[FATTYFISHER]

Hello again folks

This isnt really that important, its the Ex's PC, im due to build her a new one anyway (well, for the rugrats anyway).

I did a highjack this scan on it, got rid of all the obvious rubbish, like the adbar and shopbar junk, but before i go deleting the rest of the junk, I could just do with some conformation if you wouldnt mind, on the ones that are disguised as legitimate windows wear.
Basically its crawling along, IE chucks up countless "must close" errors, and her cable connection might aswell be a 28.8kb modem!

So if you get chance, and wouldnt mind a quick look at the list, i would be most greatfull, especially as it buys me a bit more time to sort her new one.

Many thanks

Ian

StartupList report, 26/01/04, 22:06:08
StartupList version: 1.52
Started from : C:\WINDOWS\TEMP\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCPFW.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\MIXER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\POP3TRAP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\WEBTRAP.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
WinZip Quick Pick.lnk = C:\PROGRA~1\WINZIP\wzqkpick.exe

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
C-Media Mixer = Mixer.exe /startup
pccguide.exe = "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
PCCIOMON.exe = "C:\Program Files\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
PCCClient.exe = "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
Pop3trap.exe = "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

SchedulingAgent = mstask.exe
PCCIOMON.exe = "C:\Program Files\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
PCCPFW = C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
MiniLog = C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

msnmsgr = "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 8/12/2003, 21:44:20)

[rename]
NUL=C:\WINDOWS\INTERN~1\TVDEBUG.LOG
NUL=C:\WINDOWS\TEMP\ZAUNINST.EXE
NUL=C:\WINDOWS\TEMP\VSINIT.DLL
NUL=C:\WINDOWS\INTERN~1\TVDEBUG.LOG
NUL=C:\WINDOWS\SYSTEM\VSUTIL.DLL
NUL=C:\WINDOWS\SYSTEM\VSDATA.DLL

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

mode con codepage prepare=((850) C:\WINDOWS\COMMAND\ega.cpi)
mode con codepage select=850
keyb uk,,C:\WINDOWS\COMMAND\keyboard.sys

--------------------------------------------------


Enumerating Task Scheduler jobs:

Tune-up Application Start.job

--------------------------------------------------

Enumerating Download Program Files:

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupd...7864.1655555556

[MSN Chat Control 4.5]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNCHAT45.OCX
CODEBASE = http://fdl.msn.com/p...t/msnchat45.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macr...ash/swflash.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macr...director/sw.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MESSENGERSTATSCLIENT.DLL
CODEBASE = http://messenger.zon...StatsClient.cab

[Checkers Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSGRCHKR.DLL
CODEBASE = http://messenger.zon...ry/msgrchkr.cab

[Scanner Class]
InProcServer32 = C:\TEMP\TDECNTRL\TDECNTRL.DLL
CODEBASE = http://www.trojansca...an/TDECntrl.CAB

[InstallShield International Setup Player]
InProcServer32 = c:\WINDOWS\DOWNLO~1\ISETUPML.DLL
CODEBASE = http://ftp.hp.com/pu...er/isetupML.cab

[Minesweeper Flags Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MINESWEEPER.DLL
CODEBASE = http://messenger.zon...MineSweeper.cab

[SimCityX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\SIMCITYX.OCX
CODEBASE = http://simcity.ea.co...ic/SimCityX.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 6,309 bytes
Report generated in 0.233 seconds




Logfile of HijackThis v1.97.7
Scan saved at 22:05:01, on 26/01/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCPFW.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\MIXER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\POP3TRAP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\WEBTRAP.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...B_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PCCPFW] C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: WinZip Quick Pick.lnk = C:\PROGRA~1\WINZIP\wzqkpick.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: Ebates - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Ebates (HKCU)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7864.1655555556
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojansca...an/TDECntrl.CAB
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pu...er/isetupML.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.co...ic/SimCityX.cab
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt1_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst3_x.cab
O16 - DPF: Yahoo! MahJong - http://download.game...nts/y/ot0_x.cab

[Advertisements]

I'm just on the way out the door, so I'm only able to gice it a quick glance, but I don't see anything that jumps out at me. Looks good. I'll review closer when I get more time and reply if I notice anything.

[admin]

I'm just on the way out the door, so I'm only able to gice it a quick glance, but I don't see anything that jumps out at me. Looks good. I'll review closer when I get more time and reply if I notice anything.

[admin]

Oops! I was in a hurry. Missed these the first time. Restart Hijack This, check the following items and fix:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O8 - Extra context menu item: Ebates - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm
O9 - Extra button: Related (HKLM)
O9 - Extra button: Ebates (HKCU)

It looks like your protected from viruses and trojans, I don't see any resource hogging startup items, and you're running a current patched version of IE. Hopefully with the changes you made this will do it.

[FATTYFISHER]

Many Thanks kind sir!

Will go and give it a tweak tommorrow night.

Thanks alot

Ian