
PC Re-Starts Without Completing SpyWare Removal[RESOLVED]



#1 ThunderOcean (Member, 31 posts)
I suspect that I have some MalWare on my PC. I have had problems running my SpyWare Removal Programs. They do not complete and they re-start my PC as though the Reset Button has been pressed.

Ad-Aware SE Personal Build 1.05 - This does not complete. Part way through, my PC re-starts as though the Reset Button has been pressed.

I followed your instructions with the exception of Tweaks > Cleaning Engine > Automatically Try To Unregister Objects Prior To Deletion which is actually Always Try To Unload Modules Before Deletion and Tweaks > Cleaning Engine > During Removal, Unload Explorer And IE If Necessary which is 'Greyed Out' and could not be selected.

CWShredder - This did not detect any CWS Files

SpyBot – Search & Destroy 1.3 - This completed successfully on one occasion and allowed deletion of 4 entries however, like Ad-Aware, it normally does not complete and my PC re-starts as though the Reset Button has been pressed.

AVG Free Edition 7.0.308 - This does not complete. Part way through, my PC re-starts as though the Reset Button has been pressed.

eTrust EZ AntiVirus 7.0.6.7 - This has successfully completed with the Latest Signature Files however, it does not detect any problems.

Trend HouseCall - This does not complete. Part way through, my PC re-starts as though the Reset Button has been pressed.

PandaActiveScan - This does not complete. Part way through, my PC re-starts as though the Reset Button has been pressed. At one stage, this detected Adware SearchAid in Windows Registry before it crashed however, the last time that I ran it (for you), it did not detect this and it had checked Windows Registry.

Trojan Defence Suite 3.2.0 - This does not complete. Part way through, my PC re-starts as though the Reset Button has been pressed.

Windows Updates - All of the Critical Updates are on my PC. I check for them once a week and, if there are any available, I download them.

HijackThis Log (having loaded all items at Start Up)
Logfile of HijackThis v1.99.1
Scan saved at 14:11:42, on 2005-04-22
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\MK9805.EXE
C:\WINDOWS\LOADQM.EXE
C:\FREESERVE\FREESERVECONNECTIONKIT\ATDIALLER1.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVRID.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\HP CD-WRITER\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\HP CD-WRITER\MMENU\HPCDTRAY.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\SAGEM\SAGEM F@ST 800-840\DSLMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
N2 - Netscape 6: # Mozilla User Preferences
// This is a generated file!

user_pref("RedSailAction.aim.away.autoreply", true);
user_pref("RedSailAction.aim.away.disablesound", false);
user_pref("RedSailAction.aim.buddy.SndPlayFirstIncoming", true);
user_pref("RedSailAction.aim.buddy.SndPlayIncoming", true);
user_pref("RedSailAction.aim.buddy.SndPlayOutgoing", true);
user_pref("RedSailAction.aim.buddy.SndPlaySignOff", true);
user_pref("RedSailAction.aim.buddy.SndPlaySignOn", true);
user_pref("RedSailAction.aim.chat.AnnounceChatRoom", true);
user_pref("RedSailAction.aim.chat.FlashChatWin", true);
user_pref("RedSailAction.aim.chat.SndPlayIncoming", true);
user_pref("RedSailAction.aim.chat.SndPlayOutgoing", true);
user_pref("RedSailAction.aim.chat.unavailable", false);
user_pref("RedSailAction.aim.general.im.enterCR", false);
user_pref("RedSailAction.aim.general.im.smilies", true);
user_pref("RedSailAction.aim.general.im.tabKey", false);
user_pref("RedSailAction.aim.general.im.timeStamp", false);
user_pref("RedSa
N2 - Netscape 6: # Mozilla User Preferences
// This is a generated file!

user_pref("RedSailAction.aim.away.autoreply", true);
user_pref("RedSailAction.aim.away.disablesound", false);
user_pref("RedSailAction.aim.buddy.SndPlayFirstIncoming", true);
user_pref("RedSailAction.aim.buddy.SndPlayIncoming", true);
user_pref("RedSailAction.aim.buddy.SndPlayOutgoing", true);
user_pref("RedSailAction.aim.buddy.SndPlaySignOff", true);
user_pref("RedSailAction.aim.buddy.SndPlaySignOn", true);
user_pref("RedSailAction.aim.chat.AnnounceChatRoom", true);
user_pref("RedSailAction.aim.chat.FlashChatWin", true);
user_pref("RedSailAction.aim.chat.SndPlayIncoming", true);
user_pref("RedSailAction.aim.chat.SndPlayOutgoing", true);
user_pref("RedSailAction.aim.chat.unavailable", false);
user_pref("RedSailAction.aim.general.im.enterCR", false);
user_pref("RedSailAction.aim.general.im.smilies", true);
user_pref("RedSailAction.aim.general.im.tabKey", false);
user_pref("RedSailAction.aim.general.im.timeStamp", false);
user_pref("RedSa
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CHotKey] mk9805.exe
O4 - HKLM\..\Run: [MMHID] rundll32 mmhid.dll,StartMmHid
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MicroDialler] C:\Freeserve\FreeserveConnectionKit\atdialler1.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETMSG.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O7 "EPUSB1:" /M "Stylus CX3200"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE"
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - Startup: DSL Monitor.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: QuickTranslate - C:\Program Files\Common Files\Microsoft Shared\Reference Titles\edtrans.htm
O8 - Extra context menu item: QuickDefine - C:\Program Files\Common Files\Microsoft Shared\Reference Titles\eddefine.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: Yahoo! Cribbage - http://download.game...nts/y/it1_x.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/...stall/AxCtp.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: ChatSpace Java Client 2.1.0.90N - http://freeserve-a3....a/cs4msn090.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...4/heartbeat.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {6FB9FE59-7D3B-483D-9909-C870BE5AFA1F} (DiskHealth Class) - http://www.pcpitstop.../diskhealth.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw12fd.law12....ex/HMAtchmt.ocx
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt3_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.game...ts/y/ywt0_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.game...ts/y/sdt1_x.cab
O16 - DPF: {C52C1623-3D3E-45EE-9581-B7D68EDB0728} (HiperLoader Control) - http://plugin.hiperm...co.uk/hiper.cab
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://support.epson...rg/ESTPTest.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.246 - http://chat-c3.wanad...va/cfs31246.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.248 - http://chat-c2.wanad...va/cfs31248.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst4_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe

I am at a loss as to how to cure this problem and I would be very grateful for your assistance in trying to do so. I look forward to hearing from you.

ThunderOcean

#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Welcome to GTG.

I'm wondering if your ram/memory could be the problem also. To run some tests, try using this program from Microsoft. Run it for about 15 minutes and if no errors show up, you may exit it.

Have you tried renaming your programs and see if they will run completely? For example, try renaming Ad-aware.exe to something like Ad-aware1.exe instead and run that. I know some trojans will go after valid programs and attempt to stop them, so renaming it is a way around this.

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the Lower pane --- Use CTRL C on your keyboard to copy everything found in the lower pane and save it to a notepad file
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.


#3 ThunderOcean (Topic Starter, Member, 31 posts)
Thanks for this. I am just off to work. I'll have a go at this later today. I have posted this so that you don't think that I am ignoring your reply.

ThunderOcean

#4 ThunderOcean (Topic Starter, Member, 31 posts)
I ran Windows Memory Diagnostic and it found some errors which I will try to get fixed however, I do not know if these are the cause of my PC re-starting regularly.

I ran Ad-Aware after renaming its Executable File and I got the same result in that it did not complete and my PC re-started.

I ran MicroWorld AntiVirus ToolKit Utility and it did not complete (PC re-started after it had checked 13196 Objects). It failed with "MWAVSCAN caused a general protection fault in module KRNL386.EXE at 0001:0000c4a". I was writing down its Virus Log as it went along in anticipation of this happening. The details were:

File C:\WINDOWS\PTSNOOP.EXE tagged as not-a-virus:FalseAlarm.Symantec.Ptsnoop. No Action taken.

File C:\WINDOWS\dating762.exe tagged as not-a-virus:RiskWare.Downloader.Sniggast. No Action taken.

File C:\WINDOWS\smsdial752.exe tagged as not-a-virus:RiskWare.Dialer.Dateregon. No Action taken.

File C:\WINDOWS\OPTIONS\CABS\PTSNOOP.EXE tagged as not-a-virus::FalseAlarm.Symantec.Ptsnoop. No Action taken.

File C:\WINDOWS\OPTIONS\CABS\WIN98_59.CAB tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\WINDOWS\PTSNOOP.EXE tagged as not-a-virus:FalseAlarm.Symantec.Ptsnoop. No Action taken. - This seems to be the same as the first item.

I attach an updated HijackThis Log as some things have changed since the original one was taken. I hope that this is OK.

Logfile of HijackThis v1.99.1
Scan saved at 22:50:34, on 2005-04-27
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\MK9805.EXE
C:\WINDOWS\LOADQM.EXE
C:\FREESERVE\FREESERVECONNECTIONKIT\ATDIALLER1.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVRID.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\HP CD-WRITER\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\HP CD-WRITER\MMENU\HPCDTRAY.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\SAGEM\SAGEM F@ST 800-840\DSLMON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
N2 - Netscape 6: # Mozilla User Preferences
// This is a generated file!

user_pref("RedSailAction.aim.away.autoreply", true);
user_pref("RedSailAction.aim.away.disablesound", false);
user_pref("RedSailAction.aim.buddy.SndPlayFirstIncoming", true);
user_pref("RedSailAction.aim.buddy.SndPlayIncoming", true);
user_pref("RedSailAction.aim.buddy.SndPlayOutgoing", true);
user_pref("RedSailAction.aim.buddy.SndPlaySignOff", true);
user_pref("RedSailAction.aim.buddy.SndPlaySignOn", true);
user_pref("RedSailAction.aim.chat.AnnounceChatRoom", true);
user_pref("RedSailAction.aim.chat.FlashChatWin", true);
user_pref("RedSailAction.aim.chat.SndPlayIncoming", true);
user_pref("RedSailAction.aim.chat.SndPlayOutgoing", true);
user_pref("RedSailAction.aim.chat.unavailable", false);
user_pref("RedSailAction.aim.general.im.enterCR", false);
user_pref("RedSailAction.aim.general.im.smilies", true);
user_pref("RedSailAction.aim.general.im.tabKey", false);
user_pref("RedSailAction.aim.general.im.timeStamp", false);
user_pref("RedSa
N2 - Netscape 6: # Mozilla User Preferences
// This is a generated file!

user_pref("RedSailAction.aim.away.autoreply", true);
user_pref("RedSailAction.aim.away.disablesound", false);
user_pref("RedSailAction.aim.buddy.SndPlayFirstIncoming", true);
user_pref("RedSailAction.aim.buddy.SndPlayIncoming", true);
user_pref("RedSailAction.aim.buddy.SndPlayOutgoing", true);
user_pref("RedSailAction.aim.buddy.SndPlaySignOff", true);
user_pref("RedSailAction.aim.buddy.SndPlaySignOn", true);
user_pref("RedSailAction.aim.chat.AnnounceChatRoom", true);
user_pref("RedSailAction.aim.chat.FlashChatWin", true);
user_pref("RedSailAction.aim.chat.SndPlayIncoming", true);
user_pref("RedSailAction.aim.chat.SndPlayOutgoing", true);
user_pref("RedSailAction.aim.chat.unavailable", false);
user_pref("RedSailAction.aim.general.im.enterCR", false);
user_pref("RedSailAction.aim.general.im.smilies", true);
user_pref("RedSailAction.aim.general.im.tabKey", false);
user_pref("RedSailAction.aim.general.im.timeStamp", false);
user_pref("RedSa
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CHotKey] mk9805.exe
O4 - HKLM\..\Run: [MMHID] rundll32 mmhid.dll,StartMmHid
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MicroDialler] C:\Freeserve\FreeserveConnectionKit\atdialler1.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETMSG.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O7 "EPUSB1:" /M "Stylus CX3200"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE"
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - Startup: DSL Monitor.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: QuickTranslate - C:\Program Files\Common Files\Microsoft Shared\Reference Titles\edtrans.htm
O8 - Extra context menu item: QuickDefine - C:\Program Files\Common Files\Microsoft Shared\Reference Titles\eddefine.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: Yahoo! Cribbage - http://download.game...nts/y/it1_x.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/...stall/AxCtp.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: ChatSpace Java Client 2.1.0.90N - http://freeserve-a3....a/cs4msn090.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...4/heartbeat.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {6FB9FE59-7D3B-483D-9909-C870BE5AFA1F} (DiskHealth Class) - http://www.pcpitstop.../diskhealth.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw12fd.law12....ex/HMAtchmt.ocx
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt3_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.game...ts/y/ywt0_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.game...ts/y/sdt1_x.cab
O16 - DPF: {C52C1623-3D3E-45EE-9581-B7D68EDB0728} (HiperLoader Control) - http://plugin.hiperm...co.uk/hiper.cab
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://support.epson...rg/ESTPTest.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.246 - http://chat-c3.wanad...va/cfs31246.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.248 - http://chat-c2.wanad...va/cfs31248.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst4_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe

ThunderOcean

Edited by ThunderOcean, 27 April 2005 - 06:55 PM.

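An added example, not part of this thread and not HijackThis's own code: a small Python script that parses HijackThis 1.99 logs like the two posted above into their sections (R0, O1, O4, O16 ...), diffs two of them so that "some things have changed" can be stated precisely, and lists O4 autoruns that name a bare executable with no directory (those are resolved through the search path at logon, so it is worth confirming which file actually runs). The two sample logs inside it are constructed: the first is a handful of lines copied from the posted 2005-04-22 log, the second is edited by hand (the dropped hosts line, the IEXPLORE process and the `ExampleTray` autorun are invented) so that the diff has something to report.

```python
"""Parse and diff HijackThis v1.99 logs (added example, not HijackThis code)."""
import re

# Entry lines look like "O4 - HKLM\..\Run: [Name] command"; the prefix is the
# HijackThis section. Multi-line N2 dumps of Netscape prefs.js do not match.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
# O4 entries: "<registry key or Startup>: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def parse_hjt(text):
    """Return ({section: set(entries)}, [running processes, lowercased])."""
    sections, processes, in_procs = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False            # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line.lower())   # Win9x paths are case-insensitive
            continue
        m = ENTRY_RE.match(line)
        if m:
            sections.setdefault(m.group(1), set()).add(m.group(2))
    return sections, processes


def diff_hjt(old_text, new_text):
    """Entries and processes that appeared or disappeared between two logs."""
    old, old_procs = parse_hjt(old_text)
    new, new_procs = parse_hjt(new_text)
    added, removed = {}, {}
    for sec in sorted(set(old) | set(new)):
        plus = new.get(sec, set()) - old.get(sec, set())
        minus = old.get(sec, set()) - new.get(sec, set())
        if plus:
            added[sec] = sorted(plus)
        if minus:
            removed[sec] = sorted(minus)
    return {
        "added": added,
        "removed": removed,
        "new_processes": sorted(set(new_procs) - set(old_procs)),
        "gone_processes": sorted(set(old_procs) - set(new_procs)),
    }


def bare_autoruns(sections):
    """O4 autoruns whose executable has no directory component."""
    found = []
    for entry in sorted(sections.get("O4", ())):
        m = O4_RE.match(entry)
        if not m:
            continue                    # e.g. "Startup: foo.lnk = path"
        cmd = m.group("cmd")
        # first token of the command line, honouring a quoted path
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
        if "\\" not in exe:
            found.append((m.group("name"), exe))
    return found


# Constructed sample: a few lines taken from the posted 2005-04-22 log.
OLD_LOG = r"""
Scan saved at 14:11:42, on 2005-04-22

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE"
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
"""

# Constructed "later" log: hosts line gone, IEXPLORE running, and a made-up
# autorun (ExampleTray is hypothetical, not something from the thread).
NEW_LOG = r"""
Scan saved at 22:50:34, on 2005-04-27

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ExampleTray] exampletray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE"
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
"""

if __name__ == "__main__":
    report = diff_hjt(OLD_LOG, NEW_LOG)
    for kind in ("added", "removed"):
        for sec, entries in report[kind].items():
            for e in entries:
                print(f"{kind:8s} {sec} - {e}")
    print("new processes:", report["new_processes"])
    print("gone processes:", report["gone_processes"])
    print("bare autoruns:", bare_autoruns(parse_hjt(NEW_LOG)[0]))
```

Feed it the two full logs from the thread (saved as text files) instead of the embedded samples and the diff shows only the process-list churn; the registry, BHO and O16 entries are identical in both, which is what "the log you have is clean" amounts to. The bare-executable list is a prompt to verify, not a verdict: on this Win98 box `starter.exe`, `mk9805.exe`, `SysTray.Exe` and `AtiQiPcl.exe` are all legitimate driver and shell components.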

#5 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
The restarts can be caused by a number of things - memory/ram, viruses, software problems, hardware conflicts, etc.

I'm ruling that it's either a memory problem or a virus. Did you install any new software or hardware lately before this restart problem?

Delete these two files and see if it fixes the problem:

C:\WINDOWS\dating762.exe
C:\WINDOWS\smsdial752.exe

So the memory scan did show errors? You might have to replace your memory/ram if that's the case.

#6 ThunderOcean (Topic Starter, Member, 31 posts)
I have just deleted these two files and I have removed them from the Recycle Bin. I will let you know how things go.

In that you have not made any comment about the other items ("File C:\WINDOWS\PTSNOOP.EXE tagged as not-a-virus:FalseAlarm.Symantec.Ptsnoop. No Action taken.", "File C:\WINDOWS\OPTIONS\CABS\PTSNOOP.EXE tagged as not-a-virus::FalseAlarm.Symantec.Ptsnoop. No Action taken.", "File C:\WINDOWS\OPTIONS\CABS\WIN98_59.CAB tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken." and "File C:\WINDOWS\PTSNOOP.EXE tagged as not-a-virus:FalseAlarm.Symantec.Ptsnoop. No Action taken. - This seems to be the same as the first item."), am I correct in assuming that they are not a problem? The one associated with "Tool.Win32.Reboot" worries me. Is this causing the problem?

Prior to all of this (which started about 2 weeks ago), I installed Tiscali Broadband including a Sagem USB Modem and I downloaded ZoneAlarm (Freeware Version). In addition to this, I upgraded eTrust EZ AntiVirus, RealPlayer, MSN Messenger and WinAmp. Once the problem occurred, I installed AVG AntiVirus, CWShredder, HijackThis, SpyBot - Search & Destroy and Trojan Defence Suite in an attempt to identify/resolve this matter.

ThunderOcean

Edited by ThunderOcean, 28 April 2005 - 10:41 AM.


#7 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
I wouldn't worry about those Tool.Win32.Reboot entries. I think it's for your modem.

No problem. Post an update to this problem - whether it got better or worse (stayed the same?).

#8 ThunderOcean (Topic Starter, Member, 31 posts)
Having deleted the two files, I still have the same problem. I still get random re-starts and I am unable to complete Ad-Aware, SpyBot or MicroWorld AntiVirus ToolKit Utility.

As far as I can tell, the situation is still the same (no better, no worse).

ThunderOcean

#9 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
OK, I have to take into consideration that this might be something else unrelated to spyware/viruses.

1. Go here and get that Microsoft tool. Install it on a floppy and restart your computer. Boot from the floppy and run the scan for about 15 minutes to see if any errors show up. If none, exit and take out the floppy. If something does show up, it means there's a fault in the ram/memory.

2. Right click on My Computer->Properties->Device Manager and see if there are any conflicts (you can tell if they have an exclamation mark or any other suspicious signs).

#10 ThunderOcean (Topic Starter, Member, 31 posts)
1a) I have run the Extended Test in Windows Memory Diagnostic again and it has found some errors again. They are in INVC, LRAND, Stride6 (Cache Enabled) , WINVC, WStride-6 and ERAND.

1b) I have two 128Mb Memory Modules and it says that the errors are only in one of them but it does not know which one. I assume that I can swap them in and out and re-run the tests to try and identify which one is the problem. How do I do this?

2a) I have checked Device Manager and there are no signs of any conflicts in that there are no exclamation marks displayed against any of the entries.

3a) I assume that my HijackThis Log has not revealed any problems.

ThunderOcean

Edited by ThunderOcean, 30 April 2005 - 08:24 AM.


#11 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Yes, you can swap them and try it out. Run the test again. I suggest running it on both and make sure that it's only one of them with the errors.

The log you have is clean. The only problem that I see here is that you have two antivirus programs running. I recommend uninstalling one of them now to avoid any conflicts.

#12 ThunderOcean (Topic Starter, Member, 31 posts)
1) I identified the damaged Memory Module (by swapping it in and out) and I removed it. I ran Windows Memory Diagnostic and it did not identify any problems with the remaining Memory Module. I, therefore, assume that any memory problems have been eliminated.

2) Ad-Aware still has the same problem (even after I uninstalled it, downloaded it again and re-installed it). It failed on the initial default run that it prompts when it is first installed.

3) SpyBot completes successfully but it does not detect anything.

4) I ran MicroWorld AntiVirus ToolKit Utility again however, whilst it did not crash, I aborted it after about 20000 files because it was so slow. It took around 3 hours to get there (of which 2 hours seemed to be for the last 1000 or so files). It had not identified anything new at that stage.

5) In addition, I have a problem with ZoneAlarm in that the Programs in Program Control are being reset/removed. I am always being asked to allow access to Programs that I know I have already included.

ThunderOcean
  • 0

#13
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
So Ad-aware still restarts? Does it give you any errors? If it doesn't give any errors, it's going to be hard to determine the reason behind this. It may be spyware/virus doing this. So let's see.

Let's have a look at this log:

Download L2MFix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts. Then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening. After a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 or any other files in the l2mfix folder until you are asked to do so!

For ZoneAlarm, did you check the box to remember the setting? When ZoneAlarm says so and so program wants to go online (and you are 100% sure it's OK), check the box and then hit Allow button. Not sure if you did that already. If you did, we'll have to look deeper and see what's wrong.
  • 0

#14
ThunderOcean

ThunderOcean

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
01 - Ad-Aware does not give any error messages. It just re-starts the PC.

02 - I have run L2MFix only to get the message "Not compatible with 9x or windows nt". I assume that it is incompatible with Windows 98 SE.

03 - I have now downloaded and installed ZoneAlarm 5.5.094.000. I will keep an eye on whether or not it saves the Programs in Program Control.

ThunderOcean
  • 0

#15
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
So Ad-aware still restarts even after taking out the faulty ram/memory?

Sorry about that. Yes, L2MFix is made for NT systems (NT/2k/XP). OK, try this instead:

Before doing anything, MAKE SURE that you can keep your computer on (at least until we get it fixed). This infection requires us to detect and remove it without rebooting or restarting your computer (unless the instructions say so). If you can't keep your computer on today, then I suggest that you don't get the logs yet until you are ready. With that said (when ready):

Please download the following programs required for the removal process:

Kill2Me http://www.greyknigh...spy/Kill2Me.exe
VX2Finder9x http://www.downloads...VX2Finder9x.exe
Hoster http://www.greyknigh.../spy/Hoster.exe
CleanUp! http://cleanup.stevengould.org/ or http://www.greyknigh...spy/Cleanup.exe
KillBox http://www.greyknigh...spy/KillBox.exe
DllCompare http://www.greyknigh.../DllCompare.exe

Please follow the steps below:

1. Download/run the following uninstallers:

Look2Me Uninstaller http://www.look2me.c...bin/UnInstaller
IGN Keyword Uninstaller http://www.greyknigh...LNUninstall.zip
ClearSearch Uninstaller http://www.greyknigh...chUninstall.zip

2. Run Kill2Me.

3. Run VX2Finder9x and click on the Find VX2.BetterInternet button. Click Make Log and post this in the forum.

4. Run DllCompare now and click on the Locate.com button. Wait a few seconds and then click on the Compare button. Let it run, then click on 'Make a log of what was found'. Post that log here. Note: If you are having problems using DllCompare (16 bit ...), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now run DllCompare.

5. Go to C:\WINDOWS\SYSTEM\ and sort the files by date. Look for more recent created files and post them here. They are usually random named DLL files.

We also need a list of files in the following folders:

C:\WINDOWS\Downloaded Program Files\ - for these files, if they just have numbers as the filename, right click on them and go to Properties to see what they are. Post the description for each of those here.
C:\Program Files\Internet Explorer\ - there might be a download folder here. We are looking for any randomly named files. Post anything that looks suspicious.

Post all of the logs in your next post. We need them all to get a fix for this infection.
  • 0
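Step 5 above asks for a manual review of C:\WINDOWS\SYSTEM sorted by date, looking for recently created DLLs with random-looking names. The script below is an added example written for this thread, not one of the tools the post links to; it automates that triage for any folder you point it at. It lists files modified in the last 14 days (newest first) and flags DLLs whose name has almost no vowels or unusually high character entropy, the two traits that make a name look machine-generated. The thresholds (RECENT_DAYS, the vowel ratio and entropy limits) and the sample file names built by build_sample_dir() are assumptions constructed for the demonstration; real system folders will contain legitimate DLLs with odd names, so a flag is a reason to look at the file's Properties, not proof of infection.

```python
"""Folder triage helper (added example, not from the thread or its linked tools).

Lists recently modified files in a folder and flags DLLs whose names look
randomly generated, mirroring the manual check in step 5 of the post.
"""
import math
import os
import tempfile
import time
from collections import Counter

# Constructed thresholds for this example; tune them for your own environment.
RECENT_DAYS = 14
VOWELS = set("aeiou")
MIN_STEM_LEN = 7          # short names (msvcrt, ntdll) are skipped as too ambiguous
LOW_VOWEL_RATIO = 0.1     # fewer vowels than this among the letters -> suspicious
HIGH_ENTROPY_BITS = 3.2   # only applied to stems of 10+ characters

# Constructed reference time (a fixed timestamp so results are reproducible).
BASE_TIME = 1114848000.0


def name_entropy(stem):
    """Shannon entropy in bits per character of a file-name stem."""
    stem = stem.lower()
    if not stem:
        return 0.0
    n = len(stem)
    return -sum(c / n * math.log2(c / n) for c in Counter(stem).values())


def looks_random(filename):
    """Heuristic: a long name with almost no vowels, or a long high-entropy
    name, is a candidate for the 'random named DLL' the post describes."""
    stem, _ext = os.path.splitext(os.path.basename(filename))
    stem = stem.lower()
    if len(stem) < MIN_STEM_LEN:
        return False
    letters = [ch for ch in stem if ch.isalpha()]
    if letters:
        vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters)
        if vowel_ratio < LOW_VOWEL_RATIO:
            return True
    return len(stem) >= 10 and name_entropy(stem) > HIGH_ENTROPY_BITS


def recent_files(folder, now=None, days=RECENT_DAYS):
    """Return (basename, mtime, flagged) for files modified within `days`,
    newest first. `now` may be supplied for reproducible results."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    rows = []
    for name in os.listdir(folder):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        mtime = os.path.getmtime(path)
        if mtime >= cutoff:
            flagged = name.lower().endswith(".dll") and looks_random(name)
            rows.append((name, mtime, flagged))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


def build_sample_dir():
    """Create a temporary folder with constructed sample files and backdated
    modification times, standing in for C:\\WINDOWS\\SYSTEM."""
    folder = tempfile.mkdtemp(prefix="triage_")
    day = 86400
    samples = {
        "kernel32.dll": BASE_TIME - 400 * day,  # old system file, ignored
        "shell32.dll": BASE_TIME - 3 * day,     # recent but normal name
        "notes.txt": BASE_TIME - 2 * day,       # recent, not a DLL
        "qxzvtkpr.dll": BASE_TIME - 1 * day,    # recent, random-looking name
    }
    for name, mtime in samples.items():
        path = os.path.join(folder, name)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content\n")
        os.utime(path, (mtime, mtime))
    return folder


def main():
    folder = build_sample_dir()
    for name, mtime, flagged in recent_files(folder, now=BASE_TIME):
        stamp = time.strftime("%Y-%m-%d", time.gmtime(mtime))
        print(f"{stamp}  {'SUSPECT' if flagged else '       '}  {name}")


if __name__ == "__main__":
    main()
```

To use it on a real folder, call recent_files(r"C:\WINDOWS\SYSTEM") with no `now` argument and paste the flagged names into the thread alongside the other logs; the flags are a starting point for the Properties check the post describes, and a legitimate file can still be flagged.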