www.wilderssecurity.net/spywareguard.html

c. IE/Spyad: https://netfiles.uiuc.edu/ehowes/www/resource.htm

 

4. Install Spyware Detection and Removal Programs:

You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.

a. AdAware: http://www.lavasoft.de/

b. Spybot S&D: http://security.kolla.de/index.php?lang=en&page=download

 

 

For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiator-antivirus.com/index...?showtopic=9857

 

 

Good luck, and thanks for coming to our forums for help with your security and malware issues.


LoPhat,

Thank you for your reply. I thought I was running an introductory ZA Suite with a firewall and AV, but I will check. I will try AVG. I have already adjusted my IE security settings, and I will download and install SpywareBlaster and Guard and IE/Spyad. IE still will not download; specifically, at Windows Update, it will scan and locate critical updates, but it freezes when I try to download them. Windows Update will not run on Mozilla. I downloaded a couple of updates from the MS download center via Mozilla, but it is awkward to locate them all there. Am I missing something about the updates? Also, any idea why Ad-aware identified and, I guess, removed CWS again last night? Finally, assuming that I can get the os updated, can I just forget IE and use Mozilla? Thank you again so much for your interest and assistance. You and this board are great.


You can use FireFox or Opera, instead of Internet Explorer, but keep IE updated. You will still need it to use Windows Updates.

 

After finding a few extensions that make posting on boards easier I have FireFox as my default browser.


OK. I will use Firefox as my default. My remaining problem, though, is that IE will NOT download critical windows updates. Any suggestions?
