new hjt user & page faults

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

sinsation

Thread Starter
Joined
Sep 15, 2003
Messages
323
Not sure if this is the right section for this. I'm having a problem with IE6 that's driving me mad.
It's that bloody page fault in user.exe and some various dll's.
I've done the deselect inline options/deltree history command in dos mode/reselect inline options.
I've done a repair on ie and rebooted.
I've done the spybot search and atm I'm down to Backweb: lite, CoolWWWSearch, eacceleration, and IGetNet, all of which I have no clue what to do with.
I downloaded hijackthis to see if maybe it's something else causing these damn illegal op's, I just don't know how to read the logs. 0.o

Here's the log:
(and yes I'm terribly aware lockdown 2k is a giant p.o.s, and need an update of software)

Logfile of HijackThis v1.97.2
Scan saved at 10:35:39 AM, on 9/15/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\ANTIVIRUS\LOCKDOWN\LOCKDOWN2000.EXE
C:\WINDOWS\LOADQM.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\KMAESTRO\KMAESTRO.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\CLEARSEARCH\LOADER.EXE
C:\EFDTOP\DTLOADER.EXE
C:\MY DOCUMENTS\DESKTOP\DICONS\DICONS.EXE
C:\EFDTOP\WINXSERVER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\MY DOCUMENTS\SECURITY\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.jethomepage.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.jethomepage.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.jethomepage.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.jethomepage.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c99&lc=0409&s=search&i=enu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by GCR Online
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c99&s=search&query=%s&i=enu
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {6F8ADBE2-8C92-4362-B0E6-7321AA49EE46} - (no file)
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {6F8ADBE2-8C92-4362-B0E6-7321AA49EE46} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ProDsl] C:\WINDOWS\ProDsl.exe /P
O4 - HKLM\..\Run: [LockDown2000] C:\ANTIVIRUS\LOCKDOWN\lockdown2000.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [KeyMaestro] C:\KMAESTRO\KMaestro.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [ClrSchLoader] \Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\cpqdiag\CpqDfwAg.exe -I
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: EDLoader.lnk = C:\EfDtop\DTLoader.exe
O4 - Startup: Shortcut to Dicons.exe.lnk = C:\My Documents\Desktop\Dicons\Dicons.exe
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O8 - Extra context menu item: AltaVista Home - http://jump.altavista.com/avie5/home
O8 - Extra context menu item: AV Search This Term - http://jump.altavista.com/avie5/search
O8 - Extra context menu item: AV Translate this Web Page - http://jump.altavista.com/avie5/babelfish
O8 - Extra context menu item: AV Translate Selection - http://jump.altavista.com/avie5/babelfish
O9 - Extra 'Tools' menuitem: &AltaVista Home (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/2...apple.com/qt502/us/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37872.7609837963
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/DMO1/GrlNt0i.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
 
Joined
Oct 9, 2001
Messages
9,396
you have a lop.com hijack that needs removing.

run hijackthis again and put a checkmark against these entries...
...then, close all browser and outlook windows and "fix checked"


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.jethomepage.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.jethomepage.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.jethomepage.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.jethomepage.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/...earch&i=enu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by GCR Online
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.presario.net/scripts/...ry=%s&i=enu
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {6F8ADBE2-8C92-4362-B0E6-7321AA49EE46} - (no file)
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL
O3 - Toolbar: (no name) - {6F8ADBE2-8C92-4362-B0E6-7321AA49EE46} - (no file)
O4 - HKLM\..\Run: [ClrSchLoader] \Program Files\ClearSearch\Loader.exe
http://www.netpaloffers.net/NetpalO...MO1/GrlNt0i.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

re-boot and delete:
C:\Program Files\ClearSearch

oh!............and you can do the spybot scan as e-liam suggests below ;)
 
Joined
Jun 19, 2003
Messages
1,241
Hi Sinsation, and welcome to TSG.. :)

Please run a new HJT! log, and "check to fix" the following entries. Next close all browser windows, and click Fix.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.jethomepage.com/ie/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.jethomepage.com/ie/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.jethomepage.com/ie/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.jethomepage.com/ie/

O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)

O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)

O2 - BHO: (no name) - {6F8ADBE2-8C92-4362-B0E6-7321AA49EE46} - (no file)

O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL

O3 - Toolbar: (no name) - {6F8ADBE2-8C92-4362-B0E6-7321AA49EE46} - (no file)

O4 - HKLM\..\Run: [ClrSchLoader] \Program Files\ClearSearch\Loader.exe

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/2...meInstaller.exe

O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalO...MO1/GrlNt0i.cab


Then if you could reboot and delete the following bolded files/folders..

C:\Program Files\ClearSearch

Then reboot. (Tedious but vital) :(

Then if you could download Spybot - Search & Destroy, from www.tomcoyote.org/spybot : if you haven't already got the program.

Now press Settings, and Settings again.
Go to the Webupdate section, and check "Display also available beta versions".

Now press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds marked RED.

Next, reboot (yet again) :) and post a new HJT! log, just for the final once over..

Cheers

Liam
 
Joined
Jun 19, 2003
Messages
1,241
Ooops, I missed a couple Steve. :(

Just to explain my reasons... and then you can tell me why I was wrong. This is how I learn, and today Sinsation gets to be the Guinea Pig.. :D

The entries I missed....

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/...earch&i=enu

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.presario.net/scripts/...ry=%s&i=enu

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by GCR Online

O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net



The two presario entries, I thought were the defaults for Compaq, and I don't usually worry about the title bar (admittedly, I've got X-Setup, and can change it anytime I want) :)

The O17 entry, I left, as it looked like the genuine DSL connection for AOL, judging by the ProDsl software, already installed.

Don't get me wrong, :) I'm not questioning your analysis, Steve, you've been doing this far longer than I. I just want to get my reasoning straight for the next logs.. (y) :)

Make it simple as well.. I was daft enough to spill tea over my keyboard and had to go and buy a new one this evening. :eek: So I'm obviously beyond help anyway. :D:D
 
Joined
Oct 9, 2001
Messages
9,396
with all the clearsearch garbage i just thought a clean out would be better. and as for the O17:

O17 - Lop.com domain hijacks

What it looks like:
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = W21944.find-quick.com
O17 - HKLM\Software\..\Telephony: DomainName = W21944.find-quick.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D196AB38-4D1F-45C1-9108-46D367F19F7E}: Domain = W21944.find-quick.com

taken from here

and i think we are all beyond help at times:D
 
Joined
Jun 19, 2003
Messages
1,241
Cheers for explaining that Steve, (y) :)

BTW, I got a Labtec Internet keyboard for £13 from Tesco's to replace the drowned one, and although I haven't tried all the multimedia widgets yet, it seems a pretty good piece of kit. The selling point was the Spill Resistant Design, (y) although I'm not rushing to try that particular feature out just yet. :D

Cheers again..

Liam
 
Joined
Oct 9, 2001
Messages
9,396
i paid £17 for my samsung cordless K/B and mouse.
it said "faulty" on the box and i don't use the mouse cos i've a Logitech cordless optical.
but the K/B works a treat.

bargains bargains bargains:D
 

sinsation

Thread Starter
Joined
Sep 15, 2003
Messages
323
Thank you. I'll try all of this (providing following 3 different "check these" posts doesn't baffle me).

Although as suggested above to download/run spybot, I did this yesterday as I originally stated. The only ones I left un-fixed were:
Backweb:lite - adware/spyware
CoolWWWSearch - no info
eacceleration - threat field was blank
IGetNet - Malware/Hijacker

Also as stated previously, I left these 'cause I have no clue which ones need fixing and which should be placed in exclude.
 
Joined
Oct 9, 2001
Messages
9,396
Backweb:lite - adware/spyware
CoolWWWSearch - no info
eacceleration - threat field was blank
IGetNet - Malware/Hijacker
all should be nuked....whatever spybot finds is ok to delete.
;)
 

sinsation

Thread Starter
Joined
Sep 15, 2003
Messages
323
Ok, new log:

Logfile of HijackThis v1.97.2
Scan saved at 1:07:12 PM, on 9/15/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\ANTIVIRUS\LOCKDOWN\LOCKDOWN2000.EXE
C:\WINDOWS\LOADQM.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\KMAESTRO\KMAESTRO.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\EFDTOP\DTLOADER.EXE
C:\MY DOCUMENTS\DESKTOP\DICONS\DICONS.EXE
C:\EFDTOP\WINXSERVER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\SECURITY\HIJACKTHIS\HIJACKTHIS.EXE

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ProDsl] C:\WINDOWS\ProDsl.exe /P
O4 - HKLM\..\Run: [LockDown2000] C:\ANTIVIRUS\LOCKDOWN\lockdown2000.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [KeyMaestro] C:\KMAESTRO\KMaestro.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\cpqdiag\CpqDfwAg.exe -I
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: EDLoader.lnk = C:\EfDtop\DTLoader.exe
O4 - Startup: Shortcut to Dicons.exe.lnk = C:\My Documents\Desktop\Dicons\Dicons.exe
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O8 - Extra context menu item: AltaVista Home - http://jump.altavista.com/avie5/home
O8 - Extra context menu item: AV Search This Term - http://jump.altavista.com/avie5/search
O8 - Extra context menu item: AV Translate this Web Page - http://jump.altavista.com/avie5/babelfish
O8 - Extra context menu item: AV Translate Selection - http://jump.altavista.com/avie5/babelfish
O9 - Extra 'Tools' menuitem: &AltaVista Home (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/2...apple.com/qt502/us/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37872.7609837963
 
Joined
Jun 19, 2003
Messages
1,241
That's looking fine Sinsation.. (y)

All you need to do now is go to Start | Settings | Control Panel | Internet Options and reset your web settings. This will give you MS's default home page and search page, neither of which anyone uses, but you can set the home page to anything you want, anyway.

Cheers

Liam
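
The structural checks the helpers apply by eye in this thread, and the before/after comparison of the two logs, sketched as an added example that is not part of the original posts or of HijackThis itself. The rules and function names are assumptions for illustration; the sample lines are copied from the logs posted above.

```python
import re
from urllib.parse import urlparse

# A subset of lines copied from the first log posted in this thread.
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.jethomepage.com/ie/
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL
O3 - Toolbar: (no name) - {6F8ADBE2-8C92-4362-B0E6-7321AA49EE46} - (no file)
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [ClrSchLoader] \Program Files\ClearSearch\Loader.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/DMO1/GrlNt0i.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
"""
# The matching lines from the follow-up log posted after the fixes.
AFTER = r"""
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

ENTRY = re.compile(r"^(R\d|O\d{1,2}) - (.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL = re.compile(r"https?://\S+")
DPF_NAMED = re.compile(r"^DPF: \{[^}]+\} \(.+\) - ")


def parse(log_text):
    """Return (section, body) for each R*/O* line; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Map each entry worth a manual look to the reasons it was picked (illustrative rules)."""
    sections_by_clsid = {}
    for sec, body in entries:
        for clsid in CLSID.findall(body):
            sections_by_clsid.setdefault(clsid.upper(), set()).add(sec)

    flagged = {}
    for sec, body in entries:
        reasons = []
        if sec in ("O2", "O3") and body.endswith("(no file)"):
            reasons.append("registered component whose file is missing")
        if sec == "O16" and not DPF_NAMED.match(body):
            reasons.append("ActiveX download with no class name")
        for clsid in CLSID.findall(body):
            others = sorted(sections_by_clsid[clsid.upper()] - {sec})
            if others:
                reasons.append("CLSID also appears under " + ", ".join(others))
        url = URL.search(body)
        if sec in ("R0", "R1") and url:
            reasons.append("IE search setting points at " + urlparse(url.group()).hostname)
        if sec == "O17":
            reasons.append("DNS domain setting: confirm against the ISP's real value")
        if reasons:
            flagged[f"{sec} - {body}"] = reasons
    return flagged


def removed(before_text, after_text):
    """Entries present in the first log and absent from the second."""
    after = set(parse(after_text))
    return [f"{s} - {b}" for s, b in parse(before_text) if (s, b) not in after]


if __name__ == "__main__":
    for entry, reasons in triage(parse(BEFORE)).items():
        print(entry, "->", "; ".join(reasons))
    print(len(removed(BEFORE, AFTER)), "entries gone in the follow-up log")
```

The Clear Search BHO and its ClrSchLoader Run entry pass every structural check here; the helpers in the thread picked those out by name, which a rule set like this does not replace.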
 

sinsation

Thread Starter
Joined
Sep 15, 2003
Messages
323
Hey, I noticed in a previous thread that if not all startup options are set to execute on bootup the hjt fixing could be missing something, well I set all to execute, reboot, uninstalled stuff I don't use anymore and reboot again.. here is the stuff I have enabled on startup (some stuff with comments are things that I don't know what they are or other probs with them).

Startup:
aim
c:\programs\aim\aim.exe -cnetwait.odl

scanregistry
c:\windows\scanregw.exe /autorun

taskmonitor
c:\windows\taskmon.exe

systemtray
systray.exe

loadpowerprofile
rundll32.exe powrprof.dll,loadcurrentpwrscheme

prodsl
c:\windows\prodsl.exe /p

lockdown2000
c:\antivirus\lockdown\lockdown2000.exe

loadqm
loadqm.exe

em_exec
c:\mouse\system\em_exec.exe

keymaestro
c:\kmaestro\kmaestro.exe
// my keyboard

stillimagemonitor
c:\windows\system\stimon.exe
// scanner

compaq internet setup
c:\compaq\internet\inetwizard.exe /run

cisrvr program
c:\compaq\internet\cisrvr.exe

service connection
c:\cpqs\bwtools\bwtray.exe
// backweb? I spyware-fixed this earlier today. =/

avconsoleexe
c:\program files\network associates\mcafee virusscan\avconsol.exe /minimize
// how can I get rid of mcafee? it's not in my add/remove

vsecomrexe
c:\program files\network associates\mcafee virusscan\vsecomr.exe

vsstatexe
c:\program files\network associates\mcafee virusscan\vstat.exe /showwarning

mcafeewebscanx
c:\program files\network associates\mcafee virusscan\webscanx.exe

cpqeasyacc
c:\program files\compaq\easy access button support\cpqeadm.exe
// do I need this button support seeing as I don't have the orig. compaq keyboard?

eaclean
c:\program files\compaq\easy access button support\eaclean.exe

vshwin32exe
c:\program files\network associates\mcafee virusscan\vshwin32.exe

adaptec directcd
c:\zipcd\directcd.exe

sp
regedit -s c:\windows\sp.dll
// wtf is this? there's no sp.dll in my windows dir - also get error at startup "cannot import sp.dll: error opening the file. There may be a disk or file system error."

verve
c:\my documents\desktop\verve\verve.exe
// I don't even have this anymore. 0.o

quick time task
c:\windows\system\qttask.exe

simple dns plus

exciteplatform
c:\progra~1\excite\platforum\exlaunce.exe
// I uninstalled/deleted this eons ago.. why's it still here?

createcd
c:\zipcd\easycd~1\createcd\createcd.exe -r

cpqdfwag
c:\windows\cpqdiag\cpqdfwag.exe -l

loadpowerprofile
rundll32.exe powrprof.dll,loadcurrentpwrscheme
// why's this here twice?

mcafeewebscanx
c:\program files\network associates\mcafee virusscan\webscanx.exe /runservices

schedulingagent
mstask.exe

vshwin32exe
c:\program files\network associates\mcafee virusscan\vshwin32.exe
// oi vey

edloader
c:\efdtop\dtloader.exe
// multiple dtop goodie mgmt

shortcut to dicons.exe
c:\mydocu~1\desktop\dicons\dicons.exe
//dtop icons font color

backweb
c:\cpqs\bwtools\bwtray.exe
// again?

america online 8.0 tray icon
c:\progra~1\americ~1.0\aoltray.exe

iomega startup options
c:\zipdisk\tools\imgstart.exe

iomegaware
c:\zipdisk\iomega~1\comman~1.exe

iomega disk icons
c:\zipdisk\tools\imgicon.exe

quiksync
c:\zipdisk\quiksync\quiksync.exe

iomega backup scheduler
c:\zipdisk\iomega~2\dtiom98.exe

gstartup
c:\progra~1\common~1\gmt\gmt.exe
// wtf is this? it's no longer in the folder it says it is, it was something that I deleted with spybot I believe

Here's my new HJT log after doing all of this:

Logfile of HijackThis v1.97.2
Scan saved at 4:08:43 PM, on 9/15/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\ANTIVIRUS\LOCKDOWN\LOCKDOWN2000.EXE
C:\WINDOWS\LOADQM.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\KMAESTRO\KMAESTRO.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\ZIPCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAMS\AIM\AIM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\EFDTOP\DTLOADER.EXE
C:\MY DOCUMENTS\DESKTOP\DICONS\DICONS.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\ZIPDISK\TOOLS\IMGICON.EXE
C:\EFDTOP\WINXSERVER.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\SECURITY\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c99&lc=0409&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c99&lc=0409&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c99&lc=0409&s=search&i=enu
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ProDsl] C:\WINDOWS\ProDsl.exe /P
O4 - HKLM\..\Run: [LockDown2000] C:\ANTIVIRUS\LOCKDOWN\lockdown2000.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [KeyMaestro] C:\KMAESTRO\KMaestro.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [CISrvr Program] C:\COMPAQ\INTERNET\CISRVR.EXE
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\bwtray.exe
O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [Adaptec DirectCD] c:\ZIPCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [sp] regedit -s C:\WINDOWS\sp.dll
O4 - HKLM\..\Run: [Verve] C:\MY DOCUMENTS\DESKTOP\VERVE\VERVE.EXE
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [Excite Platform] C:\PROGRA~1\EXCITE\PLATFORM\ExLaunch.exe
O4 - HKLM\..\Run: [CreateCD] C:\ZIPCD\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\cpqdiag\CpqDfwAg.exe -I
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRAMS\AIM\aim.exe -cnetwait.odl
O4 - Startup: EDLoader.lnk = C:\EfDtop\DTLoader.exe
O4 - Startup: Shortcut to Dicons.exe.lnk = C:\My Documents\Desktop\Dicons\Dicons.exe
O4 - Startup: BackWeb.lnk = C:\CPQS\BWTools\BWTray.exe
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Startup: Iomega Startup Options.lnk = C:\ZipDisk\Tools\IMGSTART.EXE
O4 - Startup: IomegaWare.lnk = C:\ZipDisk\Iomegaware\COMMANDER.EXE
O4 - Startup: Iomega Disk Icons.lnk = C:\ZipDisk\Tools\IMGICON.EXE
O4 - Startup: QuikSync.lnk = C:\ZipDisk\QuikSync\QUIKSYNC.EXE
O4 - Startup: Iomega Backup Scheduler.lnk = C:\ZipDisk\Iomega Backup\dtiom98.exe
O4 - Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O8 - Extra context menu item: AltaVista Home - http://jump.altavista.com/avie5/home
O8 - Extra context menu item: AV Search This Term - http://jump.altavista.com/avie5/search
O8 - Extra context menu item: AV Translate this Web Page - http://jump.altavista.com/avie5/babelfish
O8 - Extra context menu item: AV Translate Selection - http://jump.altavista.com/avie5/babelfish
O9 - Extra 'Tools' menuitem: &AltaVista Home (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/2...apple.com/qt502/us/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37872.7609837963
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

Combining the unwanted stuff in startup and the new log, is there anything else that needs to be taken care of?

Thanks in advance.
 