
remove items from msconfig

Discussion in 'Security and Privacy' started by rlambert7, 2004/04/15.

Thread Status:
Not open for further replies.
  1. 2004/04/15
    rlambert7

    rlambert7 Inactive Thread Starter

    Joined:
    2003/09/10
    Messages:
    199
    Likes Received:
    0
    I had some spyware on my system that started up via entries in MSCONFIG. I unchecked them so they won't start, and I deleted the associated files, but how do I completely remove the spyware entries from MSCONFIG?

    Thanks,

    Richard
     
  2. 2004/04/15
    KevinSaul

    KevinSaul Inactive

    Joined:
    2002/01/07
    Messages:
    425
    Likes Received:
    0
    Check this thread.
     

  4. 2004/04/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    The best way to clean up spyware is with detection/removal programs that will get all their entries, such as Spybot and Ad-aware. If you already have them, make sure they are the current build and updated reference files. If you don't, download, install, immediately update and run both, deleting all they find. Links in my sig.
     
  5. 2004/04/15
    rlambert7

    rlambert7 Inactive Thread Starter

    Joined:
    2003/09/10
    Messages:
    199
    Likes Received:
    0
    I tried the link to the other thread. It basically has you edit the registry. I did as directed, but the unchecked items still show up in MSCONFIG. I tried doing a "Find" in regedit on one of the unchecked items that still appear in MSCONFIG, and I don't find it. Why are the unchecked items still there?
     
  6. 2004/04/15
    KevinSaul

    KevinSaul Inactive

    Joined:
    2002/01/07
    Messages:
    425
    Likes Received:
    0
    Probably hidden under codes, regcleaner would clean that up (I think).

    noahdfear is right, download AdAware and SpyBot Search & Destroy to get rid of spyware.
     
  7. 2004/04/15
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Assuming you did install, update and run both SpyBot and Ad-Aware, let them fix whatever they found, and have restarted the PC,

    and the empty run entries are still there:
    start msconfig, undo anything you've changed since the problem started, exit msconfig, and don't yet allow the PC to restart; then
    get HijackThis and post its log.

    Here's the spiel.

    Post a log from HijackThis so our forum members can see
    what's going on. The current version is 1.97.7 [created by Merijn Bellekom].

    Get it here http://radiosplace.com/
    Choose Save, NOT Open.
    Save it to a PERMANENT folder (for example C:\Anti Spyware), double-click HijackThis.exe,
    and hit "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that, save the log, load it in Notepad, and copy its contents here.
    Most of what it lists will be harmless, even essential. DON'T fix anything yet, please. Also, if you've used it before, please don't have anything excluded.
     
  8. 2004/04/16
    rlambert7

    rlambert7 Inactive Thread Starter

    Joined:
    2003/09/10
    Messages:
    199
    Likes Received:
    0
    OK, I ran Spybot Search & Destroy. I have Registry First Aid (I assume that is similar to Regcleaner). Anyway, I ran that. It found a lot of stuff, but I didn't have it fix anything but the few nasty things I was aware of. I ran HijackThis BEFORE going into MSCONFIG and rechecking the nasty items, then again AFTER checking off those items. I made logfiles for both runs. I also diff'd them (I have Cygwin, so I can do that). I'm going to place the "diff" file in here first (so you can see what I am most concerned about, and what I want to get rid of out of MSCONFIG... basically the strangely named .exe files), then the "BEFORE" logfile, and finally the "AFTER" logfile.

    Thanks for your help.

    (Shucks, there is a posting size limit. OK, I'll post the "diff" here, and the "BEFORE" logfile and the "AFTER" logfile in two subsequent posts.)

    Here's the 'diff' of the two logfiles:

    2c2
    < Scan saved at 2:23:06 PM, on 4/16/04
    ---
    > Scan saved at 2:57:44 PM, on 4/16/04
    29d28
    < C:\PROGRAM FILES\RFA\REG1AID.EXE
    32c31
    < C:\WINDOWS\SYSTEM\MSCONFIG.EXE
    ---
    > C:\PROGRAM FILES\RFA\REG1AID.EXE
    86a86,123
    > O4 - Startup: I7CHMT02.lnk = C:\WINDOWS\i7chmt02.exe
    > O4 - Startup: 01MN02AH.lnk = C:\WINDOWS\01mn02ah.exe
    > O4 - Startup: FN0M085V.lnk = C:\WINDOWS\fn0m085v.exe
    > O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    > O4 - Startup: UKNBJZXZ.lnk = C:\WINDOWS\uknbjzxz.exe
    > O4 - Startup: CLIEOK2E.lnk = C:\WINDOWS\clieok2e.exe
    > O4 - Startup: 7D1D3JN6.lnk = C:\WINDOWS\7d1d3jn6.exe
    > O4 - Startup: ZY00RQGL.lnk = C:\WINDOWS\zy00rqgl.exe
    > O4 - Startup: GWU0J8EW.lnk = C:\WINDOWS\gwu0j8ew.exe
    > O4 - Startup: 4NXCK6VQ.lnk = C:\WINDOWS\4nxck6vq.exe
    > O4 - Startup: LCYQ7TFN.lnk = C:\WINDOWS\lcyq7tfn.exe
    > O4 - Startup: B5K3J9F3.lnk = C:\WINDOWS\b5k3j9f3.exe
    > O4 - Startup: 11R8EG9D.lnk = C:\WINDOWS\11r8eg9d.exe
    > O4 - Startup: D3U3G04V.lnk = C:\WINDOWS\d3u3g04v.exe
    > O4 - Startup: 81C4X127.lnk = C:\WINDOWS\81c4x127.exe
    > O4 - Startup: WRET1INP.lnk = C:\WINDOWS\wret1inp.exe
    > O4 - Startup: KKU47226.lnk = C:\WINDOWS\kku47226.exe
    > O4 - Startup: 72YXYA0W.lnk = C:\WINDOWS\72yxya0w.exe
    > O4 - Startup: RBQ3XP6N.lnk = C:\WINDOWS\rbq3xp6n.exe
    > O4 - Global Startup: 01MN02AH.lnk = C:\WINDOWS\01mn02ah.exe
    > O4 - Global Startup: FN0M085V.lnk = C:\WINDOWS\fn0m085v.exe
    > O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    > O4 - Global Startup: I7CHMT02.lnk = C:\WINDOWS\i7chmt02.exe
    > O4 - Global Startup: UKNBJZXZ.lnk = C:\WINDOWS\uknbjzxz.exe
    > O4 - Global Startup: CLIEOK2E.lnk = C:\WINDOWS\clieok2e.exe
    > O4 - Global Startup: 7D1D3JN6.lnk = C:\WINDOWS\7d1d3jn6.exe
    > O4 - Global Startup: ZY00RQGL.lnk = C:\WINDOWS\zy00rqgl.exe
    > O4 - Global Startup: GWU0J8EW.lnk = C:\WINDOWS\gwu0j8ew.exe
    > O4 - Global Startup: 4NXCK6VQ.lnk = C:\WINDOWS\4nxck6vq.exe
    > O4 - Global Startup: LCYQ7TFN.lnk = C:\WINDOWS\lcyq7tfn.exe
    > O4 - Global Startup: B5K3J9F3.lnk = C:\WINDOWS\b5k3j9f3.exe
    > O4 - Global Startup: 11R8EG9D.lnk = C:\WINDOWS\11r8eg9d.exe
    > O4 - Global Startup: D3U3G04V.lnk = C:\WINDOWS\d3u3g04v.exe
    > O4 - Global Startup: WRET1INP.lnk = C:\WINDOWS\wret1inp.exe
    > O4 - Global Startup: 81C4X127.lnk = C:\WINDOWS\81c4x127.exe
    > O4 - Global Startup: KKU47226.lnk = C:\WINDOWS\kku47226.exe
    > O4 - Global Startup: 72YXYA0W.lnk = C:\WINDOWS\72yxya0w.exe
    > O4 - Global Startup: RBQ3XP6N.lnk = C:\WINDOWS\rbq3xp6n.exe


    logfiles to follow in next 2 posts.....
     
  9. 2004/04/16
    rlambert7

    rlambert7 Inactive Thread Starter

    Joined:
    2003/09/10
    Messages:
    199
    Likes Received:
    0
    ...here's the "BEFORE" logfile:

    Here's the "BEFORE" (before I rechecked the items in MSCONFIG) logfile:
    I hope you don't mind, I'm going to edit this out since there is no need for a before log.
     
  10. 2004/04/16
    rlambert7

    rlambert7 Inactive Thread Starter

    Joined:
    2003/09/10
    Messages:
    199
    Likes Received:
    0
    Here's the "AFTER" (after I rechecked the items in MSCONFIG) logfile:

    Logfile of HijackThis v1.97.7
    Scan saved at 2:57:44 PM, on 4/16/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\PROGRAM FILES\RFA\RFAGENT.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
    C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\ANALOGX\MAXMEM\MAXMEM.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\RFA\REG1AID.EXE
    C:\__SHARED\HIJACK_THIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.truthout.org/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    N2 - Netscape 6: # Mozilla User Preferences
    // This is a generated file!

    user_pref( "browser.cache.directory ", "C:\\WINDOWS\\Application Data\\Mozilla\\Profiles\\default\\xvr8qeo9.slt\\Cache ");
    user_pref( "browser.history.last_page_visited ", "http://truthout.org/docs_03/050603C.shtml ");
    user_pref( "browser.search.defaultengine ", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src ");
    user_pref( "browser.startup.homepage_override.1 ", false);
    user_pref( "intl.charsetmenu.browser.cache ", "windows-1252, us-ascii ");
    user_pref( "prefs.converted-to-utf8 ", true);
    user_pref( "signon.SignonFileName ", "97900217.s ");
    user_pref( "startup.homepage_override_url ", "http://home.netscape.com/bookmark/6_1/startuppage.html ");
    user_pref( "timebomb.first_launch_time ", "997823721500000 ");
    user_pref( "wallet.SchemaValueFileName ", "52964405.w ");
    user_pref( "browser.helperApps.neverAsk.openFile ", "application%2Fx-java-jnlp-file ");
    (C:\WINDOWS\Application Data\Mozilla\Profiles\default\xvr8qeo9.slt\prefs.js)
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
    O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRAM FILES\LYCOS\IEAGENT\CSIE.DLL
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
    O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\PROGRAM FILES\MYWAY\SRCHASTT\1.BIN\MYSRCHAS.DLL
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [rfagent] C:\PROGRAM FILES\RFA\rfagent.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks "
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe "
    O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Internet Security\NISUM.EXE
    O4 - HKLM\..\RunServices: [ccPxySvc] C:\Program Files\Norton Internet Security\ccPxySvc.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINSM32.EXE
    O4 - Startup: I7CHMT02.lnk = C:\WINDOWS\i7chmt02.exe
    O4 - Startup: 01MN02AH.lnk = C:\WINDOWS\01mn02ah.exe
    O4 - Startup: FN0M085V.lnk = C:\WINDOWS\fn0m085v.exe
    O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Startup: UKNBJZXZ.lnk = C:\WINDOWS\uknbjzxz.exe
    O4 - Startup: CLIEOK2E.lnk = C:\WINDOWS\clieok2e.exe
    O4 - Startup: 7D1D3JN6.lnk = C:\WINDOWS\7d1d3jn6.exe
    O4 - Startup: ZY00RQGL.lnk = C:\WINDOWS\zy00rqgl.exe
    O4 - Startup: GWU0J8EW.lnk = C:\WINDOWS\gwu0j8ew.exe
    O4 - Startup: 4NXCK6VQ.lnk = C:\WINDOWS\4nxck6vq.exe
    O4 - Startup: LCYQ7TFN.lnk = C:\WINDOWS\lcyq7tfn.exe
    O4 - Startup: B5K3J9F3.lnk = C:\WINDOWS\b5k3j9f3.exe
    O4 - Startup: 11R8EG9D.lnk = C:\WINDOWS\11r8eg9d.exe
    O4 - Startup: D3U3G04V.lnk = C:\WINDOWS\d3u3g04v.exe
    O4 - Startup: 81C4X127.lnk = C:\WINDOWS\81c4x127.exe
    O4 - Startup: WRET1INP.lnk = C:\WINDOWS\wret1inp.exe
    O4 - Startup: KKU47226.lnk = C:\WINDOWS\kku47226.exe
    O4 - Startup: 72YXYA0W.lnk = C:\WINDOWS\72yxya0w.exe
    O4 - Startup: RBQ3XP6N.lnk = C:\WINDOWS\rbq3xp6n.exe
    O4 - Global Startup: 01MN02AH.lnk = C:\WINDOWS\01mn02ah.exe
    O4 - Global Startup: FN0M085V.lnk = C:\WINDOWS\fn0m085v.exe
    O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Global Startup: I7CHMT02.lnk = C:\WINDOWS\i7chmt02.exe
    O4 - Global Startup: UKNBJZXZ.lnk = C:\WINDOWS\uknbjzxz.exe
    O4 - Global Startup: CLIEOK2E.lnk = C:\WINDOWS\clieok2e.exe
    O4 - Global Startup: 7D1D3JN6.lnk = C:\WINDOWS\7d1d3jn6.exe
    O4 - Global Startup: ZY00RQGL.lnk = C:\WINDOWS\zy00rqgl.exe
    O4 - Global Startup: GWU0J8EW.lnk = C:\WINDOWS\gwu0j8ew.exe
    O4 - Global Startup: 4NXCK6VQ.lnk = C:\WINDOWS\4nxck6vq.exe
    O4 - Global Startup: LCYQ7TFN.lnk = C:\WINDOWS\lcyq7tfn.exe
    O4 - Global Startup: B5K3J9F3.lnk = C:\WINDOWS\b5k3j9f3.exe
    O4 - Global Startup: 11R8EG9D.lnk = C:\WINDOWS\11r8eg9d.exe
    O4 - Global Startup: D3U3G04V.lnk = C:\WINDOWS\d3u3g04v.exe
    O4 - Global Startup: WRET1INP.lnk = C:\WINDOWS\wret1inp.exe
    O4 - Global Startup: 81C4X127.lnk = C:\WINDOWS\81c4x127.exe
    O4 - Global Startup: KKU47226.lnk = C:\WINDOWS\kku47226.exe
    O4 - Global Startup: 72YXYA0W.lnk = C:\WINDOWS\72yxya0w.exe
    O4 - Global Startup: RBQ3XP6N.lnk = C:\WINDOWS\rbq3xp6n.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
    O16 - DPF: ChatSpace Java Client 2.1.0.89 - http://soapcity.chatspace.com/Java/cs4ms089.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37995.8654976852
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/124a40f913c0928dba01/netzip/RdxIE601.cab
    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/roing.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = G_AND_R
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1
     
  11. 2004/04/16
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Have you run Ad-Aware yet?
    Well, I'll handle this as if you still have an infection, not sure where we stand at the moment. In the future it might be best to seek help first.

    You have an Adtomi Adware infection, which requires special attention.
    You might want to print this out, if you have any questions feel free to ask.
    Download the file relevant to your OS.
    for 98 or ME http://www.wilderssecurity.com/attachments/9x_Adtomi_Cleanup.zip
    for XP http://www.wilderssecurity.com/attachments/XPAdtomi_Cleanup.zip

    Then follow these instructions.

    First, if you have a script-blocking program enabled, disable it first so the scripts may run.

    Unzip it to C:\Windows\ (this will be a folder called "9xAdtomi Cleanup"; leave it be for now).

    See if there is an Adtomi or Yahoo stocks icon in your system tray; it might be a red ??, and if so right-click and select Remove. You must be online for this part.

    --A web page from Adtomi would appear: "-uninstall was successful!"
    Then go offline.
    (Note: not all infections have this icon, so if it isn't there then don't worry.)

    (skip this step) Next, press CTRL+ALT+DEL once to bring up Task Manager and stop the running process on the funny named file with 8 assorted letters and numbers, which will be listed towards the bottom of the running process list in your HijackThis log,
    and there might also be morze1.exe running; if so, end that process as well.

    If you don't have any strangely named exe files running, open Spybot in advanced mode, then Tools > Process page and Kill (end task) that file. "I don't see it in this log :)"
    IF you can't stop it running, then DO NOT CONTINUE; please ask for more help first.

    Now locate and right-click Cleanup.bat in the folder you unzipped (C:\Windows\Adtomi Cleanup), right-click-drag to an empty space in the same folder and choose Create Shortcut,
    double-click that shortcut, then close all folders << very important, and Internet Explorer too.

    ***Do not Touch the VBS files. The bat file will run the scripts.

    It will remove the Adtomi spyware files from the Windows folder
    Clean the Startup folders
    Create backups of the Adtomi exe files it deletes and save them in this folder
    Create a list of all oddly named files deleted from the Windows folder
    Uninstall the BHO
    Start HijackThis and give you directions on what to remove.

    When you have finished please restart the computer.

    Run HijackThis again and post the contents of your new log and the contents of Adtomi.txt in your next reply.

    Moving thread to security area
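As an added example (not code from this thread, from HijackThis or from the Adtomi cleanup package), the script below does in Python what rlambert7 did with Cygwin `diff` in post 8 and what the post above describes doing by eye: it parses the O4 autostart lines of a "before" and an "after" HijackThis log, lists the entries that appeared, and flags the ones whose target matches the pattern described above, an 8-character mix of letters and digits dropped straight into the Windows folder, plus morze1.exe, which the post names explicitly. The sample logs are constructed from a few of the O4 lines posted in this thread; the function names and the 8-character rule are mine.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample logs: a handful of O4 lines in the format posted in this thread.
# BEFORE_LOG stands in for the log taken with the MSCONFIG items unchecked,
# AFTER_LOG for the log taken after re-checking them.
BEFORE_LOG = "\n".join([
    r"O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun",
    r"O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe",
    r"O4 - HKLM\..\Run: [SystemTray] SysTray.Exe",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "',
    r"O4 - HKLM\..\Run: [rfagent] C:\PROGRAM FILES\RFA\rfagent.exe",
    r"O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINSM32.EXE",
])
AFTER_LOG = BEFORE_LOG + "\n" + "\n".join([
    r"O4 - Startup: I7CHMT02.lnk = C:\WINDOWS\i7chmt02.exe",
    r"O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe",
    r"O4 - Global Startup: 7D1D3JN6.lnk = C:\WINDOWS\7d1d3jn6.exe",
])

# "O4 - <location>: <rest>", where location is e.g. HKLM\..\Run, Startup, Global Startup
O4_LINE = re.compile(r"^O4 - (?P<location>[^:]+): (?P<rest>.+)$")
# First .exe in a command line, with or without surrounding quotes, arguments dropped
EXE_PATH = re.compile(r'^"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)
RANDOM_NAME = re.compile(r"^[a-z0-9]{8}$", re.IGNORECASE)
# Named explicitly in the thread as belonging to this infection
KNOWN_BAD_NAMES = {"morze1.exe"}


@dataclass(frozen=True)
class AutostartEntry:
    location: str  # registry key or startup folder the entry lives in
    path: str      # executable the entry launches, without arguments
    raw: str       # the original log line


def target_path(rest: str) -> str:
    """Extract the launched executable from the text after 'O4 - <location>: '."""
    if rest.startswith("["):        # registry form: [ValueName] command line
        rest = rest.split("] ", 1)[1]
    elif " = " in rest:             # startup-folder form: Shortcut.lnk = target
        rest = rest.split(" = ", 1)[1]
    m = EXE_PATH.match(rest.strip())
    return m.group("path") if m else rest.strip()


def parse_o4(log_text: str) -> List[AutostartEntry]:
    """Return every O4 autostart entry in a HijackThis log, in log order."""
    entries = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if m:
            entries.append(AutostartEntry(m.group("location"),
                                          target_path(m.group("rest")),
                                          line.strip()))
    return entries


def added_o4_entries(before: str, after: str) -> List[AutostartEntry]:
    """O4 lines present in the later log but not the earlier one (diff, O4 only)."""
    seen = {e.raw for e in parse_o4(before)}
    return [e for e in parse_o4(after) if e.raw not in seen]


def is_random_windows_exe(path: str) -> bool:
    """Heuristic from the thread: an 8-character mix of letters and digits sitting
    directly in the Windows folder. Letter-only names such as scanregw.exe pass."""
    directory, _, filename = path.rpartition("\\")
    if directory.upper() != r"C:\WINDOWS":
        return False
    stem, _, ext = filename.lower().rpartition(".")
    if ext != "exe" or not RANDOM_NAME.match(stem):
        return False
    return any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)


def triage(before: str, after: str) -> List[AutostartEntry]:
    """Newly appeared O4 entries that look like the files described in this thread."""
    return [e for e in added_o4_entries(before, after)
            if is_random_windows_exe(e.path)
            or e.path.lower().rpartition("\\")[2] in KNOWN_BAD_NAMES]


if __name__ == "__main__":
    for entry in triage(BEFORE_LOG, AFTER_LOG):
        print(f"{entry.location:15} {entry.path}")
```

To run it over real logs, read the two saved HijackThis files and pass their text to `triage`. The 8-character rule is a triage aid, not a verdict: a legitimate driver helper such as AU30TRAY.EXE from the directory listing posted later in this thread would match it too, so every hit still needs a look at where the file came from before anything is removed.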
     
  12. 2004/04/19
    rlambert7

    rlambert7 Inactive Thread Starter

    Joined:
    2003/09/10
    Messages:
    199
    Likes Received:
    0
    OK, I downloaded and ran the Adtomi.exe cleanup script. It ran HijackThis afterwards, but I did not see any instructions about removing anything. Here is the Adtomi.txt file (the HijackThis logfile from the run of HijackThis after rebooting follows in the posting right after this one).

    Thanks.

    ***************** Adtomi.txt:
    4/19/04 2:34:47 PM
    No Smaller Files Found

    4/19/04 2:34:49 PM
    No Larger Files Found

    4/19/04 2:34:51 PM
    No Third Files Found



    Volume in drive C is GINA
    Volume Serial Number is 404E-7CD3
    Directory of C:\WINDOWS

    CONTROL EXE 2,112 04-23-99 10:22p CONTROL.EXE
    WINHELP EXE 2,416 04-23-99 10:22p WINHELP.EXE
    WINVER EXE 3,648 04-23-99 10:22p WINVER.EXE
    SCANDSKW EXE 4,896 04-23-99 10:22p SCANDSKW.EXE
    RUNDLL EXE 4,960 04-23-99 10:22p RUNDLL.EXE
    HH EXE 10,752 06-10-02 12:56p hh.exe
    PROTMAN EXE 14,952 04-23-99 10:22p PROTMAN.EXE
    CHARMAP EXE 17,440 04-23-99 10:22p CHARMAP.EXE
    SETVER EXE 18,939 01-04-01 9:56p SETVER.EXE
    PBRUSH EXE 20,480 04-23-99 10:22p PBRUSH.EXE
    WRITE EXE 20,480 04-23-99 10:22p WRITE.EXE
    TRACERT EXE 20,480 04-23-99 10:22p TRACERT.EXE
    DICT2 EXE 20,480 04-14-04 11:51p dict2.exe
    RUNDLL32 EXE 24,576 04-23-99 10:22p RUNDLL32.EXE
    PING EXE 24,576 04-23-99 10:22p PING.EXE
    DICTCO~1 EXE 24,576 04-14-04 11:51p DictComp3s.exe
    JAVA EXE 24,677 02-20-03 4:42p java.exe
    WINPOPUP EXE 27,600 05-10-99 5:23p WINPOPUP.EXE
    TASKMON EXE 28,672 04-23-99 10:22p TASKMON.EXE
    ARP EXE 28,672 04-23-99 10:22p ARP.EXE
    UNSTALL EXE 28,672 04-14-04 11:51p unstall.exe
    JAVAW EXE 28,775 02-20-03 4:42p javaw.exe
    MM2ENT EXE 32,768 04-23-99 10:22p MM2ENT.EXE
    NETSTAT EXE 32,768 04-23-99 10:22p NETSTAT.EXE
    ROUTE EXE 32,768 04-23-99 10:22p ROUTE.EXE
    PREINSTT EXE 32,768 02-11-04 9:30a PREINSTT.EXE
    IEUNINST EXE 33,792 03-03-03 9:24a ieuninst.exe
    UNISTB32 EXE 34,304 03-12-98 10:02p UNISTB32.EXE
    NBTSTAT EXE 34,543 04-23-99 10:22p NBTSTAT.EXE
    OPTIMIZE EXE 36,352 04-14-04 11:51p optimize.exe
    ACCSTAT EXE 36,864 04-23-99 10:22p ACCSTAT.EXE
    QFECHECK EXE 36,864 07-27-98 2:48p QFECHECK.EXE
    GRPCONV EXE 38,160 08-29-02 12:00a GRPCONV.EXE
    PIDSET EXE 40,960 04-23-99 10:22p PIDSET.EXE
    RG2CATDB EXE 40,960 04-23-99 10:22p RG2CATDB.EXE
    REGTLIB EXE 40,960 08-31-99 4:55p REGTLIB.EXE
    WININIT EXE 41,973 04-23-99 10:22p WININIT.EXE
    VCMUI EXE 45,056 04-23-99 10:22p VCMUI.EXE
    MSNCREAT EXE 45,056 04-23-99 10:22p MSNCREAT.EXE
    FTP EXE 45,056 04-23-99 10:22p FTP.EXE
    SMARTDRV EXE 45,379 04-23-99 10:22p SMARTDRV.EXE
    SETDEBUG EXE 46,352 02-28-03 6:26p SETDEBUG.EXE
    TWUNK_16 EXE 48,560 04-23-99 10:22p TWUNK_16.EXE
    FONTVIEW EXE 49,152 04-23-99 10:22p FONTVIEW.EXE
    TASKMAN EXE 49,152 04-23-99 10:22p TASKMAN.EXE
    CLSPACK EXE 49,424 02-28-03 6:26p CLSPACK.EXE
    NOTEPAD EXE 53,248 04-23-99 10:22p NOTEPAD.EXE
    IPCONFIG EXE 53,248 04-23-99 10:22p IPCONFIG.EXE
    WINIPCFG EXE 53,248 04-23-99 10:22p WINIPCFG.EXE
    AOLCINUN EXE 53,248 01-10-02 9:32p AolCInUn.exe
    NETDDE EXE 56,880 04-23-99 10:22p NETDDE.EXE
    UPWIZUN EXE 57,344 04-23-99 10:22p UPWIZUN.EXE
    WUPDMGR EXE 57,344 04-23-99 10:22p WUPDMGR.EXE
    ASD EXE 61,440 04-23-99 10:22p ASD.EXE
    MSNMGSR1 EXE 65,536 04-23-99 10:22p MSNMGSR1.EXE
    PUP EXE 65,536 02-26-04 4:17p pup.exe
    DIALER EXE 68,992 04-23-99 10:22p DIALER.EXE
    SNDVOL32 EXE 69,632 04-23-99 10:22p SNDVOL32.EXE
    SYS_AI~1 EXE 69,632 04-14-04 11:51p sys_ai_client_loader.exe
    CVTAPLOG EXE 77,824 04-23-99 10:22p CVTAPLOG.EXE
    PACKAGER EXE 77,824 04-23-99 10:22p PACKAGER.EXE
    TELNET EXE 77,824 04-23-99 10:22p TELNET.EXE
    SYSMON EXE 81,920 04-23-99 10:22p SYSMON.EXE
    SCANREGW EXE 86,016 04-23-99 10:22p SCANREGW.EXE
    N6UNINST EXE 87,776 08-14-01 2:01p N6Uninst.exe
    DOSREP EXE 89,147 04-23-99 10:22p DOSREP.EXE
    TWUNK_32 EXE 90,112 04-23-99 10:22p TWUNK_32.EXE
    CALC EXE 94,208 04-23-99 10:22p CALC.EXE
    HWINFO EXE 110,592 04-23-99 10:22p HWINFO.EXE
    TUNEUP EXE 110,592 04-23-99 10:22p TUNEUP.EXE
    SNDREC32 EXE 110,592 04-23-99 10:22p SNDREC32.EXE
    PROGMAN EXE 113,456 04-23-99 10:22p PROGMAN.EXE
    CVT1 EXE 114,688 04-23-99 10:22p CVT1.EXE
    KODAKPRV EXE 114,688 04-23-99 10:22p KODAKPRV.EXE
    REGEDIT EXE 118,784 04-23-99 10:22p REGEDIT.EXE
    WSCRIPT EXE 118,834 02-03-03 12:56a WSCRIPT.EXE
    A3DSPLSH EXE 122,880 08-05-98 6:10p A3DSPLSH.EXE
    EMM386 EXE 125,495 04-23-99 10:22p EMM386.EXE
    SIGVERIF EXE 131,072 04-23-99 10:22p SIGVERIF.EXE
    CLEANMGR EXE 131,072 04-23-99 10:22p CLEANMGR.EXE
    EXTRAC32 EXE 132,608 08-29-02 12:00a EXTRAC32.EXE
    DRWATSON EXE 139,264 04-23-99 10:22p DRWATSON.EXE
    PP40UN EXE 140,800 08-28-98 3:35p pp40un.exe
    AST_4_MM EXE 152,149 04-14-04 11:51p ast_4_mm.exe
    WINFILE EXE 155,424 04-23-99 10:22p WINFILE.EXE
    MPLAYER EXE 159,744 04-23-99 10:22p MPLAYER.EXE
    WJVIEW EXE 171,792 02-28-03 6:26p WJVIEW.EXE
    JVIEW EXE 172,304 02-28-03 6:26p JVIEW.EXE
    EXPLORER EXE 180,224 04-23-99 10:22p EXPLORER.EXE
    TOUR98 EXE 188,416 04-23-99 10:22p TOUR98.EXE
    AU30TRAY EXE 201,728 08-24-98 10:29p AU30TRAY.EXE
    IUN3401 EXE 209,920 08-29-01 9:43p iun3401.exe
    AOLUNINS EXE 231,913 08-15-03 3:17p Aolunins.exe
    AOLUNI~1 EXE 231,913 08-15-03 3:17p Aolunins_us.exe
    DEFRAG EXE 253,952 04-23-99 10:22p DEFRAG.EXE
    AU30SETP EXE 261,120 08-24-98 10:28p AU30SETP.EXE
    DEINST32 EXE 274,432 12-31-01 4:05p DEINST32.EXE
    WELCOME EXE 278,528 04-23-99 10:22p WELCOME.EXE
    AU30CPL EXE 285,184 08-24-98 10:29p AU30CPL.EXE
    UNINST EXE 298,496 08-28-98 3:35p uninst.exe
    ISUNINST EXE 306,688 07-22-99 6:14p IsUninst.exe
    WINHLP32 EXE 319,488 04-23-99 10:22p WINHLP32.EXE
    NET EXE 356,134 05-10-99 5:23p NET.EXE
    DRVSPACE EXE 404,880 04-23-99 10:22p DRVSPACE.EXE
    WINREP EXE 438,272 04-23-99 10:22p WINREP.EXE
    KODAKIMG EXE 528,384 04-23-99 10:22p KODAKIMG.EXE
    106 file(s) 10,817,303 bytes
    0 dir(s) 1,365,055,488 bytes free



    ************ Hijackthis.log follows in next posting...
     
  13. 2004/04/19
    rlambert7

    rlambert7 Inactive Thread Starter

    Joined:
    2003/09/10
    Messages:
    199
    Likes Received:
    0
    ************ Hijackthis.log:

    Logfile of HijackThis v1.97.7
    Scan saved at 2:47:15 PM, on 4/19/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\PROGRAM FILES\RFA\RFAGENT.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
    C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\__SHARED\HIJACK_THIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.truthout.org/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    N2 - Netscape 6: # Mozilla User Preferences
    // This is a generated file!

    user_pref( "browser.cache.directory ", "C:\\WINDOWS\\Application Data\\Mozilla\\Profiles\\default\\xvr8qeo9.slt\\Cache ");
    user_pref( "browser.history.last_page_visited ", "http://truthout.org/docs_03/050603C.shtml ");
    user_pref( "browser.search.defaultengine ", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src ");
    user_pref( "browser.startup.homepage_override.1 ", false);
    user_pref( "intl.charsetmenu.browser.cache ", "windows-1252, us-ascii ");
    user_pref( "prefs.converted-to-utf8 ", true);
    user_pref( "signon.SignonFileName ", "97900217.s ");
    user_pref( "startup.homepage_override_url ", "http://home.netscape.com/bookmark/6_1/startuppage.html ");
    user_pref( "timebomb.first_launch_time ", "997823721500000 ");
    user_pref( "wallet.SchemaValueFileName ", "52964405.w ");
    user_pref( "browser.helperApps.neverAsk.openFile ", "application%2Fx-java-jnlp-file ");
    (C:\WINDOWS\Application Data\Mozilla\Profiles\default\xvr8qeo9.slt\prefs.js)
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
    O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRAM FILES\LYCOS\IEAGENT\CSIE.DLL
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
    O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\PROGRAM FILES\MYWAY\SRCHASTT\1.BIN\MYSRCHAS.DLL
    O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [rfagent] C:\PROGRAM FILES\RFA\rfagent.exe
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks "
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe "
    O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Internet Security\NISUM.EXE
    O4 - HKLM\..\RunServices: [ccPxySvc] C:\Program Files\Norton Internet Security\ccPxySvc.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Internet Security\NISSERV.EXE
    O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINSM32.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
    O16 - DPF: ChatSpace Java Client 2.1.0.89 - http://soapcity.chatspace.com/Java/cs4ms089.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37995.8654976852
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/124a40f913c0928dba01/netzip/RdxIE601.cab
    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/roing.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = G_AND_R
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1
     
  14. 2004/04/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Make sure you have the current build of Ad-Aware (6.181), update it, configure per my instructions here and scan. You can quarantine for now anything found. Reboot and post another HJT log.
     
  15. 2004/04/19
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Great ^^ that's why I wanted you to run it,
    that and it cleaned up all the stray lnk's.

    After running Ad-aware, if these still show, fix them.
    We/I recommend fixing the MyWay Search Assistant, so if you choose to keep it, disregard its entries below. I vote fix, simply because it gets installed on most PCs without asking.

    Start HijackThis and place a check next to these items.
    Close all browser windows and shut down all other programs (even folders)
    that show in the taskbar. Then hit fix selected.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
    O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRAM FILES\LYCOS\IEAGENT\CSIE.DLL
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
    O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\PROGRAM FILES\MYWAY\SRCHASTT\1.BIN\MYSRCHAS.DLL
    O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - (no file)
    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/124a40f...ip/RdxIE601.cab
    O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/roing.cab
    =====

    No run items, so rebooting isn't necessary this time.

    Uninstall any funweb products via Add/Remove Programs:
    'My Search Bar', 'MyWay Speed Bar', 'Myway toolbar', anything Myway.
    Then delete these folders if still there:
    C:\PROGRAM FILES\LYCOS
    C:\PROGRAM FILES\MYWAY

    Surf a bit, then post a fresh log.
     
  16. 2004/04/19
    rlambert7

    rlambert7 Inactive Thread Starter

    Joined:
    2003/09/10
    Messages:
    199
    Likes Received:
    0
    OK, I ran Ad-aware, and had it quarantine and remove all of the objects it found. Then, I ran HJT, and had it fix the items you said to check. I tried to remove (via Add/Remove Programs) My Search Bar, but I got an error message that some .dll file could not be found, so it could not remove it. Should I still go ahead and delete those LYCOS and MYWAY folders?

    Here's the latest HJT logfile (after I ran the fixes):

    Logfile of HijackThis v1.97.7
    Scan saved at 6:02:38 PM, on 4/19/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\PROGRAM FILES\RFA\RFAGENT.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
    C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\__SHARED\HIJACK_THIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.truthout.org/
    N2 - Netscape 6: # Mozilla User Preferences
    // This is a generated file!

    user_pref( "browser.cache.directory ", "C:\\WINDOWS\\Application Data\\Mozilla\\Profiles\\default\\xvr8qeo9.slt\\Cache ");
    user_pref( "browser.history.last_page_visited ", "http://truthout.org/docs_03/050603C.shtml ");
    user_pref( "browser.search.defaultengine ", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src ");
    user_pref( "browser.startup.homepage_override.1 ", false);
    user_pref( "intl.charsetmenu.browser.cache ", "windows-1252, us-ascii ");
    user_pref( "prefs.converted-to-utf8 ", true);
    user_pref( "signon.SignonFileName ", "97900217.s ");
    user_pref( "startup.homepage_override_url ", "http://home.netscape.com/bookmark/6_1/startuppage.html ");
    user_pref( "timebomb.first_launch_time ", "997823721500000 ");
    user_pref( "wallet.SchemaValueFileName ", "52964405.w ");
    user_pref( "browser.helperApps.neverAsk.openFile ", "application%2Fx-java-jnlp-file ");
    (C:\WINDOWS\Application Data\Mozilla\Profiles\default\xvr8qeo9.slt\prefs.js)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [rfagent] C:\PROGRAM FILES\RFA\rfagent.exe
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks "
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe "
    O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Internet Security\NISUM.EXE
    O4 - HKLM\..\RunServices: [ccPxySvc] C:\Program Files\Norton Internet Security\ccPxySvc.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Internet Security\NISSERV.EXE
    O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINSM32.EXE
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
    O16 - DPF: ChatSpace Java Client 2.1.0.89 - http://soapcity.chatspace.com/Java/cs4ms089.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37995.8654976852
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = G_AND_R
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1
     
  17. 2004/04/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Yes, remove those folders and cleanup with Registry First Aid. May need more than 1 run. Log looks good now.
     
  18. 2004/04/19
    rlambert7

    rlambert7 Inactive Thread Starter

    Joined:
    2003/09/10
    Messages:
    199
    Likes Received:
    0
    Well, I think there is still at least one problem.

    You ask me to "surf some". Well, I have, and I have noticed something that I have seen before. My IE window is split. The portion of the window at the bottom is about 5/8" high. When I start up IE I would expect it to go to my (actually my wife's) website. I could have sworn I used to see "finding site www.truthout.org" at the bottom of the IE window. Now, it says finding site "realguide.real.com", and then goes to the default site. Right now, that bottom portion of the IE window has Real One Player stuff in it, and there is an "X" at the extreme left. If I click the "X", that split portion of the IE window goes away, but then I can't reach ANY website. If I reboot, and don't "click away" that bottom portion of the IE window, I can surf OK, but this seems to be "not a good thing".
     
  19. 2004/04/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Ahh yes, RealPlayer. I usually advise removing the startup entries and BHOs, but for some reason figured you were aware of it and OK with it. My mistake for assuming. Scan again and fix these:

    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O9 - Extra button: Real.com (HKLM)

    Reboot and all should be well again.
     
  20. 2004/04/19
    rlambert7

    rlambert7 Inactive Thread Starter

    Joined:
    2003/09/10
    Messages:
    199
    Likes Received:
    0
    OK, before I do that, let me just be clear about what will happen. That will not completely remove Real Player (because I think my wife uses it*), but just remove that crappy thing from IE?

    Also, BHO?, HKLM?, etc. I am not familiar with those terms.


    *I think there is an internet "radio station" that has previously recorded programs that she listens to, and it seems to require Real Player (a .RAM file gets downloaded--it's not obvious that that is what happens, but I know that it does that)
     
  21. 2004/04/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    BHO
    HKLM: HKEY_LOCAL_MACHINE section of the registry.

    The O4 entry is on a run key, meaning RealPlayer starts when you log on to Windows. The O9 is an extra button on the browser that, when clicked, should take you to real.com. Fixing these will not uninstall RealPlayer nor affect its use. It will still open and run when you click on a file that requires RealPlayer. If you continue to have the same actions while surfing, post another log.
     