This is my very 2nd (second) issue with the g2g team/staff..
This time, another WIN98SE Malware-Removal issue: my backup school work-study computer.

I've had some problems that may suggest the machine may need the cmos battery replaced: the clock has been acting up in various ways (from both being unplugged and while remaining plugged) as well as (though i'm unsure if related) new power management setting profiles refusing to remain saved.. and regarding the clock, sometimes it will be unplugged for about 20 min or so, and that's the total time lost when replugged back in at another locale (as i have been doing malware removal up on campus and have been toting the machine up onto campus for most of the downloads). I have a replacement battery lined up at a local store whose technician is currently tracking down a mobo upgrade for my original pc (primary school work-study computer), which they are willing to sell for five dollars, but the jury is still out as to whether i need the battery or not. I am curious what the opinion will be of the geeks to go staff member who decides to help me.

Regarding the connection problem: it seems i've been having dialup problems on 2 or 3 pc machines which i have been doing malware removal on, this year, from home (as opposed to ethernet connection to the school's lan right now, on those days which i am up on campus with the pc). These three machines have all had varying degrees of problems from time to time when connecting via 56k modem dialup from home, and all three having three differing types of modems, but all three running win98se, and connecting to the school's network via dialup. The most recent difficulty i have experienced, is that, i can connect to sites such as msn's entertainment tv guide listings, or to google for web browsing searches, but!.. i am completely unable to connect up on campus to the few major sites therein which i tried (again, mind you, using dialup networking modem connection on win98se from 56k modem dialup from home). Please Help! Also, I will be trying to take my machine up to the OIT department to see if they can fix it directly from there. (I've struck out on the cs campus though, as the student computer support team member found little to help me with there at the scst office, as they have no more dialup connections from that campus - it's all voip or something else or other, not sure, sorry: regardless though, it's not normal dialup any more up here).

Finally, I would just like to know if any of the above issues could be explained via any possible malware that may yet remain on my (this) machine, and what you would suggest:

I've provided the HJT here-in, bottom (below), and as for the "start_here" page, everything seemed to go off ok, i hope: aaw removed a ton of stuff, and avg found a bunch of warnings of things i had previously put on my own system myself, with a little c programming and a bat file i wrote - some possible false positives all of my own doing (?perhaps?). However, as for the rest of the malware removal, if i'm remembering correctly: i ran both housecall (which came up empty - no infected files) and activescan (which came up with 7 objects of spyware and 1 object of adware) which were Not disinfected.

I kept logs of everything and as with my last case, i endeavored to do all instructions in the order in which they were prescribed, again, as per the "start_here" page.

One thing notable is that i've recently reinstalled win98se on this machine, but the errors i received, i'm told by the scst team here (student computer support team), should Not have anything to do with the problems i'm experiencing: i eliminated the anti-virus faults by re-installing again from win98se startup disk clean-bootup method; and 2nd of three errors regards having a 5.25" floppy drive connected when win98se setup is looking to create a startup disk and thereby getting drive errors writing to A: and finding a 5.25" there; and lastly, third of three errors, ..

c:\Program Files\Common Files\SYSTEM\wab32.dll

..was reported at the end of both reinstalls also (in addition to the startup disk creation error), as being wrongly installed or possibly corrupted, but again, scst reported that this dll has to do with windows outlook express address book files or some such, and i don't use any sort of local email, other than webmail (via ie6 or netscape 4.77) from hotmail and also a custom client for the school, via the webfront, from time to time (otherwise i read my mail from a telnet or ssh (putty) client from one of my school unix/linux accounts).


Logfile of HijackThis v1.99.1
Scan saved at 11:18:43 PM, on 10/25/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.worldnet....arch/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape...nsearch200.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
F1 - win.ini: load=ptsnoop.exe
N1 - Netscape 4: user_pref("browser.startup.homepage", "about:blank"); (C:\Program Files\Netscape\Users\User00\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE (file missing)
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {BA549C46-AD38-11D7-A476-00D0590EC9DE} (SiS_OCX98 Control) - http://www.sis.com/o...utodetect98.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab

Hi bri...

Wow! Exceptional information!

I'd say the CMOS battery diagnosis is probably correct...all the signs are there. (This may possibly explain the 5.25" floppy showing up, too, if BIOS isn't holding its settings)

As for the connection problems...have you tried adding the URLs of the sites you can't access to Zone Alarm's "Allowed List"? Firewall denial would be my first guess on that one.

The WAB file is, indeed, the Outlook Address Book so no worries there.

I may have.. "skewed".. some of that, just a bit (perhaps more so), so i apologize if the info is not quite so ''exceptional'' (in the usual meaning) as might have been thought, but rather perhaps, as in, "threw the (?proverbial?) 'exception'": ... i have had an actual 5.25" installed (mounted myself, both hardware and software.. "-wise'es"), for quite some time now (as i had intended to investigate some freeware and shareware programming examples, for my use in learning more of my own programming (in at least one particular case: how to produce characteristic sounds from out of the pc builtin speaker (though, i've heard one can purchase this type of software, i wish to learn how to code this, in order to rightfully incorporate such within my own software applications (i used to play long ago with some apple//e code examples of such using the apple //'s peeks and pokes)) ...and i digress again: pardon me, for my.. malhabitual hazard: seems to go with the schizophrenia sometimes. .....

So, yes, the 5.25" drive is suPposed to be there.
But i still wonder that those other indicators may point towards the cmos battery, as you say, so my next step is to buy it and install it, i suppose.

Kat, and you all, confirmed to me last night that my old backup study pc is malware free, and Kat indicated i could go ahead with the protections to reduce re-infection potential for malware in the future. So i did. And i'm finished. I went at it til i was done: everything, including the kitchen sink, practically. And that's a lot of fun. *heheh* Seriously though, i got the sun java jre, and firefox, all the anti-spyware, and almost everything listed in Insipid's list on my previous malware issue (save for the multipled items), and came home, set her up on the kitchen table, and though the sites still take considerably long to load (expected with a 450mhz processor perhaps<?>, though i lowered the screen resolution and this seems to help some). So, now i can get through to the isp (school's) main pages, but i still got kicked off about 20 minutes after logging on (which is Not a school "timeout" interval), so i've tried lowering the values for the modem's advanced port settings (lowered both: receive buffer by one to 14, and transmit buffer by one to 16 (odd that: the values seem to remain the same, but the notches on the tool control did indeed lower by one each apiece), and i seem to be getting a longer uptime, but i remain unconvinced - plus the keyboard lag is pretty unbearable - at some point, i may try gathering some funds for a ram increase, if you think that might help.<???>

I'm not sure whether this setting change has sped up webpage loads yet, or not, but after all of the cleaning and protections, at least the first time up on the main college pages, seemed to remain "hooked" til the very tail end of the load, at which point the load went much faster - could this involve a setting i seem to remember reading about, wherein the browser front loads the download transfers, and only thereafter, loads the pages??
And might this only affect non-previously cached pages?
I'm trying to switch over to firefox now, and have set it as my default browser, since installing it this morning, since i've preferred netscape for ages, and have learned to appreciate the way mozilla works, from use of it this past half year now (or since perhaps before i installed it onto my friend's machine, which was the first malware removal (or case) i performed with g2g).

Thanks to all, who took time out during the ballgame (2005 world series) last night, and especially Kat and those who spoke with me, and for me (on my behalf), and in particular, wannabe1, for handling my issue/case .. thanks.! :tazz:))..


p.s. i was really mostly curious whether the machine was clean, and, just for the record, if i'd have thought of the game, i'd probably have called a delay on mine own.. my apologies, all. Enjoy!

p.p.s. one last thing: one of the things i had been needing to do, was a Zone Alarm update (which i also did - high speed connections are a wonderful thing), so that may have played a hand in the issue, in case people were wondering. :)

hey Wannabe1 .. you still out there ? I'm sorry it's taken me this long to determine this additional update needed doing..... ..but i've been trying to figure out how best next to proceed, and trying to determine a few intermediary steps on my own, with help from the university tech support helpdesk.

It seems that my modem problems are still lurking, and i'm wondering if i'm experiencing further hw probs.

I had the cmos battery replaced, which fixed some things, including the clock problems - she keeps the correct time now. HowEVer.. This is interesting - under my power profile display properties, energy saving settings - i am STILL UNable to save a power profile - i had thought that replacing the cmos battery would fix this, but apparently there is something Else at play here, any ideas ? (read on..)

I keep getting Win98SE OS error messages on a number of applications (i.e., the white centered half-screen-sized thin-bordered generic error messages that have only 2 grey active/enabled buttons, Close and Ignore, which state: ..


..<tab> An error has occurred in your program. To keep working anyway, ..
click Ignore and save your work in a new file. To quit this program, click Close. ..
..<tab> You will lose information you entered since your last Save. ..

....... [Close] ................. [Ignore] ""

..) ...and the last time this error occurred was with a-squared, which i still cannot get working properly - she'll sometimes do the updates properly, but i have yet to get an initial, complete scan in. The above error comes up with the "<program_name>" of "A2scan". (And as i stated, a number of other apps have come up with this type of error now, from avg and spywareguard, i think, even unto such ones normally totally free of this type of OS error, PuTTY.)

I wonder if maybe i could be experiencing some memory chip problems.

The help desk technician suggested (after hearing my modem woes, which still appear to be going on, with varying, random degrees of infrequency - i will have connections drop right in the middle of a connect session, only the modem will stay in the lower right corner task-bar system tray, and i can ping the dialup service ip FROM HOME USING DIALUP MODEM, as well as, at the same time, the temporary network ip, which i thought was only supposed to be accessible at the place i made that ip to be available/accessible (up on the ethernet at school (see previously within this post for further information)), But!..neither IE6 nor putty nor telnet, nor anything else i think to try to connect will work (again, while the modem system tray icon is still active) -- all there is for me to do is, disconnect, using the system tray icon, and then retry to connect, which often works, but i've also had days when this won't work, and i need to reboot in order to get connections to work --- and i've even had rare days, when i've been entirely unable to get connections to work at all no matter what i do, and i'm really rather unsure that i've done anything to correct this now - especially if it turns out to be an intermittent hardware problem) ....well anyway, back to what the univ helpdesk tech suggested - he stated that it appeared to him to either be a modem configuration problem (but now since then, i've gone through the help page for total configuration of win98se modem dialup connections to our network from home to dialing up onto campus, and while the connections may (or may NOT, i remain unsure even yet) ..have improved, i am yet experiencing *some* disconnects and drops, similar to before (the modem icon remains avail on system tray, but nothing works for ppp (point to point connection), nor any other type of transfer, aGain, *unTil* i drop connection and redial, at which point, it will again occur given some apparently random interval of time... 
Anyway, the 2nd thing he suggested, was to totally redo my ZoneAlarm settings, but i do not see how this could be the problem, as my connections work fine, but, without changing ANY settings ANYwhere in my os or any software, my browsing session (or telnet or putty) will simply cease to function (communicate).. i can see the zonealarm and modem system tray icons doing transfers, but the apps simply won't connect - ie6 comes up with a page not found Error web page, and other applications give their own error messages indicating no link to be had - putty states Putty Fatal Error, Network Error, and then either Connection Reset by Peer, or at other times, Connection Timed Out... (and i forget just what the error is for telnet but it's that standard one for no connection to be had).

... so i've been CONSIDERing picking up an old used ISA modem, which is what this old puppy needs, for about 10 or 15 dollars from a local thrift shop, but again, i am unsure this is necessary. It seems that a ZOOM Modem external (14.4kbd), which i'd been using for an old mac and my apple //e's and ][GS'es, ..Also gives the exact same behaviour and i know for a fact that this modem is good - it works just fine on slip connection from upstairs on the old apple ][GS.

Again, this machine of mine, i'm trying to fix, is an amd, k6-2, 450mhz pc.

Also for reminder, is that, i have REinstalled win98se a number of times on this machine.

I have made preparation to totally reinstall ZoneAlarm (with Fresh config's this time), but as yet have deferred to do so, until such time as it is further indicated as being useful - at this time, i simply see no need to do so, when i'm browsing and doing nothing else, and suddenly NO New pages NOR any further types of connection attempts succeed. No settings were touched, it simply and suddenly happens without any intervention on my part, and i fail to see how any software can be doing this to me, although i concede the possibility that occasional scans or checks could be going on in the background.

Something else that suddenly comes to mind, is that, on occasion, and it seems this *may* yet be going on: at times, it appears as though two different types of dialup connection apps, both win98se os apps though, will be vying for the modem (although the other one is a normal win98se type and not some winXP clone type of which i have previously seen, i believe elsewhere).


I would like to separate this final section from the rest of the post:..

Here Are The Things I Would Like to attempt to correct, as of now:..

Duplicate startup items (shown from within msconfig):..

There is a 2nd startup item called "LoadPowerProfile" - perhaps this is why i'm unable to save any power profile schemes ? (both of these schemes seem to list the exact same 'exec-line' description w/in msconfig)

There is a 2nd startup item called "Tweak UI" - one of the 'exec-line' descrips, ends in a parameter, "TweakMeUp", while the other ends in a parameter, "TweakLogon".

Those are the only Duplicated startup items.

However, there appears to be some more that need fixing, and these may possibly (or may not) be the source of some of the above-stated (and defined) os error dialog windows (generic white ones), regarding PestPatrol, which i had thought i had successfully and properly UNinstalled, previous to installing AAW for the first time (ad-aware).

Can we remove these two references to Pest Patrol, please? (perhaps using hijackthis)

""PestPatrol Control Center _<tab>_ C:\PROGRA~1\PESTPA~1\PPControl.exe""

and also, secondly of two,

""CookiePatrol _<tab>_ C:\PROGRA~1\PESTPA~1\CookiePatrol.exe""

I'm also curious, regarding startup items, whether it is possible to undo Windows Critical Updates - with dialup modem connections, the Trickler built into this app is REALLY annoying at times - although, it seems this annoyance may possibly be somewhat abated, if we spend the time to actually allow it to trickle, although i'd preFer a fully defined download dialog, complete with progress bar *groan* ...ALSo!.. i keep up with windows critical updates often enough on my own, in my own honest opinion - although, truthfully, i suppose the periods between my manual treating of windows critical updates for my win98se may be insufficient as regards even perhaps passing security measures/standards. *shrugs* I have no fear of doing them though, and when ie comes up with the suggestion, i will quite often take the time to do them, providing other support is in place, such as having a clean system (from malware) or configged properly, or just having the immediate time to do the job, etc. But i do not mind doing it when i have the time to do so, and more often than not, that is precisely what i do - take the time to do the windows critical update.

I believe the app in question, is: wucrtupd.exe

My own original system remains quite functional (although it will hopefully get the next malware removal op, or the one after that, failing that), without ms'es own annoying wincritupd ever having been installed, with just the ie6 reminders, and my own prudence and timely maintenance. Really, i would Not mind MS'es own auto-updater at all, if it were not so very.. annoying, for us poor modem dialup users. Sorry if this has come out to be more of a rant than a request for help.. lets get back to the issue, please?

One last word about the modem Dial-up Connection difficulties: that zoom modem i mentioned, i had it trying to connect to the university network from home, After the internal modem, more or less, 'seemed to go bad', for lack of better descrip.. so, that is to say, the connection would 'fault,' and then i would have to disconnect, using the modem system tray icon, and then i would immediately try to bring up a zoom external 14.4kbps modem connection (and the univ dialup pools DO Support this speed, and i Have Had ppp connections working on this machine with this modem - again, it just requires a redial or a reboot, failing that), but to no avail - this connection comes up, but no application will work: i get the exact same thing as the internal modem - browser apps come up with page not found Error web page notices, and putty and telnet show connection failures.

I apologize for the disorganization, this time. I'll try to wrap this up here.

I had written down "two different types of modem problems" and i think this just means, both faultings while connected, and also, failures at re-dialing, though i can see this may be the exact same problem, again, especially if it's hardware related, as i don't know much really, about either the software or the hardware.

I am still considering whether to buy a cheap 10-15 dollar ISA-slotted replacement internal modem card for this machine, from a local thrift shop that also deals in used pc's and parts.

I have also considered attaining a small backup hd for this system, in order to attempt complete ghosting or transferring of all essential data and a clean reinstall of win98se.

(I do Not have Norton Ghost, and may need a link at some point to a (preferably) free- or (possibly) share-ware alternative.)

Seems like there was something else i wanted to ask you to help me correct, Wannabe1, but i cannot think of it just now. Well, perhaps it will come to me a bit later on...

Please reply at your convenience,
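The duplicate-startup-item and PestPatrol-leftover questions in the post above are the kind of thing that can be checked mechanically from the O4 lines of a HijackThis log. The script below is an added example written for this thread (it is not a HijackThis feature and not code from any poster): it parses the registry-backed O4 lines, lists value names registered under more than one Run key, and lists entries whose command points into a given folder, here the PESTPA~1 directory shown in the posted log. The sample lines are copied from that log.

```python
"""Triage the O4 autostart lines of a HijackThis 1.99 log.
Added example for this thread; it is not part of HijackThis or the
original posts. It reports (1) value names registered under more than
one Run/RunServices key and (2) entries whose command points into a
given folder, such as the directory of a product believed uninstalled."""
import re
from collections import defaultdict

# Constructed sample: O4 lines copied from the log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

# Registry-backed O4 lines look like:  O4 - HKLM\..\Run: [ValueName] command
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)


def parse_o4(log_text):
    """Return one dict (hive, key, name, cmd) per registry-backed O4 line.
    'O4 - Startup:' folder entries carry no value name and are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def find_duplicates(entries):
    """Map each value name seen under more than one key to its locations.
    Each location is (hive\\key, command). A same-name pair under Run and
    RunServices can be legitimate (Win98's power-profile loader and Tweak UI
    both register that way), so this is a review list, not a verdict."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append((e["hive"] + "\\" + e["key"], e["cmd"]))
    return {n: locs for n, locs in by_name.items() if len(locs) > 1}


def find_product_entries(entries, folder_fragment):
    """Value names whose command contains folder_fragment (case-insensitive),
    e.g. the 8.3 folder name of a product the owner believes is removed."""
    frag = folder_fragment.lower()
    return [e["name"] for e in entries if frag in e["cmd"].lower()]


if __name__ == "__main__":
    found = parse_o4(SAMPLE_LOG)
    for name, locs in find_duplicates(found).items():
        same = "identical" if len({c for _, c in locs}) == 1 else "different"
        print(f"duplicate [{name}] ({same} commands):")
        for where, cmd in locs:
            print(f"    {where}: {cmd}")
    # PESTPA~1 is the folder the posted log shows for the PestPatrol leftovers.
    for name in find_product_entries(found, "PESTPA~1"):
        print(f"PestPatrol leftover: [{name}]")
```

To run it against a real log, replace SAMPLE_LOG with the file's contents; the startup-folder (O4 - Startup:) entries are skipped because they have no registry value name to compare.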

