What's a "Dialer Object" & "Jump to Key" ?? - Windows 95/98/ME

Archived from groups: microsoft.public.windowsme.general (More info?)

 

Help please:

AdAware has started picking up these "Jump to Key" items. I delete them, and
they come back. What are they? How can they be prevented?

OM

------------

Dialer Object Recognized!
Type : RegValue
Data : Wildflics
Category : Dialer
Comment : ""
Rootkey : HKEY_USERS
Object : .DEFAULT\software\microsoft\windows\currentversion\run
Value :

Dialer Object Recognized!
Type : RegValue
Data : Wildflics
Category : Dialer
Comment : ""
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\run


 

I'm not sure what you mean by "Jump to Key". The two entries you report
are telling you that there are entries in the registry that are being used
to launch an almost certainly unwanted porn dialler each time you boot
your PC. The keys being
HKEY_USERS\software\microsoft\windows\currentversion\run and
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run.

To remove these entries you need to find the file that is creating these
keys each time you boot your PC. You might find it helpful to download
and use HijackThis from
http://www.spywareinfo.com/~merijn/downloads.html. Create a folder called
HJT on C: (not on your desktop nor in your temp folder) and copy the file
you downloaded to that folder. Close as many applications as you can
including all instances of Internet Explorer. Enable Windows Explorer to
see all files and folders (Tools | Folder Options | View and check "Show
hidden files and folders" and uncheck "Hide protected operating system
files"), clear your Temp folder and Temporary Internet Files and then run
hijackthis.exe and post back the log to the HijackThis Forum at
http://forum.aumha.org/viewforum.php?f=30 and hopefully this will enable
someone to identify the cause of your problem.

> How can they be prevented?

That's the $64,000 question but a good place to start is by ensuring that
your PC is fully patched, by using a good antivirus application which is
kept updated, perhaps even daily, by using tools such as AdAware, SpyBot
Search & Destroy, Spyware Blaster and more, using a firewall and most
important of all by practising Safe Hex. Don't click on or download files
unless you know you want them and the consequences of doing so.

See also: Dealing with Unwanted Malware, Parasites, Toolbars and Search
Engines http://mvps.org/winhelp2002/unwanted.htm and also Browser
Hijacking http://www.spywareinfo.com/articles/hijacked/
--
Mike Maltby
mike.maltby@gmail.com


OM <Nomail@msn.com> wrote:

> Help please:
>
> AdAware has started picking up these "Jump to Key" items. I delete
> them, and they come back. What are they? How can they be prevented?
>
> OM
>
> ------------
>
> Dialer Object Recognized!
> Type : RegValue
> Data : Wildflics
> Category : Dialer
> Comment : ""
> Rootkey : HKEY_USERS
> Object :
> .DEFAULT\software\microsoft\windows\currentversion\run
> Value :
>
> Dialer Object Recognized!
> Type : RegValue
> Data : Wildflics
> Category : Dialer
> Comment : ""
> Rootkey : HKEY_LOCAL_MACHINE
> Object : software\microsoft\windows\currentversion\run


 

> Don't click on or download files unless you know you want them and the
> consequences of doing so.

That's concise, Mike! That should perhaps be tattooed on people's foreheads
when they buy their first computer!


Shane



"Mike M" <No_Spam@Corned_Beef.Only> wrote in message
news:upBHTyzhFHA.4028@TK2MSFTNGP10.phx.gbl...
> I'm not sure what you mean by "Jump to Key". The two entries you report
> are telling you that there are entries in the registry that are being used
> to launch an almost certainly unwanted porn dialler each time you boot
> your PC. The keys being
> HKEY_USERS\software\microsoft\windows\currentversion\run and
> HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run.
>
> To remove these entries you need to find the file that is creating these
> keys each time you boot your PC. You might find it helpful to download
> and use HijackThis from
> http://www.spywareinfo.com/~merijn/downloads.html). Create a folder called
> HJT on C: (not on your desktop nor in your temp folder) and copy the file
> you downloaded to that folder. Close as many applications as you can
> including all instances of Internet Explorer. Enable Windows Explorer to
> see all files and folders (Tools | Folder Options | View and check "Show
> hidden files and folders" and uncheck "Hide protected operating system
> files" ), clear your Temp folder and Temporary Internet Files and then run
> hijackthis.exe and post back the log to the HijackThis Forum at
> http://forum.aumha.org/viewforum.php?f=30 and hopefully this will enable
> someone to identify the cause of your problem.
>
>> How can they be prevented?
>
> That's the $64,000 question but a good place to start is by ensuring that
> your PC is fully patched, by using a good antivirus application which is
> kept updated, perhaps even daily, by using tools such as AdAware, SpyBot
> Search & Destroy, Spyware Blaster and more, using a firewall and most
> important of all by practising Safe Hex. Don't click on or download files
> unless you know you want them and the consequences of doing so.
>
> See also: Dealing with Unwanted Malware, Parasites, Toolbars and Search
> Engines http://mvps.org/winhelp2002/unwanted.htm and also Browser
> Hijacking http://www.spywareinfo.com/articles/hijacked/
> --
> Mike Maltby
> mike.maltby@gmail.com
>
>
> OM <Nomail@msn.com> wrote:
>
>> Help please:
>>
>> AdAware has started picking up these "Jump to Key" items. I delete
>> them, and they come back. What are they? How can they be prevented?
>>
>> OM
>>
>> ------------
>>
>> Dialer Object Recognized!
>> Type : RegValue
>> Data : Wildflics
>> Category : Dialer
>> Comment : ""
>> Rootkey : HKEY_USERS
>> Object :
>> .DEFAULT\software\microsoft\windows\currentversion\run
>> Value :
>>
>> Dialer Object Recognized!
>> Type : RegValue
>> Data : Wildflics
>> Category : Dialer
>> Comment : ""
>> Rootkey : HKEY_LOCAL_MACHINE
>> Object : software\microsoft\windows\currentversion\run
>


 

"Mike M" <No_Spam@Corned_Beef.Only> wrote in message
news:upBHTyzhFHA.4028@TK2MSFTNGP10.phx.gbl...
> I'm not sure what you mean by "Jump to Key". The two entries you report
> are telling you that there are entries in the registry that are being used
> to launch an almost certainly unwanted porn dialler each time you boot
> your PC. The keys being
> HKEY_USERS\software\microsoft\windows\currentversion\run and
> HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run.
>
> To remove these entries you need to find the file that is creating these
> keys each time you boot your PC. You might find it helpful to download
> and use HijackThis from
> http://www.spywareinfo.com/~merijn/downloads.html). Create a folder called
> HJT on C: (not on your desktop nor in your temp folder) and copy the file
> you downloaded to that folder. Close as many applications as you can
> including all instances of Internet Explorer. Enable Windows Explorer to
> see all files and folders (Tools | Folder Options | View and check "Show
> hidden files and folders" and uncheck "Hide protected operating system
> files" ), clear your Temp folder and Temporary Internet Files and then run
> hijackthis.exe and post back the log to the HijackThis Forum at
> http://forum.aumha.org/viewforum.php?f=30 and hopefully this will enable
> someone to identify the cause of your problem.

Thanks Mike. Have done as you suggested and waiting for answers or
suggestions from the BLOG.
Would you have any suggestions from my HijackThis log?? Would the
startup information give any help?

OM
------------
Logfile of HijackThis v1.99.1
Scan saved at 11:07:36 AM, on 7/13/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON INTERNET SECURITY FAMILY EDITION\NISSERV.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\APC\APC POWERCHUTE PERSONAL EDITION\MAINSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY FAMILY EDITION\NISUM.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY FAMILY EDITION\IAMAPP.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY FAMILY EDITION\ATRACK.EXE
C:\PROGRAM FILES\STOPZILLA!\STOPZILLA.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\BESTPOPUPKILLER\BESTPOPUPKILLER.EXE
C:\PROGRAM FILES\NORTON UTILITIES\SYSDOC32.EXE
C:\PROGRAM FILES\APC\APC POWERCHUTE PERSONAL EDITION\APCSYSTRAY.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\HJT\HIJACKTH.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.mchsi.com/hendersonville
F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: STOPzilla Browser Helper Object -
{E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\SYSTEM\SZIEBHO.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program
Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe"
/autorun
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [GDRIVE] C:\IBMTOOLS\IBMBOOT\GDRIVE.EXE -N
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec
Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [QuickTime Task]
"C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec
Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [TkBellExe]
:\WINDOWS\TEMP\~rnsetup\RNADMIN\realsched.exe -osboot
O4 - HKLM\..\Run: [Ad-Aware] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE
PLUS\AD-AWARE.EXE" +c
O4 - HKLM\..\Run: [Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [STOPzilla Service] C:\PROGRAM
FILES\STOPZILLA!\SZNTSVC.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec
Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec
Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton
Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common
Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [APC_SERVICE] C:\Program Files\APC\APC PowerChute
Personal Edition\mainserv.exe
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program
Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe
/startup
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton
Utilities\SYSDOC32.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute
Personal Edition\Display.exe
O4 - Global Startup: NetShow PowerPoint Helper.lnk = C:\Program
Files\NetShow Services\Tools\nsppthlp.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM
FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM
FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM
FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM
FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM
FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) -
http://updates.lifescapeinc.com/in [...] nstall.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) -
http://www.stopzilla.com/_download [...] dwnldr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
https://www-secure.symantec.com/tec [...] mAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) -
https://www-secure.symantec.com/tec [...] veData.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
http://software-dl.real.com/133e3d [...] xIE601.cab
O16 - DPF: {0957C19A-D854-482A-A4F9-18856C723D7D} (XNC600NetCam Control) -
http://www.forsythe.tzo.net:1080/XNC600NetCam.cab

> > ------------
> >
> > Dialer Object Recognized!
> > Type : RegValue
> > Data : Wildflics
> > Category : Dialer
> > Comment : ""
> > Rootkey : HKEY_USERS
> > Object :
> > .DEFAULT\software\microsoft\windows\currentversion\run
> > Value :
> >
> > Dialer Object Recognized!
> > Type : RegValue
> > Data : Wildflics
> > Category : Dialer
> > Comment : ""
> > Rootkey : HKEY_LOCAL_MACHINE
> > Object : software\microsoft\windows\currentversion\run
>


 

Lots of malware there most carrying the name Norton and Symantec none of
which works well on PC and perhaps not doing its job of keeping the system
clean. :-)

Moving on, I'm not sure why you have C:\WINDOWS\SYSTEM\WINOA386.MOD
running which will appear in Taskman as Winoldap, presumably you have some
old legacy DOS application running. If not be suspicious but I'm not sure
how it's being launched.

I don't like O4 - HKLM\..\Run: [TkBellExe]
:\WINDOWS\TEMP\~rnsetup\RNADMIN\realsched.exe -osboot and can only assume
that you ran HJT in the middle of an install as nothing should be running
from the Temp folder. Either that or you've installed RealPlayer to your
temp folder. This probably also relates to
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
http://software-dl.real.com/133e3d [...] xIE601.cab

I can see nothing that I might identify as being a Wildflics dialler. Is
it possible that you have now cleaned this entry successfully? I can see
lots that I would personally prune or remove but nothing that I would
think would set alarm bells running that I haven't already mentioned.
--
Mike Maltby
mike.maltby@gmail.com


OM <Nomail@msn.com> wrote:

> Thanks Mike. Have done as you suggested and waiting for answers or
> suggestions from the BLOG.
> Would you have any any suggestions from my HijackThis log?? Would the
> startup information give any help?
>
> OM
> ------------
> Logfile of HijackThis v1.99.1
> Scan saved at 11:07:36 AM, on 7/13/2005
> Platform: Windows ME (Win9x 4.90.3000)
> MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
>
> Running processes:
> C:\WINDOWS\SYSTEM\KERNEL32.DLL
> C:\WINDOWS\SYSTEM\MSGSRV32.EXE
> C:\WINDOWS\SYSTEM\mmtask.tsk
> C:\PROGRAM FILES\NORTON INTERNET SECURITY FAMILY EDITION\NISSERV.EXE
> C:\WINDOWS\SYSTEM\MPREXE.EXE
> C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
> C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
> C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
> C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
> C:\WINDOWS\SYSTEM\MSTASK.EXE
> C:\WINDOWS\SYSTEM\STIMON.EXE
> C:\PROGRAM FILES\APC\APC POWERCHUTE PERSONAL EDITION\MAINSERV.EXE
> C:\WINDOWS\EXPLORER.EXE
> C:\PROGRAM FILES\NORTON INTERNET SECURITY FAMILY EDITION\NISUM.EXE
> C:\PROGRAM FILES\NORTON INTERNET SECURITY FAMILY EDITION\IAMAPP.EXE
> C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
> C:\PROGRAM FILES\NORTON INTERNET SECURITY FAMILY EDITION\ATRACK.EXE
> C:\PROGRAM FILES\STOPZILLA!\STOPZILLA.EXE
> C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
> C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
> C:\WINDOWS\SYSTEM\INTERNAT.EXE
> C:\WINDOWS\SYSTEM\QTTASK.EXE
> C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
> C:\WINDOWS\SYSTEM\SYSTRAY.EXE
> C:\WINDOWS\TASKMON.EXE
> C:\WINDOWS\SYSTEM\WMIEXE.EXE
> C:\PROGRAM FILES\BESTPOPUPKILLER\BESTPOPUPKILLER.EXE
> C:\PROGRAM FILES\NORTON UTILITIES\SYSDOC32.EXE
> C:\PROGRAM FILES\APC\APC POWERCHUTE PERSONAL EDITION\APCSYSTRAY.EXE
> C:\WINDOWS\SYSTEM\WINOA386.MOD
> C:\HJT\HIJACKTH.EXE
>
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
> http://www.mchsi.com/hendersonville
> F1 - win.ini: run=hpfsched
> O2 - BHO: AcroIEHlprObj Class -
> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM
> FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
> O2 - BHO: STOPzilla Browser Helper Object -
> {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\SYSTEM\SZIEBHO.dll
> O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
> C:\Program Files\Norton AntiVirus\NavShExt.dll
> O2 - BHO: Google Toolbar Helper -
> {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program
> files\google\googletoolbar2.dll
> O3 - Toolbar: Norton AntiVirus -
> {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton
> AntiVirus\NavShExt.dll
> O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
> c:\program files\google\googletoolbar2.dll
> O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
> C:\WINDOWS\SYSTEM\MSDXM.OCX
> O4 - HKLM\..\Run: [STOPzilla] "C:\Program
> Files\STOPzilla!\Stopzilla.exe" /autorun
> O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
> Shared\ccApp.exe"
> O4 - HKLM\..\Run: [GDRIVE] C:\IBMTOOLS\IBMBOOT\GDRIVE.EXE -N
> O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
> O4 - HKLM\..\Run: [internat.exe] internat.exe
> O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
> powrprof.dll,LoadCurrentPwrScheme
> O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec
> Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
> O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton
> Utilities\NPROTECT.EXE O4 - HKLM\..\Run: [PCHealth]
> C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
> O4 - HKLM\..\Run: [QuickTime Task]
> "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
> O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
> O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common
> Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
> O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
> O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
> O4 - HKLM\..\Run: [TkBellExe]
> :\WINDOWS\TEMP\~rnsetup\RNADMIN\realsched.exe -osboot
> O4 - HKLM\..\Run: [Ad-Aware] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE
> PLUS\AD-AWARE.EXE" +c
> O4 - HKLM\..\Run: [Symantec NetDriver Monitor]
> C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
> O4 - HKLM\..\RunServices: [*StateMgr]
> C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices:
> [STOPzilla Service] C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
> O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common
> Files\Symantec Shared\ccEvtMgr.exe"
> O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common
> Files\Symantec Shared\ccSetMgr.exe"
> O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
> powrprof.dll,LoadCurrentPwrScheme
> O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton
> Utilities\NPROTECT.EXE
> O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
> O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common
> Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
> O4 - HKLM\..\RunServices: [StillImageMonitor]
> C:\WINDOWS\SYSTEM\STIMON.EXE O4 - HKLM\..\RunServices: [APC_SERVICE]
> C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
> O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program
> Files\BestPopUpKiller\BestPopupKiller.exe /startup
> O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe
> /startup
> O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
> O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
> Office\Office10\OSA.EXE
> O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton
> Utilities\SYSDOC32.EXE
> O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
> Files\Adobe\Calibration\Adobe Gamma Loader.exe
> O4 - Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute
> Personal Edition\Display.exe
> O4 - Global Startup: NetShow PowerPoint Helper.lnk = C:\Program
> Files\NetShow Services\Tools\nsppthlp.exe
> O8 - Extra context menu item: &Google Search - res://C:\PROGRAM
> FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
> O8 - Extra context menu item: Cached Snapshot of Page -
> res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
> O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM
> FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
> O8 - Extra context menu item: Backward Links - res://C:\PROGRAM
> FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
> O8 - Extra context menu item: Translate into English -
> res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
> O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
> O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) -
> http://updates.lifescapeinc.com/in [...] nstall.cab
> O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) -
> http://www.stopzilla.com/_download [...] dwnldr.cab
> O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo
> Class) -
> https://www-secure.symantec.com/tec [...] mAData.cab
> O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj
> Class) -
> https://www-secure.symantec.com/tec [...] veData.cab
> O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
> http://software-dl.real.com/133e3d [...] xIE601.cab
> O16 - DPF: {0957C19A-D854-482A-A4F9-18856C723D7D} (XNC600NetCam
> Control) - http://www.forsythe.tzo.net:1080/XNC600NetCam.cab
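
The two checks made in the reply above (searching the autostart entries for the name Ad-Aware reported, and objecting to anything that starts from a Temp folder) can be run mechanically over a pasted log. This is an added example, not part of the original thread and not HijackThis code; the function names and the `CONSTRUCTED_LINE` entry are assumptions made for the illustration, and it assumes each log entry starts on its own line.

```python
import re
from dataclasses import dataclass

# Excerpt of the O4 section of the log posted in this thread, left wrapped the
# way the newsreader wrapped it so the re-joining step has real work to do.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe"
/autorun
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [TkBellExe]
:\WINDOWS\TEMP\~rnsetup\RNADMIN\realsched.exe -osboot
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM
FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
"""

# Constructed entry (not from the thread): what a Run value carrying the name
# Ad-Aware reported would look like in a log. The path is a placeholder.
CONSTRUCTED_LINE = r"O4 - HKLM\..\Run: [Wildflics] C:\EXAMPLE\placeholder.exe"

QUOTE_PREFIX = re.compile(r"^(?:>\s?)+")          # "> " markers from quoted replies
ENTRY_START = re.compile(r"^(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")
O4_REGISTRY = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] ?(.*)$")
O4_STARTUP = re.compile(r"^O4 - ((?:Global )?Startup): (.+?) = (.*)$")
EXECUTABLE = re.compile(
    r'^"([^"]+)"|^(.*?\.(?:exe|com|bat|dll|scr|pif))(?=\s|$)', re.I
)
TEMP_DIRS = {"temp", "tmp", "temporary internet files"}


@dataclass
class Autostart:
    location: str   # e.g. "HKLM\Run", "HKCU\Run", "Startup"
    name: str       # registry value name or shortcut name
    command: str    # full command line as logged

    @property
    def executable(self):
        """Program path without its arguments (quoted or unquoted form)."""
        m = EXECUTABLE.match(self.command)
        return (m.group(1) or m.group(2)) if m else self.command

    @property
    def runs_from_temp(self):
        """True when any directory in the path is a temp folder."""
        dirs = self.executable.lower().split("\\")[:-1]
        return any(d in TEMP_DIRS for d in dirs)


def unwrap(text):
    """Re-join entries that a mail or news client wrapped across lines."""
    entries, open_entry = [], False
    for raw in text.splitlines():
        line = QUOTE_PREFIX.sub("", raw.strip()).strip()
        if not line:
            open_entry = False            # a blank line ends any continuation
        elif ENTRY_START.match(line):
            entries.append(line)
            open_entry = True
        elif open_entry:
            entries[-1] += " " + line     # wraps happen at spaces
    return entries


def parse_o4(text):
    """Return the O4 (autostart) entries of a HijackThis log as Autostart objects."""
    found = []
    for entry in unwrap(text):
        reg = O4_REGISTRY.match(entry)
        if reg:
            hive, key, name, command = reg.groups()
            found.append(Autostart(f"{hive}\\{key}", name, command))
            continue
        lnk = O4_STARTUP.match(entry)
        if lnk:
            found.append(Autostart(*lnk.groups()))
    return found


def find_by_keyword(entries, keyword):
    """Entries whose value name or command mentions the keyword (case-insensitive)."""
    k = keyword.lower()
    return [e for e in entries if k in e.name.lower() or k in e.command.lower()]


if __name__ == "__main__":
    entries = parse_o4(SAMPLE_LOG)
    for e in entries:
        flag = "TEMP" if e.runs_from_temp else "    "
        print(f"{flag}  {e.location:<16} {e.name:<22} {e.executable}")
    print("keyword hits:", find_by_keyword(entries, "Wildflics"))
```

On the excerpt only the `TkBellExe` entry is flagged and the keyword search comes back empty, which matches what the reply reports for the full log.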


 

"Mike M" <No_Spam@Corned_Beef.Only> wrote in message
news:#$bEw#9hFHA.572@TK2MSFTNGP15.phx.gbl...


Re: "clear your Temp folder and Temporary Internet Files and then run
hijackthis.exe"

Mike - Before running HijackThis, I cleared the c:\temp folder & the
C:\windows\Temporary Internet Files folder.
Should I have also cleared the contents out of these other TEMP folders
before running HijackThis?

OM

*** TEMP FOLDERS on my system ***
C:\temp
C:\WINDOWS\Temporary Internet Files

C:\_RESTORE\TEMP
C:\WINDOWS\TEMP
C:\WINDOWS\SYSTEM\URTTemp
C:\WINDOWS\PCHEALTH\SUPPORT\Temp
C:\WINDOWS\PCHEALTH\HELPCTR\Temp
C:\WINDOWS\TEMP\~msetup\TEMP
C:\WINDOWS\Application Data\Symantec\Norton AntiVirus\Temp
C:\WINDOWS\assembly\temp


> Lots of malware there most carrying the name Norton and Symantec none of
> which works well on PC and perhaps not doing its job of keeping the system
> clean. :-)

What's your suggestion for better protection? I also use the Linksys Router
for its firewall. Does a nice job of keeping the Trojans out.

> Moving on, I'm not sure why you have C:\WINDOWS\SYSTEM\WINOA386.MOD
> running which will appear in Taskman as Winoldap, presumably you have some
> old legacy DOS application running. If not be suspicious but I'm not sure
> how it's being launched.

Is there a safe way to take this out and put it back in, if needed? I run
grep and brief in DOS to edit and search various text (radio log) files. Old
habits are hard to break.

> I don't like O4 - HKLM\..\Run: [TkBellExe]
> :\WINDOWS\TEMP\~rnsetup\RNADMIN\realsched.exe -osboot and can only assume
> that you ran HJT in the middle of an install as nothing should be running
> from the Temp folder. Either that or you've installed RealPlayer to your
> temp folder. This probably also relates to
> O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
> http://software-dl.real.com/133e3d [...] xIE601.cab

Still looking into this one.

OM


 

By default the windows and user temp folder is C:\Windows\Temp. It
appears that you have both this folder and also a C:\Temp, presumably
created by some application you have installed or by yourself if you chose
to alter the default. I would certainly clear the C:\Windows\Temp folder
although it does appear that you have at least one application (part of
real player) running in this folder which is not advisable.

You can safely ignore C:\_RESTORE\TEMP (part of system restore and cannot
be emptied when windows is running), C:\WINDOWS\PCHEALTH\SUPPORT\Temp,
C:\WINDOWS\PCHEALTH\HELPCTR\Temp and C:\WINDOWS\Application
Data\Symantec\Norton AntiVirus\Temp

C:\WINDOWS\SYSTEM\URTTemp and C:\WINDOWS\assembly\temp are both used by
the .NET Framework and would suggest you leave them untouched.

There's no need to worry about C:\WINDOWS\SYSTEM\WINOA386.MOD as long as
you know why it is being launched. It isn't being launched when you boot
Win Me but rather when you first use one of your older apps.

As for a possible alternative to Norton, well the choice is wide, with
virtually any product being better with possibilities ranging from the
free AVG AV application through the likes of AVAST, Computer Associates
ETrust and Panda to NOD32 and Kaspersky. Which depends on the depth of
your pocket. Personally I mainly use eTrust (currently free for the first
year), AVG where the user doesn't want to pay and NOD32 or Kaspersky where
they don't mind paying for peace of mind.
--
Mike Maltby
mike.maltby@gmail.com


OM <Nomail@msn.com> wrote:

> "Mike M" <No_Spam@Corned_Beef.Only> wrote in message
> news:#$bEw#9hFHA.572@TK2MSFTNGP15.phx.gbl...
>
>
> Re: "clear your Temp folder and Temporary Internet Files and then run
> hijackthis.exe"
>
> Mike - Before running HijackThis, I cleared the c:\temp folder & the
> C:\windows\Temporary Internet Files folder.
> Should I have also cleared the contents out of these other TEMP
> folders before running HijackThis?
>
> OM
>
> *** TEMP FOLDERS on my system ***
> C:\temp
> C:\WINDOWS\Temporary Internet Files
>
> C:\_RESTORE\TEMP
> C:\WINDOWS\TEMP
> C:\WINDOWS\SYSTEM\URTTemp
> C:\WINDOWS\PCHEALTH\SUPPORT\Temp
> C:\WINDOWS\PCHEALTH\HELPCTR\Temp
> C:\WINDOWS\TEMP\~msetup\TEMP
> C:\WINDOWS\Application Data\Symantec\Norton AntiVirus\Temp
> C:\WINDOWS\assembly\temp
>
>
>> Lots of malware there most carrying the name Norton and Symantec
>> none of which works well on PC and perhaps not doing its job of
>> keeping the system clean. :-)
>
> What's your suggestion for better protection? I also use the Linksys
> Router for its firewall. Does a nice job of keeping the Trojans out.
>
>> Moving on, I'm not sure why you have C:\WINDOWS\SYSTEM\WINOA386.MOD
>> running which will appear in Taskman as Winoldap, presumably you
>> have some old legacy DOS application running. If not be suspicious
>> but I'm not sure how it's being launched.
>
> Is there a safe way to take this out and put it back in, if needed? I
> run grep and brief in DOS to edit and search various text (radio log)
> files. Old habits are hard to break.
>
>> I don't like O4 - HKLM\..\Run: [TkBellExe]
>> :\WINDOWS\TEMP\~rnsetup\RNADMIN\realsched.exe -osboot and can only
>> assume that you ran HJT in the middle of an install as nothing
>> should be running from the Temp folder. Either that or you've
>> installed RealPlayer to your temp folder. This probably also relates
>> to
>> O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
>> http://software-dl.real.com/133e3d [...] xIE601.cab
>
> Still looking into this one.
>
> OM


 

Forget the forehead - most people see other parts of their anatomy more
often!
<VBEG>

--
Noel Paton (MS-MVP 2002-2005, Windows)

Nil Carborundum Illegitemi
http://www.btinternet.com/~winnoel/millsrpch.htm

http://tinyurl.com/6oztj

Please read http://dts-l.org/goodpost.htm on how to post messages to NG's

"Shane" <shanebeatson@gmail.com> wrote in message
news:%23fP99X4hFHA.1464@TK2MSFTNGP14.phx.gbl...
>> Don't click on or download files unless you know you want them and the
>> consequences of doing so.
>
> That's concise, Mike! That should perhaps be tattooed on people's
> foreheads when they buy their first computer!
>
>
> Shane
>


 

"Noel Paton" <NoelDPspamless@btopenworld.com> wrote in message
news:e5Soc1JiFHA.3436@tk2msftngp13.phx.gbl...
> Forget the forehead - most people see other parts of their anatomy more
> often!
> <VBEG>
>
> --
> Noel Paton (MS-MVP 2002-2005, Windows)
>
> Nil Carborundum Illegitemi
> http://www.btinternet.com/~winnoel/millsrpch.htm
>
> http://tinyurl.com/6oztj
>
> Please read http://dts-l.org/goodpost.htm on how to post messages to NG's
>
> "Shane" <shanebeatson@gmail.com> wrote in message
> news:%23fP99X4hFHA.1464@TK2MSFTNGP14.phx.gbl...
> >> Don't click on or download files unless you know you want them and the
> >> consequences of doing so.
> >
> > That's concise, Mike! That should perhaps be tattooed on people's
> > foreheads when they buy their first computer!
> >
> >
> > Shane

Gee - that's real helpful. OM


 

"OM" <Nomail@msn.com> wrote in message
news:e1yBe.153339$_o.38495@attbi_s71...
>
> "Noel Paton" <NoelDPspamless@btopenworld.com> wrote in message
> news:e5Soc1JiFHA.3436@tk2msftngp13.phx.gbl...
>> Forget the forehead - most people see other parts of their anatomy more
>> often!
>> <VBEG>
>>
>> --
>> Noel Paton (MS-MVP 2002-2005, Windows)
>>
>> Nil Carborundum Illegitemi
>> http://www.btinternet.com/~winnoel/millsrpch.htm
>>
>> http://tinyurl.com/6oztj
>>
>> Please read http://dts-l.org/goodpost.htm on how to post messages to NG's
>>
>> "Shane" <shanebeatson@gmail.com> wrote in message
>> news:%23fP99X4hFHA.1464@TK2MSFTNGP14.phx.gbl...
>> >> Don't click on or download files unless you know you want them and the
>> >> consequences of doing so.
>> >
>> > That's concise, Mike! That should perhaps be tattooed on people's
>> > foreheads when they buy their first computer!
>> >
>> >
>> > Shane
>
> Gee - that's real helpful. OM
>

Gee - you already got helped, didn't you? Or do you own this thread?


Shane
