ajelliott 0 Light Poster

As it turned out... I did take the time to learn Dreamweaver and went on to create several web pages for other orgs as volunteer support and as a way to build up web building skills.

I now use it at work and maintain our company site. More recently work has agreed to purchase the Adobe Web Premium suite for me to use which will have an updated version of Dreamweaver, Photoshop and all the other cool bells and whistles. I can’t wait!

Thanks for all the suggestions; it was great to read all the responses.

:)

ajelliott 0 Light Poster

Reboot computer, hitting the F8 key and enter safe mode, and run all the scan programs in safe mode.

Sorry this did not solve the problem.

AVG did not find any virus while in safe mode but I know they are still there. Maybe a review of my HJT log will help.

Thank you in advance.

ajelliott 0 Light Poster

I used the Merijn HJT tutorial to identify many problems from start/search pages to auto loading programs, BHOs (R0s to O18s) to extra protocols.

I was able to eliminate many things going on, however there is something more evil lurking in the background and the Trojans are popping up all over. I can't get it under control fast enough to slow it down enough to see what's what.

I think there is a lot of crap happening in the section before the R0s in the section called "Running Process" which I suspect may be repopulating the viruses, causing a spiral out of control.

AVG & Norton can't get it under control and CWShredder says it's not a cool wave variant. Some of the stuff detected is: TH Downloader.Small.9x, Backdoor.SdBot.69.Ag (changes variations by the minute), Startpage.11.A, Proxy.7.F and the very persistent Backdoor.Flood.

Merijn, I think, removed the articles regarding evaluating "Running Process". Probably everything after the "D:\Downloads F\Tech Support\HijackThis.exe" line is bad.

Even though I would like to be independent and solve this problem on my own I need help on this desperately, please.

updated Win 2000 Pro on a P3-450 & 256 MB ram

Logfile of HijackThis v1.97.7
Scan saved at 10:26:41 AM, on 31/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

ajelliott 0 Light Poster

HJT Log:

Logfile of HijackThis v1.97.7
Scan saved at 4:23:25 PM, on 06/27/2004
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
D:\AJE HELP\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://signin.ebay.ca/aw-cgi/eBayISAPI.dll?SignIn&UsingSSL=0&pUserId=&ru=http%3A%2F%2Fcgi1.ebay.ca%2Faw-cgi%2FeBayISAPI.dll%3FMyEbayLogin%26pass%3D%7B_pass_%7D%26userid%3D&pp=pass&pageType=174&i1=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by @Home Network Version 1.7
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: EasyPhoto Launch Pad.lnk = D:\EasyPhoto\Ezlaunch.exe
O9 - Extra button: RealGuide (HKLM)
O9 - Extra button: @Home (HKCU)
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 …

ajelliott 0 Light Poster

I have an opportunity to work with Microsoft's Small Business Server and have been studying up on the specs. They claim they have great security built into their infrastructure.

The following is a small blurb from: http://download.microsoft.com/download/1/9/9/19965e37-b219-4196-9ed7-a8d36227c5bb/WindowsSBS2003-businessvaluewhitepaper.doc

Sounds great, and in all the white pages I have been reading there is wonderful marketing information... but what I am looking for is real experience from IT professionals that know what security issues I may expect.

"Windows Small Business Server 2003 is built on Microsoft Windows Server 2003, the operating system that has increased available services by 275 percent while mitigating attacks against the server by 60 percent. Wizards simplify security settings and help to make sure that all the necessary security steps are taken. Windows Small Business Server 2003 includes an internal firewall and also supports external firewalls. In fact, Windows Small Business Server 2003 contains tools that protect your business automatically.

Increased confidence in the IT infrastructure represented 12 percent of the identified benefits in the survey. The increased stability and security of Windows Small Business Server 2003 leads to a reduction in IT issues, allowing for savings in IT support expenses".... blah, blah, blah.

Please let me know your concerns.

ajelliott 0 Light Poster

Glad we could help AJ; I hope you're getting well paid for this new-found role of "Family Computer Fixer" that you seem to have fallen into.... :mrgreen:

- Marking as solved

I don't get paid at all, except for the knowing that I have helped them stay in touch.

ajelliott 0 Light Poster

I am a part of a large family in a small community. Many of my family have moderately old computers, which they use to maintain contact with each other and friends. A virus here spreads quickly within the community to those who have little to no computer training. Many individuals live on fixed or lower incomes so this service is a great and needed value.

It is my goal to help educate by teaching safe computer practices and passing along the tools that help to keep their systems up to date and protected. I provide assistance free of charge because it feels good to help people I care about to maintain an independence and connection, which without may otherwise be inaccessible.

Your assistance is greatly appreciated by us all.

I will apply the suggested fix and repost the HJT log.

ajelliott 0 Light Poster

Pam's system is running great for an oldie. It does what she needs and considering the limits of income; your assistance in helping me to keep her system running well has greatly enabled her world.

Blessings to you!

ajelliott 0 Light Poster

Installed Ad-Aware and found 287 pieces of spyware.
Ran Spybot and found 26 problems and fixed.

Here is the latest HJT log: Your feedback is appreciated greatly.
Logfile of HijackThis v1.97.7
Scan saved at 11:01:55 PM, on 16/06/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SA3DSRV.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\WINDOWS\CPQDIAG\CPQDFWAG.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\COMPAQ\INTERNET\ISDBDC.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\DESKSITE\BIN\CMA.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\LIME_SHOP\LIMESHOP0.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\JAVASOFT\JRE\1.3.1_04\BIN\JAVAW.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\LIME_SHOP\LIMESHOP1.EXE
C:\CPQS\BACKWEB\PROGRAM\BACKWEB.EXE
C:\WINDOWS\DESKTOP\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
O2 - BHO: (no name) …

ajelliott 0 Light Poster

Just started working with Jenifer's computer. Her system has a lot of stuff that is slowing the system down.
Compaq Presario Celeron unknown processor speed, running 95 mb Ram :?:

There is a XMI, Parse.dll message at start up.
Ran updated CWShredder, revealed no bad CWS.

Please help her by advising what items are suspect running on her system.

Logfile of HijackThis v1.97.7
Scan saved at 10:00:40 PM, on 16/06/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SA3DSRV.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\WINDOWS\CPQDIAG\CPQDFWAG.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\COMPAQ\INTERNET\ISDBDC.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GATOR.COM\GATOR\GATOR.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\NETRATINGS\PREMETER\PRMT.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\WEBHANCER\PROGRAMS\WHSURVEY.EXE
C:\PROGRAM FILES\WEBHANCER\PROGRAMS\WHAGENT.EXE
C:\PROGRAM FILES\DESKSITE\BIN\CMA.EXE
C:\PROGRAM FILES\LIME_SHOP\LIMESHOP0.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\HOTBAR\BIN\4.4.6.0\HBINST.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\JAVASOFT\JRE\1.3.1_04\BIN\JAVAW.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\LIME_SHOP\LIMESHOP1.EXE
C:\CPQS\BACKWEB\PROGRAM\BACKWEB.EXE
C:\WINDOWS\DESKTOP\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com

ajelliott 0 Light Poster

Ran the suggested fix and rebooted in safe mode but didn't find the snp32m.exe even after setting the OS to show hidden files.

Here is the updated HJT log. :lol:

Logfile of HijackThis v1.97.7
Scan saved at 1:02:57 PM, on 6/14/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O9 - …

ajelliott 0 Light Poster

While on the subject of learning I have another question...
It's related to the first so I don't think it should be a new thread.

When you look at the HJT log, what is it that we're looking at? It's not a task list; is it a portion of the registry of running processes? What word or terminology would you use to describe the contents of the log file?

Okay so that's 3 questions.....

ajelliott 0 Light Poster

Older system running Windows 98
Ran CWShredder, no problems
AVG sees Dyfica Trojan without being able to fix it.
Ran Spybot and fixed 17 problems.

Please analyse her HJT log. :lol:


Logfile of HijackThis v1.97.7
Scan saved at 12:07:40 PM, on 6/13/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\DESKTOP\AE\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SNP32M] C:\WINDOWS\SYSTEM\SNP32M.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] …

ajelliott 0 Light Poster

I am inspired to respond to your question for several reasons. First of all, if you are a quick learner you will probably love going to school. I went to DeVry in Pomona, California and got hired to work for Hewlett Packard right out of school. HP moved me to Seattle and I loved working there.

My degree is in CIS but as it turned out I did not feel I learned enough about programming to be a programmer. I excelled more in database design and applications. I have an art background and love working with designing business processes. I went on to excel in business management. DeVry is great for giving you an overall business education.

Those students that were good learners took what we studied and beyond and became great programmers. I had a very in-depth discussion about it one day with one of my professors and a friend of mine who was top of our class, seemingly without effort. Our professor said “DeVry will teach you enough to make you dangerous, but the real education is what you take home with you to continue your studies in the areas that interest you.”

My friend and I both graduated with honors, his much higher than mine because he is bloody brilliant. He went out to work as a programmer for a good company, and I went on to work as a CE for HP in Enterprise support services. He and I did our senior projects …

ajelliott 0 Light Poster

I appreciate very much the support you all provide to us home users. I find this very interesting and want to learn to interpret the logs to help others fix their computers too.

It’s a bit scary, because I don’t want to make a check on an item that needs to be there. As well, I don’t want to leave something that needs to be fixed.

It will take time before I trust myself to interpret the logs on my own. Until then it seems every few days I hear of another person in my community having problems with these same issues. I wonder what’s going on... have the virus pushers found new ways to bypass Norton and other antivirus programs, or has all this been around since the beginning, and I’ve only become aware of it recently?

I am just like anyone else feeling secure with my Norton updates and Ad-aware. But I found so much crapware running on my two home systems and one I thought was completely clean. It seems that if I run CWShredder on any computer I will find a Trojan even if the owner has been following all the basic known precautions. It’s obviously not enough anymore. Maybe with all the spyware detecting programs becoming more of a routine the crapware pushers are finding more clever ways of polluting our systems. I don’t know.

ajelliott 0 Light Poster

I will post the updated HJT log after completing the fixes.

Your support is greatly appreciated.

ajelliott 0 Light Poster

My sister just returned from London on vacation. I have waited to run these fixes to get her verification before making any major changes to her computer.

We now have the changes and I have shown her the HJT logs. I will post the updated log once we get a chance to run the fixes.

Thank you for your help and support on this one.

ajelliott 0 Light Poster


and this one for good and bad LPS's=O10's in the log
http://www.angeltowns.com/members/zupe/lsps.html

What does the term "LPS's" mean?

ajelliott 0 Light Poster

This is my sister's old home business computer. P200, Win98, 256 mb ram.
It would make a good boat anchor.

I knew it was having problems so I told her I would try to help. I ran CWShredder three times in safe mode and found 2 Trojans. CWS now says it's clean.

Ran updated Ad-aware and found only 12 issues. Also ran Spybot, which fixed several issues.

The following is the HJT log: :lol: Your feedback is greatly appreciated!

Logfile of HijackThis v1.97.7
Scan saved at 10:05:29 PM, on 6/7/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\DESKTOP\TECH LOG FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.searchalot.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = nov
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = nov
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = nov
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = nov
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = nov
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = nov
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = nov
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL
O4 - HKLM\..\Run: …

ajelliott 0 Light Poster

There are still weird things going on in this computer.
Shortcuts on the desktop have been duplicating in groups of 6 or more. I ran Adware 6 again and found one more item.

Ran dllfix

Here is the log output file:

--==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST           @@@***==--


07/06/2004
19:20


System Info:


Microsoft Windows XP [Version 5.1.2600]
C: "PRESARIO" (EC73:7C94) - FS:NTFS clusters:4k
Total: 115 866 128 384 [108G] - Free: 100 091 215 872 [93G]



*IE version and Service packs:
6.0.2800.1106  C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0  C:\WINDOWS\system32\notepad.exe
5.1.2600.0  C:\WINDOWS\notepad.exe
*Media Player version :
8.0.0.4490  C:\Program Files\Windows Media Player\wmplayer.exe


! REG.EXE VERSION 2.0


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion    REG_SZ  ;SP1;Q813489;Q330994;Q818529;Q822925;Q828750;Q824145;Q832894;Q837009;Q831167;


Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\MSXML3A.DLL +++ File read error
\\?\C:\WINDOWS\System32\MSXML3A.DLL +++ File read error



Scanning for main Hijacker:



REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710


REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}]
@="MyWebSearch Search Assistant BHO"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01F44A8A-8C97-4325-A378-76E68DC4AB2E}]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}]
@="mwsBar BHO"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13F537F0-AF09-11d6-9029-0002B31F9E59}]
@="Yahoo! Companion BHO"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{243B17DE-77C7-46BF-B94B-0B5F309A0E64}]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E7BD74F-2B8D-469E-C0FF-FD60B590A87D}]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9FB534E3-67CB-4307-AE0A-9E8B5581BE2C}]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]


REGEDIT4


[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]


[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"


[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"


[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"


[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"


[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"


[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"


[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"


[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]
"CLSID"="{807553E5-5146-11D5-A672-00B0D022E945}"



! REG.EXE VERSION 2.0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls    REG_SZ


*Security settings for 'Windows' …

ajelliott 0 Light Poster

There is no search button; it will just say YES or NO.
When you are checking a CWS, you don't put in the http://www.,
just this part [couldnotfind.com], and the NO will change to a YES.

I will try this when I get home. Working at my sister's house today trying to fix her kid's computer.... :(

Yuck what a mess! Even the keys in the keyboard stick together.

ajelliott 0 Light Poster

You can just go here to access the domains directly too.

http://users.skynet.be/bk136527/CWS/CWSdomains.htm

Hey, thanks for the suggestion...

Are there any tutorials that explain this link and how to use it?

ajelliott 0 Light Poster

Might I suggest Ad-Aware and Spybot

Download the latest version of Ad-Aware at ADAWARE

Download SPYBOT

How to setup Ad-Aware and Spy-Bot S&D
http://www.zerosrealm.com/scanning.php

And after that, please do the following:

Run CWShredder again, but run it in safe mode, and then post a new HijackThis log.

Ok: :lol:
1). Ran updated Ad-aware 6 (80 items fixed)
2). Ran Spybot w/ 76 problems identified and fixed. When Spybot was working its fix, several messages popped up saying applications or DLLs failed to start because (path) file could not be found.... etc.
3). Ran CWShredder in safe mode, it said the scan was "completely clean".
4). I was able to download Dllfix.exe (I think it was failing because I was logged in w/o administrator permissions) but I haven't run it yet.
5). I rescanned using HJT and the following is the log:

Logfile of HijackThis v1.97.7
Scan saved at 17:36:48, on 07/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\msCMTSrvc.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe

ajelliott 0 Light Poster

Working on my sister's kid's computer.
Compaq Presario AMD Athlon XP 2600+ 2.13 GHz w/ 512Mb Ram
Win XP Home w/sp1

First thing on boot was the Bridge.dll not found message.

Went to download dllfix.exe from the link on Daniweb http://tools.zerosrelm.com/dllfix.exe but it won't work.

Each time I hit this link the browser locks up..... Weird

I found another link from another site but the same thing happens.

I ran CWShredder from disk and found CWS.jksearch and 1 infected IE Registry value, which it said it fixed. Rebooted

Still can download dllfix.exe same deal with locking up. :rolleyes:

Ran HijackThis utility; the following is the log:
Logfile of HijackThis v1.97.7
Scan saved at 12:05:46, on 07/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\WINDOWS\hjllkqqx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\System32\oslagp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\windows\msbb.exe
C:\Program Files\CompuServe 7.0\cstray.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Guest\Desktop\tech tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qca7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar …

ajelliott 0 Light Poster

:o Ok, I made a screenshot of CWShredder using the " ,/debug not " switch, but I don’t know how to embed it into this reply.

Help.... anyone?

ajelliott 0 Light Poster

I tried this and it worked as far as to bring up a different aspect of CWShredder. I can see where to paste the line but there is no button to execute the search.

It looks like this:
[IMG][IMG]C:\cwshreader.jpg[/img][/IMG]

ajelliott 0 Light Poster

If you have CWShredder installed on your computer, create a shortcut to it on your desktop, right-click it and go to Properties. In the target line add this: /debug not (there is a space between what's there and the /).
Now when you click on the shortcut you created, you use Shredder as a tool to search CWS, like this: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_..._id=138308. From that line you copy and paste this into the Shredder tool:
couldnotfind.com, and it will tell you if it is or isn't CWS.

ajelliott 0 Light Poster

I was wondering if you would be willing to share the tools you use to interpret the HijackThis logs? I have the Task List from www.answeresthatwork.com and it's great to see what’s running, but how is it that you know the names of all the processes out there and the right ones to delete using the HJT tool? You must have some kind of list that is updated daily.

For Example, I was advised to remove this line using the HJT tool:
O2 - BHO: (no name) - {221E8D90-C439-4297-B84A-EA3291D7CB1A} - C:\WINNT\system32\ebnel.dll (file missing)

What about this line gives you the clues? No name, ebnel.dll, or “file missing”?
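As an added illustration (not part of any post here, and not the method the forum helpers used), the Python below parses HijackThis R0/R1 and O2 lines copied from the logs on this page and reports which traits of each line stand out. The function name `triage`, the constant `SAMPLE_LOG` and the three heuristics are assumptions chosen for this example; they are triage hints, not verdicts.

```python
import re
from collections import defaultdict

# Sample lines copied from the HijackThis logs on this page.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ebnel.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe Reader\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {221E8D90-C439-4297-B84A-EA3291D7CB1A} - C:\WINNT\system32\ebnel.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
"""

# R0-R3: Internet Explorer start/search page settings ("key = value").
R_ENTRY = re.compile(r"^(R[0-3]) - (?P<key>.+?) = (?P<value>.*)$")
# O2: Browser Helper Object ("name - {CLSID} - path [(file missing)]").
BHO_ENTRY = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$")
# A res:// URL loads an HTML resource embedded in a local DLL.
RES_DLL = re.compile(r"^res://(?P<dll>.+?\.dll)/", re.IGNORECASE)
OBFUSCATED = " (obfuscated)"


def triage(log_text):
    """Return {log line: [reasons]} for entries that deserve a closer look."""
    findings = defaultdict(list)
    res_dlls = set()   # DLLs that IE settings load their pages from
    bhos = []          # (line, lower-cased path, file-missing flag)
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = R_ENTRY.match(line)
        if m:
            value = m.group("value")
            if value.endswith(OBFUSCATED):
                value = value[:-len(OBFUSCATED)]
                findings[line].append("HijackThis tagged the value as obfuscated")
            res = RES_DLL.match(value)
            if res:
                res_dlls.add(res.group("dll").lower())
                findings[line].append("IE page is served from inside a local DLL")
            continue
        m = BHO_ENTRY.match(line)
        if m:
            bhos.append((line, m.group("path").lower(), bool(m.group("missing"))))
    # Second pass: correlate BHOs with the DLLs seen in the R entries.
    for line, path, missing in bhos:
        if missing:
            findings[line].append("BHO is registered but its file is not on disk")
        if path in res_dlls:
            findings[line].append("same DLL is referenced by a res:// IE setting")
    return dict(findings)


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in reasons:
            print("    -", reason)
```

On these sample lines, "(no name)" alone is not a signal: the Adobe Reader helper has no name either and is not reported, while the ebnel.dll BHO is reported for both the missing file and the match with the res:// search setting.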

ajelliott 0 Light Poster

I have Dreamweaver 4 and Dreamweaver Ultra Developer. I think DW4 is newer, but which one would you suggest I start with? I went through some of the D4 tutorials and it seems easy enough. Just takes time.

I love Photoshop too, use it all the time!

I will look at Fireworks depending on the costs.

ajelliott 0 Light Poster

I have good design skills and want to create web pages but I don't want to do web development or programming.

There is so much out there and so much of it is complicated. I want to keep it real simple. I have Dreamweaver but not a lot of time to learn how to use it. :o

I know basic HTML but it's too slow. I use the PageBuilder utility in Geocities but it's too limited. I want to upload to my space on my ISP and would like to use a nice simple GUI tool.

ajelliott 0 Light Poster

UPDATE:

Being proactive, I read ahead and ran CWShredder, which found the Coolweb Trojan lurking in my Windows Media player's exe file. --Can we say "ELIMINATED"!

After that, I went to Microsoft.com and was finally able to run all the updates we couldn’t update before!! Yeah! :mrgreen:

Then, feeling like riding on a wave of success, I was able to get the Norton virus definitions to finally update!!!!

I am now running Stinger 2.2.7 and Norton at the same time.

I have to say it feels good to be this far into the solution when it's been a long hard road to fixing these issues.

I can't be more grateful :D

ajelliott 0 Light Poster

:o I am planning to change out the monitor cables. If that doesn't work I will be planning my purchase of a new monitor, in the near future.

Thank you all for the suggestions and the endless work done for others at this site.

Please close out this thread.

ajelliott 0 Light Poster

Crunchie: :lol:

I very much appreciate the help you have given me and to others. I have learned a lot by reading the threads at the daniweb site, and working this problem through.

I hope this works; here is the latest HJT log after completing your instructions. Let me know if there is more.

TY, TY, TY!

Logfile of HijackThis v1.97.7
Scan saved at 3:13:15 PM, on 6/3/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\WINNT\system32\atiptaxx.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
D:\Saved from Reload\Downloads C\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe Reader\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet …

ajelliott 0 Light Poster

I am sure that will work...
Thank you RJ for your suggestion.

Consider this problem solved and close the thread.

To everyone who provides assistance on this forum, I am very impressed with your willingness to help others.

It's fun and educational to read through the work being done here. :cool:

ajelliott 0 Light Poster

:-| I went into the bios and could not find anything in the menus regarding a sensor for the case; I thought it was a good idea too. I looked up the Award web site for FAQ but there are none.

I think a good solution would be to flash my bios and give it an upgrade. I am sure that would fix it and give the latest features as well.

I have flashed bios before on other AT machines, so I am sure it will work fine. It is what I would do to clear CMOS on a netserver.

I will let you know how it goes.

ajelliott 0 Light Poster

:rolleyes: Ooh yes, I forgot to mention, I did run DLLFIX opt 2, then reinstalled Adware6 (again, don't know why it was gone), updated it, then scanned. It found some nasties...

The following is the DLLFIX output log:

CWSDLL/Searchx Appinit Fix By Shadowwar
Version 2.01 053104
Please Do not mirror Without Permission!
I can be contacted at spywaresubmit at aol.com
Wed 06/02/2004
10:55a

Backing up Registry Hive

The operation completed successfully

Deleting Windows Key

The operation completed successfully

Adding Test Windows Key

The operation completed successfully

Restoring temp Values Key

The operation completed successfully

Deleting Bad Appinit Value

The operation completed successfully


Backup of Modified Hiv

The operation completed successfully

Deleting test Windows key

The operation completed successfully

Deleting Filter text
Running from C:\Documents and Settings\Kam\Desktop\Desktop\DLL Fix\dllfix
Scanning For main hijacker.
Found Main Hijacker Dll:C:\WINNT\System32\EBNEL.DLL
Md5 tested As 0758CF635DF08AC381962F74832B6484
MD5 Matched known Baddie
Deleting Hijacker Dll: C:\WINNT\System32\EBNEL.DLL
Succesfully Deleted
Scanning For main hijacker.
Scanning for Hidden Dll in system32 1st pass
File was not found on first Pass.

Scanning for Hidden Dll in system32 2nd pass
File found was: C:\WINNT\System32\RES.DLL

Md5 Check of C:\WINNT\System32\RES.DLL

Md5 tested As C185B36F9969D3A6D2122BA7CBC02249
Md5 matched known baddies.
Processing and Deleting File.
File was successfully Deleted.

Adding Back Windows Key

The …

ajelliott 0 Light Poster

After I ran HJT, I checked the ABOUT:BLANK line and fixed it.

Here is the latest HJT showing that line:

Logfile of HijackThis v1.97.7
Scan saved at 11:27:01 AM, on 6/2/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\WINNT\system32\atiptaxx.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\window.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Saved from Reload\Downloads C\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ebnel.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ebnel.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ebnel.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ebnel.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ebnel.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ebnel.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - C:\WINNT\mslagent\4b_1,0,1,0_mslagent.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe Reader\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {221E8D90-C439-4297-B84A-EA3291D7CB1A} - C:\WINNT\system32\ebnel.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - …

ajelliott 0 Light Poster

I have a KDS monitor, about 4 years old. Works well except it sometimes changes color tone. A white page may look a little yellow and changes back to looking whiter. I checked all the cables, for cuts and tightness.

Any suggestions would be helpful.

ajelliott 0 Light Poster

Somewhere in your BIOS setup menus there will be a setting for "Case Alarm" or similar. If you disable the setting, you'll no longer get the message.

Including details of the make/model of your motherboard, or the make/model of your PC if it's a 'name-brand' one, will help us to determine clearer details of how to correct it.

System Information report written at: 06/01/2004 01:02:11 PM
[System Summary]

Item Value
OS Name Microsoft Windows 2000 Professional
Version 5.0.2195 Service Pack 4 Build 2195
OS Manufacturer Microsoft Corporation
System Name TEST
System Manufacturer Seanix Technology (Canada) Inc.
System Model TCO
System Type X86-based PC
Processor x86 Family 6 Model 7 Stepping 3 Genuine Intel ~448 Mhz
BIOS Version Award Modular BIOS v4.51PG
Windows Directory C:\WINNT
System Directory C:\WINNT\system32
Boot Device Device\Harddisk0\Partition1
Locale United States
User Name TEST\test1
Time Zone Pacific Daylight Time
Total Physical Memory 261,616 KB
Available Physical Memory 86,928 KB
Total Virtual Memory 891,124 KB
Available Virtual Memory 536,660 KB
Page File Space 629,508 KB
Page File C:\pagefile.sys

ajelliott 0 Light Poster

Okay here it is....

--==***@@@ FIND-ALL' VERSION MODIFIED -5/27 @@@***==-- 
--==***@@@ ORIGINAL BY FREEATLAST           @@@***==-- 

Tue 06/01/2004 
12:40p

System Info: 

Microsoft Windows 2000 [Version 5.00.2195]
C: "KAMRON" (0C58:18E6) - FS:FAT clusters:8k
Total: 13 558 415 360 [13G] - Free: 8 634 073 088 [8.0G]


 *IE version and Service packs: 
             6.0.2800.1106  C:\Program Files\Internet Explorer\Iexplore.exe
 *Notepad version : 
                5.0.2140.1  C:\WINNT\system32\notepad.exe
                5.0.2140.1  C:\WINNT\notepad.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    MinorVersion    REG_SZ  ;SP1;Q824145;Q330994;



Locked or 'Suspect' file(s) found... 
\\?\C:\WINNT\System32\INETRES.DLL +++ File read error
\\?\C:\WINNT\System32\INETRES.DLL +++ File read error


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{021BB032-80A8-4FB6-B3D5-CF27B1553B95}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_Dlls    REG_SZ  

*Security settings for 'Windows' key: 


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI)    ALLOW  Read         BUILTIN\Users
(IO)    ALLOW  Read         BUILTIN\Users
(NI)    ALLOW  Read         BUILTIN\Power Users
(IO)    ALLOW  Read         BUILTIN\Power Users
(NI)    ALLOW  Full access  BUILTIN\Administrators
(IO)    ALLOW  Full access  BUILTIN\Administrators
(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(NI) …
ajelliott 0 Light Poster

This HJT log is from my son's computer. He has "About:Blank" issues. Cannot run Windows updates, and his system is very slow even when not running anything. I run the Norton Live Update but it doesn't show it installed. Not sure if the virus scan is actually scanning.

Home built PIII-500, Ram:256, Win2k SP4, but needs updates.

Please tell me what to delete:

Logfile of HijackThis v1.97.7
Scan saved at 8:14:10 PM, on 5/31/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\CTHELPER.EXE
C:\WINNT\system32\atiptaxx.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
D:\Saved from Reload\Downloads C\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\kipeea.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\kipeea.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\kipeea.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\kipeea.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\kipeea.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\kipeea.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - C:\WINNT\mslagent\4b_1,0,1,0_mslagent.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe Reader\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - …

ajelliott 0 Light Poster

My secondary HDD recently failed and I was working inside my system case.

Now all is back to normal but I get a "Your system case has been opened - Press F1 to continue" message at boot up.

I don’t see any clear CMOS features in my bios. I've tried unplugging the system from power but don't know how to clear this CMOS message from the boot sequence.

Give me a netserver and I can fix this problem...
Home PCs, well I don’t work on them enough to know if they can clear CMOS or not.

Win2k, SP4. P3-450

ajelliott 0 Light Poster

nose -----> eyes