WtoolsA- HJT log

Discussion in 'Security and Privacy' started by soggy_froggy, 2004/05/25.

Thread Status:
Not open for further replies.
  1. 2004/05/25
    soggy_froggy

    soggy_froggy Inactive Thread Starter

    Joined:
    2004/05/23
    Messages:
    9
    Likes Received:
    0
    Hello Everyone!
    I know there is a lot of stuff on this machine, but my uncle gave it to me used. So I am trying to get it to work as well for me as the one I use at school. I found this site when I was searching for "WtoolsA", because it was irritating me with its pop-up message. I downloaded Spybot, Ad-aware, HijackThis, and ZoneAlarm, because I kept getting the WtoolsA warning every 1-2 minutes. When I first used Spybot it found 548 things and I fixed and/or deleted them. Then I ran Ad-aware and the pop-ups still came up. So it was back to the website for more reading, and found a couple more steps to do. I was stuck on HijackThis, because it wouldn't let me open the log. I kept getting an error message (something about Accessibility Wizard). So this afternoon I decided to go looking further into the configs of HijackThis and found something that wasn't checked about sending log to Notepad. I checked the box and was able to copy my log and so here I am again to see if I can fix this @#*&~! puter.
    Thanks everyone for helping fix it. :) :rolleyes: :eek: :cool: :eek:


    StartupList report, 5/25/04, 7:10:29 PM
    StartupList version: 1.52
    Started from : C:\MY DOCUMENTS\HIJACKTHIS.EXE
    Detected: Windows 98 SE (Win9x 4.10.1998A)
    Detected: Internet Explorer v5.50 SP1 (5.50.4522.1800)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSGLOOP.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\WINDOWS\SYSTEM\MSG32.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\SYSTEM\ATITASK.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\WINDOWS\SYSTEM\VETMSG9X.EXE
    C:\PROGRAM FILES\1DEAF\COOLMAGS.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\WMCONNECT\WMTRAY.EXE
    C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WMCONNECT\WWM.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\MY DOCUMENTS\HIJACKTHIS.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Start Menu\Programs\StartUp]
    WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    Wal-Mart Connect Tray Icon.lnk = C:\wmconnect\wmtray.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
    TaskMonitor = C:\WINDOWS\taskmon.exe
    SystemTray = SysTray.Exe
    AtiCwd32 = Aticwd32.exe
    AtiKey = Atitask.exe
    hpsysdrv = c:\windows\system\hpsysdrv.exe
    Keyboard Manager = C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    HPScanPatch = C:\WINDOWS\SYSTEM\HPScanFix.exe
    Tray Temperature = C:\WINDOWS\IWEATHERBUG\MINIBUG.EXE 1
    OEMCleanup = C:\WINDOWS\OPTIONS\OEMRESET.EXE
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    fash = C:\WINDOWS\fash.exe
    Vet Alert = C:\WINDOWS\System\VetMsg9x.exe
    VetTray = C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETTRAY.EXE
    VsecomrEXE = C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
    Vshwin32EXE = C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    Setup Dart = C:\PROGRA~1\1deaf\CoolMags.exe
    RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    Zone Labs Client = C:\PROGRA~1\Zone Labs\ZoneAlarm\zlclient.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    TweakIco = c:\hp\support\tweakico.exe
    EncMonitor = C:\Program Files\Encompass\Monitor.exe
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    Vshwin32EXE = C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    WinTools = C:\Program Files\Common files\WinTools\WToolsA.exe
    TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=explorer.exe
    SCRNSAVE.EXE=
    drivers=mmsystem.dll power.drv

    --------------------------------------------------

    C:\WINDOWS\WININIT.INI listing:
    (Created 25/5/2004, 19:4:18)

    [rename]
    NUL=TARGET~1.EXEC:\WINDOWS\TEMP\MONITO~1.DAT=C:\WINDOWS\TEMP\MONITO~1.DAT

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 25/5/2004, 1:22:4)

    [rename]
    NUL=C:\WINDOWS\SYSTEM\DONDI.DLL

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    C:\PROGRA~1\NETWOR~1\MCAFEE~1\SCANPM.EXE C:\
    IF ERRORLEVEL 1 PAUSE
    path C:\WINDOWS;C:\WINDOWS\COMMAND

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL - {53707962-6F74-2D53-2644-206D7942484F}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Maintenance-Defragment programs.job
    Maintenance-ScanDisk.job
    Maintenance-Disk cleanup.job
    Web Publishing Wizard.job
    Tune-up Application Start.job
    {D34F18B0-576E-11D0-B28C-00C04FD7CD22}_kim.job
    Spybot - Search & Destroy - Scheduled Task.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [ForumChat]
    InProcServer32 = C:\WINDOWS\SYSTEM\MSJAVA.DLL
    CODEBASE = http://objects.compuserve.com/chat/RTCChat.cab

    [{D52D92F2-3650-439C-AA18-03EE4F6859DE}]
    CODEBASE = http://www.3pic.com/3155.exe

    [{B5638081-D53F-481E-85A9-E5DFD5BC8F5D}]
    CODEBASE = http://www.cursorzone.com/cursors/flowgo_freddy_setup_td035.cab

    [NMInstall Control]
    InProcServer32 = C:\WINDOWS\SYSTEM\NMINST~1.DLL
    CODEBASE = http://a14.g.akamai.net/f/14/7141/1...tmeter4_5/nminstall_en_4.52.30.0_SILENT_2.cab

    [OTXMovie Class]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\OTXMEDIA.DLL
    CODEBASE = http://www.otxresearch.com/OTXMedia/OTXMedia.dll

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\SHOCKWAVE 10\DOWNLOAD.DLL
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38107.5964583333

    [DoomCln Object]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\DOOMCLN.DLL
    CODEBASE = http://www.microsoft.com/security/controls/DoomCln.CAB

    [{11111111-1111-1111-1111-111111113456}]
    CODEBASE = file://c:\info6_s.cab

    [{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}]
    CODEBASE = http://imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaInitialSetup1.0.0.8.cab

    [RdxIE Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RDXIE.DLL
    CODEBASE = http://software-dl.real.com/194084017a544c301002/netzip/RdxIE601.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    Protocol #7: C:\WINDOWS\SYSTEM\INETADPT.DLL

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

    --------------------------------------------------
    End of report, 7,670 bytes
    Report generated in 0.627 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  2. 2004/05/25
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0

  4. 2004/05/25
    soggy_froggy

    soggy_froggy Inactive Thread Starter

    Joined:
    2004/05/23
    Messages:
    9
    Likes Received:
    0
    Here is the HJT log that I didn't put in the first time!!

     
    Last edited: 2004/05/25
  5. 2004/05/25
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi
    That's the same ISP I use :) (duc)

    It would be best to restart the PC in safe mode to do this
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;180902
    It may help to print this out..
    Set Windows to show all hidden files and folders.

    Right click on TeaTimer in your tray and choose "exit" for now.

    Uninstall Weatherbug in Add/Remove Programs
    More Information
    Start HijackThis and place a check next to these items
    Close all browser windows and shut down all other programs (even folders) that show in the taskbar. Then hit fix selected
    [items in blue are recommended or optional]
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [Tray Temperature] C:\WINDOWS\IWEATHERBUG\MINIBUG.EXE 1
    O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
    O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
    O4 - HKLM\..\Run: [Setup Dart] C:\PROGRA~1\1deaf\CoolMags.exe
    O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

    O9 - Extra button: Enjoy It (HKLM)
    O9 - Extra 'Tools' menuitem: Enjoy It (HKLM)

    O16 - DPF: {B5638081-D53F-481E-85A9-E5DFD5BC8F5D} - http://www.cursorzone.com/cursors/f...setup_td035.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/f...etup1.0.0.8.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1940840...ip/RdxIE601.cab
    O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6_s.cab


    I'm not sure about these two, but they don't look right; irregardless, they are safe to fix
    O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1....0_SILENT_2.cab
    O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll

    Also, the next time you run HijackThis you may have a new item; if an
    O2 - BHO or an O3 - Toolbar~~~~ wintools shows, fix it.
    ================
    While still in safe mode, go to Start, Run, type
    temp and hit enter
    then Edit, Select All, then right click and choose delete
    Clear IE's cache via Control Panel, Internet Options [delete files] button and mark the popup to also delete offline content

    You might have a temp folder in C:\temp; if so, delete the contents of it too.

    then delete these files and folders
    c:\info6_s.cab
    C:\Program Files\Common files\WinTools
    C:\WINDOWS\fash.exe
    C:\WINDOWS\IWEATHERBUG
    C:\PROGRAM FILES\1deaf

    Restart to a normal Windows session, come back, then make a new log and post it
     
  6. 2004/05/25
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Also post the results of this please

    copy and paste this into IE's address bar
    javascript:navigator.userAgent
    Hit enter or go
    and copy paste that back here for us please
     
  7. 2004/05/29
    soggy_froggy

    soggy_froggy Inactive Thread Starter

    Joined:
    2004/05/23
    Messages:
    9
    Likes Received:
    0
    Updated HJT log

    HERE IS THE HJT LOG AFTER I FOLLOWED LONNY'S INSTRUCTIONS~ :eek:

    Logfile of HijackThis v1.97.7
    Scan saved at 3:43:28 AM, on 5/29/04
    Platform: Windows 98 SE (Win9x 4.10.1998A)
    MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\MY DOCUMENTS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearching.com/passthrough/index.html?http://www.msn.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wmconnect.com
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS\System\VetMsg9x.exe
    O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
    O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\RunServices: [TweakIco] c:\hp\support\tweakico.exe
    O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
    O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: Wal-Mart Connect Tray Icon.lnk = C:\wmconnect\wmtray.exe
    O9 - Extra button: Real.com (HKLM)
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.wmconnect.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D52D92F2-3650-439C-AA18-03EE4F6859DE} - http://www.3pic.com/3155.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38107.5964583333
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB

    ALSO IF SOMEONE COULD HELP ME WITH THE INSTRUCTIONS BELOW THAT WOULD BE WONDERFUL! I'M NOT SURE WHERE TO PASTE THIS INFO AT. COULD I GET MORE SPECIFIC INSTRUCTIONS? Thanks, Kimberley :confused:

    <quote>Lonny Jones<Quote>
    Also post the results of this please

    copy and paste this into IE's addressbar
    javascript:navigator.userAgent
    Hit enter or go
    and copy paste that back here for us please
     
  8. 2004/05/29
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hello, don't worry about the user agent for now
    Look2Me Fix
    http://www.downloads.subratam.org/VX2Finder9x.exe
    download that tool to your desktop for instance then ONLY do this for now
    To use it:
    Run it by double clicking VX2Finder9x.exe
    click find VX2abetterinternet
    then up near the top right click make log copy paste that back here please
    exit notepad and VX2Finder9x also

    Also, while on the Internet with all the programs you normally have running running, make and post another HijackThis log please
     
  9. 2004/05/29
    soggy_froggy

    soggy_froggy Inactive Thread Starter

    Joined:
    2004/05/23
    Messages:
    9
    Likes Received:
    0
     
  10. 2004/05/29
    soggy_froggy

    soggy_froggy Inactive Thread Starter

    Joined:
    2004/05/23
    Messages:
    9
    Likes Received:
    0
    HJT log with programs running


    Logfile of HijackThis v1.97.7
    Scan saved at 1:00:31 PM, on 5/29/04
    Platform: Windows 98 SE (Win9x 4.10.1998A)
    MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSGLOOP.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\MSG32.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\SYSTEM\ATITASK.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\WINDOWS\SYSTEM\VETMSG9X.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\LEXMARK X1100 SERIES\LXBKBMGR.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
    C:\PROGRAM FILES\LEXMARK X1100 SERIES\LXBKBMON.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WMCONNECT\WMTRAY.EXE
    C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WMCONNECT\WWM.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\MY DOCUMENTS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearching.com/passthrough/index.html?http://www.msn.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wmconnect.com
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS\System\VetMsg9x.exe
    O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
    O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe "
    O4 - HKLM\..\Run: [LexStart] lexstart.exe
    O4 - HKLM\..\RunServices: [TweakIco] c:\hp\support\tweakico.exe
    O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
    O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: Wal-Mart Connect Tray Icon.lnk = C:\wmconnect\wmtray.exe
    O9 - Extra button: Real.com (HKLM)
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.wmconnect.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D52D92F2-3650-439C-AA18-03EE4F6859DE} - http://www.3pic.com/3155.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38107.5964583333
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
     
  11. 2004/05/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    First, download WinsockFix. DO NOT USE IT UNLESS YOU CANNOT GAIN INTERNET ACCESS WHEN DONE WITH THE FOLLOWING INSTRUCTIONS. Shut down Tea Timer, making sure with task manager that it is not running. Scan with HJT again and fix the following. Make sure you close all other windows first.


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearching.com/passth...://www.msn.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O16 - DPF: {D52D92F2-3650-439C-AA18-03EE4F6859DE} - http://www.3pic.com/3155.exe


    Reboot. Start IE. If it continually comes up blank and will go nowhere, close IE and run the winsock fix. Post another log when done.
     
  12. 2004/05/29
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    I'm still unsure about winsockfix on 9x systems; lspfix is a sure thing
    Download and read about lspfix, link below, don't use it yet


    Disconnect from the internet, close all programs that show in the taskbar
    double click VX2Finder9x again, click find "VX2sbetterinternet"
    In the lower panel select all those files then hit "delete these files"
    Then click "restore Desktop"; don't be alarmed, the desktop will disappear and reappear.
    then click "import" reg then click "User agent" which will correct it, then exit



    Go here and download the LSP tool
    http://www.cexx.org/lspfix.htm
    read the documentation, close the internet connection and close any programs that show in the taskbar, start the tool, check the box that says you know what you are doing, fix all instances (and only those) of "inetadpt.dll" (ie, move it/them to the remove window, click finish)

    Now restart your computer, and delete that c:\windows\system\inetadpt.dll file
    Then come back, then make and post a new HijackThis log

    Regards
     
  13. 2004/05/29
    soggy_froggy

    soggy_froggy Inactive Thread Starter

    Joined:
    2004/05/23
    Messages:
    9
    Likes Received:
    0
    What all do I delete??

    Can someone tell me if lonny meant to delete everything, but INETADPT.DLL? There is not much in the LSP, but rnrzo.dll - DNS Name Space Provider, mswsosp.dll - (protocol handler), msafd.dll - (protocol handler), rsvpsp.dll - (protocol handler), INETADPT.DLL - (protocol handler)

    Thanks to anyone who can help me!
    :confused: Confused_soggy_froggy :confused:
     
  14. 2004/05/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Fix ONLY inetadpt.dll!! ALL instances of it.
     
  15. 2004/05/29
    soggy_froggy

    soggy_froggy Inactive Thread Starter

    Joined:
    2004/05/23
    Messages:
    9
    Likes Received:
    0
    Here is the latest HJT log, after LSP

    Hello,
    I just wanted to say, Thank you so much for all your help with all my puter problems. Here is the latest HJT log after deleting "inetadpt.dll"

    Thanks again, Kimberley (soggy_froggy) :D :) :cool: :) :D


    Logfile of HijackThis v1.97.7
    Scan saved at 9:48:58 PM, on 5/29/04
    Platform: Windows 98 SE (Win9x 4.10.1998A)
    MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSGLOOP.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\MSG32.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\SYSTEM\ATITASK.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\WINDOWS\SYSTEM\VETMSG9X.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\LEXMARK X1100 SERIES\LXBKBMGR.EXE
    C:\PROGRAM FILES\LEXMARK X1100 SERIES\LXBKBMON.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\WMCONNECT\WMTRAY.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
    C:\WMCONNECT\WWM.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS\System\VetMsg9x.exe
    O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
    O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe "
    O4 - HKLM\..\Run: [LexStart] lexstart.exe
    O4 - HKLM\..\Run: [LexPPS.exe] C:\WINDOWS\SYSTEM\lexpps.exe
    O4 - HKLM\..\RunServices: [TweakIco] c:\hp\support\tweakico.exe
    O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
    O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: Wal-Mart Connect Tray Icon.lnk = C:\wmconnect\wmtray.exe
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.wmconnect.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38107.5964583333
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
     
  16. 2004/05/30
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Nothing jumps out at me, looks good :D

    If you would please, Post one more Log from VX2Finder9x ?

    Also there is no real need to have RealPlay, winzip and possibly monitor.exe
    start with windows
    With the first two there should be an option within the program to have them not start with windows, the third I'm unsure of, probably disable it with msconfig. More information

    Let us know if there are any problems you haven't mentioned
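
An added example, not part of the thread and not a tool any of the posters used: a small parser that checks a follow-up HijackThis log against a fix list and diffs two scans. It matches entries by identity (registry value, autorun name, CLSID) rather than by full text, because the forum shortens URLs with "..." in quoted lines. The sample lines are excerpted from the logs and fix list posted above; all function names are hypothetical.

```python
import re

# One HijackThis entry: section code (R0, O4, O16, ...), " - ", then the body.
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*\S)\s*$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def entry_key(line):
    """Return (section, identity) for a HijackThis line, or None for other text.

    The identity leaves out the value part (URL, command line), because a
    forum shortens long URLs with "..." and a quoted line may drop the value.
    """
    m = ENTRY.match(line)
    if not m:
        return None
    section, body = m.groups()
    ident = body
    if section.startswith("R"):
        # "key,value name = data" -> keep the registry key and value name
        ident = re.split(r"\s=(?:\s|$)", body, maxsplit=1)[0]
    elif section == "O4":
        # "HKLM\..\Run: [name] command" -> keep the hive and the entry name
        named = re.match(r"(.*?\[[^\]]*\])", body)
        ident = named.group(1) if named else body.split(" = ", 1)[0]
    elif section == "O16":
        # Downloaded Program Files entries are identified by their CLSID
        clsid = CLSID.search(body)
        ident = clsid.group(0) if clsid else body
    return section, ident.lower()


def parse_log(text):
    """Map identity key -> original line for every entry found in the text."""
    entries = {}
    for line in text.splitlines():
        key = entry_key(line)
        if key:
            entries.setdefault(key, line.strip())
    return entries


def diff_logs(before, after):
    """Return (removed, added) entry keys between two scans."""
    b, a = parse_log(before), parse_log(after)
    return sorted(b.keys() - a.keys()), sorted(a.keys() - b.keys())


def still_present(fix_list, scan):
    """Lines of the scan that match an item the helper asked to fix."""
    scan_entries = parse_log(scan)
    return [scan_entries[k] for k in parse_log(fix_list) if k in scan_entries]


# Excerpt of the 1:00:31 PM scan posted in the thread.
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearching.com/passthrough/index.html?http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wmconnect.com
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O16 - DPF: {D52D92F2-3650-439C-AA18-03EE4F6859DE} - http://www.3pic.com/3155.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Excerpt of the 9:48:58 PM scan posted after the LSP fix.
AFTER = r"""
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [LexPPS.exe] C:\WINDOWS\SYSTEM\lexpps.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# The fix list as it appears in the thread, including the shortened URL
# and the line whose value is empty.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearching.com/passth...://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O16 - DPF: {D52D92F2-3650-439C-AA18-03EE4F6859DE} - http://www.3pic.com/3155.exe
"""

if __name__ == "__main__":
    print("Fix-list items found in the earlier scan:",
          len(still_present(FIX_LIST, BEFORE)))
    print("Fix-list items still present afterwards:",
          still_present(FIX_LIST, AFTER))
    removed, added = diff_logs(BEFORE, AFTER)
    print("Removed:", removed)
    print("New since the earlier scan:", added)
```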
     