Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Please take a peek [RESOLVED]


  • This topic is locked This topic is locked

#1
boomercj

boomercj

    Member

  • Member
  • PipPipPip
  • 122 posts
I don't really have a problem - that I know of. But you folks find things that like to hide. I'm posting my HJT log, and ewido scan log. I have AVG scanning every night and it hasn't reported any problems. I guess I'm just paranoid. I read all of the problems that everyone is having, so I'm wondering if some nasty has taken up residence in this computer.

Edit----
By the way, this is not the same computer from my winfixer.exe post (last week) which was and remains wonderfully fixed.


Logfile of HijackThis v1.99.1
Scan saved at 12:21:40 PM, on 8/25/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\srvany.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Linksys Wireless AG USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless AG USB Wireless Network Monitor\WUSB54AG.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
C:\Program Files\Linksys Wireless AG USB Wireless Network Monitor\InfoMyCa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\QBOOKSW\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINNT\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [pdfFactory Dispatcher v1] C:\WINNT\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
O4 - HKLM\..\Run: [MyCA] C:\Program Files\Linksys Wireless AG USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\QBOOKSW\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office2000\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: TruePass EPF 7,0,0,478 - https://pki.revenue....sapplet-epf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINNT\system32\srvany.exe
O23 - Service: WUSB54AG - Unknown owner - C:\Program Files\Linksys Wireless AG USB Wireless Network Monitor\WLService.exe" "WUSB54AG.exe (file missing)




ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:15:58 PM 8/25/2006

+ Scan result:



C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).


::Report end

Edited by boomercj, 25 August 2006 - 01:43 PM.

  • 0

Advertisements


#2
cfa-ddg2

cfa-ddg2

    Visiting Staff

  • Visiting Consultant
  • 963 posts
Hello again boomercj...welcome back!

I am glad the other computer is still doing well!

I do not see much in that HJT log of a 'bad' nature, the Ewido scan is clean other than 'cookies'.

There are two O9 entries in the HJT log associated with Alexa (probably the toolbar) which would be an optional fix...some consider it spyware, but others find it useful. If you want to read more about Alexa you can go here: http://www.imilly.com/alexa.htm and here: http://www.felgall.com/brsie9.htm. Alternatively, you could just Google 'Alexa and spyware' and see the gamut of opinions. The choice ot keep it or get rid of it is up to you..

You also may have Weatherbug installed which most would consider adware and recommend removal..but it's certainly not malicious. There are adware-free alternatives such as WeatherPulse (which I use) and can be found here: Weather Pulse.

If you want to remove these things I mentioned, you can do the following instructions. If you want to keep both of these programs then ignore them:

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?



Now close all windows other than HiJackThis, then click Fix Checked.

Go to control panel>>Add or Remove Programs and remove Weatherbug (If present).

Then you would need to find and delete this file using Windows Explorer:

C:\WINNT\web\related.htm

Other than that, I'd say you're 'good to go'....
  • 0

#3
boomercj

boomercj

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 122 posts
My hero has returned! I'm surprised you didn't tell me to "stand on my head in a corner and cluck like a chicken" :blink:

I did have WeatherBug on the computer a long time ago, but I uninstalled it ages ago. I just looked up the alexa website today to see the web browser traffic stats. It appears that Firefox is giving IE6 a run for their money - but that's a whole other issue.

What I had forgot to mention, if it really matters, is that these computers at the office are running both Windows98 and Windows 2000 Professional. We're keeping 98 because we have software we need to use occasionally which runs on 98 but not 2000. But they are both on the same drive. So what I'm doing here fixes the computer no matter which operating system is being used?

Once again, thank you. You are amazing :whistling:

Logfile of HijackThis v1.99.1
Scan saved at 4:10:12 PM, on 8/25/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\srvany.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Linksys Wireless AG USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless AG USB Wireless Network Monitor\WUSB54AG.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
C:\Program Files\Linksys Wireless AG USB Wireless Network Monitor\InfoMyCa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\QBOOKSW\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [pdfFactory Dispatcher v1] C:\WINNT\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
O4 - HKLM\..\Run: [MyCA] C:\Program Files\Linksys Wireless AG USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\QBOOKSW\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office2000\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: TruePass EPF 7,0,0,478 - https://pki.revenue....sapplet-epf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINNT\system32\srvany.exe
O23 - Service: WUSB54AG - Unknown owner - C:\Program Files\Linksys Wireless AG USB Wireless Network Monitor\WLService.exe" "WUSB54AG.exe (file missing)
  • 0

#4
cfa-ddg2

cfa-ddg2

    Visiting Staff

  • Visiting Consultant
  • 963 posts

My hero has returned! I'm surprised you didn't tell me to "stand on my head in a corner and cluck like a chicken" :blink:


LOL... :help:

What I had forgot to mention, if it really matters, is that these computers at the office are running both Windows98 and Windows 2000 Professional. We're keeping 98 because we have software we need to use occasionally which runs on 98 but not 2000. But they are both on the same drive. So what I'm doing here fixes the computer no matter which operating system is being used?


I take it that you then have each OS on a separate partition of the same drive? I'm not a particularly knowledgeable guy when it comes to system design, 'partitioning' or running multiple OS's per se. If you want you can check a HJT log after booting into each OS (you have this one from Windows 2000, you could run HJT from Windows98 too and post it here). I'm not sure that is necessary (?) but if the HD is partitioned checking a HJT log in each partition might make some sense. Do you use the Win98 OS only to run some older programs (offline) or to access the internet also?

Once again, thank you. You are amazing :whistling:



Thank you for your kind words...you are very welcome.

That last HJT log appears clean...good work! Sorry I'm not more definitive or helpful on the multiple OS question...
  • 0

#5
boomercj

boomercj

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 122 posts
We run older programs on 98. Never go online with it. Both machines seem to be running fine now, so next week I'll do the HJT log on both machines while in 98. I haven't even tried a HJT log or scans on the main computer. I'm sure fixing that one will be a two or three day task and that machine can afford to be tied up that long.

I still have to run logs on my home desktop and laptop. I know those are going to be quite scary.

Thanks again. It's always a good thing when someone appreciates my humor.


Edit ----

Did you want me to post the HJT logs from Windows 98 on this thread or start a new one?

Edited by boomercj, 25 August 2006 - 03:56 PM.

  • 0

#6
cfa-ddg2

cfa-ddg2

    Visiting Staff

  • Visiting Consultant
  • 963 posts
No problem...

I'll keep this thread open for the Windows98 logs if you'd like since I've worked on both of those machines already....let me know.

Otherwise we can close this thread and you can open new ones if you choose.

For the 'new' computers to avoid confusion it would probably be better to open a new thread for each.

Have a nice weekend...
  • 0

#7
boomercj

boomercj

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 122 posts
Good Morning,

This is the HJT log from the 98 OS on the computer that I use - the most recent one that you worked on. I will run a HJT log from my coworkers computer tomorrow because he won't be in and the computer will be available.

I guess the drive is partitioned. I thought the partitions would need two different drive letters. What do I know? Anyway, when working with the 2000 OS, I try to keep the recyle bin empty. I noticed when I booted up on the 98 OS there were 100+ items in the recycle bin, so apparently each system has it's own set of files even tho they are on the same drive. This is making my head hurt! No wonder I don't have any space on the hard drive! Everything is duplicated!!

Logfile of HijackThis v1.99.1
Scan saved at 8:31:25 AM, on 8/28/06
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DRMON\SMARTAGT\SMARTAGT.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\COMSMD.EXE
C:\WINDOWS\SYSTEM\FPPDIS1A.EXE
C:\WINDOWS\SYSTEM\ATXBKPSCHEDULER.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IOWATCH.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
C:\QBOOKSW\COMPONENTS\QBAGENT\QBDAGENT2002.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.usefulware.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.usefulware.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.1040.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.usefulware.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.usefulware.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.usefulware.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.usefulware.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -on
O4 - HKLM\..\Run: [pdfFactory Dispatcher v1] C:\WINDOWS\SYSTEM\fppdis1a.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKLM\..\Run: [Backup Scheduler] C:\WINDOWS\SYSTEM\ATXBKPScheduler.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [dRMON SmartAgent] drmon\SmartAgt\SmartAgt.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - Startup: Refresh.lnk = C:\Program Files\Iomega\Tools\refresh.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Iomega Watch.lnk = C:\Program Files\Iomega\Tools\IOWATCH.EXE
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.exe
O4 - Startup: Zip Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.exe
O4 - Startup: QuickBooks 2002 Delivery Agent.lnk = C:\QBOOKSW\Components\QBAgent\qbdagent2002.exe
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.usefulware.com/
  • 0

#8
cfa-ddg2

cfa-ddg2

    Visiting Staff

  • Visiting Consultant
  • 963 posts
Hey boomercj....hope you had a great weekend! Thanks for making me try and remember the correct HJT entries on '98! I do not see any AV program on this 'partiton', but I'm not sure that's necessary if you do not go on line with it (and I'm not sure if running two AV's on different partitions is wise...but I bet that the experts in the Windows forum here at G2G would know). Remember, MS is no longer supporting Win98 (with security updates and patches etc.) so if becomes infected/unstable etc. you may not be able to fix it!

Nothing particularly sinister in that log that I see except some minor adlware:

1. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.usefulware.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.usefulware.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.usefulware.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.usefulware.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.usefulware.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.usefulware.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.usefulware.com/


Now close all windows other than HiJackThis, then click Fix Checked.

2. Please delete these files using Windows Explorer(if present):
  • Click Start>>All Programs>>Accessories>>Windows Explorer
  • Navigate to the listed files, then right-click to select them and click delete:


C:\WINDOWS\web\related.htm


After that, Reboot the computer.

3. A lot of the newer 'automated cleaners' will not run on Windows98....but Ad-aware will. If you want, you can do the following...your choice:

Run Ad-Aware with the latest update.
  • Download the latest version of Ad-Aware (Ad-Aware SE Build 1.06r1) from here.
  • If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
  • After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
  • Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".
  • Once the definitions have been updated:
  • Reconfigure Ad-Aware for Full Scan as per the following instructions:
    • Launch the program, and click on the Gear at the top of the start screen.
    • Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
      • "Automatically save logfile"
      • Automatically quarantine objects prior to removal"
      • Safe Mode (always request confirmation)
      • Prompt to update outdated confirmation) - Change to 7 days.
    • Click the "Scanning" button (On the left side).
    • Under Drives & Folders, select "Scan within Archives"
    • Click "Click here to select Drives + folders" and select your installed hard drives.
    • Under Memory & Registry, select all options.
    • Click the "Advanced" button (On the left hand side).
    • Under "Shell Integration", select "Move deleted files to Recycle Bin".
    • Under "Log-file detail", select all options.
    • Click on the "Defaults" button on the left.
    • Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
    • Click the "Tweak" button (Again, on the left hand side).
    • Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
      • "Unload recognized processes during scanning."
      • "Obtain command line of scanned processes"
      • "Scan registry for all users instead of current user only"
    • Under "Cleaning Engine", select the following:
      • "Automatically try to unregister objects prior to deletion."
      • "During removal, unload explorer and IE if necessary"
      • "Let Windows remove files in use at next reboot."
      • "Delete quarrantined objects after restoring"
    • Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
    • Click on "Proceed" to save these Preferences.
    • Click on the "Scan Now" button on the left.
    • Under "Select Scan Mode, be sure to select "Use Custom Scanning Options".
  • Close all programs except ad-aware.
  • Click on "Next" in the bottom right corner to start the scan.
  • Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
  • After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may of found. Allow it to finish.
That should do it...if you do the Ad-aware scans and/or have any questions or issues, let me know .....
  • 0

#9
boomercj

boomercj

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 122 posts
Thanks. I will work on it when I get to work tomorrow morning. Will it be ok if I post the Windows 98 HJT log from the first computer we worked on?
  • 0

#10
cfa-ddg2

cfa-ddg2

    Visiting Staff

  • Visiting Consultant
  • 963 posts
Yeah, that would be fine....do me a favor though and label it as such so I don't get confused... :whistling:
  • 0

Advertisements


#11
boomercj

boomercj

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 122 posts
OK, thank you. I wouldn't work on it until I'm done with the computer I use anyway. I mean, really... I'm the one concerned enough to make sure the computers are virus free, I should have first dibs!!
  • 0

#12
cfa-ddg2

cfa-ddg2

    Visiting Staff

  • Visiting Consultant
  • 963 posts
:whistling:
  • 0

#13
boomercj

boomercj

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 122 posts
[color=#3366FF]Good Morning again.

I followed your instructions for the Windows 98 partition of my office computer. I ran the Ad-Adware scan. It found 17 objects and I assume destroyed them. I posted a question about needing an AV on both OS. Found out that it is not necessary.

And now for the first computer you cleaned. This is my coworkers computer. When Windows 98 was the only OS on this computer, it was used to go online quite a bit. I ran a HJT log.

This is the first computer we worked on last week.
Logfile of HijackThis v1.99.1
Scan saved at 10:12:48 AM, on 8/29/06
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\COMSMD.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSCHED.EXE
C:\VOYETRA\AS2\VTRAY.EXE
C:\WINDOWS\SYSTEM\FPPDIS1A.EXE
C:\PROWIN99\32BIT\TASKSCH.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\IOMEGA\TOOLS\IOWATCH.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
C:\QBOOKSW\COMPONENTS\QBAGENT\QBDAGENT2001.EXE
C:\QBOOKSBASIC\COMPONENTS\QBAGENT\QBDAGENT2002.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.usefulware.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.1040.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.usefulware.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.usefulware.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.usefulware.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -on
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
O4 - HKLM\..\Run: [VSchedule] C:\Program Files\Network Associates\McAfee VirusScan\VSCHED.EXE
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [Tracker] C:\ProVenture\Billing Solution\tracker.exe
O4 - HKLM\..\Run: [VoyetraTray] C:\VOYETRA\AS2\VTRAY.EXE /s
O4 - HKLM\..\Run: [pdfFactory Dispatcher v1] C:\WINDOWS\SYSTEM\fppdis1a.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [TaskScheduler] C:\PROWIN99\32BIT\TASKSCH.EXE
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Iomega Watch.lnk = C:\Program Files\Iomega\Tools\IOWATCH.EXE
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\MSOFFICE\OFFICE\FINDFAST.EXE
O4 - Startup: Zip Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.exe
O4 - Startup: Refresh.lnk = C:\Program Files\Iomega\Tools\refresh.exe
O4 - Startup: QuickBooks 2001 Delivery Agent.lnk = C:\QBOOKSW\Components\QBAgent\qbdagent2001.exe
O4 - Startup: QuickBooks 2002 Delivery Agent.lnk = C:\QBOOKSBasic\Components\QBAgent\qbdagent2002.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
  • 0

#14
cfa-ddg2

cfa-ddg2

    Visiting Staff

  • Visiting Consultant
  • 963 posts
Hello boomercj...

Nothing particularly malicious here either. You can fix the below with HJT, delete the C:\WINDOWS\web\related.htm file and then scan with ad-aware like with the other machine:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.usefulware.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.usefulware.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.usefulware.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.usefulware.com
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


Hope this helps...let me know if you have any other questions. If not, we'll close this thread...

Edited by cfa-ddg2, 29 August 2006 - 08:12 PM.

  • 0

#15
boomercj

boomercj

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 122 posts
I can't thank you enough. At least two of the computers in this office are healthy now. Thank you for your patience. I love this forum! Best of luck to you and yours!
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP