Computer Nightmare - HJT log posted

Computer Nightmare

Edit by PeteC - HJT log posted

A year ago, i was growing sick of my IBM 98 SE computer. It had trouble booting, shutting down, standby/wake up, and simply ground to a halt. i finally gave up on it and bought a new computer as it was time for an upgrade.

Within a few weeks, I dug it out of a closet and tried to troubleshoot it again. At first I got no where, but then I browsed the internet on my new computer for utilities and advice. (thank god that I have a 2nd computer to fall back on) I finally got it stabilized, with McAfee 2005, spybot, and a whole lot of program start up tweaks.

Now, it can run much better, but it still get the BSOD a lot. And without msconfig tweaks, it couldn't boot without crashing. there seem to still be traces of BonziBuddy, Gain, Gator, Random Hijackers (about:blank), some trojans, date Manager, Hotbar, hunt bar, Ezula. (just about everything as I used to be one of the people who clicked yes no matter what).

Does anybody know any performance tweaks that could make it somewhat usuable?

Also, my floppy drive is non-functional and this concerns me as many emergency boot files need floppies. the little LED on it never lights up but windows says it's functional.

(old computer)
AMD K-6 (435 MHz)
64MB RAM
10 GB HDD
Windows 98 SE
non-Functioning Diskette drive

(does anyone think that this hardware is enough for Me?)

(PS: McAfee Virus Scan 2005 seems to hog a lot of system resources. it seems to be using 50-80 of my new computer and bringing my old one to a standstill)

(new Computer)

P4 2.66 GHz
512 MB RAM
120 HDD
Windows Xp SP2
CD-RW
DVD-ROM
NVIDIA geForce4 MX 440 agp 8x

 

I would reformat and reinstall windows on your old machine. It sounds like a lot of spyware/viruses are on the hard drive and ,to me, it's easier to format and reinstall the OS.

 

Dave,

I would have to agree with Chuck. If you have the disks needed to reload, I would do that. Wipe everything clean and start new. A bit more memory might help also. As far as an antivirus program, you may want to try AVG.

Mike

 

I've tried AVG, but I was worried that it's free version was second rate so I got McAfee for 25 bucks at Costco's. But it's taking a lot of system resources, so I might revert back to AVG. I really still do have some stuff on the small HDD. the only backup options I have are, 100 MB Zip Disks, Network Acess to my new computer's CD writer, a 256 MB pocket usb drive, and my new comp's HDD. Unfortunately, this IBM Aptiva has only 2 RAM slots that can only read 128MB of the stuff. But i'm wondering, since my version of 98 SE is OEM, how would i reinstall windows. (I'm also wondering about how I can do parts of windows upgrades and installs that require a 98 CD as it's OEM install)

 

Dave,

My first Aptiva, a 2176-C66, had the same memory limits that your's does. I ran mine with 80MB of RAM and never had any problems. I even upgraded it from 95 to 98. If you could find a 16MB stick, I would add that.

Do you still have the Product Recovery disk and the Diagnostics and Utilities CD for your system? Mine was a red disk and a blue disk. If so, you can use that to put the system back to where it was when you bought it. If you have those disks, here are the instructions from IBM on how to reload your system.

Since you do have stuff on your old drive that you want, definitely copy it over some how. Something that you can do that I have done before, put the old drive into the new system. I did this the last time I reloaded my 98 system. Worked like a charm and not hard at all. Just plug it in and copy the info over.

The anti-virus program you want is your choice. I have always used Norton's AV, even on my old Aptiva with only 80MB RAM. Allot of people here use the AVG program and are happy with it. I don't think that you should worry about the free version. As long as you're safe in what you download and stay away from unfamiliar links, you should be fine. The extra RAM may give you the boost you need to use McAfee without a big slowdown.

Mike

 

For Aptiva's, usually you'll have 2 cd's. One is for a comlete factory restore, the other is for adding or removing software and/or hardware components.

If in doubt try IBM support and see what information you can dig up for your computer....

http://www-307.ibm.com/pc/support/s...roductInformationLandingPage.vm&validate=true

You have not specified your particular model or I could have prescreened some links for you. The link may be a better option anyway, if you connect using your older Aptiva you can opt to allow IBM to autodetect your system and any information supplied there after will be specific to your make/model.

Barring that you should have all the information you need somewhere in readme texts for your sytem (Aptiva). Perhaps somewhere in the startmenu>program list, possibly on the cd's themselves, or maybe included in windows help via the startmenu. Explore...look for those pdfs, txts, or docs, chms, htmls or whatever readmes you can find.

 

Disk Read Error?

While I haven't messed up my computer in reguards to booting problems, I know that the day will come and one day i decided to make a Start-Up floppy. The prompt said I needed to format it first, so I clicked OK, and a prompt came up that said "Windows cannot format this disk. Check if the disk is write-protected." I can never get Windows to reconize the OEM drive in my IBM computer. The LED blinks and I opened the case to inspect the cables, but it. Does anybody know what happened to my floppy drive?

 

When you opened your case, did you reseat all your connections for the floppy drive? Is there any other noise coming from the drive or does the light just come on? Is it possible to pull it out and try it in your other system? Are there any question marks or exclamation points in your Device Manager for the floppy drive? There is always the chance that it just went bad.

Mike

 

I tried to reconnect the drive, only getting the scews and a small cable off. I couldn't get this ribbon cable detached. The floppy only lights up, no sound seems to come from it now. The floppy is simply listed as "Generic Floppy Drive" with no markings beside it. Windows just says it's working fine. (It also said that after I accidentally stepped on my 1st Zip drive )
So basiclly, I don't know what happened to it.

P.S: My IBM Computer Model is "Aptiva E Series 275 "

 

Dave,

I would have to lean towards the drive or the cable being bad. It might be hard to tell unless you can somehow get the cable off and test the drive in another system. Sorry I can't offer any other suggestions. Maybe somebody will look in and have a suggestion or two for you.

Mike

 

Rehi Dave932932,
Check out this link and follow the advice here until you post a hijackthis log and then await further advice. Think you're still infected and need more cleaning.

 

I can run hijackthis, but I msconfiged all the bad stuff at boot-up. Without msconfiging everything, I can't get HijackThis going

but i have seen two processes that i msconfiged, but there still there, somewhere on my HDD. (wtoolsa.exe and tibs.exe, I think a trojan is disguised as Internat.exe, the language support process.)

 

Hi Dave932932,

www.anti-trojan.net

As for the floppy drive, try downloading a 98 boot disk from www.bootdisk.com and try starting the old computer with that. That will tell you if the problem is in Windows or if the BIOS of the computer cannot run the floppy drive.
If the problem seems to be in Windows, go to Device Manager and highlight the "Floppy Drive Contoller" and click "remove ". It may start working after you reboot.
If the problem seems to be in the drive itself, you could try it in another computer or swap the cable as suggested. Still doesn't work...you have my permission to accidentally step on it .

Matt

 

Hi Dave932932,

To back up stuff on your old drive, after it's cleaned up from the pests on it now,you could use the new computer. You can connect the drive to the cable in the new machine after opening the box - that's if the present ribbon cable has an extra connector (or you can temporarily borrow the cable from the old computer) and a power supply connector. Many of us do it all the time; the disk is not permanently installed in the old computer, just lying on the open computer which is open and lying on its side with mobo down. But don't do this until you're sure the old disk is clean - danger of transmitting the beasts to the new machine.

 

I would get a can of air, and blow the dust out of the floppy drive. Your PS fan does nothing but **** air through the little door.

 

I did blow and dust the entire motherboard but it has no performance effect.
Also, I'm gonna post a Hijackthis log.

 

Check over This HijackThis Log

This is a log of a a boot-up on my 98 (when I get lucky). I think I've found most problems in it, but please check it over as I think I missed a few. Since regediting, manually deleting, and letting spybot hunt down pest, most off these regkeys/processes are "orphaned" (without host .exe's

Logfile of HijackThis v1.99.0
Scan saved at 9:06:57 PM, on 1/10/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
(Now i'm confused about what 98 OS I have)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\BHODEMON\BHODEMON.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.prodigy.net;enroll.prodigy.net;enroll-isp.prodigy.net;
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ConfigSafe] C:\CSAFE\AUTOCHK.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe (i think this is spyware)
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AIMWDInstallFilename] C:\PROGRA~1\AIM\AIMWDI~1.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [WinTools] C: \PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE (i know this is bad but I can't get rid of it)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [AEZBProc] c:\ibmtools\aptezbtn\aptezbp.exe
O4 - HKLM\..\Run: [PRELOAC] C:\WINDOWS\OPTIONS\CABS\PWS\PRELOAC.EXE
O4 - HKLM\..\Run: [INFUNISS] C:\WINDOWS\OPTIONS\CABS\INFUNISS.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [SSDPSRV] c:\windows\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE (There it is again)
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [HC Reminder] hc.exe (what is this?)
O4 - HKCU\..\Run: [] http://dj18dj18.l4.bizcn.com
O4 - HKCU\..\Run: [START PAGE] http://asiafriendfinder.com/go/p27573
(I know the above process is the hijacker, but how do you get rid of it?)
O4 - Startup: BHODemon 2.0.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present (I think this setting was turned on a hijacker)
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: PowerWord - {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - C:\PROGRA~1\KINGSOFT\XDICT\IEPLUGIN.DLL (file missing)
O9 - Extra button: Joyo - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - C:\PROGRA~1\KINGSOFT\XDICT\IEPLUGIN.DLL (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - \\BLUEMACHINE\XP HARDDRIVE\PROGRAM FILES\AIM\AIM.EXE (file missing)
O12 - Plugin for .pcm: C:\PROGRA~1\INTERN~1\PLUGINS\NpCurMem.dll
O12 - Plugin for .hpb: C:\PROGRA~1\INTERN~1\PLUGINS\nphpipb.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: Dialpad Java Applet - http://www.dialpad.com/applet/src/vscp.cab
O16 - DPF: {4129EA54-F04E-11D3-BF96-00C04F0E7BE2} (CMV4 Class) - http://www102.coolsavings.com/LTC/download/cscmv4X.cab
(I think this is adware)
O16 - DPF: {ECF5F2BD-C78B-4C6F-91BB-2A311FCCA4C7} (WTApp Class) - http://www.shockwave.com/content/combat_medic/CMonline.dll
(not sure what this is)
O18 - Protocol: relatedlinks - {CD8D1CAA-FE4A-45DF-A06C-028AAF1821DE} - (no file)
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL (file missing)
(or what this is either)

 

Suggestions: these are what I'd do if this were my box.

Run hijackthis with all other windows closed and have the program remove the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://www.prodigy.net;enroll.prodi...sp.prodigy.net;
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL (file missing)
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe
Note: "InstantAccess.exe is a process which belongs to Xerox's Textbridge OCR software. This is a non-essential process. Disabling or enabling this is down to user preference "
Suggest you disable it unless OCR is in daily use.
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
Ditto the following:
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [WinTools] C: \PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
Unable to find info on these next two, but they're not windows files; on my machine I'd remove them.
O4 - HKLM\..\Run: [PRELOAC] C:\WINDOWS\OPTIONS\CABS\PWS\PRELOAC.EXE
O4 - HKLM\..\Run: [INFUNISS] C:\WINDOWS\OPTIONS\CABS\INFUNISS.EXE
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE (There it is again)
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [HC Reminder] hc.exe (what is this?)
O4 - HKCU\..\Run: [] http://dj18dj18.l4.bizcn.com
O4 - HKCU\..\Run: [START PAGE] http://asiafriendfinder.com/go/p27573
O4 - Startup: BHODemon 2.0.lnk.disabled
O9 - Extra button: PowerWord - {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - C:\PROGRA~1\KINGSOFT\XDICT\IEPLUGIN.DLL (file missing)
O9 - Extra button: Joyo - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - C:\PROGRA~1\KINGSOFT\XDICT\IEPLUGIN.DLL (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - \\BLUEMACHINE\XP HARDDRIVE\PROGRAM FILES\AIM\AIM.EXE (file missing)
O18 - Protocol: relatedlinks - {CD8D1CAA-FE4A-45DF-A06C-028AAF1821DE} - (no file)
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL (file missing)

Go to
Start
run
explorer
OK
On the menu bar, choose view
folder options
and make sure nothing is hidden, including system files.

Then in safe mode search in explorer for:
TOOLBAR
WINTOOLS
which are folders suggested for deletion, including their contents unless you know they\re safe.

Then please post your progress and any problems or questions.