[admin]

I suspect this entry is a trojan:
C:\WINDOWS\SYSTEM\WEBCHECK.EXE
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\webcheck.exe
Try this software that has a 30-day free trial:
http://www.moosoft.com/

Looks like a virus or worm:
O4 - HKLM\..\Run: [System32] System32.exe
O4 - HKLM\..\RunServices: [System32] System32.exe

It doesn't look like your anti-virus is performing very well for you. Here's another free online virus scan: http://housecall.antivirus.com/

Also, you may want to consider AVG's very good free version: http://www.grisoft.com/
But, only have one anti-virus software program running on your system at one time.

[Advertisements]

admin,

The Cleaner is a good software, infact as you told there was a trojan, but not only one!! This software found 13 trojans on my system !! Here is another HijackThis Log:

Logfile of HijackThis v1.97.7
Scan saved at 18:01:37, on 16/04/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\STOMPSOFT\SPYWARE X-TERMINATOR\PPMEMCHECK.EXE
C:\PROGRAM FILES\STOMPSOFT\SPYWARE X-TERMINATOR\COOKIEPATROL.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WEBCHECK.EXE
C:\WINDOWS\TWAIN_32\CIS600X\WATCH.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\THE CLEANER\TCA.EXE
C:\PROGRAM FILES\THE CLEANER\TCM.EXE
C:\WINDOWS\DESKTOP\PROGAMS\HIJACKTHIS\HIJACKTHIS.EXE

F1 - win.ini: run=hpfsched
O2 - BHO: SafeGuard Popup Blocker - {B824E7B0-E8E3-4D75-895E-2C309EA4CC5D} - C:\PROGRAM FILES\SAFEGUARD POPUP BLOCKER PRO\SGPOPUPBLOCKER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Popup Blocker Updater] regsvr32 /s C:\WINDOWS\SYSTEM\SFG18B1.DLL
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [System32] System32.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MailDefense] C:\Program Files\InDefense\MailDefense\maildefense.exe 0
O4 - HKLM\..\Run: [ndpwatch] C:\Program Files\InDefense\MailDefense\ndpwatch.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\STOMPS~1\SPYWAR~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [tcactive] C:\PROGRAM FILES\THE CLEANER\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\PROGRAM FILES\THE CLEANER\tcm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [System32] System32.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\webcheck.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\CIS600X\WATCH.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Popup Blocker Options (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\indefense\maildefense\ndpwsspr.dll
O10 - Unknown file in Winsock LSP: c:\program files\indefense\maildefense\ndpwsspr.dll
O10 - Unknown file in Winsock LSP: c:\program files\indefense\maildefense\ndpwsspr.dll
O10 - Unknown file in Winsock LSP: c:\program files\indefense\maildefense\ndpwsspr.dll
O10 - Unknown file in Winsock LSP: c:\program files\indefense\maildefense\ndpwsspr.dll
O10 - Unknown file in Winsock LSP: c:\program files\indefense\maildefense\ndpwsspr.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://http.gamezone...0.20/tukati.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masmin.../aplicacion.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab


What do you say about this log? I Hope that my pc is clean!

Thank You very much for your patience

[alandemartino]

admin,

The Cleaner is a good software, infact as you told there was a trojan, but not only one!! This software found 13 trojans on my system !! Here is another HijackThis Log:

Logfile of HijackThis v1.97.7
Scan saved at 18:01:37, on 16/04/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\STOMPSOFT\SPYWARE X-TERMINATOR\PPMEMCHECK.EXE
C:\PROGRAM FILES\STOMPSOFT\SPYWARE X-TERMINATOR\COOKIEPATROL.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WEBCHECK.EXE
C:\WINDOWS\TWAIN_32\CIS600X\WATCH.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\THE CLEANER\TCA.EXE
C:\PROGRAM FILES\THE CLEANER\TCM.EXE
C:\WINDOWS\DESKTOP\PROGAMS\HIJACKTHIS\HIJACKTHIS.EXE

F1 - win.ini: run=hpfsched
O2 - BHO: SafeGuard Popup Blocker - {B824E7B0-E8E3-4D75-895E-2C309EA4CC5D} - C:\PROGRAM FILES\SAFEGUARD POPUP BLOCKER PRO\SGPOPUPBLOCKER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Popup Blocker Updater] regsvr32 /s C:\WINDOWS\SYSTEM\SFG18B1.DLL
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [System32] System32.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MailDefense] C:\Program Files\InDefense\MailDefense\maildefense.exe 0
O4 - HKLM\..\Run: [ndpwatch] C:\Program Files\InDefense\MailDefense\ndpwatch.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\STOMPS~1\SPYWAR~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [tcactive] C:\PROGRAM FILES\THE CLEANER\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\PROGRAM FILES\THE CLEANER\tcm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [System32] System32.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\webcheck.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\CIS600X\WATCH.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Popup Blocker Options (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\indefense\maildefense\ndpwsspr.dll
O10 - Unknown file in Winsock LSP: c:\program files\indefense\maildefense\ndpwsspr.dll
O10 - Unknown file in Winsock LSP: c:\program files\indefense\maildefense\ndpwsspr.dll
O10 - Unknown file in Winsock LSP: c:\program files\indefense\maildefense\ndpwsspr.dll
O10 - Unknown file in Winsock LSP: c:\program files\indefense\maildefense\ndpwsspr.dll
O10 - Unknown file in Winsock LSP: c:\program files\indefense\maildefense\ndpwsspr.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://http.gamezone...0.20/tukati.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masmin.../aplicacion.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab


What do you say about this log? I Hope that my pc is clean!

Thank You very much for your patience

[admin]

Still some cleaning to do. Let's try this, reboot in safe mode (by tapping F8 at startup and selecting safe mode from the menu).

C:\WINDOWS\SYSTEM\WEBCHECK.EXE
O4 - HKLM\..\Run: [System32] System32.exe
O4 - HKLM\..\RunServices: [System32] System32.exe
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\webcheck.exe

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log.

[alandemartino]

Logfile of HijackThis v1.97.7
Scan saved at 08:06:14, on 17/04/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\STOMPSOFT\SPYWARE X-TERMINATOR\PPMEMCHECK.EXE
C:\PROGRAM FILES\STOMPSOFT\SPYWARE X-TERMINATOR\COOKIEPATROL.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\WEBCHECK.EXE
C:\WINDOWS\TWAIN_32\CIS600X\WATCH.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\PROGAMS\HIJACKTHIS\HIJACKTHIS.EXE

F1 - win.ini: run=hpfsched
O2 - BHO: SafeGuard Popup Blocker - {B824E7B0-E8E3-4D75-895E-2C309EA4CC5D} - C:\PROGRAM FILES\SAFEGUARD POPUP BLOCKER PRO\SGPOPUPBLOCKER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Popup Blocker Updater] regsvr32 /s C:\WINDOWS\SYSTEM\SFG18B1.DLL
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MailDefense] C:\Program Files\InDefense\MailDefense\maildefense.exe 0
O4 - HKLM\..\Run: [ndpwatch] C:\Program Files\InDefense\MailDefense\ndpwatch.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\STOMPS~1\SPYWAR~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [tcactive] C:\PROGRAM FILES\THE CLEANER\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\PROGRAM FILES\THE CLEANER\tcm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\CIS600X\WATCH.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Popup Blocker Options (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\indefense\maildefense\ndpwsspr.dll
O10 - Unknown file in Winsock LSP: c:\program files\indefense\maildefense\ndpwsspr.dll
O10 - Unknown file in Winsock LSP: c:\program files\indefense\maildefense\ndpwsspr.dll
O10 - Unknown file in Winsock LSP: c:\program files\indefense\maildefense\ndpwsspr.dll
O10 - Unknown file in Winsock LSP: c:\program files\indefense\maildefense\ndpwsspr.dll
O10 - Unknown file in Winsock LSP: c:\program files\indefense\maildefense\ndpwsspr.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://http.gamezone...0.20/tukati.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masmin.../aplicacion.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab

What my pc Status now?

Thank You very much

[ditto]

well webcheck.exe is still there so we need to get rid of this. Did you restart in Safe Mode?

Also, is you maildefense program expired?

[alandemartino]

ditto,

When i tapped [F8] nothing happened. Does that depend on the system? Just for
my knowledge, when you start in safe mode what do you expect to happen? Does it decrease the risk of being infected? Anyway my mail defense is expired!!

alandemartino

[admin]

When i tapped [F8] nothing happened. Does that depend on the system?

You need to continue tapping F8 until a menu appears, an alternative that works on most systems is to hold down the Control (Ctrl) key while rebooting.

Just for my knowledge, when you start in safe mode what do you expect to happen?

You'll start Windows in a special diagnostic mode, and you'll see the words "Safe Mode" in each corner. Safe Mode loads a very limited set of protected drivers, and allows removal of processes that may be running when running Windows in normal mode.

[ditto]

If maildefense is expired and you don't use, then please uninstall it. I think it may be giving you some trouble.

[alandemartino]

I started the windows in SafeMode (by pressing [CTRL ]) and i ran HijackThis. By the way i can't uninstall Mail Defense beacuse it doesn't have the uninstaller. I deleted it, did i do the right thing? Thank you all!

Logfile of HijackThis v1.97.7
Scan saved at 09:33:34, on 18/04/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\DESKTOP\PROGAMS\HIJACKTHIS\HIJACKTHIS.EXE

F1 - win.ini: run=hpfsched
O2 - BHO: SafeGuard Popup Blocker - {B824E7B0-E8E3-4D75-895E-2C309EA4CC5D} - C:\PROGRAM FILES\SAFEGUARD POPUP BLOCKER PRO\SGPOPUPBLOCKER.DLL
O2 - BHO: (no name) - {0D929918-C804-4756-B0AC-640EF3F061E9} - C:\PROGRAM FILES\SMARTPOPUPBLOCKER\POPUPBLOCKERBHO.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Popup Blocker Updater] regsvr32 /s C:\WINDOWS\SYSTEM\SFG18B1.DLL
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MailDefense] C:\Program Files\InDefense\MailDefense\maildefense.exe 0
O4 - HKLM\..\Run: [ndpwatch] C:\Program Files\InDefense\MailDefense\ndpwatch.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\STOMPS~1\SPYWAR~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [tcactive] C:\PROGRAM FILES\THE CLEANER\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\PROGRAM FILES\THE CLEANER\tcm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\CIS600X\WATCH.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Popup Blocker Options (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\indefense\maildefense\ndpwsspr.dll
O10 - Unknown file in Winsock LSP: c:\program files\indefense\maildefense\ndpwsspr.dll
O10 - Unknown file in Winsock LSP: c:\program files\indefense\maildefense\ndpwsspr.dll
O10 - Unknown file in Winsock LSP: c:\program files\indefense\maildefense\ndpwsspr.dll
O10 - Unknown file in Winsock LSP: c:\program files\indefense\maildefense\ndpwsspr.dll
O10 - Unknown file in Winsock LSP: c:\program files\indefense\maildefense\ndpwsspr.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://http.gamezone...0.20/tukati.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masmin.../aplicacion.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab

[ditto]

Please Download LSPFix from http://www.cexx.org/lspfix.htm and Run the Program. Disconnect from the Internet and close all Internet Explorer Windows. Check the "I know what I'm doing" Button and remove all traces of [ndpwsspr.dll]. Reboot and post a fresh log.

[alandemartino]

Logfile of HijackThis v1.97.7
Scan saved at 16:58:34, on 18/04/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\STOMPSOFT\SPYWARE X-TERMINATOR\PPMEMCHECK.EXE
C:\PROGRAM FILES\STOMPSOFT\SPYWARE X-TERMINATOR\COOKIEPATROL.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TWAIN_32\CIS600X\WATCH.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\PROGAMS\HIJACKTHIS\HIJACKTHIS.EXE

F1 - win.ini: run=hpfsched
O2 - BHO: SafeGuard Popup Blocker - {B824E7B0-E8E3-4D75-895E-2C309EA4CC5D} - C:\PROGRAM FILES\SAFEGUARD POPUP BLOCKER PRO\SGPOPUPBLOCKER.DLL
O2 - BHO: (no name) - {0D929918-C804-4756-B0AC-640EF3F061E9} - C:\PROGRAM FILES\SMARTPOPUPBLOCKER\POPUPBLOCKERBHO.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Popup Blocker Updater] regsvr32 /s C:\WINDOWS\SYSTEM\SFG18B1.DLL
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [ndpwatch] C:\Program Files\InDefense\MailDefense\ndpwatch.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\STOMPS~1\SPYWAR~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\CIS600X\WATCH.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Popup Blocker Options (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://http.gamezone...0.20/tukati.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masmin.../aplicacion.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab


By the way i have a problem on removing Spyware X terminator Trail Version, becuase i does'nt have the unistaller!

[ditto]

Try Add/Remove Programs located Start->settings->control panel. Click on the Add/Remove Programs icon and then scroll down and look for Spyware X terminator.

Let me know if its there.

[alandemartino]

Hey .. Thanks ditto it's there and i uninstalled it!!! What about my logfile?

[ditto]

It looks good to me . Are you still having trouble?

If everything seems to be working okay you can delete the Hijack This folder.

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use).

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.
Link to SpywareBlaster: http://www.javacools...areblaster.html

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

[alandemartino]

Thanks Ditto now it is better, but when i have up to 3-4 windows opened, and i minimize one, it takes time to minimize (it is not minimize all at once, but it is like split in three, and then each part is minimize - one after the other). Also when i have about 3-4 opened windows, if i restore a window, only the window border is restored and the background remains the same as it was (ex. desktop or another window). But when i close a window and then restore the first one again everything works fine!! I checked the computer performance to see whether it is low in resources but it was 70%. Do you think that it's some sort of a virus? Any help is appreciated