Another friends infected pc for me to try and sort out :)

Discussion in 'Security and Privacy' started by Pondlife, 2004/04/30.

Thread Status:
Not open for further replies.
  1. 2004/04/30
    Pondlife

    Pondlife Inactive Thread Starter

    Joined:
    2003/07/09
    Messages:
    80
    Likes Received:
    0
    Could someone please cast their eye over this HijackThis log? I have already found the Netsky d virus and something called 'werule'. What other nasties have they got??

    Logfile of HijackThis v1.97.7
    Scan saved at 22:52:46, on 30/04/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\WINDOWS\SYSTEM\CCJV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\PROGRAM FILES\APOINT\APOINT.EXE
    C:\PROGRAM FILES\POWERPANEL\PROGRAM\PCFMGR.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\SONY CORPORATION\IMAGE TRANSFER\SONYTRAY.EXE
    C:\PROGRAM FILES\APOINT\APWHEEL.EXE
    C:\PROGRAM FILES\ACCESSORIES\MSPAINT.EXE
    C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sonystyle-europe.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ukonline.co.uk
    F1 - win.ini: run=hpfsched
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [CHECKIT] C:\Program Files\Sony\CheckIt\CheckIt.exe
    O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
    O4 - HKLM\..\Run: [AlpsPoint] C:\Progra~1\Apoint\Apoint.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunOnce: [ssd] ccjv.exe
    O4 - Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
    O4 - Startup: ggo.exe
    O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .do;jsessionid=0000PA0YKYE02A2ZADOH1VE3LQA:umo7eh8n: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.ukonline.co.uk
     
  2. 2004/04/30
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    I am no expert, but the only one that stands out is O4-ccjv.exe, and the reason it stands out is that there is nothing about it on www.google.com.
    So now you know one way of determining what may be a baddie! www.google.com.
    Another way is to go to a site such as
    http://www.answersthatwork.com/Tasklist_pages/tasklist_p.htm
    I have no idea what the O9 entries are.
    And I might question that O14 item for ukonline, but if your friend's home page and search page are what he wants, then it probably is OK.
    You may be interested in a tutorial on HiJackThis
    http://hjt.wizardsofwebsites.com/
    Have you also run a virus scan on the PC with the latest virus definitions? And spyware detector scans with the latest reference files:
    AdAware
    http://www.lavasoft.de/support/download/
    or
    SpybotS&D
    http://www.safer-networking.org/
     

  4. 2004/04/30
    Pondlife

    Pondlife Inactive Thread Starter

    Joined:
    2003/07/09
    Messages:
    80
    Likes Received:
    0
    Have managed to run Adaware and Spybot and they found loads of nasties :)

    I want to run an antivirus on it, but every time I visit one of the online sites I'm told that ActiveX is disabled. I check the security settings and it's not! If I try and change the security settings down to low... the laptop will hang for about 10 minutes... then the settings are back to medium again! Any ideas?? By the way it's a horrible Sony Vaio PIII with 64mb RAM and running Me (another nasty imho ;))
     
  5. 2004/04/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Your log file is broken up. Scan again and fix these.

    O4 - HKLM\..\RunOnce: [ssd] ccjv.exe
    O4 - Startup: ggo.exe

    Boot to safe mode and find those 2 files, then delete and empty recycle bin. Reboot to Windows and visit Windows Update. After installing needed critical updates and service packs (don't accept the IPv6 Networking update), try another online scan. eTrust in my signature.
    RAV
    Housecall
    Post another HJT log. To properly copy and paste log, use the edit button when it opens in notepad after saving log, to 'select all', then again to copy.
     
  6. 2004/04/30
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Pondlife Hi

    Put HijackThis in a new folder, for instance C:\Anti Spyware or in your My Documents. This is important because it creates backups; if in a temp folder they will or might be deleted in time.
    C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE
    ================^^^^ this looks as if you're running it from inside a zipped file, that's also not a good idea. Don't run anything from inside a zipped file.
    Or it is unzipped but you have your zip program set to unzip automatically; that's not a good idea either, because you would always want to scan anything you download before unzipping, and again after unzipping.

    If you don't know for sure, download the exe version found here.
    http://radiosplace.com/

    If you have restarted the PC since running Adaware and Spybot, post a fresh log, but this time copy and paste exactly as is; it appears you edited/rearranged the last one.

    What told you of Netsky d, 'werule'?
    werule is winpopup and Adaware and SpyBot will usually catch it.
     
  7. 2004/04/30
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Newt,
  8. 2004/04/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Because it is ggo.exe, not gGo.exe or GGO.exe

    From help screen link here.
     
  9. 2004/05/01
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    When winpopup is running there will be a strange process or two in the lower part of the process list; it uses filenames that are 6-8 digits long and are random characters.
    There may be two Run items (but they aren't usually in a startup folder);
    there is not always a startup for this guy either, just a process.
    Then when cleaning up (check the properties of the files)
    they will be 4-8 <random> characters.
    Right click on the file, in the context menu choose Properties, then the Version tab.
    Highlight > "Internal Name"; if it says > pupdate.exe, werule or winpup, mde,
    (Totempole or werock) etc etc etc,,
    better to be safe and ask the users in this case about that file.
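The two O4 lines noahdfear picked out earlier (RunOnce [ssd] ccjv.exe and Startup: ggo.exe) and Lonny's point about short random-looking filenames can both be turned into a mechanical first pass over a log. The script below is an added example, not a tool from this thread or part of HijackThis: it parses the O4 and "Running processes" sections in the HijackThis 1.97 format shown in the posted logs, flags autostart entries that give a bare filename with no path and are not in a small Win9x/ME baseline, marks RunOnce keys, applies a crude vowel-ratio test for random-looking names, and notes whether the same file also appears in the running process list. The sample log text, the baseline set and the heuristic thresholds are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Bare (path-less) autostart names that are normal on a Win9x/ME machine.
# Constructed baseline for this example; a real one would be much longer.
BASELINE_BARE = {"systray.exe", "mstask.exe", "rundll32.exe"}

O4_RE = re.compile(r"^O4 - (?P<loc>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|scr|pif|bat|vbs|dll))", re.IGNORECASE)

# Constructed sample in HijackThis 1.97 format; the entries mirror those
# discussed in the thread, but this is not the laptop's actual log.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\CCJV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunOnce: [ssd] ccjv.exe
O4 - Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
O4 - Startup: ggo.exe
"""


@dataclass
class Finding:
    location: str                      # registry key or "Startup", as HJT prints it
    name: str                          # [bracketed] value name, or the filename for Startup items
    target: str                        # executable as written in the log
    reasons: list = field(default_factory=list)


def _executable(cmd: str) -> str:
    """Pull the launched executable out of an O4 command string."""
    # Startup-folder shortcuts print as "Name.lnk = <target>"; keep the target.
    target = cmd.split(" = ", 1)[1] if " = " in cmd else cmd
    m = EXE_RE.match(target.strip())
    return m.group(1) if m else target.strip()


def _looks_random(stem: str) -> bool:
    """Crude stand-in for the 'random 4-8 characters' test: letters only,
    short, and few vowels.  Used only as an extra reason, never on its own."""
    if not stem.isalpha() or not 3 <= len(stem) <= 8:
        return False
    vowels = sum(c in "aeiouy" for c in stem.lower())
    return vowels / len(stem) <= 1 / 3


def running_processes(log: str) -> set:
    """Lower-cased image names from the 'Running processes:' block."""
    names, in_block = set(), False
    for line in log.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_block = True
            continue
        if in_block:
            if not line:
                break
            names.add(line.rsplit("\\", 1)[-1].lower())
    return names


def triage_o4(log: str) -> list:
    """Return O4 entries worth looking up, each with the reasons it was flagged."""
    running = running_processes(log)
    findings = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = _executable(m.group("cmd"))
        base = exe.rsplit("\\", 1)[-1].lower()
        bare = "\\" not in exe and ":" not in exe
        unknown_bare = bare and base not in BASELINE_BARE
        run_once = "runonce" in m.group("loc").lower()
        if not (unknown_bare or run_once):
            continue
        f = Finding(m.group("loc"), m.group("name") or base, exe)
        if unknown_bare:
            f.reasons.append("bare filename, no path")
        if run_once:
            f.reasons.append("RunOnce key")
        if unknown_bare and _looks_random(base.rsplit(".", 1)[0]):
            f.reasons.append("short random-looking name")
        if base in running:
            f.reasons.append("currently running")
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_LOG):
        print(f"{f.location}: [{f.name}] {f.target}  <- {', '.join(f.reasons)}")
```

On the sample this flags exactly the two entries the thread settled on, with ccjv.exe additionally marked as a RunOnce key and as currently running. The output is a starting point for the lookup Welshjim describes (search the name, check the file's Version tab), not a verdict, and the baseline set would need extending for any real machine.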
     
  10. 2004/05/01
    Pondlife

    Pondlife Inactive Thread Starter

    Joined:
    2003/07/09
    Messages:
    80
    Likes Received:
    0
    Here's another log taken this morning -->
    Logfile of HijackThis v1.97.7
    Scan saved at 09:56:39, on 01/05/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\APOINT\APOINT.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\APOINT\APWHEEL.EXE
    C:\PROGRAM FILES\POWERPANEL\PROGRAM\PCFMGR.EXE
    C:\PROGRAM FILES\SONY CORPORATION\IMAGE TRANSFER\SONYTRAY.EXE
    C:\SPYWARE\HIJACKTHIS.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ukonline.co.uk
    F1 - win.ini: run=hpfsched
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [CHECKIT] C:\Program Files\Sony\CheckIt\CheckIt.exe
    O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
    O4 - HKLM\..\Run: [AlpsPoint] C:\Progra~1\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
    O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .do;jsessionid=0000PA0YKYE02A2ZADOH1VE3LQA:umo7eh8n: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.ukonline.co.uk
    O15 - Trusted Zone: http://uk.trendmicro-europe.com

    I know it had the Netsky and werule items as I checked the msconfig Startup tab and saw them in there :) I've removed both of them using stingers I found on the web. I also found Bugbear as a bonus :)

    I've downloaded AVG, updated it and run it; it found Netsky, a dialer and Bugbear again and quarantined them.

    I still can't run any online virus checker though, as every time I try to I get a Windows warning saying ActiveX items are not allowed to run, and I've enabled them all in security settings and even set the settings to low... and still I can't run any of them! Any clues as to why??
     
  11. 2004/05/01
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi Pondlife

    Would you please post another new log,
    this time in two replies, one for the processes and one for the rest, thanks.
     
  12. 2004/05/01
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    noahdfear--Very interesting about ggo.exe. I just assumed it was part of a Go game. I do not believe that Windows (or the Registry) differentiates case. So I suspect the issue is what directory ggo.exe is in.
    The HJT scans do not show ggo.exe as a running process (which is strange since HJT says it is in Startup or Autoloading), so we are not given directory info. I suspect the "bad" ggo.exe is in C:\Windows\System32 rather than C:\Windows\System.
    Guess no one knows about ccjv.exe yet.
     
    Last edited: 2004/05/01
  13. 2004/05/04
    Pondlife

    Pondlife Inactive Thread Starter

    Joined:
    2003/07/09
    Messages:
    80
    Likes Received:
    0
    Sorry for the delay in the reply (public holiday weekend, family stuff to do ;) )

    Here's another log taken this morning...

    Logfile of HijackThis v1.97.7
    Scan saved at 09:26:14, on 04/05/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\APOINT\APOINT.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\POWERPANEL\PROGRAM\PCFMGR.EXE
    C:\PROGRAM FILES\SONY CORPORATION\IMAGE TRANSFER\SONYTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\APOINT\APWHEEL.EXE
    C:\SPYWARE\HIJACKTHIS.EXE

    F1 - win.ini: run=hpfsched
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
    O4 - HKLM\..\Run: [AlpsPoint] C:\Progra~1\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
    O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .do;jsessionid=0000PA0YKYE02A2ZADOH1VE3LQA:umo7eh8n: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O15 - Trusted Zone: http://uk.trendmicro-europe.com


    Anything need removing now?

    Also, this ActiveX issue. Anyone know how to get round it? I saw in another forum on here that someone had the same problem... but no one had a solution :(
     
  14. 2004/05/04
    Pondlife

    Pondlife Inactive Thread Starter

    Joined:
    2003/07/09
    Messages:
    80
    Likes Received:
    0
    Bump ;)

    It's just I have to get this machine back to its owner by tomorrow and it would be nice to fix the ActiveX problem. I have tried some ideas from another thread about a site that tests ActiveX and trying to use the Panda online virus scanner... the ActiveX site said it wasn't activated and to check the security settings, the Panda site is having problems loading :( I've removed Spybot and Adaware (thinking they might be blocking something) but it's still saying my security settings are too high (and they're not). The solutions I've seen are reinstalling the op system, and the silly owner hasn't got a restore disk or any of the disks at all... and I'd rather not reinstall an op system this late in the day.

    Please help!
     
  15. 2004/05/04
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    Pondlife--Re ActiveX, not a solution but a work around (and a test to see if ActiveX is really the problem). Put the site(s) where you are having problems into IE Tools|Internet Options|Security tab|Trusted Sites. Hopefully these sites will not give you all sorts of bad BHO's (Browser Helper Objects, such as shown in O2 of the HiJackThis log).
    BTW--There are good and bad BHO's, so their presence, per se, is not bad. And you could just delete all of them, since they will be recreated when needed as you visit sites that require them. In Win98 they are found in C:\WINDOWS\Downloaded Program Files . That might uncover a damaged one which is causing the problem.
     
    Last edited: 2004/05/04
  16. 2004/05/04
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    I have to agree with Jim

    I wonder how they managed to use Windows Update since that requires an ActiveX control. ??
    Have you set security levels to default? And the same for Advanced.
    Once done, on the Advanced page uncheck both (if there are two)
    [ ] install on demand's
    [ ] display a message about every script error
    [ ] reuse windows for launching shortcuts


    Please do reinstall them

    MDM.EXE

    probably not needed
     
  17. 2004/05/04
    Pondlife

    Pondlife Inactive Thread Starter

    Joined:
    2003/07/09
    Messages:
    80
    Likes Received:
    0
    Gents,

    Have tried the safe website route... didn't make any difference.

    There are updates installed because I downloaded them on my pc from Windows catalog then burnt the exes to cd and installed them individually :)

    The security settings are set to their lowest and still the message appears. I've found these 2 links with possible solutions...

    http://www.windowsbbs.com/showthread.php?t=24433&highlight=Repairing+activex

    http://www.google.co.uk/search?q=ca...ergeeks/12-2002/msg00015.html+iuctl.dll&hl=en

    And neither of them worked. Have reinstalled flash and shockwave, reinstalled IE (AGAIN! :( ) have removed the folder/files suggested...no deal :(

    As you can see from the first link the lady in question had no help from M$ themselves, so I think I may have to resign myself to telling my friend... this is as good as it gets unless you let me rebuild it... and that will involve memory and cash :(

    Thanks for helping this far though. :)

    If you can think of anything else I have until mid day tomorrow (UK time) :eek:
     
  18. 2004/05/04
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Do they work? Test here and here. Did you uninstall the old one first?
    Flash Player 6 Uninstaller

    Flash Player 7 Uninstaller

    Close all browsers before running.
    Try using the standalone installer after first using one or both of these uninstallers.

    There are no 016 DPF entries in your log. Have you checked the folder to verify that it's empty? Is it in the Windows folder? Does it open from IE tools>IE options>General>TIF settings>view objects?
     
  19. 2004/05/06
    Pondlife

    Pondlife Inactive Thread Starter

    Joined:
    2003/07/09
    Messages:
    80
    Likes Received:
    0
    Well, gave him back the laptop and explained it might not work quite right on some sites. He was happy enough as the laptop wouldn't even start when he gave it to me :)

    Yep flash and shock both worked and yep that folder was completely empty.

    Really is a puzzler this issue, as a lot of people have it and their only solution so far to date (and it seems to have been around for a while) is to format and reinstall.

    Thanks once again for all your help
     
  20. 2004/05/06
    ski123

    ski123 Inactive

    Joined:
    2002/01/09
    Messages:
    163
    Likes Received:
    0
    Pondlife,

    This is NOT an Active X issue!

    Check the 'Hosts' file. The worm adds lines to the %System%\drivers\etc\hosts file. So, that any attempts to connect to those Web sites fail.

    Delete the lines that were added to the Windows Hosts file.

    ski123
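The hosts-file check ski123 describes can be done mechanically rather than by eye. The following is an added example, not code from this thread: it parses a hosts file in the standard format, reports any mapping that sends a security-vendor or update hostname to loopback, 0.0.0.0 or some other address, and returns a cleaned copy with only those planted hostnames removed (a shared line keeps its legitimate names). The watchlist of domains and the sample hosts file are constructed for the example; on a real machine the watchlist would be whatever scanner and update sites the user cannot reach.

```python
import ipaddress

# Constructed watchlist: sites a cleanup would need to reach.  The thread
# names Trend Micro's online scanner, Lavasoft, Safer-Networking and Windows Update.
SECURITY_DOMAINS = (
    "trendmicro.com", "trendmicro-europe.com", "lavasoft.de",
    "safer-networking.org", "windowsupdate.com", "microsoft.com", "grisoft.com",
)

# Constructed sample hosts file, not taken from the laptop in the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1998 Microsoft Corp.
127.0.0.1       localhost
192.168.0.10    printer.lan
127.0.0.1       housecall.trendmicro.com
0.0.0.0         www.lavasoft.de  security.safer-networking.org
10.20.30.40     windowsupdate.microsoft.com   # looks harmless, is not
"""


def parse_hosts(text):
    """Return (line_no, ip_address, hostname) for every mapping in a hosts file."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not body:
            continue
        parts = body.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                                 # malformed line; not our concern here
        for host in parts[1:]:
            entries.append((line_no, addr, host.lower()))
    return entries


def _watched(host):
    """True if the hostname is, or is under, one of the watchlist domains."""
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)


def find_hijacked(text):
    """Mappings that send a watched hostname somewhere it should not go.

    Loopback or 0.0.0.0 means the site is simply unreachable ("blackholed");
    any other address means the browser is being sent to a different host."""
    findings = []
    for line_no, addr, host in parse_hosts(text):
        if host == "localhost" or not _watched(host):
            continue
        kind = "blackholed" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        findings.append((line_no, host, str(addr), kind))
    return findings


def clean_hosts(text):
    """Copy of the file with only the hijacked hostnames removed."""
    bad = {(ln, host) for ln, host, _, _ in find_hijacked(text)}
    kept = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        body, _, comment = raw.partition("#")
        parts = body.split()
        if len(parts) > 1 and any((line_no, h.lower()) in bad for h in parts[1:]):
            hosts = [h for h in parts[1:] if (line_no, h.lower()) not in bad]
            if not hosts:
                continue                             # whole line was planted; drop it
            raw = " ".join([parts[0], *hosts]) + (" #" + comment if comment else "")
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for line_no, host, addr, kind in find_hijacked(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {addr} ({kind})")
    print(clean_hosts(SAMPLE_HOSTS))
```

The "redirected" case is the one worth a second look: a hosts entry that points an update or scanner site at an ordinary-looking address is easy to miss when reading the file by hand, which is why the check compares against a list of names rather than against the address.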
     
  21. 2004/05/07
    Pondlife

    Pondlife Inactive Thread Starter

    Joined:
    2003/07/09
    Messages:
    80
    Likes Received:
    0
    Hosts file was clear, and even adding online virus checking sites url to trusted sites didn't work. :(
     