1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: Cannot run Registry Editor or MSCONFIG

Discussion in 'Virus & Other Malware Removal' started by sapphire2, Sep 11, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. sapphire2

    sapphire2 Thread Starter

    Joined:
    Sep 11, 2004
    Messages:
    16
    Hello,
    I am unable to run regedit or msconfig. I checked through the threads and noticed that "amkar" posted the same kind of problem (on Sep 8th). I am running under Windows ME. I have deleted the temp internet files/cookies and history in IE. I then ran a manual scan of my PC-Cillin antivirus. I then updated files in SpyBot 1.3. I then followed the advice of "mobo" to "amkar" about Ad-Aware.
    I emptied the Recycle Bin and rebooted into Safe mode and ran the following: SpyBot, Adaware, CWShredder and CCleaner. I cleaned up whatever objects they found. I then ran Hijackthis and saved the log. I was hoping someone here could take a look at the log file and inform me how to proceed from here.
    I will gladly post the log to this thread when requested.

    Thanks
     
  2. sapphire2

    sapphire2 Thread Starter

    Joined:
    Sep 11, 2004
    Messages:
    16
    I forgot to mention that I had System Restore disabled.
     
  3. sapphire2

    sapphire2 Thread Starter

    Joined:
    Sep 11, 2004
    Messages:
    16
    Here is the Hijackthis log:

    Logfile of HijackThis v1.98.2
    Scan saved at 10:03:08 PM, on 9/10/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\MY DOWNLOADS\SPYWARE UTILITIES\HIJACKTHIS\HIJACKTHIS.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www4.fosters.com/index.asp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: AIM Helper - {D70E6A20-7060-4829-B3D7-B6624A1DE7C6} - C:\PROGRAM FILES\AIM TOOLBAR\AIMHELPER.DLL
    O2 - BHO: mqsBar BHO - {0E677221-E309-4341-81BD-3CC3018BF5B3} - C:\PROGRAM FILES\MYQUICKSEARCH\BAR\1.BIN\MQSBAR.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
    O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: My &Quick Search - {0E677229-E309-4341-81BD-3CC3018BF5B3} - C:\PROGRAM FILES\MYQUICKSEARCH\BAR\1.BIN\MQSBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
    O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
    O4 - HKLM\..\Run: [RxMon] C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon9x.exe
    O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [SVAPlayer] C:\Program Files\SVA Player\SVAPLAYER.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -off
    O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
    O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\SYSTEM\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O7 "EPUSB1:" /M "Stylus Photo R300"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [winbas12] C:\PROGRAM FILES\WINBAS12.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
    O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [AOL Instent Messenger] WNHFRYRS.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [NetMDSB] C:\PROGRAM FILES\SONY\MD SIMPLE BURNER\NETMDSB.EXE -start
    O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
    O4 - HKLM\..\RunServices: [PccPfw] C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
    O4 - HKCU\..\RunServices: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
    O4 - HKCU\..\RunOnce: [AOL Instent Messenger] WNHFRYRS.EXE
    O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
    O4 - Startup: EPSON CardMonitor.lnk = C:\Program Files\epson\EPSON CardMonitor\EPSON CardMonitor1.1.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: vsaccess.exe
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4028.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
     
  4. sapphire2

    sapphire2 Thread Starter

    Joined:
    Sep 11, 2004
    Messages:
    16
    The problem that I was mentioning that was similar to mine was in the Security thread.
    Would one of the moderators please move this question to that thread please. Sorry I posted under wrong thread (I have been lookin through so many different threads trying to find if someone else was having the same problem I was).

    Thanks
     
  5. sapphire2

    sapphire2 Thread Starter

    Joined:
    Sep 11, 2004
    Messages:
    16
    When I run regedit the window comes up for about 1 second then disappears. When I run MSCONFIG nothing happens.
     
  6. sapphire2

    sapphire2 Thread Starter

    Joined:
    Sep 11, 2004
    Messages:
    16
    Hello - Is anyone reading this thread? I haven't heard a word from anyone yet.
     
  7. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Hi sapphire2

    Lets begin bvy rescanning once again with hijack then insert a check next to each of the following then close all browser windows and click "fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s

    O1 - Hosts: 217.116.231.7 aimtoday.aol.com

    O2 - BHO: mqsBar BHO - {0E677221-E309-4341-81BD-3CC3018BF5B3} - C:\PROGRAM FILES\MYQUICKSEARCH\BAR\1.BIN\MQSBAR.DLL

    O3 - Toolbar: My &Quick Search - {0E677229-E309-4341-81BD-3CC3018BF5B3} - C:\PROGRAM FILES\MYQUICKSEARCH\BAR\1.BIN\MQSBAR.DLL

    O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe

    O4 - HKLM\..\Run: [winbas12] C:\PROGRAM FILES\WINBAS12.exe

    O4 - HKLM\..\Run: [AOL Instent Messenger] WNHFRYRS.EXE

    O4 - HKCU\..\RunOnce: [AOL Instent Messenger] WNHFRYRS.EXE

    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yah...utocomplete.cab

    Download Adaware Se from http://www.lavasoftusa.com/support/download/
    In Ad-aware click the Gear to go to the Settings area.
    The following items should be on a green check, not on a red X.
    Under the Scanning button:Scan within archives
    Under Memory & Registry, Check EVERYTHING
    In Check Drives & Folders, make sure all of your hard drives are selected
    Under the Advanced button, Check
    Move deleted files to recycle bin
    Include additional object information
    Include negligible object information
    Include environment information
    Under the defaults button Set the homepage you wish to have set as default.
    Under the tweak button
    Some of these may not be an available option, depending on your version of Ad-aware and your version of Windows. Do not be concerned if you cannot select a certain item.

    In Scanning Engine:Unload recognized processes during scanning
    Include info about ignored objects in logfile, if detected in scan
    Include basic Ad-aware settings in logfile
    Include additional Ad-aware settings in logfile
    Include used command line parameters in logfile
    In Cleaning Engine: XP/2000: Allow unloading explorer to unload shell extensions prior to deletion
    Let Windows remove files in use at next reboot
    UNCHECK: Automatically try to unregister objects prior to deletion
    Click Proceed to save these settings. When you would like to perform a "Full Scan," switch the scan mode from SmartScan to Custom
    _______________________________________________________________
    Then reboot into safe mode http://dotcomsecurity.org/forums/index.php?showtopic=55


    Open windows explorer, find then delete:
    C:\PROGRAM FILES\WINBAS12.exe
    C:\PROGRAM FILES\MYQUICKSEARCH
    C:\WINDOWS\Updreg.exe


    Reboot, rescan with hijack then post an updated logfile please.
     
  8. sapphire2

    sapphire2 Thread Starter

    Joined:
    Sep 11, 2004
    Messages:
    16
    Thanks mobo - I will do this on my pc tonight when I get home
     
  9. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Sure thing
     
  10. sapphire2

    sapphire2 Thread Starter

    Joined:
    Sep 11, 2004
    Messages:
    16
    I did as suggested. Here is the latest log:


    Logfile of HijackThis v1.98.2
    Scan saved at 9:05:21 PM, on 9/13/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCIOMON.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCPFW.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMPROXY.EXE
    C:\WINDOWS\SYSTEM\DEVLDR16.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
    C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
    C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\RXMON9X.EXE
    C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\MOTIVEASSISTANT\BIN\MAD.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\SVA PLAYER\SVAPLAYER.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCGUIDE.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCLIENT.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMOAGENT.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WNHFRYRS.EXE
    C:\OPLIMIT\OCRAWARE.EXE
    C:\OPLIMIT\OCRAWR32.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\MY DOWNLOADS\SPYWARE UTILITIES\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www4.fosters.com/index.asp
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: AIM Helper - {D70E6A20-7060-4829-B3D7-B6624A1DE7C6} - C:\PROGRAM FILES\AIM TOOLBAR\AIMHELPER.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
    O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
    O4 - HKLM\..\Run: [RxMon] C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon9x.exe
    O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [SVAPlayer] C:\Program Files\SVA Player\SVAPLAYER.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -off
    O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
    O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\SYSTEM\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O7 "EPUSB1:" /M "Stylus Photo R300"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
    O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AOL Instent Messenger] WNHFRYRS.EXE
    O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [NetMDSB] C:\PROGRAM FILES\SONY\MD SIMPLE BURNER\NETMDSB.EXE -start
    O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
    O4 - HKLM\..\RunServices: [PccPfw] C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
    O4 - HKCU\..\RunOnce: [AOL Instent Messenger] WNHFRYRS.EXE
    O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
    O4 - Startup: EPSON CardMonitor.lnk = C:\Program Files\epson\EPSON CardMonitor\EPSON CardMonitor1.1.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: vsaccess.exe
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4028.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
     
  11. sapphire2

    sapphire2 Thread Starter

    Joined:
    Sep 11, 2004
    Messages:
    16
    I notice that
    O4 - HKCU\..\RunOnce: [AOL Instent Messenger] WNHFRYRS.EXE
    is still there :(
     
  12. J-Son

    J-Son

    Joined:
    Sep 13, 2004
    Messages:
    65
    you have so much junk its not funny
    O4 - HKLM\..\Run: [AOL Instent Messenger] WNHFRYRS.EXE
    O4 - HKCU\..\RunOnce: [AOL Instent Messenger] WNHFRYRS.EXE
    get rid of them they'll probably pop back so delete them manually and if cant use this program called cleanerxp to get rid of it http://www.sniip3r.com
     
  13. sapphire2

    sapphire2 Thread Starter

    Joined:
    Sep 11, 2004
    Messages:
    16
    Yes I know I have alot of junk. I wasn't aware of MSCONFIG until about 1 week ago.
    When I tried to run it to stop all these programs from starting up I found I couldn't run
    it. Neither could I run regedit anymore. Hence this thread.

    I have been deleting programs through Add/Remove. I just added the Google toolbar
    (heard it is supposed to help stop with alot of the popups). I have done a webupdate
    for SpyBot and Adaware and ran them (not finding anything more these days). Also ran CWShredder and got latest CCleaner. Fixed whatever those found.

    Here is the latest Hijackthis log:

    Logfile of HijackThis v1.98.2
    Scan saved at 10:03:31 PM, on 9/15/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCIOMON.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCPFW.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMPROXY.EXE
    C:\WINDOWS\SYSTEM\DEVLDR16.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
    C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
    C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\RXMON9X.EXE
    C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\MOTIVEASSISTANT\BIN\MAD.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\SVA PLAYER\SVAPLAYER.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCGUIDE.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCLIENT.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMOAGENT.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\OPLIMIT\OCRAWARE.EXE
    C:\OPLIMIT\OCRAWR32.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\MY DOWNLOADS\SPYWARE UTILITIES\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www4.fosters.com/index.asp
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: AIM Helper - {D70E6A20-7060-4829-B3D7-B6624A1DE7C6} - C:\PROGRAM FILES\AIM TOOLBAR\AIMHELPER.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
    O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
    O4 - HKLM\..\Run: [RxMon] C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon9x.exe
    O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [SVAPlayer] C:\Program Files\SVA Player\SVAPLAYER.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [COMSMDEXE] comsmd.exe -off
    O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
    O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\SYSTEM\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O7 "EPUSB1:" /M "Stylus Photo R300"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
    O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [NetMDSB] C:\PROGRAM FILES\SONY\MD SIMPLE BURNER\NETMDSB.EXE -start
    O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
    O4 - HKLM\..\RunServices: [PccPfw] C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
    O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
    O4 - Startup: EPSON CardMonitor.lnk = C:\Program Files\epson\EPSON CardMonitor\EPSON CardMonitor1.1.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: vsaccess.exe
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab


    I also went to BitDefenders site and ran their free virus scan utility. It reported this:

    Memory ok
    Master Boot Record 80 ok (Windows 95 B20 - Windows 98)
    Partition Boot 1 (primary) (active) ok (Win95 OSR2, Win98 FAT32)
    C:\WINDOWS\SYSTEM\Clifford Uninstall.exe infected: Win95.CIH.Rest.Gen
    C:\WINDOWS\SYSTEM\Clifford Uninstall.exe disinfected
    C:\WINDOWS\SYSTEM\Clifford Uninstall.exe unable to disinfect
    C:\WINDOWS\SYSTEM\jmyhndrX.dll infected: Trojan.Downloader.Rameh.B
    C:\WINDOWS\SYSTEM\jmyhndrX.dll disinfected
    C:\WINDOWS\SYSTEM\jmyhndrX.dll unable to disinfect
    C:\WINDOWS\SYSTEM\wnhfryrs.exe=>(PECompact 2.34) infected: Win32.P2P.SpyBot.Gen
    C:\WINDOWS\SYSTEM\wnhfryrs.exe=>(PECompact 2.34) unable to disinfect
    C:\WINDOWS\Start Menu\Programs\StartUp\PowerReg Scheduler V3.exe infected: Application.Adware.PowerReg.3.0
    C:\WINDOWS\Start Menu\Programs\StartUp\PowerReg Scheduler V3.exe unable to disinfect
    C:\WINDOWS\Profiles\Alex\Start Menu\Programs\StartUp\PowerReg Scheduler V3.exe infected: Application.Adware.PowerReg.3.0
    C:\WINDOWS\Profiles\Alex\Start Menu\Programs\StartUp\PowerReg Scheduler V3.exe unable to disinfect
    C:\Install.exe=>(RAR Sfx o)=>YEA.REG infected: Trojan.WinREG.LowZones.A
    C:\install5.exe=>(RAR Sfx o)=>YEA.REG infected: Trojan.WinREG.LowZones.A


    My Trend Micro PC-cillin anti-virus real time scan detected the YEA.REG trojan and
    quarantined it.

    1) Do I just need to boot into SAFE mode and delete:
    Clifford Uninstall.exe, jmyhndrX.dll, wnhfryrs.exe and PowerReg Scheduler V3.exe ???
    2) Can I just delete the quarantined trojan file YEA.REG?
    3) I am running Windows ME with a user logon screen (son uses his own logon name).
    Do I need to be running anything under his logon too or will all these changes I'm
    doing take care of problems no matter who is logged on?

    Frustrated !!! I need to get MSCONFIG running to take care of all this unnecesary startup stuff.
     
  14. sapphire2

    sapphire2 Thread Starter

    Joined:
    Sep 11, 2004
    Messages:
    16
    Hello,

    Could one of the "Distinguished Members" please help. This thread seems to keep
    falling through the cracks (I realize that there are few "Distinguished Members"
    compared to the amount of problems people are having with their machines).
     
  15. FinestRanger

    FinestRanger

    Joined:
    Oct 13, 2003
    Messages:
    2,367
    Sapphire, I just received your Private Message (PM), so I'm jumping in...not that Mobo's not doing an excellent job. :)

    If the files are "uncleanable" or not able to be quarantined, delete the files.

    Restart and post another HJT log.
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/272777

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice