Yes I know I have alot of junk. I wasn't aware of MSCONFIG until about 1 week ago.
When I tried to run it to stop all these programs from starting up I found I couldn't run
it. Neither could I run regedit anymore. Hence this thread.
I have been deleting programs through Add/Remove. I just added the Google toolbar
(heard it is supposed to help stop with alot of the popups). I have done a webupdate
for SpyBot and Adaware and ran them (not finding anything more these days). Also ran CWShredder and got latest CCleaner. Fixed whatever those found.
Here is the latest Hijackthis log:
Logfile of HijackThis v1.98.2
Scan saved at 10:03:31 PM, on 9/15/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCPFW.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMPROXY.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\RXMON9X.EXE
C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\MOTIVEASSISTANT\BIN\MAD.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\SVA PLAYER\SVAPLAYER.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMOAGENT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\OPLIMIT\OCRAWARE.EXE
C:\OPLIMIT\OCRAWR32.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\MY DOWNLOADS\SPYWARE UTILITIES\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www4.fosters.com/index.asp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: AIM Helper - {D70E6A20-7060-4829-B3D7-B6624A1DE7C6} - C:\PROGRAM FILES\AIM TOOLBAR\AIMHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [RxMon] C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon9x.exe
O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [SVAPlayer] C:\Program Files\SVA Player\SVAPLAYER.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -off
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\SYSTEM\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O7 "EPUSB1:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [NetMDSB] C:\PROGRAM FILES\SONY\MD SIMPLE BURNER\NETMDSB.EXE -start
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PccPfw] C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Startup: EPSON CardMonitor.lnk = C:\Program Files\epson\EPSON CardMonitor\EPSON CardMonitor1.1.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: vsaccess.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 -
http://download.games.yahoo.com/games/clients/y/potd_x.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) -
http://www.bitdefender.com/scan/Msie/bitdefender.cab
I also went to BitDefenders site and ran their free virus scan utility. It reported this:
Memory ok
Master Boot Record 80 ok (Windows 95 B20 - Windows 98)
Partition Boot 1 (primary) (active) ok (Win95 OSR2, Win98 FAT32)
C:\WINDOWS\SYSTEM\Clifford Uninstall.exe infected: Win95.CIH.Rest.Gen
C:\WINDOWS\SYSTEM\Clifford Uninstall.exe disinfected
C:\WINDOWS\SYSTEM\Clifford Uninstall.exe unable to disinfect
C:\WINDOWS\SYSTEM\jmyhndrX.dll infected: Trojan.Downloader.Rameh.B
C:\WINDOWS\SYSTEM\jmyhndrX.dll disinfected
C:\WINDOWS\SYSTEM\jmyhndrX.dll unable to disinfect
C:\WINDOWS\SYSTEM\wnhfryrs.exe=>(PECompact 2.34) infected: Win32.P2P.SpyBot.Gen
C:\WINDOWS\SYSTEM\wnhfryrs.exe=>(PECompact 2.34) unable to disinfect
C:\WINDOWS\Start Menu\Programs\StartUp\PowerReg Scheduler V3.exe infected: Application.Adware.PowerReg.3.0
C:\WINDOWS\Start Menu\Programs\StartUp\PowerReg Scheduler V3.exe unable to disinfect
C:\WINDOWS\Profiles\Alex\Start Menu\Programs\StartUp\PowerReg Scheduler V3.exe infected: Application.Adware.PowerReg.3.0
C:\WINDOWS\Profiles\Alex\Start Menu\Programs\StartUp\PowerReg Scheduler V3.exe unable to disinfect
C:\Install.exe=>(RAR Sfx o)=>YEA.REG infected: Trojan.WinREG.LowZones.A
C:\install5.exe=>(RAR Sfx o)=>YEA.REG infected: Trojan.WinREG.LowZones.A
My Trend Micro PC-cillin anti-virus real time scan detected the YEA.REG trojan and
quarantined it.
1) Do I just need to boot into SAFE mode and delete:
Clifford Uninstall.exe, jmyhndrX.dll, wnhfryrs.exe and PowerReg Scheduler V3.exe ???
2) Can I just delete the quarantined trojan file YEA.REG?
3) I am running Windows ME with a user logon screen (son uses his own logon name).
Do I need to be running anything under his logon too or will all these changes I'm
doing take care of problems no matter who is logged on?
Frustrated !!! I need to get MSCONFIG running to take care of all this unnecesary startup stuff.
