Dave_K

Can't download Hijack This

39 posts in this topic

This is my first post here. I got hijacked last week by someone taking my browser to "res://mshp.dll/index.html#37049" as the homepage. It also gave me a lot of pop-ups but I was otherwise able to navigate normally (albeit slowly). I downloaded Spybot last night. It took care of most of the pop-ups but I still get hijacked.

I tried to download HijackThis, but got a message that file MSVBVM60.DLL was not found. Is this another feature of the spyware or just something my computer (I'm running Windows 98) is lacking?


Please download Coolweb Shredder from here. Unzip it into its own folder and run it hitting fix as opposed to scan only.

 

Then reboot and try to download hijackthis again, extract it to its own folder and post a log as a reply to this thread. Here are some alternative download locations.

 

http://www.zerosrealm.com/downloads/hjt.zip

 

http://www.spywareinfo.com/downloads/tools/HijackThis.exe

 

http://lurkhere.com/~nicefiles/hijackthis1977.zip


Actually, I checked again. Both HijackThis and CWShredder are in my C drive, but I can't open them. Each one gives me the same message that a required DLL file MSVBVM60.DLL is not found. Is this still a download problem?


Similar problem - maybe someone knows if it's really the same problem, but XP instead of 98. Cannot download HJT from any site, gets up to 140s of 153KB file and message comes up saying 'CANNOT READ FROM SOURCE DISK'. Also cannot load from floppy or CD - the drives refuse to 'see' the HJT file. Will not see CWShredder either, but got it to run by typing cwshredder.exe in RUN. If drive won't see HJT, cannot move it to folder, so cannot generate log. Even mixed in with other files, they're all visible except Shredder and HJT. Already ran minitool. Get hijacked to some "outhost" website. Something regenerates it in registry keys on reboot. Any answers for us?


This error means that you need to upgrade the version of Visual Basic installed on your computer to version 6. You can download what you need at this link: http://download.microsoft.com/download/vb6.../vbrun60sp5.exe

 

thorongil, if you would like to start your own thread, I'm sure someone will come along and help you.

Edited by nellie2


Success!

Here's the log file.

 

Logfile of HijackThis v1.97.7

Scan saved at 12:25:54 AM, on 6/16/04

Platform: Windows 98 Gold (Win9x 4.10.1998)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\CRNA32.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\ATICWD32.EXE

C:\WINDOWS\SYSTEM\ATITASK.EXE

C:\PROGRAM FILES\EARTHLINK\FASTLANE\ARMON32.EXE

C:\WINDOWS\SYSTEM\IEOH.EXE

C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE

C:\WINDOWS\CWD3DSND.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\FINDFAST.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OSA.EXE

C:\PROGRAM FILES\MSWORKS\CALENDAR\WKCALREM.EXE

C:\PROGRAM FILES\MICROSOFT HOME PUBLISHING\MHPRMIND.EXE

C:\PROGRAM FILES\HP DESKJET 690C SERIES\EREG\REMIND32.EXE

C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.1\CM_CAMERA.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\aheqt.dll/sp.html#37049

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://aheqt.dll/index.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://aheqt.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\aheqt.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://aheqt.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\Windows\aheqt.dll/sp.html#37049

F1 - win.ini: run=hpfsched

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\APPLICATION DATA\IEXL\NTHA32.DLL (file missing)

O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\MSOPT.DLL (file missing)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)

O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\WINDOWS\APPLICATION DATA\SYSQE\SYSQE.DLL (file missing)

O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\APPLICATION DATA\SYSQE\ATLID32.DLL (file missing)

O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\PROGRAM FILES\SUBMIT\SUBMITHOOK.DLL

O2 - BHO: (no name) - {77B4CE71-F8EB-D009-07EA-8D5437684795} - C:\WINDOWS\ATLSI.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe

O4 - HKLM\..\Run: [AtiKey] Atitask.exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [AccessRampMonitor] "C:\Program Files\EarthLink\FastLane\ARMon32.exe"

O4 - HKLM\..\Run: [VsecomrEXE] C:\PROGRA~1\PLUS!\Viruscan\VSECOMR.EXE

O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE

O4 - HKLM\..\Run: [mgavrtclexe] C:\Windows\MCBin\AV\Rt\mgavrtcl.exe

O4 - HKLM\..\Run: [hpinstantsupport] "c:\program files\hp instant support\bin\matcliwrapper.exe" "c:\program files\hp instant support\" -boot

O4 - HKLM\..\Run: [image] rundll32 C:\WINDOWS\SDKQH32.DLL,Install

O4 - HKLM\..\Run: [iEOH.EXE] C:\WINDOWS\SYSTEM\IEOH.EXE

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE

O4 - HKLM\..\RunServices: [mgavrtclexe] C:\Windows\MCBin\AV\Rt\mgavrte.exe

O4 - HKLM\..\RunServices: [CRNA32.EXE] C:\WINDOWS\CRNA32.EXE

O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe

O4 - HKCU\..\RunServices: [image] rundll32 C:\WINDOWS\SDKQH32.DLL,Install

O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWD3DSND.EXE

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\FINDFAST.EXE

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\OSA.EXE

O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE

O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE

O4 - Startup: Reminder-hpc41001.lnk = C:\Program Files\HP DeskJet 690C Series\ereg\Remind32.exe

O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://cbop.lifepics.com/common/UserUpload/xupload.ocx

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8006.8169907407

Edited by Dave_K


Hi Dave!

 

You have a coolweb infection! Download CWShredder from here, extract it to its own folder and then run it with all other windows closed and hit fix as opposed to scan only. Let it fix anything it finds.

 

Then go here and do an online virus scan.

 

I see you have Spybot Search and destroy, please click on the update button to make sure that you have the latest updates. Also, ensure you have version 1.3 final. If not then you can get it from this link, but make sure you uninstall the old version before installing the new version.

Home - The home of Spybot-S&D!: http://www.safer-networking.org/

 

Run Spybot search and Destroy and then reboot.

 

Then, download Adaware (please ensure you have version 6 build 6.181)

Downloads - Support - Lavasoft#free: http://www.lavasoftusa.com/support/download/#free

 

The following explains how to set Ad-aware's settings to perform a "Full Scan."

And some settings that should be made prior to using the first time.

 

In Ad-aware click the Gear to go to the Settings area.

The following items should be on a green check, not on a red X.

Under the Scanning button:

Scan within archives

 

Under Memory & Registry, Check EVERYTHING

 

In Check Drives & Folders, make sure all of your hard drives are selected

 

Under the Tweak button...

Some of these may not be an available option, depending on your version of Ad-aware and your version of Windows. Do not be concerned if you cannot select a certain item.

 

In Scanning Engine:

Unload recognized processes during scanning

 

In Cleaning Engine:

XP/2000: Allow unloading explorer to unload shell extensions prior to deletion

Let Windows remove files in use at next reboot

 

UNCHECK Automatically try to unregister objects prior to deletion

 

Click Proceed to save these settings.

Now press "check for updates Now". Always check before scanning.

Click start [x] choose use default scanning options

click next and let it fix anything it finds

 

Reboot

http://www.lavahelp.com/howto/fullscan/index.html

 

Then post me a fresh hijack log please :wave:


Hi, Nellie. Hope you've had a good weekend, and thanks for helping. I finally got a chance to do all this and here's the Hijack This log:

Logfile of HijackThis v1.97.7

Scan saved at 11:12:07 PM, on 6/21/04

Platform: Windows 98 Gold (Win9x 4.10.1998)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\CRNA32.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\ATICWD32.EXE

C:\WINDOWS\SYSTEM\ATITASK.EXE

C:\PROGRAM FILES\EARTHLINK\FASTLANE\ARMON32.EXE

C:\WINDOWS\SYSTEM\IEOH.EXE

C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE

C:\WINDOWS\CWD3DSND.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\FINDFAST.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OSA.EXE

C:\PROGRAM FILES\MSWORKS\CALENDAR\WKCALREM.EXE

C:\PROGRAM FILES\MICROSOFT HOME PUBLISHING\MHPRMIND.EXE

C:\PROGRAM FILES\HP DESKJET 690C SERIES\EREG\REMIND32.EXE

C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.1\CM_CAMERA.EXE

C:\PROGRAM FILES\HP INSTANT SUPPORT\COMMON\MOTIVEDIRECTORY.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\aheqt.dll/sp.html#37049

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://aheqt.dll/index.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://aheqt.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\aheqt.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://aheqt.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\Windows\aheqt.dll/sp.html#37049

F1 - win.ini: run=hpfsched

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\MSOPT.DLL (file missing)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)

O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\WINDOWS\APPLICATION DATA\SYSQE\SYSQE.DLL (file missing)

O2 - BHO: (no name) - {77B4CE71-F8EB-D009-07EA-8D5437684795} - C:\WINDOWS\ATLSI.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe

O4 - HKLM\..\Run: [AtiKey] Atitask.exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [AccessRampMonitor] "C:\Program Files\EarthLink\FastLane\ARMon32.exe"

O4 - HKLM\..\Run: [VsecomrEXE] C:\PROGRA~1\PLUS!\Viruscan\VSECOMR.EXE

O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE

O4 - HKLM\..\Run: [mgavrtclexe] C:\Windows\MCBin\AV\Rt\mgavrtcl.exe

O4 - HKLM\..\Run: [hpinstantsupport] "c:\program files\hp instant support\bin\matcliwrapper.exe" "c:\program files\hp instant support\" -boot

O4 - HKLM\..\Run: [iEOH.EXE] C:\WINDOWS\SYSTEM\IEOH.EXE

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE

O4 - HKLM\..\RunServices: [mgavrtclexe] C:\Windows\MCBin\AV\Rt\mgavrte.exe

O4 - HKLM\..\RunServices: [CRNA32.EXE] C:\WINDOWS\CRNA32.EXE

O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe

O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWD3DSND.EXE

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\FINDFAST.EXE

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\OSA.EXE

O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE

O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE

O4 - Startup: Reminder-hpc41001.lnk = C:\Program Files\HP DeskJet 690C Series\ereg\Remind32.exe

O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://cbop.lifepics.com/common/UserUpload/xupload.ocx

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8006.8169907407

 

I'm still getting the pop-ups and malicious homepage. Any ideas?


Hi Dave_K

 

First of all, can you put hijackthis into its own folder? When we do a fix it will make backups, and if you just leave it at the root of your C drive you will get backups all over your C drive!

Then can you make sure that adaware is updated and that you have the latest reference files.

 

Then boot into safe mode, run hijackthis and fix the following;

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\aheqt.dll/sp.html#37049

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://aheqt.dll/index.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://aheqt.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\aheqt.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://aheqt.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\Windows\aheqt.dll/sp.html#37049

 

O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\MSOPT.DLL (file missing)

O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\WINDOWS\APPLICATION DATA\SYSQE\SYSQE.DLL (file missing)

 

O4 - HKLM\..\Run: [iEOH.EXE] C:\WINDOWS\SYSTEM\IEOH.EXE

O4 - HKLM\..\RunServices: [CRNA32.EXE] C:\WINDOWS\CRNA32.EXE

 

then search for and delete these files

 

C:\WINDOWS\SYSTEM\IEOH.EXE

C:\WINDOWS\CRNA32.EXE

 

Then still in safe mode, run Adaware, let it fix what it finds then reboot and post a fresh log!


Hiya, Nellie. Here's the log:

 

Logfile of HijackThis v1.97.7

Scan saved at 9:55:40 PM, on 6/25/04

Platform: Windows 98 Gold (Win9x 4.10.1998)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\ATICWD32.EXE

C:\WINDOWS\SYSTEM\ATITASK.EXE

C:\PROGRAM FILES\EARTHLINK\FASTLANE\ARMON32.EXE

C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE

C:\WINDOWS\CWD3DSND.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\FINDFAST.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OSA.EXE

C:\PROGRAM FILES\MSWORKS\CALENDAR\WKCALREM.EXE

C:\PROGRAM FILES\MICROSOFT HOME PUBLISHING\MHPRMIND.EXE

C:\PROGRAM FILES\HP DESKJET 690C SERIES\EREG\REMIND32.EXE

C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.1\CM_CAMERA.EXE

C:\PROGRAM FILES\HP INSTANT SUPPORT\COMMON\MOTIVEDIRECTORY.EXE

C:\WINDOWS\TEMP\TD_0002.DIR\HIJACKTHIS.EXE

 

F1 - win.ini: run=hpfsched

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)

O2 - BHO: (no name) - {77B4CE71-F8EB-D009-07EA-8D5437684795} - C:\WINDOWS\ATLSI.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe

O4 - HKLM\..\Run: [AtiKey] Atitask.exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [AccessRampMonitor] "C:\Program Files\EarthLink\FastLane\ARMon32.exe"

O4 - HKLM\..\Run: [VsecomrEXE] C:\PROGRA~1\PLUS!\Viruscan\VSECOMR.EXE

O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE

O4 - HKLM\..\Run: [mgavrtclexe] C:\Windows\MCBin\AV\Rt\mgavrtcl.exe

O4 - HKLM\..\Run: [hpinstantsupport] "c:\program files\hp instant support\bin\matcliwrapper.exe" "c:\program files\hp instant support\" -boot

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE

O4 - HKLM\..\RunServices: [mgavrtclexe] C:\Windows\MCBin\AV\Rt\mgavrte.exe

O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe

O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWD3DSND.EXE

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\FINDFAST.EXE

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\OSA.EXE

O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE

O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE

O4 - Startup: Reminder-hpc41001.lnk = C:\Program Files\HP DeskJet 690C Series\ereg\Remind32.exe

O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://cbop.lifepics.com/common/UserUpload/xupload.ocx

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8006.8169907407


Hi Dave.. we are nearly there.. I hope!! :p

 

You are now running hijackthis out of a temporary directory, can you create a folder in My Documents and call it 'hijack' or something similar, then move the hijackthis exe into this folder and run it from there.

 

Then boot into safe mode and fix this item in the same way that you did before

 

O2 - BHO: (no name) - {77B4CE71-F8EB-D009-07EA-8D5437684795} - C:\WINDOWS\ATLSI.DLL

 

Still in safe mode have a look for

 

C:\WINDOWS\ATLSI.DLL if you find it then delete it.

 

Reboot and post a fresh log please


Hi, Nellie: Here's the log file. I couldn't find any programs C:\WINDOWS\ATLS.DLL but I did find a similar BHO when I ran HijackThis to get the log.

I thought about deleting it but then thought I should check with you first.

 

 

Logfile of HijackThis v1.97.7

Scan saved at 1:25:42 PM, on 6/27/04

Platform: Windows 98 Gold (Win9x 4.10.1998)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\ATICWD32.EXE

C:\WINDOWS\SYSTEM\ATITASK.EXE

C:\PROGRAM FILES\EARTHLINK\FASTLANE\ARMON32.EXE

C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE

C:\WINDOWS\CWD3DSND.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\FINDFAST.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OSA.EXE

C:\PROGRAM FILES\MSWORKS\CALENDAR\WKCALREM.EXE

C:\PROGRAM FILES\MICROSOFT HOME PUBLISHING\MHPRMIND.EXE

C:\PROGRAM FILES\HP DESKJET 690C SERIES\EREG\REMIND32.EXE

C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.1\CM_CAMERA.EXE

C:\PROGRAM FILES\HP INSTANT SUPPORT\COMMON\MOTIVEDIRECTORY.EXE

C:\WINDOWS\TEMP\TD_0002.DIR\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\aheqt.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\aheqt.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\Windows\aheqt.dll/sp.html#37049

F1 - win.ini: run=hpfsched

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)

O2 - BHO: (no name) - {BDB24C00-14A7-757E-DA3B-70B5402AC77E} - C:\WINDOWS\ATLSI.DLL (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe

O4 - HKLM\..\Run: [AtiKey] Atitask.exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [AccessRampMonitor] "C:\Program Files\EarthLink\FastLane\ARMon32.exe"

O4 - HKLM\..\Run: [VsecomrEXE] C:\PROGRA~1\PLUS!\Viruscan\VSECOMR.EXE

O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE

O4 - HKLM\..\Run: [mgavrtclexe] C:\Windows\MCBin\AV\Rt\mgavrtcl.exe

O4 - HKLM\..\Run: [hpinstantsupport] "c:\program files\hp instant support\bin\matcliwrapper.exe" "c:\program files\hp instant support\" -boot

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE

O4 - HKLM\..\RunServices: [mgavrtclexe] C:\Windows\MCBin\AV\Rt\mgavrte.exe

O4 - HKLM\..\RunServices: [APPJK32.EXE] C:\WINDOWS\SYSTEM\APPJK32.EXE

O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe

O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWD3DSND.EXE

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\FINDFAST.EXE

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\OSA.EXE

O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE

O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE

O4 - Startup: Reminder-hpc41001.lnk = C:\Program Files\HP DeskJet 690C Series\ereg\Remind32.exe

O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://cbop.lifepics.com/common/UserUpload/xupload.ocx

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8006.8169907407
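
An added example, not part of the original thread and not HijackThis's own code: a small parser for the log format posted above that compares two scans and lists what changed between them, the comparison the helper is doing by eye. The two inputs are short excerpts of the 6/25/04 and 6/27/04 logs in this thread; the function names and flag labels are this example's own.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "code body")

# Item lines look like "O4 - HKLM\..\Run: [name] command"; the header and
# running-process lines carry no section code and are skipped.
LINE_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2})\s+-\s+(.*\S)\s*$")
BHO_RE = re.compile(
    r"^BHO:\s*(?P<name>.*?)\s+-\s+(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s+-\s+"
    r"(?P<path>.*?)(?P<missing>\s+\(file missing\))?$"
)

# Excerpt of the 6/25/04 log from this thread.
OLD_LOG = r"""
Logfile of HijackThis v1.97.7
C:\WINDOWS\EXPLORER.EXE
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: (no name) - {77B4CE71-F8EB-D009-07EA-8D5437684795} - C:\WINDOWS\ATLSI.DLL
O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe
"""

# Excerpt of the 6/27/04 log from this thread.
NEW_LOG = r"""
Logfile of HijackThis v1.97.7
C:\WINDOWS\EXPLORER.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\aheqt.dll/sp.html#37049
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: (no name) - {BDB24C00-14A7-757E-DA3B-70B5402AC77E} - C:\WINDOWS\ATLSI.DLL (file missing)
O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [APPJK32.EXE] C:\WINDOWS\SYSTEM\APPJK32.EXE
"""


def parse_log(text):
    """Return an Entry for every item line in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def review_flags(entries):
    """Flag the two patterns seen in this thread; flags mean 'review', not 'remove'."""
    flags = []
    for e in entries:
        if e.code in ("R0", "R1") and " = " in e.body:
            # IE start/search page served from a resource inside a local DLL.
            value = e.body.split(" = ", 1)[1]
            if value.lower().startswith("res://"):
                flags.append(("ie-page-res-url", e))
        elif e.code == "O2":
            # BHO still registered although its file is gone from disk.
            m = BHO_RE.match(e.body)
            if m and m.group("missing"):
                flags.append(("bho-file-missing", e))
    return flags


def new_entries(old, new):
    """Entries present in the newer scan but absent from the older one."""
    seen = set(old)
    return [e for e in new if e not in seen]


def bho_clsids(entries):
    """Map each BHO file path (upper-cased) to the set of CLSIDs registered for it."""
    out = {}
    for e in entries:
        if e.code == "O2":
            m = BHO_RE.match(e.body)
            if m:
                out.setdefault(m.group("path").upper(), set()).add(m.group("clsid").upper())
    return out


def reregistered_bhos(old, new):
    """BHO paths that appear in both scans but under a different CLSID."""
    before, after = bho_clsids(old), bho_clsids(new)
    return sorted(p for p in after if p in before and after[p] != before[p])


if __name__ == "__main__":
    old, new = parse_log(OLD_LOG), parse_log(NEW_LOG)
    for reason, e in review_flags(new):
        print(f"[{reason}] {e.code} - {e.body}")
    for e in new_entries(old, new):
        print(f"[new since last scan] {e.code} - {e.body}")
    for path in reregistered_bhos(old, new):
        print(f"[same file, new CLSID] {path}")
```

A `(file missing)` flag is a prompt for review rather than a verdict: the Spybot SDHelper entry carries it in every log in this thread and was never on the fix list.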


:cool:

 

Download: "StartDreck", from here:

http://members.blackbox.net/hp_links/21...tdreck.htm

Unzip to its own folder and start the program,

 

Press 'Config'

Press 'Unmark All'

 

Check the following boxes only:

Registry -> Run Keys

System/drivers -> Running processes

Press 'Ok'

 

Press 'Save' and select the location to save the log file

(default is the same folder as the application)

 

Post the log in this thread.


Nellie, when I tried to access that page I got a notice that "the page does not exist or you have entered the URL incorrectly". The main page is in German so I can't search for the program. Are you sure the address was right?


Hi, Nellie.

Here it is:

 

StartDreck (build 2.1.5 public BETA) - 2004-07-05 @ 21:31:43

Platform: Windows 98 (Win 4.10.1998 )

 

»Registry

»Run Keys

»Current User

»Run

*Reminder=C:\Program Files\Microsoft Money\System\reminder.exe

»RunOnce

»Default User

»Run

*Reminder=C:\Program Files\Microsoft Money\System\reminder.exe

»RunOnce

»Local Machine

»Run

*SystemTray=SysTray.Exe

*AtiCwd32=Aticwd32.exe

*AtiKey=Atitask.exe

*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

*AccessRampMonitor="C:\Program Files\EarthLink\FastLane\ARMon32.exe"

*VsecomrEXE=C:\PROGRA~1\PLUS!\Viruscan\VSECOMR.EXE

*Vshwin32EXE=C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE

*mgavrtclexe=C:\Windows\MCBin\AV\Rt\mgavrtcl.exe

*hpinstantsupport="c:\program files\hp instant support\bin\matcliwrapper.exe" "c:\program files\hp instant support\" -boot

»RunOnce

»RunServices

*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

*SchedulingAgent=mstask.exe

*Vshwin32EXE=C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE

*mgavrtclexe=C:\Windows\MCBin\AV\Rt\mgavrte.exe

*APPJK32.EXE=C:\WINDOWS\SYSTEM\APPJK32.EXE

»RunServicesOnce

»RunOnceEx

»RunServicesOnceEx

»File Associations (CR)

*.bat

*batfile="%1" %*

*.com

*comfile="%1" %*

*.disabled

*SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" "%1"

*.exe

*exefile="%1" %*

*.hta

*htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*

*.htm

*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome

*.html

*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome

*.js

*JSFile=C:\Windows\WScript.exe "%1" %*

*.jse

*JSEFile=C:\Windows\WScript.exe "%1" %*

*.pif

*piffile="%1" %*

*.scr

*scrfile="%1" /S

*.txt

*txtfile=C:\Windows\NOTEPAD.EXE %1

*.vbs

*VBSFile=C:\Windows\WScript.exe "%1" %*

*.vbe

*VBEFile=C:\Windows\WScript.exe "%1" %*

*.wsh

*WSHFile=C:\Windows\WScript.exe "%1" %*

*.wsf

*WSFFile=C:\Windows\WScript.exe "%1" %*

*.lnk

`lnkfile= [key or value does not exist]

»Browser Helper Objects (LM)

*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

`InprocServer32=C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

*{53707962-6F74-2D53-2644-206D7942484F}

`InprocServer32=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

*Class/{BDB24C00-14A7-757E-DA3B-70B5402AC77E}

`InprocServer32=C:\WINDOWS\ATLSI.DLL

»Files

»Autostart Folders

»Current User

*C:\WINDOWS\Start Menu\Programs\StartUp\Crystal 3D Audio Control.lnk

*C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Find Fast.lnk

*C:\WINDOWS\Start Menu\Programs\StartUp\Office Startup.lnk

*C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Works Calendar Reminders.lnk

*C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Greetings Reminders.lnk

*C:\WINDOWS\Start Menu\Programs\StartUp\Reminder-hpc41001.lnk

*C:\WINDOWS\Start Menu\Programs\StartUp\CAMEDIA Master.lnk

»Default User

*C:\WINDOWS\Start Menu\Programs\StartUp\Crystal 3D Audio Control.lnk

*C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Find Fast.lnk

*C:\WINDOWS\Start Menu\Programs\StartUp\Office Startup.lnk

*C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Works Calendar Reminders.lnk

*C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Greetings Reminders.lnk

*C:\WINDOWS\Start Menu\Programs\StartUp\Reminder-hpc41001.lnk

*C:\WINDOWS\Start Menu\Programs\StartUp\CAMEDIA Master.lnk

»Local Machine

»INI-Files

»WIN.INI\[windows]

*LOAD=

*RUN=hpfsched

»SYSTEM.INI\[boot]

*SHELL=Explorer.exe

»Text Files

*C:\WINDOWS\msdos.sys

*C:\msdos.sys

*C:\config.sys

*C:\autoexec.bat

*C:\WINDOWS\dosstart.bat

*C:\WINDOWS\wininit.bak

»System/Drivers

»Running Processes

*FFCFE7FF=C:\WINDOWS\SYSTEM\KERNEL32.DLL

*FFFE3B9B=C:\WINDOWS\SYSTEM\MSGSRV32.EXE

*FFFE2D0B=C:\WINDOWS\SYSTEM\MPREXE.EXE

*FFFE0BE7=C:\WINDOWS\SYSTEM\mmtask.tsk

*FFFEBADF=C:\WINDOWS\SYSTEM\MSTASK.EXE

*FFFE71EF=C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE

*FFFED933=C:\WINDOWS\EXPLORER.EXE

*FFFD1F9F=C:\WINDOWS\SYSTEM\SYSTRAY.EXE

*FFFD69F7=C:\WINDOWS\SYSTEM\ATICWD32.EXE

*FFFD1C57=C:\WINDOWS\SYSTEM\ATITASK.EXE

*FFFDB30F=C:\PROGRAM FILES\EARTHLINK\FASTLANE\ARMON32.EXE

*FFFD89A3=C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE

*FFFDC16B=C:\WINDOWS\CWD3DSND.EXE

*FFFC2323=C:\PROGRAM FILES\MICROSOFT OFFICE\FINDFAST.EXE

*FFFD99DB=C:\PROGRAM FILES\MICROSOFT OFFICE\OSA.EXE

*FFFD498F=C:\PROGRAM FILES\MSWORKS\CALENDAR\WKCALREM.EXE

*FFFCBC03=C:\PROGRAM FILES\MICROSOFT HOME PUBLISHING\MHPRMIND.EXE

*FFFCA873=C:\PROGRAM FILES\HP DESKJET 690C SERIES\EREG\REMIND32.EXE

*FFFC846F=C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.1\CM_CAMERA.EXE

*FFFC497F=C:\WINDOWS\SYSTEM\TAPISRV.EXE

*FFF97E9B=C:\WINDOWS\SYSTEM\DDHELP.EXE

*FFFD4893=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

*FFFB602F=C:\WINDOWS\SYSTEM\RNAAPP.EXE

*FFF8DEAF=C:\WINDOWS\SYSTEM\PSTORES.EXE

*FFFAE28F=C:\STARTDRECK\STARTDRECK.EXE

»NT Services

»Application specific

 

(And did I tell you thanks for being so patient with me and giving so much help?)


Hello Dave, I was wondering where you had gotten to!!! :)

 

I don't see the bad file I was expecting to see in the startdreck log! Which is a bit of a nuisance!! :(

 

Adaware however has been updated to deal with some of these variants.. so we will give that a go before anything else.

 

Open up Adaware and click on the check for updates link... download any updates and then boot into safe mode <--- this is important.

 

Run Adaware and let it fix what it finds, then reboot into normal mode... perhaps it may be an idea to reboot a couple of times... then post me a fresh log. If the problem is still there then I will ask for some help ;)


:wave: Hi, Nellie. Actually I was on vacation for a bit. I should mention that you've done a lot of good already. I haven't seen a pop-up in a while and the coolweb bogus homepage is gone, replaced by the real msn.com page. I can't change the homepage setting though, and my computer's still real slow, so something is still lurking in there. :unsure:

Anyway, here's the log:

 

Lavasoft Ad-aware Personal Build 6.181

Logfile created on :Tuesday, July 06, 2004 9:00:42 PM

Created with Ad-aware Personal, free for private use.

Using reference-file :01R329 06.07.2004

______________________________________________________

 

Ad-aware Settings

=========================

Set : Activate in-depth scan (Recommended)

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan within archives

Set : Scan my Hosts file

 

 

7-6-04 9:00:42 PM - Scan started. (Smart mode)

 

Listing running processes

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

#:1 [kernel32.dll]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4291816133

Threads : 5

Priority : High

FileSize : 460 KB

FileVersion : 4.10.1998

ProductVersion : 4.10.1998

Copyright : Copyright © Microsoft Corp. 1991-1998

CompanyName : Microsoft Corporation

FileDescription : Win32 Kernel core component

InternalName : KERNEL32

OriginalFilename : KERNEL32.DLL

ProductName : Microsoft® Windows® Operating System

Created on : 1/1/01

Last accessed : 7/6/04 4:00:00 AM

Last modified : 5/12/98 12:01:00 AM

 

#:2 [msgsrv32.exe]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4294850209

Threads : 1

Priority : Normal

FileSize : 11 KB

FileVersion : 4.10.1998

ProductVersion : 4.10.1998

Copyright : Copyright © Microsoft Corp. 1992-1998

CompanyName : Microsoft Corporation

FileDescription : Windows 32-bit VxD Message Server

InternalName : MSGSRV32

OriginalFilename : MSGSRV32.EXE

ProductName : Microsoft® Windows® Operating System

Created on : 1/1/01

Last accessed : 7/6/04 4:00:00 AM

Last modified : 5/12/98 12:01:00 AM

 

#:3 [mprexe.exe]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4294844465

Threads : 1

Priority : Normal

FileSize : 28 KB

FileVersion : 4.10.1998

ProductVersion : 4.10.1998

Copyright : Copyright © Microsoft Corp. 1993-1998

CompanyName : Microsoft Corporation

FileDescription : WIN32 Network Interface Service Process

InternalName : MPREXE

OriginalFilename : MPREXE.EXE

ProductName : Microsoft® Windows® Operating System

Created on : 1/1/01

Last accessed : 7/6/04 4:00:00 AM

Last modified : 5/12/98 12:01:00 AM

 

#:4 [mmtask.tsk]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4294837537

Threads : 1

Priority : Normal

FileSize : 1 KB

FileVersion : 4.03.1998

ProductVersion : 4.03.1998

Copyright : Copyright

CompanyName : Microsoft Corporation

FileDescription : Multimedia background task support module

InternalName : mmtask.tsk

OriginalFilename : mmtask.tsk

ProductName : Microsoft Windows

Created on : 1/1/01

Last accessed : 7/6/04 4:00:00 AM

Last modified : 5/12/98 12:01:00 AM

 

#:5 [mstask.exe]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4294883325

Threads : 2

Priority : Normal

FileSize : 109 KB

FileVersion : 4.71.1972.1

ProductVersion : 4.71.1972.1

Copyright : Copyright © Microsoft Corp. 2000

CompanyName : Microsoft Corporation

FileDescription : Task Scheduler Engine

InternalName : TaskScheduler

OriginalFilename : mstask.exe

ProductName : Microsoft

Created on : 6/18/03 2:32:18 AM

Last accessed : 7/6/04 4:00:00 AM

Last modified : 6/18/03 2:32:20 AM

 

#:6 [vshwin32.exe]

FilePath : C:\PROGRAM FILES\PLUS!\VIRUSCAN\

ProcessID : 4294868205

Threads : 3

Priority : Normal

FileSize : 139 KB

FileVersion : 3.1.6

ProductVersion : 3.1.6

Copyright : Copyright

CompanyName : Network Associates Inc

FileDescription : VShield

InternalName : VShield

OriginalFilename : VSHWIN95.EXE

ProductName : McAfee VirusScan

Created on : 5/22/99 12:37:31 AM

Last accessed : 7/6/04 4:00:00 AM

Last modified : 5/1/98 8:01:02 PM

 

#:7 [explorer.exe]

FilePath : C:\WINDOWS\

ProcessID : 4294901165

Threads : 11

Priority : Normal

FileSize : 176 KB

FileVersion : 4.72.3110.1

ProductVersion : 4.72.3110.1

Copyright : Copyright © Microsoft Corp. 1981-1997

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

OriginalFilename : EXPLORER.EXE

ProductName : Microsoft® Windows NT® Operating System

Created on : 5/12/98 12:01:00 AM

Last accessed : 7/6/04 4:00:00 AM

Last modified : 5/12/98 12:01:00 AM

 

#:8 [systray.exe]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4294799361

Threads : 1

Priority : Normal

FileSize : 36 KB

FileVersion : 4.10.1998

ProductVersion : 4.10.1998

Copyright : Copyright © Microsoft Corp. 1993-1998

CompanyName : Microsoft Corporation

FileDescription : System Tray Applet

InternalName : SYSTRAY

OriginalFilename : SYSTRAY.EXE

ProductName : Microsoft® Windows® Operating System

Created on : 1/1/01

Last accessed : 7/6/04 4:00:00 AM

Last modified : 5/12/98 12:01:00 AM

 

#:9 [aticwd32.exe]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4294799561

Threads : 1

Priority : Normal

FileSize : 20 KB

FileVersion : 4.10.2339

ProductVersion : 4.10.2339

Copyright : Copyright

CompanyName : ATI Technologies Inc.

FileDescription : ATI Common Windows Display Driver Extension

InternalName : ATICWD32

OriginalFilename : ATICWD32.EXE

ProductName : ATI Technologies Inc.

Created on : 9/30/98 5:30:55 PM

Last accessed : 7/6/04 4:00:00 AM

Last modified : 3/23/98 11:11:56 AM

 

#:10 [atitask.exe]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4294817897

Threads : 1

Priority : Normal

FileSize : 184 KB

FileVersion : 4.10.2304

ProductVersion : 4.10.2304

Copyright : Copyright

CompanyName : ATI Technologies, Inc.

FileDescription : ATI Task Application

InternalName : AtiTask

OriginalFilename : AtiTask

ProductName : ATI Technologies, Inc.

Created on : 9/30/98 5:30:54 PM

Last accessed : 7/6/04 4:00:00 AM

Last modified : 6/3/98 7:22:58 PM

 

#:11 [armon32.exe]

FilePath : C:\PROGRAM FILES\EARTHLINK\FASTLANE\

ProcessID : 4294807965

Threads : 2

Priority : Normal

FileSize : 61 KB

FileVersion : 4,0,0,2

ProductVersion : 4,0,0,27

Copyright : Copyright

CompanyName : Inverse Network Technology

FileDescription : ARMon32

InternalName : ARMon32

OriginalFilename : ARMon32.exe

ProductName : Inverse IP InSight

Created on : 5/18/99 2:19:33 AM

Last accessed : 7/6/04 4:00:00 AM

Last modified : 3/17/99 11:23:48 PM

 

#:12 [reminder.exe]

FilePath : C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\

ProcessID : 4294826429

Threads : 1

Priority : Normal

FileSize : 35 KB

FileVersion : 7.00.0724

ProductVersion : 7.00.0724

Copyright : Copyright © Microsoft Corp. 1990-1998. All rights reserved.

CompanyName : Microsoft Corporation

FileDescription : Microsoft Money Reminder

InternalName : REMINDER

OriginalFilename : REMINDER.EXE

ProductName : Microsoft Money

Created on : 7/25/98 4:00:00 AM

Last accessed : 7/6/04 4:00:00 AM

Last modified : 7/25/98 4:00:00 AM

 

#:13 [cwd3dsnd.exe]

FilePath : C:\WINDOWS\

ProcessID : 4294706365

Threads : 1

Priority : Normal

FileSize : 202 KB

FileVersion : 4.05.2720

ProductVersion : 4.05.2720

Copyright : Copyright

CompanyName : Crystal Semiconductor, Inc.

FileDescription : Crystal 3D Audio Control

InternalName : CWD3DSND

OriginalFilename : CWD3DSND.EXE

ProductName : Crystal Ware Windows Audio Drivers

Created on : 9/30/98 5:31:02 PM

Last accessed : 7/6/04 4:00:00 AM

Last modified : 4/1/98 4:27:20 AM

 

#:14 [findfast.exe]

FilePath : C:\PROGRAM FILES\MICROSOFT OFFICE\

ProcessID : 4294734857

Threads : 2

Priority : Normal

FileSize : 108 KB

Copyright :

 

Created on : 8/19/97 4:00:00 AM

Last accessed : 7/6/04 4:00:00 AM

Last modified : 8/19/97 4:00:00 AM

 

#:15 [osa.exe]

FilePath : C:\PROGRAM FILES\MICROSOFT OFFICE\

ProcessID : 4294724589

Threads : 1

Priority : Normal

FileSize : 50 KB

Created on : 8/19/97 4:00:00 AM

Last accessed : 7/6/04 4:00:00 AM

Last modified : 8/19/97 4:00:00 AM

 

#:16 [wkcalrem.exe]

FilePath : C:\PROGRAM FILES\MSWORKS\CALENDAR\

ProcessID : 4294748897

Threads : 2

Priority : Normal

FileSize : 66 KB

FileVersion : 1,0,1,1921

ProductVersion : 1,0,1,1921

Copyright : Copyright

CompanyName : Microsoft Corporation

FileDescription : Microsoft Works Calendar Advise/Reminder Server

InternalName : Advise Server

OriginalFilename : WKCALREM.EXE

ProductName : Microsoft Works

Created on : 7/21/98 4:00:00 AM

Last accessed : 7/6/04 4:00:00 AM

Last modified : 7/21/98 4:00:00 AM

 

#:17 [mhprmind.exe]

FilePath : C:\PROGRAM FILES\MICROSOFT HOME PUBLISHING\

ProcessID : 4294745285

Threads : 1

Priority : Normal

FileSize : 40 KB

FileVersion : 3, 0, 1, 2006

ProductVersion : 3, 0, 0, 0

Copyright : Copyright

CompanyName : Microsoft Corporation

FileDescription : Microsoft Graphics Studio Home Publishing & Greetings

InternalName : Microsoft Graphics Studio Home Publishing & Greetings

OriginalFilename : MHPRMNDD.EXE

ProductName : Microsoft Graphics Studio Home Publishing & Greetings

Created on : 8/13/98 4:00:00 AM

Last accessed : 7/6/04 4:00:00 AM

Last modified : 8/13/98 4:00:00 AM

 

#:18 [remind32.exe]

FilePath : C:\PROGRAM FILES\HP DESKJET 690C SERIES\EREG\

ProcessID : 4294738249

Threads : 1

Priority : Normal

FileSize : 66 KB

Copyright : : Microsoft Corporation

FileDescription : Microsoft Graphics Studio Home Publishing & Greetings

InternalName : Microsoft Graphics Studio Home Publishing & Greetings

OriginalFilename : MHPRMNDD.EXE

ProductName : Microsoft Graphics Studio Home Publishing & Greetings

Created on : 8/13/98 4:00:00 AM

Last accessed : 7/6/04 4:00:00 AM

Last modified : 8/13/98 4:00:00 AM


Oh, I'm not very good at adaware logs!! What I meant was, boot into safe mode and run adaware and let it fix what it finds.

 

Then reboot and post another hijack log.. :cool:


Oops. Hijack log coming up:

 

Logfile of HijackThis v1.97.7

Scan saved at 6:50:28 AM, on 7/9/04

Platform: Windows 98 Gold (Win9x 4.10.1998)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\ATICWD32.EXE

C:\WINDOWS\SYSTEM\ATITASK.EXE

C:\PROGRAM FILES\EARTHLINK\FASTLANE\ARMON32.EXE

C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE

C:\WINDOWS\CWD3DSND.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\FINDFAST.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OSA.EXE

C:\PROGRAM FILES\MSWORKS\CALENDAR\WKCALREM.EXE

C:\PROGRAM FILES\MICROSOFT HOME PUBLISHING\MHPRMIND.EXE

C:\PROGRAM FILES\HP DESKJET 690C SERIES\EREG\REMIND32.EXE

C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.1\CM_CAMERA.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\NEW FOLDER\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\aheqt.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\Windows\aheqt.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\Windows\aheqt.dll/sp.html#37049

F1 - win.ini: run=hpfsched

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)

O2 - BHO: (no name) - {BDB24C00-14A7-757E-DA3B-70B5402AC77E} - C:\WINDOWS\ATLSI.DLL (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe

O4 - HKLM\..\Run: [AtiKey] Atitask.exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [AccessRampMonitor] "C:\Program Files\EarthLink\FastLane\ARMon32.exe"

O4 - HKLM\..\Run: [VsecomrEXE] C:\PROGRA~1\PLUS!\Viruscan\VSECOMR.EXE

O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE

O4 - HKLM\..\Run: [mgavrtclexe] C:\Windows\MCBin\AV\Rt\mgavrtcl.exe

O4 - HKLM\..\Run: [hpinstantsupport] "c:\program files\hp instant support\bin\matcliwrapper.exe" "c:\program files\hp instant support\" -boot

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE

O4 - HKLM\..\RunServices: [mgavrtclexe] C:\Windows\MCBin\AV\Rt\mgavrte.exe

O4 - HKLM\..\RunServices: [APPJK32.EXE] C:\WINDOWS\SYSTEM\APPJK32.EXE

O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe

O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWD3DSND.EXE

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\FINDFAST.EXE

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\OSA.EXE

O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE

O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE

O4 - Startup: Reminder-hpc41001.lnk = C:\Program Files\HP DeskJet 690C Series\ereg\Remind32.exe

O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://cbop.lifepics.com/common/UserUpload/xupload.ocx

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8006.8169907407


I'm back.... been getting some lessons in the back room!! :p

 

Please download About:Buster and unzip it to your desktop.

 

Then boot into safe mode, Start it, hit Ok, Start, And Ok again to start the scan. It will generate a log. Post that log along with a new Hijack this log here.

 

But before you do, whilst still in safe mode, run adaware again and let it fix what it finds.

 

Then reboot and post the logs.


Nellie: When I tried opening AboutBusters in Safe mode, I got an error message

 

Component "MsComCtl.ocx" or one of its dependencies not correctly registered. A file is missing or invalid.

 

Is there another file I need to download? Is this just not my day?


Dave... forget what I said in my last post... you already did the visual basic thing!! Sorry. :whistle:

 

I've gotten some advice from the developer of About:Buster (thanks RubbeR DuckY :wub: )

 

You need to download and run this


Thanks, Nellie (and Rubber Ducky!). I was able to run AboutBusters with the help of the missingfile download.

I'm facing a bit of a catch-22 posting the log, though. When I boot out of Safe mode to go back on line, I lose the file from my copy&paste function. I tried running AboutBusters in regular mode, but it wouldn't give me a log.

However, here's the HijackThis log:

 

Logfile of HijackThis v1.97.7

Scan saved at 7:56:36 PM, on 7/12/04

Platform: Windows 98 Gold (Win9x 4.10.1998)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\ATICWD32.EXE

C:\WINDOWS\SYSTEM\ATITASK.EXE

C:\PROGRAM FILES\EARTHLINK\FASTLANE\ARMON32.EXE

C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE

C:\WINDOWS\CWD3DSND.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\FINDFAST.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OSA.EXE

C:\PROGRAM FILES\MSWORKS\CALENDAR\WKCALREM.EXE

C:\PROGRAM FILES\MICROSOFT HOME PUBLISHING\MHPRMIND.EXE

C:\PROGRAM FILES\HP DESKJET 690C SERIES\EREG\REMIND32.EXE

C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.1\CM_CAMERA.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\PROGRAM FILES\HP INSTANT SUPPORT\COMMON\MOTIVEDIRECTORY.EXE

C:\WINDOWS\SYSTEM\WINOA386.MOD

C:\WINDOWS\SYSTEM\WINOA386.MOD

C:\NEW FOLDER (2)\HIJACKTHIS.EXE

 

F1 - win.ini: run=hpfsched

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)

O2 - BHO: (no name) - {BDB24C00-14A7-757E-DA3B-70B5402AC77E} - C:\WINDOWS\ATLSI.DLL (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe

O4 - HKLM\..\Run: [AtiKey] Atitask.exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [AccessRampMonitor] "C:\Program Files\EarthLink\FastLane\ARMon32.exe"

O4 - HKLM\..\Run: [VsecomrEXE] C:\PROGRA~1\PLUS!\Viruscan\VSECOMR.EXE

O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE

O4 - HKLM\..\Run: [mgavrtclexe] C:\Windows\MCBin\AV\Rt\mgavrtcl.exe

O4 - HKLM\..\Run: [hpinstantsupport] "c:\program files\hp instant support\bin\matcliwrapper.exe" "c:\program files\hp instant support\" -boot

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE

O4 - HKLM\..\RunServices: [mgavrtclexe] C:\Windows\MCBin\AV\Rt\mgavrte.exe

O4 - HKLM\..\RunServices: [APPJK32.EXE] C:\WINDOWS\SYSTEM\APPJK32.EXE

O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe

O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWD3DSND.EXE

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\FINDFAST.EXE

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\OSA.EXE

O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE

O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE

O4 - Startup: Reminder-hpc41001.lnk = C:\Program Files\HP DeskJet 690C Series\ereg\Remind32.exe

O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://cbop.lifepics.com/common/UserUpload/xupload.ocx

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8006.8169907407


It looks like we are almost there now,

 

Bring up Task Manager and end this process

 

C:\WINDOWS\SYSTEM\APPJK32.EXE

 

Then have hijackthis fix the following

 

O2 - BHO: (no name) - {BDB24C00-14A7-757E-DA3B-70B5402AC77E} - C:\WINDOWS\ATLSI.DLL (file missing)

 

O4 - HKLM\..\RunServices: [APPJK32.EXE] C:\WINDOWS\SYSTEM\APPJK32.EXE

 

Boot into safe mode again and delete this file

 

C:\WINDOWS\SYSTEM\APPJK32.EXE

 

Then reboot and post me a fresh log.... oh, and hijackthis has been updated to version 1.98.0. You can update yours by clicking on config > misc tools > check for update online.


Umm, Nellie. :oops: How do I bring up Task Manager? I realize this is a dumb question but I really can't find it anywhere. Did it have a different name with Windows 98?


Sorry Dave, I should have said.... if you press Ctrl - Alt - Del together it should bring up the task manager.... :cool:


I tried Task Manager and it doesn't have a process that looks anything like APPJK32.exe. Can't find the file anywhere in Windows either.

Can you help?

And thanks again, nellie--you've been incredibly patient with my cyber-ineptness. :)


Dave.... when we get married I will just have to sort you out!! :D:D:D

 

Task manager in W98 is a bit basic, please don't worry about it.

 

Boot into safe mode then and have hijackthis fix the following

 

O2 - BHO: (no name) - {BDB24C00-14A7-757E-DA3B-70B5402AC77E} - C:\WINDOWS\ATLSI.DLL (file missing)

 

O4 - HKLM\..\RunServices: [APPJK32.EXE] C:\WINDOWS\SYSTEM\APPJK32.EXE

 

Go to start > search and do a search for APPJK32.EXE. If you can find it then delete it, if not.... well... post me another hijack log and let's see if it is still there. :whistle:


Aw, gee Nellie, I didn't realize my prose style was so appealing! :wub:

 

Anyway I ran HijackThis and neither of the files you told me to fix were in there. This seems too good to be true--can it be that the problem's fixed?? :bounce:

 

Take a peek at the log:

Logfile of HijackThis v1.97.7

Scan saved at 10:07:29 PM, on 7/19/04

Platform: Windows 98 Gold (Win9x 4.10.1998)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\ATICWD32.EXE

C:\WINDOWS\SYSTEM\ATITASK.EXE

C:\PROGRAM FILES\EARTHLINK\FASTLANE\ARMON32.EXE

C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE

C:\WINDOWS\CWD3DSND.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\FINDFAST.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OSA.EXE

C:\PROGRAM FILES\MSWORKS\CALENDAR\WKCALREM.EXE

C:\PROGRAM FILES\MICROSOFT HOME PUBLISHING\MHPRMIND.EXE

C:\PROGRAM FILES\HP DESKJET 690C SERIES\EREG\REMIND32.EXE

C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.1\CM_CAMERA.EXE

C:\PROGRAM FILES\HP INSTANT SUPPORT\COMMON\MOTIVEDIRECTORY.EXE

C:\NEW FOLDER (2)\HIJACKTHIS.EXE

 

F1 - win.ini: run=hpfsched

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe

O4 - HKLM\..\Run: [AtiKey] Atitask.exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [AccessRampMonitor] "C:\Program Files\EarthLink\FastLane\ARMon32.exe"

O4 - HKLM\..\Run: [VsecomrEXE] C:\PROGRA~1\PLUS!\Viruscan\VSECOMR.EXE

O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE

O4 - HKLM\..\Run: [mgavrtclexe] C:\Windows\MCBin\AV\Rt\mgavrtcl.exe

O4 - HKLM\..\Run: [hpinstantsupport] "c:\program files\hp instant support\bin\matcliwrapper.exe" "c:\program files\hp instant support\" -boot

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE

O4 - HKLM\..\RunServices: [mgavrtclexe] C:\Windows\MCBin\AV\Rt\mgavrte.exe

O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe

O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWD3DSND.EXE

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\FINDFAST.EXE

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\OSA.EXE

O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE

O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE

O4 - Startup: Reminder-hpc41001.lnk = C:\Program Files\HP DeskJet 690C Series\ereg\Remind32.exe

O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://cbop.lifepics.com/common/UserUpload/xupload.ocx

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8006.8169907407


Well Dave I've peeked and you look as clean as a whistle!! :bounce:

 

Have a look at this article by Tony Klein, it contains some useful information and some download links.

 

If the problem does come back.... and it might, :( Just post to this thread.. It's been nice working with you. ;)

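The check done by eye in the two posts above (confirming that the entries marked for fixing no longer appear in the follow-up log), as an added example that is not part of the original thread. The function names are illustrative, and the embedded log is a shortened excerpt of the one posted above.

```python
import re

# A HijackThis section line: "<code> - <detail>", e.g. "O4 - HKLM\..\Run: [x] y".
ENTRY_RE = re.compile(r"^([FNOR]\d{1,2}) - (.+)$")

def normalize(line):
    """Case-fold and collapse whitespace; Win9x paths are case-insensitive."""
    return " ".join(line.split()).casefold()

def parse_entries(log_text):
    """Map normalized entry -> original line for every section entry."""
    entries = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if ENTRY_RE.match(line):
            entries[normalize(line)] = line
    return entries

def still_present(fix_list, new_log):
    """Entries that were marked for fixing but appear again in the new log."""
    current = parse_entries(new_log)
    return [e for e in fix_list if normalize(e) in current]

def references(log_text, filename):
    """Any log line (process list included) that mentions the file name."""
    needle = filename.casefold()
    return [l.strip() for l in log_text.splitlines() if needle in l.casefold()]

def orphaned(log_text):
    """Entries HijackThis tagged "(file missing)": registry data left behind."""
    return [l for l in parse_entries(log_text).values()
            if l.casefold().endswith("(file missing)")]

# The two entries the helper asked to have fixed, copied from the thread.
FIX_LIST = [
    r"O2 - BHO: (no name) - {BDB24C00-14A7-757E-DA3B-70B5402AC77E} - C:\WINDOWS\ATLSI.DLL (file missing)",
    r"O4 - HKLM\..\RunServices: [APPJK32.EXE] C:\WINDOWS\SYSTEM\APPJK32.EXE",
]

# Excerpt of the follow-up log posted above (shortened for the example).
NEW_LOG = r"""
Running processes:
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE
"""
```

An empty result from `still_present` and `references` matches what was reported in the thread; `orphaned` lists entries whose target file is no longer on disk, such as the Spybot helper entry in this log.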

It looks like the only problem is that I can't change my homepage from the default, but I can live with that. :cool:

 

I just wanted to say Thanks and Thanks again to you for all the patience and help you've shown me.

You and all your friends are on my Good List forever. :wave:


Dave, all is not lost.... you can set your home page to wherever you wish.

 

I take it that at the moment, when you go to Tools > Internet Options the option for setting your home page is greyed out.

 

Open up Spybot Search and Destroy in Advanced mode, click on tools>IE tweaks and see if the option to lock your IE start page is ticked. If it is then untick it for now, change your home page and then retick it if you want it to stay locked. :)


*sigh, the end of a beautiful relationship... keep safe whilst on the net Dave and although I will miss talking to you I am glad your problems are resolved at last!! :wave:
