[kayseet]

Hello-
I have done all the required searches and cleaning up so here is my log. It runs ok for awhile and then the blue screen pops up saying that there is an error and I have to reboot.
Thanks in advance,
Kaysee

Logfile of HijackThis v1.99.1
Scan saved at 8:53:09 PM, on 6/18/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\PROGRAM FILES\WUSB11 WLAN MONITOR\WUSB11B.EXE
C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMON32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

[Advertisements]

Hi Kayseet,

We are sorry to have missed your post due to heavy traffic.

I will help you clean your PC

Can you post a fresh HJT log here??

[tampabelle]

Hi Kayseet,

We are sorry to have missed your post due to heavy traffic.

I will help you clean your PC

Can you post a fresh HJT log here??

[kayseet]

Here you go!! Thank so much!

Logfile of HijackThis v1.99.1
Scan saved at 5:37:29 PM, on 6/27/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\PROGRAM FILES\WUSB11 WLAN MONITOR\WUSB11B.EXE
C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMON32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMon32.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [warez] "C:\PROGRAM FILES\WAREZ P2P CLIENT\WAREZ.EXE" -h
O4 - Startup: Microsoft Office.lnk = c:\WINDOWS\Application Data\Microsoft\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://163.181.142.17/wfica.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installfr...ll/iftwclix.cab
O16 - DPF: {2FF18E20-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.01) - http://www.msnbc.com...load/nm1228.cab
O16 - DPF: {5EADE0BC-B99F-4031-B60A-31ECA800E8CF} (TradecSwitcher.Switcher) - http://sas.tradec.co...decSwitcher.CAB
O16 - DPF: {5869FB02-63E4-11D4-A5D3-0050DA5F5B70} (TradecGetRegistryInfo.GetRegistryInfo) - https://sas.tradec.c...egistryInfo.ocx
O16 - DPF: {4492B1D2-6CBD-11D4-958F-00B0D02CEE1C} (TradecDataManager.DataManager) - https://www.01t.net/...DataManager.CAB
O16 - DPF: {4B4A2381-30C9-11D4-80A2-00B0D02CECB2} (TradecAutoCreate.AutoCreate) - https://www.01t.net/...cAutoCreate.CAB
O16 - DPF: {5FB836E6-30E8-11D4-80A2-00B0D02CECB2} (TradecPasteWiz.PasteWiz) - https://www.01t.net/...decPasteWiz.CAB
O16 - DPF: {9EB6A817-B74F-11D4-8168-005004630EB3} (TradecBWAutoCreate.BWAutoCreate) - https://sas.tradec.c...WAutoCreate.CAB
O16 - DPF: {CB13317E-30C9-11D4-80A2-00B0D02CECB2} (TradecValidateEdit.ValidateEdit) - https://sas.tradec.c...alidateEdit.CAB
O16 - DPF: {EBECDD4F-A5D2-407C-9B2E-E455E4E97FBD} (TradecCurrencyCnvrt.Currency) - https://sas.tradec.c...rrencyCnvrt.CAB
O16 - DPF: {5E511804-EC1E-11D4-8180-005004630EB3} (TradecMfgNameMgr.MfgNameMgr) - https://sas.tradec.c...cMfgNameMgr.CAB
O16 - DPF: {7C812FE0-BA23-11D3-8029-00105AA9E599} (TradecSQLControl.SQLQuery) - https://www.01t.net/...cSQLControl.CAB
O16 - DPF: {94356756-0DD4-11D5-95A0-00B0D02CEE1C} (TradecAddCol.AddEditCol) - https://www.01t.net/...radecAddCol.CAB
O16 - DPF: {E140215F-B436-11D4-8933-0050046313EB} (TradecAssignRecipients.AssignRecipients) - https://www.01t.net/...nRecipients.CAB
O16 - DPF: {55F2A52A-327E-11D4-8141-005004630EB3} (TradecSimpleGrid.Grid) - https://www.01t.net/...cSimpleGrid.cab
O16 - DPF: {A1B59EBD-63E7-11D4-A5D3-0050DA5F5B70} (TradecXMLUpload.XMLUpload) - https://www.01t.net/...ecXMLUpload.CAB
O16 - DPF: {E6F29F50-0E1E-44E7-AD07-CD466307ED16} (TradecSwitcher Control) - http://sas.tradec.co...decSwitcher.OCX
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

[tampabelle]

Hi Kayseet,


Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, u will be asked to fix some entries, delete some files or uninstall sosme programs. If in case, you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

CleanUp

CWShredder

Update CWShredder

* Open CWShredder and click I AGREE
* Click Check For Update
* Close CWShredder

Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

2. Remove Infections

Run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Run CleanUp and delete all temp files including temporary internet files

3. Run Hijack This

Run Hijack This and click on scan. The following items need to be fixed -

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

Reboot the PC in Normal Mode.

Run an online scan at BitDefender and save the scan report.

Run Hijack This and post a fresh HJT log along with BitDefender scan report.

[kayseet]

here is my Bitdefinder report:

BitDefender Online Scanner



Scan report generated at: Mon, Jun 27, 2005 - 20:06:05





Scan path: A:\;C:\;D:\;







Statistics

Time
00:37:19

Files
106557

Folders
1094

Boot Sectors
3

Archives
391

Packed Files
21550




Results

Identified Viruses
2

Infected Files
2

Suspect Files
0

Warnings
0

Disinfected
0

Deleted Files
2




Engines Info

Virus Definitions
185777

Engine build
AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)

Scan plugins
13

Archive plugins
38

Unpack plugins
4

E-mail plugins
6

System plugins
1




Scan Settings

First Action
Disinfect

Second Action
Delete

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
exe;com;dll;ocx;scr;bin;dat;386;vxd;sys;wdm;cla;class;ovl;ole;hlp;doc;dot;xls;ppt;wbk;wiz;pot;ppa;xla;xlt;vbs;vbe;mdb;rtf;htm;hta;html;xml;xtp;php;asp;js;shs;chm;lnk;pif;prc;url;smm;pfd;msi;ini;csc;cmd;bas;

Exclude Extensions


Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes




Scanned File
Status

C:\WINDOWS\Downloaded Program Files\webdlg32.dll
Detected with: Application.Adware.Sbsoft

C:\WINDOWS\Downloaded Program Files\webdlg32.dll
Disinfection failed

C:\WINDOWS\Downloaded Program Files\webdlg32.dll
Deleted

C:\Program Files\NewDotNet\newdotnet6_38.dll
Detected with: Application.Adware.NewDotNet.B

C:\Program Files\NewDotNet\newdotnet6_38.dll
Disinfection failed

C:\Program Files\NewDotNet\newdotnet6_38.dll
Deleted

And my HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 8:07:46 PM, on 6/27/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\PROGRAM FILES\WUSB11 WLAN MONITOR\WUSB11B.EXE
C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMON32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMon32.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [warez] "C:\PROGRAM FILES\WAREZ P2P CLIENT\WAREZ.EXE" -h
O4 - Startup: Microsoft Office.lnk = c:\WINDOWS\Application Data\Microsoft\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://163.181.142.17/wfica.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installfr...ll/iftwclix.cab
O16 - DPF: {2FF18E20-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.01) - http://www.msnbc.com...load/nm1228.cab
O16 - DPF: {5EADE0BC-B99F-4031-B60A-31ECA800E8CF} (TradecSwitcher.Switcher) - http://sas.tradec.co...decSwitcher.CAB
O16 - DPF: {5869FB02-63E4-11D4-A5D3-0050DA5F5B70} (TradecGetRegistryInfo.GetRegistryInfo) - https://sas.tradec.c...egistryInfo.ocx
O16 - DPF: {4492B1D2-6CBD-11D4-958F-00B0D02CEE1C} (TradecDataManager.DataManager) - https://www.01t.net/...DataManager.CAB
O16 - DPF: {4B4A2381-30C9-11D4-80A2-00B0D02CECB2} (TradecAutoCreate.AutoCreate) - https://www.01t.net/...cAutoCreate.CAB
O16 - DPF: {5FB836E6-30E8-11D4-80A2-00B0D02CECB2} (TradecPasteWiz.PasteWiz) - https://www.01t.net/...decPasteWiz.CAB
O16 - DPF: {9EB6A817-B74F-11D4-8168-005004630EB3} (TradecBWAutoCreate.BWAutoCreate) - https://sas.tradec.c...WAutoCreate.CAB
O16 - DPF: {CB13317E-30C9-11D4-80A2-00B0D02CECB2} (TradecValidateEdit.ValidateEdit) - https://sas.tradec.c...alidateEdit.CAB
O16 - DPF: {EBECDD4F-A5D2-407C-9B2E-E455E4E97FBD} (TradecCurrencyCnvrt.Currency) - https://sas.tradec.c...rrencyCnvrt.CAB
O16 - DPF: {5E511804-EC1E-11D4-8180-005004630EB3} (TradecMfgNameMgr.MfgNameMgr) - https://sas.tradec.c...cMfgNameMgr.CAB
O16 - DPF: {7C812FE0-BA23-11D3-8029-00105AA9E599} (TradecSQLControl.SQLQuery) - https://www.01t.net/...cSQLControl.CAB
O16 - DPF: {94356756-0DD4-11D5-95A0-00B0D02CEE1C} (TradecAddCol.AddEditCol) - https://www.01t.net/...radecAddCol.CAB
O16 - DPF: {E140215F-B436-11D4-8933-0050046313EB} (TradecAssignRecipients.AssignRecipients) - https://www.01t.net/...nRecipients.CAB
O16 - DPF: {55F2A52A-327E-11D4-8141-005004630EB3} (TradecSimpleGrid.Grid) - https://www.01t.net/...cSimpleGrid.cab
O16 - DPF: {A1B59EBD-63E7-11D4-A5D3-0050DA5F5B70} (TradecXMLUpload.XMLUpload) - https://www.01t.net/...ecXMLUpload.CAB
O16 - DPF: {E6F29F50-0E1E-44E7-AD07-CD466307ED16} (TradecSwitcher Control) - http://sas.tradec.co...decSwitcher.OCX
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab

[tampabelle]

Hi Kayseet,

Run Hijack This and click on scan. The following items need to be fixed -

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.


Reboot the PC in Safe Mode.

Open Add or Remove Programs (click on Start ---> Settings ---> Control panel. This should be the 3rd item). Uninstall or remove the following items -

New Dot Net

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folders and files -

C:\Program Files\NewDotNet <---- Full folder

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder. Dont delete the folder, only the files in it !!!!!!!!


Reboot the PC in Normal Mode.


Run Hijack This and post a fresh HJT log. Also let me know how your PC is behaving !!!!

[kayseet]

Well, I was just typing how I hadn't seen the blue screen of death since last night and then it showed up again!! Ha Ha!

The blue screen says it's a windows error and says the following: A FATAL EXCEPTION HAS OCCURRED AT 0028:C0006585 IN VXD VMM(01)+00005085. tHE CURRENT APPLICATION WILL BE TERMINATED....

I hit a key to terminate and the blue screen comes up with different numbers listed. I do this a couple of times and then I get a blank black screen that only goes away, when I turn off the PC.

Other than that...it did seem to be doing better last night after deleting the 2 viruses.

I went to clear out the files in the Prefetch folder and there is no Prefetch folder. It would not come up.

Thanks again!

Here is my Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 7:03:16 PM, on 6/28/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\PROGRAM FILES\WUSB11 WLAN MONITOR\WUSB11B.EXE
C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMON32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMon32.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [warez] "C:\PROGRAM FILES\WAREZ P2P CLIENT\WAREZ.EXE" -h
O4 - Startup: Microsoft Office.lnk = c:\WINDOWS\Application Data\Microsoft\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://163.181.142.17/wfica.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installfr...ll/iftwclix.cab
O16 - DPF: {2FF18E20-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.01) - http://www.msnbc.com...load/nm1228.cab
O16 - DPF: {5EADE0BC-B99F-4031-B60A-31ECA800E8CF} (TradecSwitcher.Switcher) - http://sas.tradec.co...decSwitcher.CAB
O16 - DPF: {5869FB02-63E4-11D4-A5D3-0050DA5F5B70} (TradecGetRegistryInfo.GetRegistryInfo) - https://sas.tradec.c...egistryInfo.ocx
O16 - DPF: {4492B1D2-6CBD-11D4-958F-00B0D02CEE1C} (TradecDataManager.DataManager) - https://www.01t.net/...DataManager.CAB
O16 - DPF: {4B4A2381-30C9-11D4-80A2-00B0D02CECB2} (TradecAutoCreate.AutoCreate) - https://www.01t.net/...cAutoCreate.CAB
O16 - DPF: {5FB836E6-30E8-11D4-80A2-00B0D02CECB2} (TradecPasteWiz.PasteWiz) - https://www.01t.net/...decPasteWiz.CAB
O16 - DPF: {9EB6A817-B74F-11D4-8168-005004630EB3} (TradecBWAutoCreate.BWAutoCreate) - https://sas.tradec.c...WAutoCreate.CAB
O16 - DPF: {CB13317E-30C9-11D4-80A2-00B0D02CECB2} (TradecValidateEdit.ValidateEdit) - https://sas.tradec.c...alidateEdit.CAB
O16 - DPF: {EBECDD4F-A5D2-407C-9B2E-E455E4E97FBD} (TradecCurrencyCnvrt.Currency) - https://sas.tradec.c...rrencyCnvrt.CAB
O16 - DPF: {5E511804-EC1E-11D4-8180-005004630EB3} (TradecMfgNameMgr.MfgNameMgr) - https://sas.tradec.c...cMfgNameMgr.CAB
O16 - DPF: {7C812FE0-BA23-11D3-8029-00105AA9E599} (TradecSQLControl.SQLQuery) - https://www.01t.net/...cSQLControl.CAB
O16 - DPF: {94356756-0DD4-11D5-95A0-00B0D02CEE1C} (TradecAddCol.AddEditCol) - https://www.01t.net/...radecAddCol.CAB
O16 - DPF: {E140215F-B436-11D4-8933-0050046313EB} (TradecAssignRecipients.AssignRecipients) - https://www.01t.net/...nRecipients.CAB
O16 - DPF: {55F2A52A-327E-11D4-8141-005004630EB3} (TradecSimpleGrid.Grid) - https://www.01t.net/...cSimpleGrid.cab
O16 - DPF: {A1B59EBD-63E7-11D4-A5D3-0050DA5F5B70} (TradecXMLUpload.XMLUpload) - https://www.01t.net/...ecXMLUpload.CAB
O16 - DPF: {E6F29F50-0E1E-44E7-AD07-CD466307ED16} (TradecSwitcher Control) - http://sas.tradec.co...decSwitcher.OCX
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab

[tampabelle]

hey Kayseet,

Just when I was hoping that everything is fine !!!!!!

Ok, we are in for another scan because the HJT log doesnt look so bad.

Please visit Kaspersky and do an online scan.

Post the scan report here

[kayseet]

Ok- I did the scan and they came up clean. I didn't do an email scan cause I don't use outlook. I just use my yahoo email. On a positive note, my computer hasn't frozen up or shown me the blue screen since earlier today.


Here are the results:

-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Tuesday, June 28, 2005 20:18:07
Operating System: Microsoft Windows 98 SE
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 29/06/2005
Kaspersky Anti-Virus database records: 135728
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: false

Scan Target - Critical Areas:
C:\WINDOWS
c:\windows\TEMP\

Scan Statistics:
Total number of scanned objects: 9420
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 1941 sec
No malware has been detected. The sections that have been scanned are CLEAN.

Scan process completed.
-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Tuesday, June 28, 2005 21:21:37
Operating System: Microsoft Windows 98 SE
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 29/06/2005
Kaspersky Anti-Virus database records: 135728
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: false

Scan Target - My Computer:
a:\
c:\
d:\

Scan Statistics:
Total number of scanned objects: 15983
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 3748 sec
No malware has been detected. The sections that have been scanned are CLEAN.

Scan process completed.

[tampabelle]

Hi Kayseet,


Please download VXD_FIX.zip and save it on your PC.

1) Extract the file to your hard drive.

2) Put your Windows CD in your CD Rom drive.

3) Then execute the VXD file, it will ask you which drive letter
represents your CD Rom drive... just follow the prompts.

4) It will seek out your CD Rom drive, take the required files
from the Install CD and rebuild your VMM32.DLL file...
and will then update your Windows installation.

Let me know how your pc is behaving !!!!!

[kayseet]

Hey-

I am on the hunt for my Windows CD. My computer was donated to me by my work so, we are searching. I will let you know ASAP how it goes.

Thanks again for all your help!

[tampabelle]

If you can get any Win 98 SE CD, that should do !! It need not be the CD from which it was installed on this PC.

[kayseet]

Ok- I ran the VXD_fix and it is running a little bit better. It is now lasting longer before I getthe blue screen. The lasttime I got it it was this error:

FATAL EXCEPTION OE HAS OCCUURED AT 0028:FF03FD21. PROGRAM WILL BE TERMINATED.

I hit enter and it brings me back to my desktop, but I lose my internet connection and it shows that it is still connected.

I then get the screen again and it freezes up completely.

Thanks!

[tampabelle]

Hi Kayseet,

It is clearly a issue of driver conflict / incompatilibity.

Can you tell me if you have installed any hardware / software at any time just before the problem started ??

I am also checking with my colleagues on this.

[kayseet]

Honestly, this has been going on for so long, I am not sure. The last thing I remember installing was the driver for my printer, but I can't say whether this was before or after the blue screen showed up. I wish I had more info for you, but I kind of put off fixing the situation for awhile.

Thanks!