
Please help with ME machine.


  • This topic is locked
26 replies to this topic

#1 Quattrocs

Posted 11 March 2007 - 08:34 PM

New to this forum.
Any help would be greatly appreciated.


Here are my symptoms:
Statemgr has caused an error and will shut down. Occurs almost every boot up.
Web browsers, Google or Yahoo using IE: links will take me to random sites. Not just one site in particular.
Wlancfg5 has caused an error and will shut down. Happens randomly.
Microsoft Office 2000 very slow to open; Word will open eventually, but Excel will not open. Path not found.
Windows ME.
Ran Spybot, AVG, Wise Registry Cleaner, Ad-Aware SE.

Hijackthis log:


Logfile of HijackThis v1.99.1
Scan saved at 3:29:55 AM, on 3/11/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALTEC LANSING\AMS\ALSERV.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\ACS.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\COMMON FILES\MYSOFTWARE\NEWSFLSH.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME DEVICES\SIDEWINDER GDP.EXE
C:\PROGRAM FILES\COMMON FILES\EFAX\DLLCMD32.EXE
C:\PROGRAM FILES\COMMON FILES\EFAX\HOTTRAY.EXE
C:\PROGRAM FILES\NETGEAR\WG311T\WLANCFG5.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\au30setp.exe 3
O4 - HKLM\..\Run: [ALServ] C:\Program Files\Altec Lansing\AMS\ALServ.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [Atheros Configuration Service] C:\WINDOWS\SYSTEM\acs.exe -h
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - Startup: MySoftware NewsFlash.lnk = C:\Program Files\Common Files\MySoftware\NewsFlsh.exe
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: SideWinder Game Device Profiler.lnk = C:\Program Files\Microsoft Hardware\Game Devices\SideWinder GDP.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Startup: j2 Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Startup: NETGEAR WG311T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...ploader_v10.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.113.108,85.255.112.131


Thanks in advance.

#2 Quattrocs

Posted 12 March 2007 - 07:30 PM

Is there anywhere that lists processes that SHOULD be running on windows ME OS?

#3 SWI Support Robot

Posted 14 March 2007 - 05:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#4 Juliet

Posted 15 March 2007 - 07:39 AM

Hi and welcome

I see that you have two Anti-Virus (Avast! and AVG FREE) programs installed on your system. Having more than one AV installed will likely cause your system to run slowly and/or become unstable, as well as seriously decrease the reliable detection of any malware, since the two AVs will likely "compete" against each other.
You can keep both programs, but you must disable the real-time component of one AV, keeping it as an on-demand scanner, while the other AV will provide a real-time protection.
The alternative is to uninstall one AV and keep the other.

You make the call and if you need help uninstalling one please let me know.


Please print out these instructions or save them to Notepad, because you also have to work in Safe Mode without networking support, so this page wouldn't be available then.


Open HJT and click scan only, place a check by these entries

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...ploader_v10.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.113.108,85.255.112.131

Close all open windows and browsers except HJT and click fix checked


Please download FixwareOut from one of the following sites:
http://www.bleepingc.../Fixwareout.exe
http://downloads.sub.../Fixwareout.exe

Save it to your desktop and run it.
Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall or antivirus gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

NOTE: If you have Internet connection problems, Please go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.


Sometimes a bad DNS entry is cached
To get rid of it, go to Start > Run, and in the Open area type in: cmd
At the command prompt, copy/paste the following:

ipconfig /flushdns

Type: Exit to go out of the command prompt.



Please download ATF Cleaner by Atribune to desktop.
http://www.atribune..../click.php?id=1



Download AVG Anti-Spyware 7.5 from Here
And save that file to your desktop.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on your desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run AVG Anti-Spyware 7.5 and definition files.
  • On the main screen select the icon "Update" then select the "Update Now" link.
  • Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
  • Once in the Settings screen click on "Recommended Actions" and then select "Quarantine". <-- VERY IMPORTANT
  • Under "Reports":
    Select "Automatically generate report after every scan"
    Un-select "Only if threats were found"

Close AVG Anti-Spyware 7.5, Do not run a scan yet.


Reboot your computer into Safe Mode. Tap the F8 key just before Windows starts to load and select Safe Mode from the menu.



Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.



Important: Do not open any other windows or programs while AVG is scanning; it may interfere with the scanning process:
  • Launch AVG Anti-Spyware 7.5 by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete Scan".
  • AVG will now begin the scanning process, be patient this may take a little time to complete.
Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system. (Make sure to remember where you have saved the file, this is important.)
  • Close AVG Anti-Spyware 7.5 and reboot your system back into Normal Mode
IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.
AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can continue to use as an on-demand scanner or you may purchase a license to use the full version.


I see no evidence of a Firewall.

Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.
You should not rely on just the Windows XP firewall when there are firewalls that are free for personal use that are better, the Windows XP firewall only checks incoming data.
If you decide to download and install another Firewall....please disable Windows Firewall.
Start menu->>Control Panel->>Security Center->>Windows Firewall and disable Windows Firewall.
Sygate free firewall
ZoneAlarm free firewall
Outpost free Firewall
Comodo
Kerio Personal Firewall
Jetico Personal Firewall

The above are known good free Firewalls available for personal use. If one conflicts with your system, try another.
For a tutorial on Firewalls and a listing of some available ones see the link below
http://www.bleepingc...tutorial60.html



In your next reply I need:
FixWareOut (report.txt)
New HJT log
AVG A/S log

Comments on how the computer is running now
Sometimes the angels fly close enough to you that you can hear the flutter of their wings
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#5 Quattrocs

Posted 16 March 2007 - 08:08 PM

Thank you for your help. I will be working on it. I will post my results.

#6 Quattrocs

Posted 26 March 2007 - 04:58 AM

Thanks for the help.

I ran fixwareout but I couldn't copy any report as it went through its process in an instant and closed. Is there something I’m doing incorrectly?
I cannot install avg antispyware 7.5. message pops up “sorry avg antispyware 7.5 needs windows 2000 and above to be installed”
I skipped avg and continued on to atf cleaner. I was unable to enter safe mode by tapping f8, I was however able to get there by holding the ctrl key. This got me to safe mode, but my mouse would not function. Some fancy keystrokes though and I got through it.
So far, my excel documents are working again, and IE no longer takes me wherever it wants to.
I do have a couple other things going on and they are typically during boot up. I get a message “statemgr has caused an error in KRNL 386.exe statemgr will now close”, which happens frequently, and “wlancfg5 has caused an error in KRNEL 32.dll, wlancfg5 will now close”. Any suggestions?





Logfile of HijackThis v1.99.1
Scan saved at 2:18:30 PM, on 3/19/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALTEC LANSING\AMS\ALSERV.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\ACS.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\PROGRAM FILES\COMMON FILES\MYSOFTWARE\NEWSFLSH.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME DEVICES\SIDEWINDER GDP.EXE
C:\PROGRAM FILES\COMMON FILES\EFAX\DLLCMD32.EXE
C:\PROGRAM FILES\COMMON FILES\EFAX\HOTTRAY.EXE
C:\PROGRAM FILES\NETGEAR\WG311T\WLANCFG5.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\MSAGENT\AGENTSVR.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\au30setp.exe 3
O4 - HKLM\..\Run: [ALServ] C:\Program Files\Altec Lansing\AMS\ALServ.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [Atheros Configuration Service] C:\WINDOWS\SYSTEM\acs.exe -h
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - Startup: MySoftware NewsFlash.lnk = C:\Program Files\Common Files\MySoftware\NewsFlsh.exe
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: SideWinder Game Device Profiler.lnk = C:\Program Files\Microsoft Hardware\Game Devices\SideWinder GDP.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Startup: j2 Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Startup: NETGEAR WG311T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab55579.cab

Edited by Quattrocs, 26 March 2007 - 05:00 AM.
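
Added example, not part of the original thread: a small Python check that compares the HijackThis entries from the first log with those in the log above, listing what the fix removed and which O17 NameServer values pointed at non-local resolvers. The sample lines are a subset copied from the two logs on this page; the function names are illustrative.

```python
import ipaddress
import re

# Subset of entry lines copied from the first HijackThis log in this thread.
LOG_BEFORE = r"""
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...ploader_v10.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.113.108,85.255.112.131
"""

# The same subset as it appears in the second log (after the fix).
LOG_AFTER = r"""
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
"""

# HijackThis entry lines start with a section code (R0, O4, O17, ...) and " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")


def parse_entries(log_text):
    """Return the set of (section_code, body) entries; process paths are skipped."""
    entries = set()
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.add((match.group(1), match.group(2)))
    return entries


def nameservers(entries):
    """Extract the IP addresses from O17 'NameServer = a,b' entries."""
    found = []
    for code, body in sorted(entries):
        if code != "O17" or "NameServer" not in body:
            continue
        _, _, value = body.partition("=")
        for token in re.split(r"[,\s]+", value.strip()):
            try:
                found.append(ipaddress.ip_address(token))
            except ValueError:
                continue  # not an IP literal (empty token, hostname, ...)
    return found


def non_local_nameservers(entries):
    """O17 resolvers outside private, loopback and link-local ranges.

    These are the ones to compare against what the ISP or router hands out.
    """
    return [
        str(ip)
        for ip in nameservers(entries)
        if not (ip.is_private or ip.is_loopback or ip.is_link_local)
    ]


def diff_logs(before_text, after_text):
    """Return (removed, added) entry lists between two scans."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    return sorted(before - after), sorted(after - before)


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    for code, body in removed:
        print("removed:", code, "-", body)
    for code, body in added:
        print("added:  ", code, "-", body)
    print("non-local O17 resolvers before:",
          non_local_nameservers(parse_entries(LOG_BEFORE)))
    print("non-local O17 resolvers after: ",
          non_local_nameservers(parse_entries(LOG_AFTER)))
```
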


#7 Juliet

Posted 26 March 2007 - 09:01 AM

Welcome back

I ran fixwareout but I couldn't copy any report as it went through its process in an instant and closed. Is there something I’m doing incorrectly?

We'll try to run that again after a few troubleshooting tips.

I do have a couple other things going on and they are typically during boot up. I get a message “statemgr has caused an error in KRNL 386.exe statemgr will now close”, which happens frequently, and “wlancfg5 has caused an error in KRNEL 32.dll, wlancfg5 will now close”. Any suggestions?


Clean boot your computer:
1. Click Start, click Run, type msconfig in the Open box, and then click OK.
2. On the General tab, click Selective startup.
3. Click to clear all of the check boxes under Selective startup.
4. On the Startup tab, click to select the *StateMgr check box.
5. Click OK.

When you are prompted to restart your computer, click Yes.


Do a disk cleanup to clear the browser cache and other unnecessary files.

Go to Start > Run and type in the box: Cleanmgr
Wait while Windows scans your system for files to delete.
Make sure these 3 are checkmarked and press *ok* to delete them.

Temporary Files
Temporary Internet Files
Recycle Bin


To run Check Disk
1. Open My Computer and right-click on Local Disk (C:)
2. Select "Properties" and click on the "Tools" Tab
3. Under Error-checking, click on the button that says "Check Now..."
4. Under Check Disk Options, check "Automatically fix file system errors" and "Scan for and attempt recovery of bad sectors"


Errors in krnl386.exe are memory management errors usually caused by conflicting applications.

Errors pointing to wlancfg5 are related to NETGEAR WG311v2 Adapter\wlancfg5.exe.
Reinstall the drivers for your network card.


Start-->Settings-->Control Panel-->System-->Device Manager

See if you can access the Device Manager and see if there are yellow exclamation points (!) or red exclamation points (!) by any of your drivers listed there.


Read this link that may give some insight to issues familiar to this one
http://forums1.itrc....831551 28353475



Do a PIT test and post the results; we could see several things that would help in a diagnosis.
You can run a test at PCPitStop. Please register (it's free) with PCPitStop and run the full tests http://www.pcpitstop...top/default.asp
This is an excellent diagnostics scan that may help in determining problems not related to malware. When the tests are complete, a results page will pop up. Click "Share these results with TechExpress" on the left-hand side. Then copy the URL provided and post it here for me to review.


I would still like for you to run another scan....I'm not sure if this will work with Windows ME


Download and scan with the free 15 day trial of Counterspy
Or alternate location found Here

Once installed launch Counterspy.
Click on 'Spyware Scan', then click 'Updates' at the top right.
Once any available updates have been installed, click the 'Scan Now' button.
1. Once Counterspy has done scanning, the 'Scan Results' box will appear.
2. Click on 'View Results'.
3. Under (Recommended Action), using the drop down menus at the side of each entry found, set EVERYTHING to 'Remove'.
4. Then click on 'Take Action'.
5. Once everything has been removed, click on 'View Details'.
6. Copy and Paste those details into a Word/Text document, then save it to your desktop.
Or Follow this tutorial on the installation/setup/scanning and cleaning of any infections found: Here



Let's try to run FixWareout again

Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://www.bleepingc.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt


NOTE: If you have Internet connection problems, Please go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.
Sometimes a bad DNS entry is cached
To get rid of it, go to Start > Run, and in the Open area type in: cmd

At the command prompt, copy/paste the following:

ipconfig /flushdns

Type: Exit to go out of the command prompt.


In your next reply I need:
PIT test
Counterspy log
C:\fixwareout\report.txt
New HJT log

Comments on how the computer is running now.


Also, please do not post for help at other forums; this takes up valuable time offered by volunteers.
If you want to continue here at SWI, please have this thread closed.
http://boards.cexx.o...=15891.msg65369
Or let me know and we can ask TeMerc to continue with the post at the other forum.

#8 Quattrocs

Posted 27 March 2007 - 05:02 PM

Also, please do not post for help at other forums; this takes up valuable time offered by volunteers.
If you want to continue here at SWI, please have this thread closed.
http://boards.cexx.o...=15891.msg65369
Or let me know and we can ask TeMerc to continue with the post at the other forum.



oops.


I did not have permission to remove it so I requested a MOD delete it. Sorry

#9 Juliet

Posted 27 March 2007 - 07:11 PM

Welcome back

Sorry I'm a bit confused...you will continue here?

#10 Quattrocs

Posted 27 March 2007 - 11:18 PM

Welcome back

Sorry I'm a bit confused...you will continue here?

Yes please!

I requested the thread be deleted from cexx.

#11 Juliet

Posted 28 March 2007 - 06:38 AM

Ok thank you, please continue with instructions.

In your next reply I need:
PIT test
Counterspy log
C:\fixwareout\report.txt
New HJT log

Comments on how the computer is running now.



#12 Quattrocs

Posted 29 March 2007 - 03:39 AM

Hello Juliet, first off I did as you suggested and did a clean boot, disk cleanup and ran check disk. The only thing I didn’t see a box to check is “scan for and attempt recovery of bad sectors”. After scan disk had run, it had found and repaired several bad clusters. I have not reinstalled my network drivers yet, I did check out the link you sent me, but I have not dug deep into this one yet. The site did however mention the krnl386.exe problem could stem from incompletely uninstalled programs, which reminded me that I have real player and windows media player, both of which I have attempted to uninstall in the past but there are still remnants of both. I don’t know if this is the place to resolve those issues. I checked my device manager and found NO conflicting devices

I did a pit test, here’s the URL I copied, I hope it gets you there. I have not applied any of their suggestions yet.

http://www.pcpitstop...ess/default.asp

I tried to run counterspy, but it will not work with ME.

I ran fixwareout again and here’s a copy of the text I got. I hope it is what you were looking for.

Fixwareout Last edited 2/11/2007
Post this report in the forums please

Random Runs removed from HKLM


We recommend getting a free online scan
Computer Associates eTrust AV Web Scanner: http://www3.ca.com/v.../virusscan.aspx

Hosts file was reset, If you use a custom hosts file please replace it.

My system still runs like a sloth and is temperamental at best, but it may be the nature of this beast. It may improve after I apply some of the PIT test suggestions, but I wanted you to look at it first.

And last but not least is my updated hijack log. Thanks again!


Logfile of HijackThis v1.99.1
Scan saved at 6:47:10 AM, on 3/27/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALTEC LANSING\AMS\ALSERV.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\ACS.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\PROGRAM FILES\COMMON FILES\MYSOFTWARE\NEWSFLSH.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME DEVICES\SIDEWINDER GDP.EXE
C:\PROGRAM FILES\COMMON FILES\EFAX\DLLCMD32.EXE
C:\PROGRAM FILES\COMMON FILES\EFAX\HOTTRAY.EXE
C:\PROGRAM FILES\NETGEAR\WG311T\WLANCFG5.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\au30setp.exe 3
O4 - HKLM\..\Run: [ALServ] C:\Program Files\Altec Lansing\AMS\ALServ.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [Atheros Configuration Service] C:\WINDOWS\SYSTEM\acs.exe -h
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - Startup: MySoftware NewsFlash.lnk = C:\Program Files\Common Files\MySoftware\NewsFlsh.exe
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: SideWinder Game Device Profiler.lnk = C:\Program Files\Microsoft Hardware\Game Devices\SideWinder GDP.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Startup: j2 Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Startup: NETGEAR WG311T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab55579.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB

#13 Juliet

Posted 29 March 2007 - 06:35 AM

Welcome back

Your Tech Express link didn't work, you can try that again.

Please look for C:\fixwareout\report.txt to see if a more complete report is found there.


You do have a few items in your startups list that can be disabled. The following are not malware, but fixing them with HijackThis will improve your system's speed. None are necessary at startup, and may be started manually at any time. This is up to you.

Open HJT and click scan only, place a check by these entries


O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
(This is a valid program but it is not required to run on startup. It is advised that you disable this program so that it does not take up necessary resources. This is a "scheduler" and does not turn off PC Health)

O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\au30setp.exe 3
(This program is not required to start automatically as you can run it when you need to. It is advised that you disable this program so that it does not take up necessary resources. System Tray application for Aureal Vortex based soundcards. Can be run manually via Start -> Settings -> Control Panel)

O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
(This program is not required to start automatically as you can run it when you need to. It is advised that you disable this program so that it does not take up necessary resources. DirectCD primarily allows you to drag and drop files onto a suitably formatted CD-RW disc. Unless you use this on a frequent basis it isn't required and is available via Start -> Programs. Start the program before inserting a DirectCD formatted CD-RW in the drive. A re-boot is recommended if you close Adaptec DirectCD before re-opening it again later)

O4 - Startup: MySoftware NewsFlash.lnk = C:\Program Files\Common Files\MySoftware\NewsFlsh.exe
(This program is not required to start automatically as you can run it when you need to. It is advised that you disable this program so that it does not take up necessary resources. A program that runs in your task bar and receives alerts and release information on MySoftware products.)

O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
(It is advised that you disable this program so that it does not take up necessary resources. Supposed to keep an Epson printer ready for quick printing. Users report little difference whether it is on or not)

O4 - Startup: SideWinder Game Device Profiler.lnk = C:\Program Files\Microsoft Hardware\Game Devices\SideWinder GDP.exe
(Is used for gaming devices such as joysticks, disabling this will not stop the devices but free up a small amount of resources.)

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
(Application which launches common MS Office components to help speed up the launch of Office programs. It's somewhat of a resource hog, and some users claim there's no difference with or without it but it usually isn't required.)

Close all open windows and browsers except HJT and click fix checked.

Let's try another scanner to see if it can find anything malicious.


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

If this doesn't run on ME, let's try this one

Next go Here to run Panda's ActiveScan.
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button.
Enter your State/Province
Enter your E-mail address and click send.
Select either Home user or Company.
Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a few minutes)
When the download is complete, click on My Computer to start the scan.
When the scan completes, if anything malicious is detected, click the See Report button, then Save report and save it to a convenient location (activescan.txt to desktop).
Post the contents of the ActiveScan report


In your next reply I need:
Scan logs
New HJT log

Comments on how the system is running now
Sometimes the angels fly close enough to you that you can hear the flutter of their wings
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#14 Quattrocs


Posted 05 April 2007 - 08:10 PM

Sorry about that, hope this one gets you to my pit test

http://www.pcpitstop...FY0FWDDHJWSH6RJ

here are a couple dr. web cureit logs. I ran it twice (in safe mode) a couple days apart as the first run stated that it had been interrupted by the user, although I did not touch anything while it was running. This is what I got my first time.

owsgv.exe;C:\WINDOWS\SYSTEM;Trojan.DnsChange;Incurable.Moved.;
dmtze.exe;C:\WINDOWS\SYSTEM;Trojan.DownLoader.18512;Incurable.Moved.;

Here’s the second run, it also told me that it had been interrupted by the user, after it was done. I also wanted to mention, for anyone else that might be reading this, that I cannot get to safe mode by tapping f8. the only way I’ve found, is by holding the ctrl key while booting up. I read that on another forum. Once I was in safe mode, my mouse would not work. I was using a usb mouse. I plugged in a ps2 mouse, and it worked fine. I don’t know if it is specific to this machine, or if that’s just the way it is.


A0081334.CPY;C:\_RESTORE\TEMP;Trojan.DnsChange;Incurable.Will be moved after reboot.;
A0081337.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.18512;Incurable.Will be moved after reboot.;


I ran fixwareout again, but still this is the only report I get.

Fixwareout Last edited 2/11/2007
Post this report in the forums please

Random Runs removed from HKLM

We recommend getting a free online scan
Computer Associates eTrust AV Web Scanner: http://www3.ca.com/v.../virusscan.aspx

Hosts file was reset, If you use a custom hosts file please replace it.


I have opted not to fix any of the things you suggested with HT at the moment. Unless you decide to strongly urge me to do so. In that case I will. Here is my latest log. And thanks again

Logfile of HijackThis v1.99.1
Scan saved at 11:24:58 AM, on 4/4/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALTEC LANSING\AMS\ALSERV.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\ACS.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\PROGRAM FILES\COMMON FILES\MYSOFTWARE\NEWSFLSH.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME DEVICES\SIDEWINDER GDP.EXE
C:\PROGRAM FILES\COMMON FILES\EFAX\DLLCMD32.EXE
C:\PROGRAM FILES\COMMON FILES\EFAX\HOTTRAY.EXE
C:\PROGRAM FILES\NETGEAR\WG311T\WLANCFG5.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\au30setp.exe 3
O4 - HKLM\..\Run: [ALServ] C:\Program Files\Altec Lansing\AMS\ALServ.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [Atheros Configuration Service] C:\WINDOWS\SYSTEM\acs.exe -h
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - Startup: MySoftware NewsFlash.lnk = C:\Program Files\Common Files\MySoftware\NewsFlsh.exe
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: SideWinder Game Device Profiler.lnk = C:\Program Files\Microsoft Hardware\Game Devices\SideWinder GDP.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Startup: j2 Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Startup: NETGEAR WG311T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab55579.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
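Added example (not part of either poster's messages): a small Python cross-check of Dr.Web CureIt report lines against a HijackThis log, showing whether a detected file is still listed as a running process or an O4 autostart entry. The sample inputs are constructed in the formats quoted in this thread; the `constructed-entry` O4 line is invented for the demonstration and does not appear in the poster's log, and the function names are this example's own.

```python
import re

# Constructed sample: report lines in the Dr.Web CSV format quoted in the thread.
DRWEB_REPORT = r"""
owsgv.exe;C:\WINDOWS\SYSTEM;Trojan.DnsChange;Incurable.Moved.;
dmtze.exe;C:\WINDOWS\SYSTEM;Trojan.DownLoader.18512;Incurable.Moved.;
A0081334.CPY;C:\_RESTORE\TEMP;Trojan.DnsChange;Incurable.Will be moved after reboot.;
"""

# Constructed sample: HijackThis excerpt. The last O4 line is invented here.
HJT_LOG = r"""
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - HKLM\..\Run: [constructed-entry] C:\WINDOWS\SYSTEM\dmtze.exe
"""

# "O4 - <location>: [<value name>] <command>"  or  "O4 - Startup: <link> = <target>"
O4_RE = re.compile(
    r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] |(?P<lnk>.+?) = )(?P<cmd>.+)$")


def parse_drweb(report):
    """Split 'file;folder;threat;action;' lines into dicts."""
    rows = []
    for line in report.splitlines():
        fields = [f.strip() for f in line.split(";")]
        if len(fields) < 4 or not fields[0]:
            continue  # blank or malformed line
        name, folder, threat, action = fields[:4]
        rows.append({
            "name": name, "folder": folder, "threat": threat, "action": action,
            # C:\_RESTORE is the Windows ME System Restore data store
            "restore_copy": folder.upper().startswith("C:\\_RESTORE"),
            "pending": "after reboot" in action.lower(),
        })
    return rows


def parse_hijackthis(log):
    """Return (running process paths, [(location, entry name, command)])."""
    processes, autostarts, in_processes = [], [], False
    for line in (raw.strip() for raw in log.splitlines()):
        if line == "Running processes:":
            in_processes = True
        elif not line:
            in_processes = False  # a blank line ends the process list
        elif in_processes:
            processes.append(line)
        else:
            m = O4_RE.match(line)
            if m:
                autostarts.append((m["where"], m["name"] or m["lnk"], m["cmd"]))
    return processes, autostarts


def mentions(name, text):
    """True if the file name appears in text as a whole token, ignoring case."""
    pattern = r"(?<![\w.])" + re.escape(name.lower()) + r"(?![\w.])"
    return re.search(pattern, text.lower()) is not None


def triage(report, log):
    """Attach 'running' and 'autostart' evidence to every detection."""
    processes, autostarts = parse_hijackthis(log)
    results = []
    for det in parse_drweb(report):
        det["running"] = any(mentions(det["name"], p) for p in processes)
        det["autostart"] = [(w, n) for w, n, cmd in autostarts
                            if mentions(det["name"], cmd)]
        results.append(det)
    return results


if __name__ == "__main__":
    for r in triage(DRWEB_REPORT, HJT_LOG):
        print(r["name"], r["threat"], "running" if r["running"] else "not running",
              r["autostart"] or "no autostart", "pending" if r["pending"] else "")
```

A detection that was moved but still has an autostart entry means the entry is left pointing at a missing file, or the file has been recreated; either way the entry should be reviewed in a fresh log.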

#15 Juliet


Posted 06 April 2007 - 06:10 AM

Welcome back

I have opted not to fix any of the things you suggested with HT at the moment. Unless you decide to strongly urge me to do so.

That is totally your choice, but I think if you tried it you would see a difference in performance, especially since you're running 256MB RAM, that cannot carry a heavy load.
In time you may opt to increase memory because your Pit test shows Available RAM slots 2.

Search for and delete these files in bold (DrWeb may have taken these out but I want to make sure.)
C:\WINDOWS\SYSTEM\owsgv.exe
C:\WINDOWS\SYSTEM\dmtze.exe

If you have trouble finding any of those files/folders, then configure Windows Explorer to show hidden files and folders and go after them again. (Remember to Hide files and folders once done).

Enable viewing of hidden files as follows:
1) Go to My Computer, and click on the "Tools" menu
2) Click "Folder options"
3) Select the "View" tab
4) Make sure "Show hidden files and folders" is selected
5) Make sure "Hide extensions for known file types" is unchecked
6) Make sure "Hide protected operating system files (recommended)" is unchecked.


Were you able to run the Panda scan?


A few things about your Pit test

Your current Internet Explorer settings for the Restricted Sites security zone could expose your PC to intrusion.

Start Internet Explorer.
Select Tools | Internet Options from the menu and click the Security tab.
Click the Restricted Sites icon (make sure the Internet, Local Intranet or Trusted Sites icons are not selected), and then click the Custom Level button.
On the list of security items, make sure that every item is set to either "Disable" or "Prompt".
Click OK in the Security Settings box and again in the Internet Options box to save the new settings.
Close ALL browser windows, then open a new window so that the new settings can take effect


Adjust Browser Cache Size

Start Internet Explorer.
Select Tools | Internet Options | General.
Under Temporary Internet Files click the Settings button.
In the box for the amount of disk space to use, enter a value between 10 and 100 megabytes.
Click OK to accept the changes.


Junk files 605 MB (6%) <--terribly high
Defragment after you clean out Temp files

Clean out all the temporary files and cookies on your system. Go to Start > Run and enter: cleanmgr. Let it scan your system for files to remove. Check these three boxes and then press ok to remove: Temporary Files, Temporary Internet Files, Recycle Bin

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Then use "Start > Run" and type in "%temp%" (without the quotes). Delete the entire contents of that "temp" folder (use "Edit > Select All", press "Delete", click "Yes").

How to use CleanUp!
by Steven R. Gould
I use this Temp and junk cleaner myself and it does a good job.

TIPS FOR WIN ME http://www.microsoft...ips/default.asp
MAKE WIN ME RUN BETTER
http://www.informati...A...3483&pgno=1


Your Pit test shows these items can be safely disabled from your startups folder as well

Roxio Direct CD Adaptec C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
eFax eFax.com C:\PROGRAM FILES\COMMON FILES\EFAX\DLLCMD32.EXE
hottray.exe eFax.com C:\PROGRAM FILES\COMMON FILES\EFAX\HOTTRAY.EXE
NewsFlsh.exe MySoftware, Inc. C:\PROGRAM FILES\COMMON FILES\MYSOFTWARE\NEWSFLSH.EXE
Smart Configuration Module C:\PROGRAM FILES\NETGEAR\WG311T\WLANCFG5.EXE
Still Image Monitor Microsoft Corporation C:\WINDOWS\SYSTEM\STIMON.EXE
GDP.exe C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME DEVI ... \SIDEWINDER GDP.EXE


Please post back and let me know what issues remain

#16 Juliet


Posted 16 April 2007 - 06:22 AM

Glad we could help. :)

Since this issue appears resolved ... this Topic is closed.

[Reopened]
Everyone else please begin a New Topic.

#17 cnm


Posted 19 April 2007 - 06:18 PM

Reopened at request of topic owner.
Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE

#18 Quattrocs


Posted 20 April 2007 - 01:02 AM

Reopened at request of topic owner.

Thanks

#19 Quattrocs


Posted 20 April 2007 - 01:03 AM

Sorry about that. I had a few more questions.

I searched for owsgv.exe, and dmtze.exe, but found neither.
I was not able to run the panda scan, I couldn’t even get to the website without firefox or IE giving me an error has occurred in GDI.exe
I changed everything in my restricted sites to disable or prompt.
I have adjusted my browser cache size, deleted every temp file as you instructed, and disabled all of the startups suggested by the pit test. So far so good.
There is however one thing that I’ve not noticed before. When I do a search for files or folders, Microsoft office 2000 professional attempts to install. Of course I can’t install, as there is no install disk. After closing the install window, I get the message: “Error 1706 no valid source could be found for Microsoft office 2000 professional the windows installer cannot continue. The file Microsoft office 2000 professional is not a valid installation package for the product Microsoft office 2000 professional”. I don’t appear to be having any other problems with Microsoft office. Any ideas?
Last but not least, can you help me or can you direct me to someone that can help me uninstall real player. When I try, it tells me that the uninstall component is missing. I’ve read through many forums about problems uninstalling real player, but none of them has helped me.
Overall, this computer is running much better than it was before you whipped it into shape. Thanks again.

Are there any other logfiles you want to see?

#20 Juliet


Posted 20 April 2007 - 05:51 AM

Welcome back

  • Open HiJackThis
  • Click on "View the list of Backups"
  • Place a check mark next to: O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
  • Click Restore
  • Click Yes
  • Reboot your computer


I found a few links that may also be related to this
How to install or repair individual features of Office 2000
How to obtain the latest Office 2000 service pack
Windows Installer CleanUp Utility


How to Repair Internet Explorer 6


We can try this for real player
You'll need to uninstall using the uninstall utility in the RealPlayer folder.
Boot into safe mode
Go to C:\Program Files\Common Files\Real\Update_OB and run the uninstall from there too, checking that all the boxes are ticked.

Post back and let me know what issues remain

Edited by Juliet, 20 April 2007 - 04:39 PM.


#21 Quattrocs


Posted 22 April 2007 - 08:59 AM

Ok, I checked my list of backup files in hijack this, but O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE….was not there. It does show up in my HT log though. It looks like I will need to find my Microsoft 2000 disk to get anywhere with that.

Repaired my Internet explorer 6 using the link you sent.

And I attempted to uninstall real player in safe mode, but I get the same “uninstaller component missing” message.

So, I’d say if you can help me get that real player off my machine, we’re a done deal, at least for now until I mess up something else.

Thanks, your help is GREATLY appreciated.

#22 Juliet


Posted 22 April 2007 - 09:26 AM

Welcome back

One way we can go about this

Search for and delete these files/folders in bold
C:\Program Files\RealPlayer
and any reference to it in--
C:\Program Files\Common\Microsoft Shared\RealPlayer

Do not delete any \Realtek

The "civilized" way to get rid of that Real Player when Add/Remove or its native uninstaller fails, is of course ---
Reinstall the same version of RealPlayer from Download - Install
Then Uninstall via Add/Remove........


Give that a try and see if it works out.

Edited by Juliet, 22 April 2007 - 09:28 AM.


#23 Quattrocs


Posted 02 May 2007 - 09:39 AM

Hello again, sorry for the delay.
I did not find any real player in the specific paths you suggested, but I did a search and came up with several Real folders with RealPlayer in them with a bunch of other “files” I am unfamiliar with. Do I want to delete these Real folders? I did not find any Realtek files or folders, so won't be in danger of deleting that.
I have deleted several RealPlayer folders, but there are still those located in the Real folders. I was going to try the “civilized” way, but I cannot find what version I have. Where might I find that information?

#24 Juliet


Posted 02 May 2007 - 11:10 AM

Welcome back

Read through these two links for troubleshooting tips.

UNINSTALLING REALPLAYER

How do I completely remove RealPlayer from my computer, then reinstall it?

#25 Quattrocs


Posted 08 May 2007 - 11:52 PM

I guess that about does it.

Thank you for all of your help!

#26 Juliet


Posted 09 May 2007 - 05:11 AM

Welcome back

Below I have included a number of recommendations to protect your computer in order to prevent future malware infections.

Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.


Install and Update SpywareBlaster protects against bad ActiveX, browser hijackers, and dialers that are some of the fastest-growing threats on the Internet today.
Tutorial

IE-SPYAD puts over 5000 sites in your restricted zone so you will be protected when you visit innocent-looking sites that aren't actually innocent at all.
Tutorial

Install and Update SpyBot Search&Destroy Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would an antivirus software.
Tutorial
Run on a regular basis

Install and Update Ad-Aware SE Personal
You should also scan your computer with this program on a regular basis just as you would an antivirus software in conjunction with Spybot.
Tutorial
Run on a regular basis

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.
And run them regularly, as this can prevent a great deal of spyware hassle.

Please take the time to read this article with suggestions and information on 'Safe Computing Practices.'

So how did I get infected in the first place.
Another valuable article to read: Dealing with Unwanted Spyware and Parasites

#27 Juliet


Posted 09 May 2007 - 05:17 AM

Glad we could help. :)

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.