Old 08-27-2005, 01:25 PM   #1 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 115
OS: Windows XP


Looking for the knight to kill the specific911 dragon again!!!

I found your battle with this beast very useful, and have studied all which was written in a long post about it (that's why I'm here).

I did everything I could do that I saw you advise (within reason) comparing my circumstances to the others, I also found other forums dealing with the problem and went over some of the steps there. I did clean with

Spybot, SpywareBlaster, Spy Sweeper, Ad-Aware (newest), CCleaner, have run Regseek, searched first for "specific911", hit about four, including some of the file names which I learned I had to search for, but could not find any other way, deleted them (..vb something etc), changed some of the start page, search page etc. addresses through SpywareBlaster, but could not determine which to leave and which to delete, so just changed them all to msn.

Also ran the on-line scans which you can see at the end of the log, still having the IE explorer window open with the click on anything....

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:49:23 م, on 27/08/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\IOMEGA\AUTODISK\ADSERVICE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [SMC] C:\SMC\SMC.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ADService] C:\Program Files\Iomega\AutoDisk\ADService.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: palstart.exe
O4 - Startup: GetRight Monitor.lnk = C:\Program Files\GetRight\getright.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab
O16 - DPF: {3D061514-8D58-40D8-BB88-2BA6DCA9E5DE} - http://www.qurancomplex.org/Download...dQuranFont.cab
O16 - DPF: {B0067CA5-2C37-4C6B-AAEC-5E2CE8635060} - http://www.qurancomplex.org/Download...Smooth_New.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://wdownload.weatherbug.com/mini...ansporter.cab?
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab


please help me

thanks

stretched

Old 08-27-2005, 03:17 PM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,196
OS: 2000 Pro; XP Pro; XP Home


Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->View->Folder Options->View tab and make sure that 'Show all files' is checked under the 'Hidden Files' section. Also make sure there is no checkmark beside 'Hide file extensions for known file types'.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - Startup: palstart.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com



Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

winmain.exe<<<find via Start>Search
palstart.exe<<<find via Start>Search


Restart into normal mode now.

I see you've run a scan with Panda ActiveScan, but I'd like to see a log, so please do this:

Perform an online scan with Internet Explorer with Panda ActiveScan - requires Internet Explorer
  1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
  2. Click On 'Scan Now'
  3. Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
  4. Begin the scan by selecting My Computer
    * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
  5. If it finds any malware, it will offer you a report. Click on see report
  6. Then click Save report
  7. Post the contents of the report in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Next, run a new HijackThis scan. Save the log file and post it here.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 08-27-2005, 04:14 PM   #3 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 115
OS: Windows XP


just finished running panda before checking, did not turn off monitors though, here is what it found:

Incident Status Location

Adware:adware/myway No disinfected C:\PROGRAM FILES\MyWay
Dialer:dialer.akd No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\SGRUNT.BIZ
Dialer:dialer.bjp No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\ARCHIVIOSEX.NET
Adware:adware/adshooter No disinfected Windows Registry
Virus:Trj/Downloader.TH Disinfected C:\WINDOWS\SYSTEM\CAX.0LL
Adware:Adware/StartPage.I No disinfected C:\WINDOWS\update12.0s
Spyware:Spyware/ISTBar No disinfected C:\WINDOWS\tinybar.0xe
Virus:Trj/Runet.A Disinfected C:\WINDOWS\mssys.0om
Adware:Adware/WinAD No disinfected C:\WINDOWS\WindUp.exe
I see some "new" junk...

I will follow your directions and come back and try to do the panda again and see about turning off the monitors
Old 08-27-2005, 05:03 PM   #4 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 115
OS: Windows XP


did as instructed, removed those files you mentioned through HijackThis, were not there via find afterwards, rebooted, here is the panda log:


Incident Status Location

Adware:adware/myway No disinfected C:\PROGRAM FILES\MyWay
Dialer:dialer.akd No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\SGRUNT.BIZ
Dialer:dialer.bjp No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\ARCHIVIOSEX.NET
Adware:adware/adshooter No disinfected Windows Registry
Adware:Adware/StartPage.I No disinfected C:\WINDOWS\update12.0s
Spyware:Spyware/ISTBar No disinfected C:\WINDOWS\tinybar.0xe
Adware:Adware/WinAD No disinfected C:\WINDOWS\WindUp.exe

I think that is everything you said....
Old 08-27-2005, 07:18 PM   #5 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,196
OS: 2000 Pro; XP Pro; XP Home


Please post a fresh HJT log also....
Old 08-27-2005, 07:25 PM   #6 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 115
OS: Windows XP


ok (thanks a lot) here it is:

Logfile of HijackThis v1.99.1
Scan saved at 0602 م, on 27/08/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\IOMEGA\AUTODISK\ADSERVICE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [SMC] C:\SMC\SMC.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ADService] C:\Program Files\Iomega\AutoDisk\ADService.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: GetRight Monitor.lnk = C:\Program Files\GetRight\getright.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab
O16 - DPF: {3D061514-8D58-40D8-BB88-2BA6DCA9E5DE} - http://www.qurancomplex.org/Download...dQuranFont.cab
O16 - DPF: {B0067CA5-2C37-4C6B-AAEC-5E2CE8635060} - http://www.qurancomplex.org/Download...Smooth_New.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://wdownload.weatherbug.com/mini...ansporter.cab?
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
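An added example, not part of the original thread or any poster's own tooling: a small Python script that compares two HijackThis logs and checks whether a fix list took effect, which is the comparison being done by eye between the logs in posts #1 and #6. The sample text is a short excerpt of entries taken from those two logs and from the fix list in post #2; the function names are this example's own.

```python
"""Compare two HijackThis logs and verify that a fix list took effect."""
import re

# Entry lines look like "<section code> - <details>", e.g. "O4 - HKLM\..\Run: [...]".
# The header and the "Running processes" block carry no such prefix and are skipped.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")


def parse_entries(log_text):
    """Return {normalized key: original line} for every entry line in a log."""
    entries = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if match:
            # Windows paths and value names are case-insensitive, so fold case.
            key = (match.group(1), match.group(2).strip().casefold())
            entries[key] = line
    return entries


def diff_logs(before_text, after_text):
    """Return (removed, added): entries only in the first log, only in the second."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    removed = [before[k] for k in sorted(before.keys() - after.keys())]
    added = [after[k] for k in sorted(after.keys() - before.keys())]
    return removed, added


def still_present(after_text, fix_list_text):
    """Return fix-list entries that the later log still contains."""
    after, wanted = parse_entries(after_text), parse_entries(fix_list_text)
    return [wanted[k] for k in sorted(wanted.keys() & after.keys())]


# Excerpt of the log in post #1 (a few entries only).
BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE

O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Startup: palstart.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
"""

# Excerpt of the log in post #6 (same entries, after the fix).
AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE

O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
"""

# The entries post #2 asked to be checked and fixed.
FIX_LIST = r"""O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - Startup: palstart.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    print("Removed since first scan:")
    for line in removed:
        print("  " + line)
    print("New since first scan (review each one):")
    for line in added:
        print("  " + line)
    leftover = still_present(AFTER, FIX_LIST)
    print("Fix-list entries still present:", leftover if leftover else "none")
```

Entries that show up only in the later log are not automatically bad (here they come from the antivirus installed between scans), but each one is worth identifying before the next round of fixes.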
Old 08-27-2005, 08:18 PM   #7 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,196
OS: 2000 Pro; XP Pro; XP Home


Please run a search for internat.exe using Start>Find

Right click on that file and go to Properties. Then go to the Version tab and see what information you can get from there (Company, Description, etc.) and post it here.

Copy these instructions to Notepad

Download Killbox from one of these locations:

http://www.greyknight17.com/spy/KillBox.exe
http://www.downloads.subratam.org/KillBox.zip
http://www.atribune.org/downloads/KillBox.exe

Reboot into safe mode.

Uninstall MyWay from Add/Remove Programs, if it is there, using these instructions (if not present there, just delete the folder at the indicated point in the instructions):

* Click Start- Settings - Control Panel- Add or Remove Programs
* Double-click the Add or Remove Programs icon
* Click Remove a program
* Click MyWay
* Click the Change/Remove button
* In the InstallShield Wizard dialog box, select the Remove check box
* Click Next
* If you get a window for "Remove Share Component", click "Yes to All"
* If you get a window for "Remove Share File", click "Yes to All"
* Click Yes
* When finished, close all boxes
* Do NOT restart the computer when asked

* Click Start- Find or Search- Files or Folders
* "Look In" should say Local Hard Drives
* Type MyWay [press Enter]
* Delete any/all found, close all boxes when finished

* Click Start- Run
* Type or copy/paste
MsiExec.exe /X{78d944d7-a97b-4004-ab0a-b5ad06839940}
* Click OK
* Follow the prompts to remove MyWay

* Click Start- Run
* Type regedit [press Enter]
* Highlight My Computer
* Click..FILE….EXPORT…and save a copy somewhere in case you make a mistake.
* Click Edit- Find
* Type MyWay [press Enter]
* Delete any/all found, press F3 to continue searching. Delete any/all found
* Close all boxes when finished
* Click Start- Turn Off Computer- Restart into safe mode again.

Delete this folder:

C:\PROGRAM FILES\MyWay

Next:
  • C:\WINDOWS\update12.0s
    C:\WINDOWS\tinybar.0xe
    C:\WINDOWS\WindUp.exe

Select/Highlight all the filename(s) from the above.
Copy to clipboard by pressing [CTRL]+[C] on your keyboard.
Start KillBox.exe
  1. Go to the File menu, and choose Paste from Clipboard * this feature does not work on older versions of Killbox
    Click the dropdown-arrow next to the "Full Path of File to Delete" field.
    Verify that the filenames you pasted are found in there.
  2. Select/tick the following:
    • Delete on Reboot
    • End Explorer Shell While Killing File
    • Unregister.dll Before Deleting * if it's not grayed out
  3. Click the RED X button.
  4. Click Yes at the 'Delete on Reboot' prompt.
  5. Click Yes at the 'Pending Operations prompt'.

* If you received a message such as: "PendingFileRenameOperations registry data has been removed by external process", you have to manually restart Windows.

* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe Then try Killbox again.


Reboot into normal mode, and run another Panda ActiveScan. Post the log here.

What is the condition of your system now, please?

Last edited by tetonbob; 08-27-2005 at 08:22 PM.
Old 08-27-2005, 09:28 PM   #8 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 115
OS: Windows XP


HERE IS SO FAR, Going to panda now...

internat.exe

info:

(Keyboard Language Indicator Applet, Copyright (C) Microsoft Corp. 1998 Company name Microsoft Corporation, I am running 98 Arabic Enabled, maybe something for that)


Downloaded Killbox

Rebooted into safe mode.

Uninstall MyWay - no file with that name, nor folder, maybe i deleted it before.

* Click Start- Settings - Control Panel- Add or Remove Programs
* Double-click the Add or Remove Programs icon (can not do that with this specific911 only opens IE, operations via task scheduler only or start/find but that only finds, can't do anything else with find, just opens an IE window)

Click Start- Find or Search- Files or Folders - can do that, did not find MyWay

Could not do "run" command on (same reason as above) MsiExec.exe /X{78d944d7-a97b-4004-ab0a-b5ad06839940}

Found msiexec.exe program, using “find” which does work, says microsoft is that it? - I DID NOT DELETE SINCE I WAS UNSURE it looked suspicious but was not sure...

In REGEDIT

Click..FILE….EXPORT…and save a copy somewhere in case you make a mistake. (DID THAT)

* Click Edit- Find
* Type MyWay [press Enter]
* Delete any/all found, press F3 to continue searching. Delete any/all found (found a set and deleted all but would not delete the one that said (value not set))


Delete this folder:

C:\PROGRAM FILES\MyWay (did not find that)

Next:
C:\WINDOWS\update12.0s
C:\WINDOWS\tinybar.0xe
C:\WINDOWS\WindUp.exe
(did not find any)

did the killbox orders, rebooted and all, looks like everything's the same, do I have to remove that

msiexec.exe program

for sure? maybe that is all that's left...

off to panda
Old 08-27-2005, 10:19 PM   #9 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 115
OS: Windows XP


alright here is panda and a HJT from right before:


Incident Status Location

Dialer:dialer.akd No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\SGRUNT.BIZ
Dialer:dialer.bjp No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\ARCHIVIOSEX.NET
Adware:adware/adshooter No disinfected Windows Registry
Possible Virus. No disinfected C:\Program Files\TrojanHunter 4.0\Tools\Process Viewer\ProcessViewer.exe
don't know where those dialers came from, and don't want them....

Logfile of HijackThis v1.99.1
Scan saved at 10:38:41 م, on 27/08/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\IOMEGA\AUTODISK\ADSERVICE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [SMC] C:\SMC\SMC.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [THGuard] C:\Program Files\TrojanHunter 4.0\THGuard.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ADService] C:\Program Files\Iomega\AutoDisk\ADService.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: GetRight Monitor.lnk = C:\Program Files\GetRight\getright.exe
O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab
O16 - DPF: {3D061514-8D58-40D8-BB88-2BA6DCA9E5DE} - http://www.qurancomplex.org/Download...dQuranFont.cab
O16 - DPF: {B0067CA5-2C37-4C6B-AAEC-5E2CE8635060} - http://www.qurancomplex.org/Download...Smooth_New.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab

alright, been at this for over 24hrs now, and still going....
Old 08-28-2005, 03:15 AM   #10 (permalink)
Moderator, Microsoft Support
 
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,481
OS: XP SP2


We're almost there...

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them in your next post.

Please run an online virus scan at Panda ActiveScan. Save the results and bring them with you in your next post.
Old 08-28-2005, 10:38 AM   #11 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 115
OS: Windows XP


I can not double click on anything on my desktop except for mycomp, any program only opens IE, I will download and attempt to activate the program via Scheduled Tasks (like everything else). If the opening of that download relies on any other programs, it will just open IE window and not complete the process, this has happened with one or two anti-virus programs I downloaded, just could not open them from desk-top, I will assign it to program files directory instead of desk-top to hopefully be able to open it......
Old 08-28-2005, 10:49 AM   #12 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 115
OS: Windows XP


it did not work either way, both times it gave an error box:

Microsoft(ODBC) Driver data source...not found and default driver (something like not present)

could not I think it was trying to access the net upon opening, I got the accept or not box and click accept, but then the error box comes up....
Old 08-28-2005, 12:00 PM   #13 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 115
OS: Windows XP


here is the panda log:


Incident Status Location

Dialer:dialer.bjp No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\USER AGENT
Adware:adware/adshooter No disinfected Windows Registry
Possible Virus. No disinfected C:\Program Files\TrojanHunter 4.0\Tools\Process Viewer\ProcessViewer.exe
Old 08-28-2005, 02:21 PM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,196
OS: 2000 Pro; XP Pro; XP Home


Grrrrrrrr...........let's dig....

Open up HijackThis and go to Config->Misc Tools and check the first two boxes there. Now click on the 'Generate StartupList log' button. Post that log in your next post.

Right click on http://www.silentrunners.org/Silent%20Runners.vbs and choose Save As...Save it to your Desktop. Make sure you have disabled any programs that may block/disable scripts (ex: Ad-Watch, TeaTimer, Norton, etc.). Double click on 'Silent Runners' to run it. This will take a few minutes. It will create a file called 'Startup Programs' followed by your computer name and current date. Open up that file and post all the contents here in your next post.

Download StartDreck http://www.greyknight17.com/spy/StartDreck.zip

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.

Right click on this link and choose Save As. Leave the filename alone and save it on your desktop. Now run that program (right click and choose Open if you cannot double click) and do a search for -> specific911

Is there more than one user account on this system?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009

Last edited by tetonbob; 08-28-2005 at 02:28 PM.
tetonbob is offline  
Old 08-28-2005, 02:36 PM   #15 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 115
OS: Windows XP


alright the request via HJT can not be done, it brings up a box... through notepad OK press ok, tries to open notepad, which does not work only opens IE window, can not do anything with any program that opens another program, that will only result in what the main problem is, opening IE window, going to work on the other things in the last post, and as for users, I fear that this is possible, because once my kids did something changing my logon password, so I had to try to redo it, so I think the answer is yes, but I only know the one called "John" at this time, the other logon name and password I do not know anymore....working on other tasks
stretched is offline  
Old 08-28-2005, 02:46 PM   #16 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,196
OS: 2000 Pro; XP Pro; XP Home


After you run as many of the previous instructions as possible, do this:

Go to Start>Settings>Control Panel>Users

Is there more than one user listed? If so, I need you to log on to each one, run HJT, save a log and post it here, please.


Regarding an earlier comment of yours about the dialers found by Panda.....those are known false positives....not to worry about. Your Panda logs are essentially clean......only registry remnants remain.
tetonbob is offline  
Old 08-28-2005, 03:08 PM   #17 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 115
OS: Windows XP


1. Start, control panel, users, users opens IE window
2. Silent runners, demanded download wmi9x.exe from microsoft website, did that, then I had to install it, then run it from task sched. because silent runners kept saying it can't operate without it each time I started it, so I tried to run wmi9x.exe first then silent runners next, but just would not work.
3. Regsrch already have it, just gives a script error x box when searching.
4. Start Dreck yes:

StartDreck (build 2.1.7 public stable) - 2005-08-28 @ 15:59:17 (GMT -05:00)
Platform: Windows 98 (Win 4.10.1998 )
Internet Explorer: 6.0.2600.0000
Logged in as john at ABUKHALI

»Registry
»Run Keys
»Current User
»Run
*Spyware Doctor="C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
»RunOnce
»Default User
»Run
*Spyware Doctor="C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
»RunOnce
»Local Machine
»Run
*internat.exe=internat.exe
*SystemTray=SysTray.ExE
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*Disc Detector=C:\Program Files\Creative\ShareDLL\CtNotify.exe
*ATIGART=c:\ati\gart\atigart.exe
*AtiPTA=Atiptaxx.exe
*ADUserMon=C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
*Iomega Drive Icons=C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
*Deskup=C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
*SMSERIAL=sm56hlpr.exe
*zSPGuard=c:\program files\pjw\spguard\spguard.exe /s /r
*SMC=C:\SMC\SMC.exe
*LoadQM=loadqm.exe
*Zone Labs Client=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
*avast! Web Scanner=C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
*SchedulingAgent=mstinit.exe /firstlogon
*THGuard=C:\Program Files\TrojanHunter 4.0\THGuard.exe
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*ADService=C:\Program Files\Iomega\AutoDisk\ADService.exe
*winmodem=WINMODEM.101\wmexe.exe
*TrueVector=C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
*avast!=C:\Program Files\Alwil Software\Avast4\ashServ.exe
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
+.htm
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.html
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.js
*JSFile=C:\WINDOWS\WScript.exe "%1" %*
+.jse
*JSEFile=C:\WINDOWS\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=C:\WINDOWS\NOTEPAD.EXE %1
+.vbs
*VBSFile=C:\WINDOWS\WScript.exe "%1" %*
+.vbe
*VBEFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsh
*WSHFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsf
*WSFFile=C:\WINDOWS\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Windows Setup - Applets/AppletsPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 C:\WINDOWS\INF\applets.inf
+Windows Setup - Fonts/FontsPerUser
*StubPath=C:\WINDOWS\SYSTEM\rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection nls.hkcu.reg 0 C:\WINDOWS\INF\fonts.inf
+PerUser_ICW_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 C:\WINDOWS\INF\icw97.inf
+Internet Explorer 6 and Internet Tools/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4395}
*StubPath=rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\SYSTEM\ie4uinit.inf,Shell.UserStub,,36
+Power Policy Settings/{CA0A4247-44BE-11d1-A005-00805F8ABE06}
*StubPath=RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf
+Windows Setup - System Information/PerUser_Msinfo
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 C:\WINDOWS\INF\msinfo.inf
+Windows Setup - System Information/PerUser_Msinfo2
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 C:\WINDOWS\INF\msinfo.inf
+Windows Setup - Multimedia/MotownMmsysPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 C:\WINDOWS\INF\motown.inf
+Windows Setup - Multimedia/MotownAvivideoPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 C:\WINDOWS\INF\motown.inf
+Windows Setup - Messaging/PerUser_Base
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 C:\WINDOWS\INF\msmail.inf
+Windows Setup - Shell/ShellPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 C:\WINDOWS\INF\shell.inf
+Windows Setup - Shell2/Shell2PerUser
*StubPath=C:\WINDOWS\SYSTEM\rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection schemes.reg 0 C:\WINDOWS\INF\shell2.inf
+Windows Setup - Start Menu/PerUser_winbase_Links
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 C:\WINDOWS\INF\subase.inf
+Windows Setup - Start Menu/PerUser_winapps_Links
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 C:\WINDOWS\INF\subase.inf
+Windows Setup - Links Bar/PerUser_LinkBar_URLs
*StubPath=C:\WINDOWS\COMMAND\sulfnbk.exe /L
+Windows Setup - Telephony Support/TapiPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 C:\WINDOWS\INF\tapi.inf
+Windows Setup - More Applets/PerUserOldLinks
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 C:\WINDOWS\INF\appletpp.inf
+Windows Setup - Sound Schemes/MmoptRegisterPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 C:\WINDOWS\INF\mmopt.inf
+Windows Setup - Online Services/OlsPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 C:\WINDOWS\INF\ols.inf
+Windows Setup - Paint/PerUser_Paint_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 C:\WINDOWS\INF\applets.inf
+Windows Setup - Calculator/PerUser_Calc_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 C:\WINDOWS\INF\applets.inf
+Windows Setup - FAT32 Converter/PerUser_CVT_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf
+Windows Setup - Multimedia/MotownRecPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 C:\WINDOWS\INF\motown.inf
+Windows Setup - Volume Control/PerUser_Vol
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 C:\WINDOWS\INF\motown.inf
+Windows Setup - Multimedia/MotownMPlayPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 C:\WINDOWS\INF\motown.inf
+Windows Setup - Wordpad/PerUser_MSWordPad_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 C:\WINDOWS\INF\wordpad.inf
+Windows Setup - Dial-Up Networking/PerUser_RNA_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 C:\WINDOWS\INF\rna.inf
+Windows Setup - Phone Dialer/PerUser_Dialer_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 C:\WINDOWS\INF\appletpp.inf
+Outlook Express/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msimn.inf,User.Install
+Microsoft FrontPage Express/{E4066320-E4AE-11CF-B1B0-00AA00BBAD66}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fpxprs16.inf,PerUserStub
+Windows Setup - CD Player/PerUser_CDPlayer_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 C:\WINDOWS\INF\mmopt.inf
+Microsoft NetMeeting 2.1/{44BBA842-CC51-11CF-AAFA-00AA00B6015C}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.W95
+Windows Setup - America Online/OlsAolPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUser 64 C:\WINDOWS\INF\ols.inf
+Windows Setup - AT&T WorldNet Service/OlsAttPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUser 64 C:\WINDOWS\INF\ols.inf
+Windows Setup - CompuServe/OlsCompuservePerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsCompuservePerUser 64 C:\WINDOWS\INF\ols.inf
+Windows Setup - Prodigy Internet/OlsProdigyPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUser 64 C:\WINDOWS\INF\ols.inf
+Windows Setup - The Microsoft Network/OlsMsnPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 C:\WINDOWS\INF\ols.inf
+Middle-East Channel Setup/chlen-me
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\chlen-me.inf,InstallUser
+CRLUpdate/{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}
*StubPath=C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
+Browser Customizations/>{4459869E-613A-4C1C-8B5C-1878495FA551}
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Microsoft Windows Media Player 6.4/{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub
+{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
»Browser Helper Objects (LM)
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
»Internet Explorer
»Current User
*Default_Search_URL=www.msn.com
*Local Page=C:\WINDOWS\system\blank.htm
*Search Bar=www.msn.com
*Search Page=www.msn.com
*Start Page=http://www.msn.com
*Window Title=Microsoft Internet Explorer provided by America Online
*CustomizeSearch=http://www.msn.com
*SearchAssistant=www.msn.com
+SearchUrl
* =+
*&=%26
*+=%2B
*#=%23
*?=%3F
*==%3D
*provider=
»Default User
*Default_Search_URL=www.msn.com
*Local Page=C:\WINDOWS\system\blank.htm
*Search Bar=www.msn.com
*Search Page=www.msn.com
*Start Page=http://www.msn.com
*Window Title=Microsoft Internet Explorer provided by America Online
*CustomizeSearch=http://www.msn.com
*SearchAssistant=www.msn.com
+SearchUrl
* =+
*&=%26
*+=%2B
*#=%23
*?=%3F
*==%3D
*provider=
»Local Machine
*Default_Page_URL=http://www.msn.com
*Default_Search_URL=http://www.msn.com
*Local Page=C:\WINDOWS\SYSTEM\blank.htm
*Search Bar=http://www.msn.com
*Search Page=http://www.msn.com
*Start Page=http://www.msn.com
*Window Title=Microsoft Internet Explorer provided by America Online
*CustomizeSearch=http://www.msn.com
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
+SearchUrl
»ShellServiceObjectDelayLoad (LM)
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=
»Special NT Values
»Current User
*Load=
*Run=
*Programs=
*SHELL=
»Default User
*Load=
*Run=
*Programs=
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=
*Userinit=
»Files
»Autostart Folders
»Current User
*C:\WINDOWS\Start Menu\Programs\StartUp\GetRight Monitor.lnk
»Default User
*C:\WINDOWS\Start Menu\Programs\StartUp\GetRight Monitor.lnk
»Local Machine
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\msdos.sys
`[Paths]
`WinDir=C:\WINDOWS
`WinBootDir=C:\WINDOWS
`HostWinBootDrv=C
`[Options]
`BootMulti=1
`BootGUI=1
`DoubleBuffer=1
`AutoScan=1
`WinVer=4.10.1998
`;
`;The following lines are required for compatibility with other programs.
`;Do not remove them (MSDOS.SYS needs to be >1024 bytes).
*C:\config.sys
`DEVICE=C:\WINDOWS\HIMEM.SYS
`DEVICE=C:\WINDOWS\EMM386.EXE
`device=C:\WINDOWS\COMMAND\display.sys con=(ega,,1)
`Country=966,720,C:\WINDOWS\COMMAND\country.sys
*C:\autoexec.bat
`SET BLASTER=A220 I7 D1 H7 P330 T6
`SET SBPCI=C:\PROGRA~1\CREATIVE\AUDIO\DOSDRV
`mode con codepage prepare=((720) C:\WINDOWS\COMMAND\ega4.cpi)
`mode con codepage select=720
`Set tvdumpflags=10
`Set tvdumpflags=10
`Set tvdumpflags=10
`Set tvdumpflags=10
`SET PATH=C:\WINDOWS\SYSTEM\WBEM;%PATH%
*C:\WINDOWS\wininit.bak
`[Rename]
`NUL=
`NUL=
`NUL=
*C:\WINDOWS\dosstart.bat
`C:\PROGRA~1\CREATIVE\AUDIO\DOSDRV\SBINIT
»Program Files
*C:\io.sys
*C:\WINDOWS\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\COMMAND.COM
*C:\WINDOWS\COMMAND.PIF
*C:\WINDOWS\COMMAND.COM
+C:\WINDOWS\SYSTEM\hh.exe
*C:\WINDOWS\hh.exe
»System/Drivers
»Running Processes
+FF0FA65D=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FF0051A1=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FF006731=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FF00DC81=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FF00E1C1=C:\PROGRAM FILES\IOMEGA\AUTODISK\ADSERVICE.EXE
+FF00FC3D=C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
+FF00AD0D=C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
+FF01CF39=C:\WINDOWS\SYSTEM\mmtask.tsk
+FF020249=C:\WINDOWS\EXPLORER.EXE
+FF03AEC1=C:\WINDOWS\SYSTEM\RPCSS.EXE
+FF059ED1=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FF063105=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FF034775=C:\PROGRAM FILES\STARTDRECK.EXE
»VMM32Files (LM)
*vdd.vxd=
*vflatd.vxd=
*vshare.vxd=
*vwin32.vxd=
*vfbackup.vxd=
*vcomm.vxd=
*combuff.vxd=
*vcd.vxd=
*vpd.vxd=
*spooler.vxd=
*udf.vxd=
*vfat.vxd=
*vcache.vxd=
*vcond.vxd=
*vcdfsd.vxd=
*int13.vxd=
*vxdldr.vxd=
*vdef.vxd=
*dynapage.vxd=
*configmg.vxd=
*ntkern.vxd=
*ebios.vxd=
*vmd.vxd=
*dosnet.vxd=
*vpicd.vxd=
*vtd.vxd=
*reboot.vxd=
*vdmad.vxd=
*vsd.vxd=
*v86mmgr.vxd=
*pageswap.vxd=
*dosmgr.vxd=
*vmpoll.vxd=
*shell.vxd=
*parity.vxd=
*biosxlat.vxd=
*vmcpd.vxd=
*vtdapi.vxd=
*perf.vxd=
*vkd.vxd=
*vmouse.vxd=
*mtrr.vxd=
*enable.vxd=
»%System%\VMM32
*C:\WINDOWS\SYSTEM\VMM32\IFSMGR.VXD
*C:\WINDOWS\SYSTEM\VMM32\IOS.VXD
*C:\WINDOWS\SYSTEM\VMM32\QEMMFIX.VXD
»%System%\IOSUBSYS
*C:\WINDOWS\SYSTEM\IoSubSys\BIGMEM.DRV
*C:\WINDOWS\SYSTEM\IoSubSys\ESDI_506.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\HSFLOP.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\RMM.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\SCSIPORT.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\APIX.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\ATAPCHNG.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\CDFS.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\CDTSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\CDVSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\DISKTSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\DISKVSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\NECATAPI.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\SCSI1HLP.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\TORISAN3.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\VOLTRACK.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\PPA3.MPD
*C:\WINDOWS\SYSTEM\IoSubSys\Clikcard.mpd
*C:\WINDOWS\SYSTEM\IoSubSys\USB_IOS.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\IOMEGA.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\AFL.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\DDTHINGS.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\cdr4vsd.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\cdralvsd.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\acbhlpr.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\ENSQIO.VXD
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User


Please do not forget, I can manage to find a way to open a given program, and even unzip it first, then open it, but if it wants to use some other program, bam, IE opens, and it just does not work.
stretched is offline  
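A check that could be run over the "File Associations (CR)" section of a StartDreck log such as the one in post #17, given the symptom that launching anything opens IE. This is an added example, not part of any post in the thread: the meaning of the `»`, `+`, `*` and backtick markers is inferred from the log's layout, not from StartDreck documentation, and the altered `.exe` entry is constructed for contrast.

```python
# Constructed sample: lines copied from the "File Associations (CR)" section of
# the log in post #17, followed by the start of the next section.
SAMPLE_LOG = r'''»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.exe
*exefile="%1" %*
+.pif
*piffile="%1" %*
+.scr
*scrfile="%1" /S
+.txt
*txtfile=C:\WINDOWS\NOTEPAD.EXE %1
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+PerUser_ICW_Inis
'''

# Constructed (not from the thread): the same log with a hypothetical program
# placed in front of the target in the .exe open command.
ALTERED_LOG = SAMPLE_LOG.replace(
    '*exefile="%1" %*', r'*exefile="C:\EXAMPLE\other.exe" "%1" %*')

# File types that are expected to launch themselves: the open command
# should begin with the target itself, i.e. "%1".
SELF_LAUNCHING = {".exe", ".com", ".bat", ".pif", ".scr"}


def parse_associations(log_text):
    """Return {extension: (class_name, command_or_None)} for the section."""
    assoc, in_section, ext = {}, False, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("»"):            # assumed: » opens a new section
            in_section = line.startswith("»File Associations")
            ext = None
        elif in_section and line.startswith("+"):   # assumed: + names the extension
            ext = line[1:].lower()
        elif in_section and ext and line[:1] in ("*", "`") and "=" in line:
            name, _, command = line[1:].partition("=")
            command = command.strip()
            if "does not exist" in command:  # tool reports a missing key/value
                command = None
            assoc[ext] = (name, command)
    return assoc


def check_associations(assoc):
    """List (extension, reason) for self-launching types that look altered."""
    findings = []
    for ext in sorted(SELF_LAUNCHING):
        if ext not in assoc:
            findings.append((ext, "not listed in log"))
            continue
        _name, command = assoc[ext]
        if command is None:
            findings.append((ext, "open command missing"))
        elif not command.startswith('"%1"'):
            findings.append((ext, "handler placed before target: " + command))
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_LOG), ("altered", ALTERED_LOG)):
        print(label, check_associations(parse_associations(text)))
```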
Old 08-28-2005, 03:21 PM   #18 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,196
OS: 2000 Pro; XP Pro; XP Home


I'm running out of ideas..... I'm going to call in the cavalry on this.....hang tight.
tetonbob is offline  
Old 08-28-2005, 03:30 PM   #19 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 115
OS: Windows XP


alright, I'm here, I work at home and use my computer....but this hurricane is coming, I think there should be no electric trouble until late at night here, about 8 hours (Alabama, Mobile central US time)

so aside from myself and my family not dying tonight, fixing this computer is still my main concern in life...so I am monitoring the forum just as I am monitoring the weather channel....
stretched is offline  
Old 08-28-2005, 04:33 PM   #20 (permalink)
Analyst, Security Team
 
Join Date: Jul 2004
Location: New York
Posts: 14,331
OS: Windows 98 & Windows XP Home/Pro

Does the IE problem occur if you are in Safe Mode also?

Try this. Go to Start->Run and type in sfc and hit OK. Run the full scan and see if it finds anything.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

greyknight17 is offline  
 


All times are GMT -7. The time now is 05:39 PM.



Copyright 2001 - 2009, Tech Support Forum