Malware name :Win32:Dialer - 1154 [Trj]

I have Avast 4 home edition for Windows 98 SE in Italian edition. I will translate from Italian to English the warnings received.
FOUND MALWARE
file name : C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\GDYB0DIJ\2026[1].EXE[UPX]
Malware name :Win32:Dialer - 1154 [trj]
VPS version 0800208-0, 08/02/2008

For all the possible actions, “Move/Change name”, “delete” and “move to the trash”, I received the same answer:
Avast File not compressed
it is not possible to process the file: C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\GDYB0DIJ\2026[1].EXE[UPX].

So the only thing that I could do is to click on the OK tab.
I have not been able to find that file in the indicated directory.

Sometimes this malware modifies the starting pages of the Internet Option, with an address that changes every time.

You have one of three or four possible malwares. To determine which one it is, and thereby the cure, I would like you to run this analysis programme.

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
[*]Close all other windows before proceeding.
[*]Double-click on dss.exe and follow the prompts.
[*]When it has finished, dss will open two Notepads main.txt and extra.txt – please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

I have followed your mail. The file dss.exe is on the desktop, but I am not able to start it, neither with the double click nor using the right click and then “open”. I have tried also with the “Start” on the Taskbar and the “RUN” of the file DSS.exe. I have also paused the Provider “Standard Protection”, thinking that it was necessary to run DSS.
Nothing. The malware has the same name, but changes the directory.
The last two warnings are
2/9/08 5:53 PM
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\EJOPN1QO\2026[1].EXE[UPX]
2/9/08 6:01 PM
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\GDYB0DIJ\2026[1].EXE[UPX]
Attached is what appears on my computer.

OK, let's try a quick and dirty scan to see what I can glean from that.

Download & Run HijackThis.exe

[*]Download HJTInstall.exe to your Desktop.
[*]Doubleclick HJTInstall.exe to install it.
[*]By default it will install to C:\Program Files\Trend Micro\HijackThis .
[*]Click on Install.
[*]It will create a HijackThis icon on the desktop.
[*]Once installed, it will launch Hijackthis.
[*]Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
[*]Copy/Paste the log to your next reply please.

Don’t use the Analyse This button, its findings are dangerous if misinterpreted.
Don’t have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

I have done what you suggested. The log file is pasted below.
Anyhow, I have sent to support@avast.com a complete report of what happens when the malware starts and what the answers from AVAST are when I use any of the actions that AVAST suggests.

If you want, I can also send this to you, together with the screenshot saved in a .htm file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17.27.19, on 12/02/08
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAMMI\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE
C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\MHOTKEY.EXE
C:\WINDOWS\SYSTEM\KHOOKER.EXE
C:\WINDOWS\SYSTEM\CHTVINIT.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAMMI\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\TPPALDR.EXE
C:\PROGRAMMI\FILE COMUNI\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAMMI\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\E_S6I0A1.EXE
C:\IMAGEMATE COMPACTFLASH USB\SANDICON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAMMI\MICROSOFT OFFICE\OFFICE10\WINWORD.EXE
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fastweb.it/portale/?benvenuto=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\PROGRAMMI\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\PROGRAMMI\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CHotKey] mHotkey.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
O4 - HKLM\..\Run: [ChrontelInitTV] CHTVINIT.EXE
O4 - HKLM\..\Run: [AlpsPoint] C:\Progra~1\Apoint\Apoint.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [CreateCD50] "C:\Programmi\File comuni\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [EPSON Stylus D68 Series] C:\WINDOWS\SYSTEM\E_S6I0A1.EXE /P23 "EPSON Stylus D68 Series" /O5 "LPT1:" /M "Stylus D68"
O4 - HKLM\..\Run: [Device Detector] DEVDETECT.EXE -autorun
O4 - HKLM\..\Run: [SandIcon] C:\ImageMate CompactFlash USB\SandIcon.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SETUP98] C:\WINDOWS\98SETUP.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [wimsnn] Wscript C:\WINDOWS\LICENSEMSE.VBS /B
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ALU Scheduler Service] C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O4 - HKLM\..\RunServices: [avast!] C:\Programmi\Alwil Software\Avast4\ashServ.exe
O4 - .DEFAULT Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE (User ‘Default user’)
O4 - Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = fastweb.it
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 213.156.54.80,213.156.54.81


End of file - 5338 bytes

Hmm… does ChrontelInitTV mean anything to you? If it doesn’t, then C:\WINDOWS\SYSTEM\CHTVINIT.EXE might be bad. The only oddball file that sticks out is O4 - HKLM\..\Run: [wimsnn] Wscript C:\WINDOWS\LICENSEMSE.VBS /B, and from my Google searches it is hard to tell what this is. See if you can answer my questions and wait for an admin to help you out more :smiley:
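The by-eye triage of the O4 autostart entries in the reply above, as an added example that is not part of the original thread and not a HijackThis feature: it parses the O4 lines, flags entries started through a script host, and notes entries whose program is absent from the "Running processes" section. The sample log is constructed from a few lines of the log posted above; the function names and the two flag labels are assumptions of this example.

```python
import ntpath
import re

# Constructed sample: a few lines from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\CHTVINIT.EXE
C:\PROGRAMMI\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ChrontelInitTV] CHTVINIT.EXE
O4 - HKLM\..\Run: [SETUP98] C:\WINDOWS\98SETUP.EXE
O4 - HKLM\..\Run: [wimsnn] Wscript C:\WINDOWS\LICENSEMSE.VBS /B
O4 - HKLM\..\RunServices: [avast!] C:\Programmi\Alwil Software\Avast4\ashServ.exe
"""

# Accepts "HKLM\..\Run" and the "HKLM..\Run" form that forum software produces.
O4_RE = re.compile(r"^O4 - (HK\w+)\\?\.\.\\(Run\w*): \[(.+?)\] (.+)$")
# Unquoted program paths may contain spaces, so cut at the first executable suffix.
EXE_RE = re.compile(r"^(.+?\.(?:exe|com|bat|pif|scr))(?=\s|$)", re.I)
# Quoted program path; curly quotes appear when a forum "smartens" the log.
QUOTED_RE = re.compile(r'^["\u201c]([^"\u201d]+)["\u201d]\s*(.*)$')
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def split_command(cmd):
    """Split an autorun command line into (program, arguments)."""
    m = QUOTED_RE.match(cmd)
    if m:
        return m.group(1), m.group(2)
    m = EXE_RE.match(cmd)
    if m:
        return m.group(1), cmd[m.end():].strip()
    prog, _, rest = cmd.partition(" ")  # e.g. "Wscript <script> /B"
    return prog, rest.strip()


def image_name(program):
    """Lower-case file name of a Windows path, with .exe assumed if no suffix."""
    name = ntpath.basename(program).lower()
    return name if "." in name else name + ".exe"


def running_images(log):
    """File names listed under 'Running processes:' up to the first blank line."""
    names, in_section = set(), False
    for line in log.splitlines():
        if line.strip() == "Running processes:":
            in_section = True
        elif in_section and not line.strip():
            break
        elif in_section:
            names.add(image_name(line.strip()))
    return names


def triage(log):
    """Return one finding per O4 Run/RunServices entry, with review flags."""
    running = running_images(log)
    findings = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, name, cmd = m.groups()
        program, args = split_command(cmd)
        image = image_name(program)
        flags = []
        if image in SCRIPT_HOSTS:
            # What actually runs is the script, so report its path for review.
            # (A script path containing spaces would be cut at the first space.)
            script = next((a for a in args.split() if a[0] not in "/-"), "?")
            flags.append("script-host:" + script)
        if image not in running:
            # Informational only: many legitimate entries run once and exit.
            flags.append("not-running")
        findings.append({"key": hive + "\\" + key, "name": name,
                         "image": image, "flags": flags})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["name"], f["image"], f["flags"])
```
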

Hi there, nothing evident from the log, so I will take a two-prong approach here.

FIRST

Download and run crapcleaner slim from here to clear your temp files http://www.majorgeeks.com/downloadget.php?id=4191&file=10&evp=a12d758b021af1a4f0a6bfe45b0c7a82

THEN

Download and then run SuperAntispyware

[*]On the first page select Check for Updates
[*]On completion select SCAN YOUR COMPUTER
[*]On the next page select COMPLETE SCAN and tick ALL your drives
[*]The next stage will take a while as your entire drive(s), memory and registry are scanned
[*]When it has completed click NEXT
[*]The next screen shows the problems found click OK
[*]On the next screen place a tick against all items and select NEXT
[*]Now, to get the log, go to the PREFERENCES button on the right bottom
[*]Select the STATISTICS/LOG tab
[*]Highlight the scan just completed and click VIEW LOG
[*]This will open a Notepad text file; copy and paste this to your next reply

If you could post the superantispyware log on completion - both programmes work on win98

I ran CCleaner, which I have installed following your suggestions.
The log file is very long. If you want, I can send it to you.
I have also installed SuperAntiSpyware and the log file is pasted below.

The virus is still here; in this session it started twice.
I want to know if I can install SpyWare Doctor 4.1 from Pctools (freeware) and if I have to uninstall Avast and afterwards reinstall it again!

Moreover, there is the Virus Cleaner from Avast. I do not know if this software can run on Windows 98, and if it can run without uninstalling Avast, and if it can find and delete my virus.

I can send you a file with a complete description and an attached file where you can see the windows that appear when the virus starts and Avast detects it.
Let me know

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/19/2008 at 05:49 PM

Application Version : 3.9.1008

Core Rules Database Version : 3405
Trace Rules Database Version: 1397

Scan type : Complete Scan
Total Scan Time : 01:06:59

Memory items scanned : 219
Memory threats detected : 0
Registry items scanned : 2572
Registry threats detected : 0
File items scanned : 33264
File threats detected : 6

Adware.Tracking Cookie
C:\WINDOWS\Profiles\io\Cookies\io@cgi-bin[1].txt
C:\WINDOWS\Profiles\io\Cookies\io@mediaplex[1].txt
C:\WINDOWS\Profiles\io\Cookies\io@cgi-bin[2].txt
C:\WINDOWS\Profiles\io\Cookies\io@tribalfusion[1].txt
C:\WINDOWS\Profiles\io\Cookies\io@statse.webtrendslive[2].txt
C:\WINDOWS\Profiles\io\Cookies\io@www.banneradmin.rai[1].txt

I can post (or send, where??) a complete report of what happens when the malware starts and what the answers from AVAST are when I use any of the actions that AVAST suggests, together with 4 screenshots saved in a zip file.
Thanks

Could you send me the file please? I will PM my e-mail address.

This is the report, and attached is the zip file.

I have already sent on 10 February 2008 this mail, written in Italian, to support@avast.com.
Now I am sending it in English, hoping to have an answer.
I cannot send the file that contains the virus, because Avast 4 home edition for Windows 98 SE is able to detect the virus, but is unable to perform any suggested action on it, as you can see from the following. Moreover, when I start the scan of the system with Avast, this virus is not detected! If I make a search for the infected file, it does not exist! For this reason I cannot mail it to virus@avast.com.
I would like to know if I can run the free Avast Virus Cleaner on my Windows 98 SE and if this can solve the problem.

REQUESTED INFO:

OPERATING SYSTEM: WINDOWS 98 SE
AVAST VERSION: 4 home edition version 4-7-1098 (for Windows 98)
VPS file 080218-0 18/02/2008
HARDWARE:
Intel Pentium III 850 MHz, 256 MB RAM
INTERNET CONNECTION:
provider (FASTWEB) with Optic Fiber with LAN port
EMAIL Program
Netscape V. 4.77
SECURITY SOFTWARE
Avast 4 home edition for Windows 98 SE.

ERROR MESSAGES
Avast sends me an error that says:
FOUND MALWARE
file name : C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\GDYB0DIJ\2026[1].EXE[UPX]
Malware name :Win32:Dialer - 1154 [trj]
see FIG 1 in file SCREEN_SHOTS.zip attached
Whatever action I perform, “move/rename”, “Delete” or “Move to the Chest”, I received the same answer:
Avast File not compressed
it is not possible to process the file: C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\GDYB0DIJ\2026[1].EXE[UPX].
see FIG 2 in file SCREEN_SHOTS.zip attached

At this point I can only click on the “OK” tab and continue.

The malware does not appear again, unless I start a connection to the Internet.
The type of virus is always the same; the only change is the directory where Avast finds it. For example, another directory is this:
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\EJOPN1QO\2026[1].EXE[UPX]
I will add two other pieces of information: together with the Avast alarm, there always appears a pop-up by BASE ACTIVITIES LIMITED
see FIG 3 in file SCREEN_SHOTS.zip attached
I have also been to see the Certification of this BASE ACTIVITIES LIMITED and this information appears
see FIG 4 in file SCREEN_SHOTS.zip attached
During this session, the virus has been detected by Avast and I went to see the temporary Internet files created at that moment in the same directory of temporary files where today Avast found the virus.
These are the files that could be suspected.

C:\WINDOWS\Temporary Internet Files\Content.IE5\C161UV6L\sabupdate[1].html
C:\WINDOWS\Temporary Internet Files\Content.IE5\C161UV6L\ script-60[1].php
C:\WINDOWS\Temporary Internet Files\Content.IE5\C161UV6L\ track2[1].php
C:\WINDOWS\Temporary Internet Files\Content.IE5\C161UV6L\ winscript-57[1].htm

Hi angeaa, 98 is a hard thing to find programmes for, but this should work.

Download WinPFind35u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.

[*]Close ALL OTHER PROGRAMS.
[*]Open the WinPFind35u folder and double-click on WinPFind35u.exe to start the program.
[*]Check the box that says Scan All User Accounts
[*]Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
[*]Under Additional Scans check the following:
[*]Reg - BotCheck
[*]File - Additional Folder Scans
[*]File - Purity Scan

[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:
[*]Click Add Reply
[*]Under the reply panel is the Attachments Panel
[*]Browse for the attachment file you want to upload, then click the green Upload button
[*]Once it has uploaded, click the Manage Current Attachments drop down box
[*]Click on
http://www.geekstogo.com/forum/style_images/11168623649/folder_attach_images/attach_add.png
to insert the attachment into your post

First of all:
WinPFind35u.exe cannot run on Windows 98. On starting it I received an error that says that it cannot run on versions of Windows prior to the NT version!

Second
I hope that you received the mail that I sent you after my last post. It contains the same info as the post.

Third
Yesterday afternoon, Avast was able to find the virus as usual when the virus starts. But clicking on “Move to the Chest” this time it worked. The file was really moved to the Chest. Then I found the virus in the Chest. Before cancelling it I tried to send the file with the virus to Avast, as suggested. But the system was blocked.
Then I started again and this time I was able to send the virus, but there was a problem with the mail, and I closed without being able to really send the mail.

In the evening I started the Avast scan with maximum protection, and no virus was found.
Today I am not able to see the result of that scan!
Could Avast be corrupted!? In fact yesterday evening Avast disappeared from the taskbar on the bottom.

Today I found the mail that was not sent, and after a series of troubles, I was able to send this mail to Avast:

:CHEST_ANALYZE:<<

Virus name: Win32:Dialer-1154 [trj]
Original file location: C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\C161UV6L\2026[1].EXE
Computer name: IO
Transfer time: 21.02.2008 17:24:42
Modification time: 21.02.2008 15:22:38
Total size: 21840
Comment:

File ID: 5
Category: 1
OS:
Microsoft Windows 98 SE

When I opened Windows again, the virus was still there, and IEXPLORE was blocked… Then I opened the Chest and was able to cancel the file.
I was happy, but on restarting Windows the virus is more alive than before!
I have not received any answer to the mails sent to SUPPORT@avast.com and VIRUS@avast.com.
I have also clicked on “virus Archive”, and found 4 viruses named “2026”, but I do not know what else I can do.
I want to know if I can install SpyWare Doctor 4.1 from Pctools (freeware) and if I have to uninstall Avast and afterwards reinstall it again! Or if I can use Virus Cleaner from Avast, together with Avast antivirus.

Post Scriptum

If I click on reply I have:

Attach: (more attachments)
Allowed file types: txt, jpg, gif, png, log
Maximum attachment size allowed: 200 KB, per post: 4

So it seems different from what you write, but it seems that the attachment works, unless there is a different way.

Hi angeaa. Yep, I received your mail, thanks. Download the PC Tools as that appears to work with 98.

What I really need to do is find the driver/initiator for the malware, because until that is removed, no matter how often you put the alerted file in quarantine, it will still re-appear.

Let's try another of my analysis tools - this one does not say whether or not it works in 98 but then it does not say that it will not…

The zip files from this programme will need to be mailed to me as the forum will not accept them as attachments

We will now do a deep search of your processes and files

Download avz4.zip from here

[*]Unzip it to your desktop to a folder named avz4
[*]Double click on AVZ.exe to run it.
[*]Run an update by clicking the Auto Update button on the Right of the Log window:
http://rathat.geekstogo.com/images/AVZupdate.jpg

[*]Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again

[*] Start AVZ.

[*] Choose from the menu “File” => “Standard scripts” and mark the “Healing/Quarantine and Advanced System Investigation” check box.
[*] Click on the “Execute selected scripts”.
[*] Automatic scanning, healing and system check will be executed.
[*] A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
[*] It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
[*] All applications will work properly after the system restart.

When restarted

[*] Start AVZ.

[*] Choose from the menu “File” => “Standard scripts” and mark the “Advanced System Investigation” check box.
[*] Click on the “Execute selected scripts”.
[*] A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Thanks for the files, angeaa. A thorough search has only brought up one unknown which, after 20 pages of Google, comes up unknown. So I will quarantine that and see if that is the culprit.

AVZ FIX

[*] Double click on AVZ.exe
[*] Click File > Custom scripts
[*] Copy & paste the contents of the following codebox in the box in the program (start with begin and end with end )

begin
 SetAVZGuardStatus(True);
 SearchRootkit(true, true);
 DeleteFile('C:\WINDOWS\SYSTEM\CHTVINIT.EXE');
 BC_ImportDeletedList;
 ExecuteSysClean;
 BC_Activate;
 RebootWindows(true);
end.

[*] Note: When you run the script, your PC will be restarted
[*] Click Run
[*] Restart your PC if it doesn't do it automatically.

ON COMPLETION

[*] Start AVZ.

[*] Choose from the menu “File” => “Standard scripts” and mark the “Advanced System Investigation” check box.
[*] Click on the “Execute selected scripts”.
[*] A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach the zip file to your next post

Yes, it is a Russian programme and I think it has links with Kaspersky. There is an English forum now. When you run it after the fix, can you check your D drive as well, ta

English forum here http://virusinfo.info/showthread.php?t=9184
I really must learn Italian or Portuguese as that is where most of my searches have led me, and I am not overly confident with Google's translation ability.

What I intend doing now is remove from start items where I can only get vague information and run a trial and error analysis.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [wimsnn] Wscript C:\WINDOWS\LICENSEMSE.VBS /B
O4 - HKLM\..\Run: [SETUP98] C:\WINDOWS\98SETUP.EXE

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

ALSO

As I have not been able to find a deep scanner for 98 could you see whether you have any of these folders under Program Files
%Program Files%\0190 Warner
%Program Files%\a2
%Program Files%\Coolspot\Dialer Control
%Program Files%\Popupkiller
%Program Files%\MicroSoft AntiSpyware

Or either of these two drivers
%System%\DRIVERS\vmx_svga.sys
%System%\DRIVERS\vpc-s3.sys

Also do you know what this programme is on your D drive
ZZPC_info\PC_profess

Lots of questions I am afraid

When I clicked on Fix Checked the HiJackThis window remained white, then I closed it. So I do not know what happened. The only thing is that in the past I received some warnings about the file LICENSEMSE.VBS /B, but in the end no more. I do not know why.
About the files to check, the first seven are not present anywhere on the C disk, where all the programs are installed.
The files ZZPC_info\PC_profess are some files taken, I think, from a CD bought together with an Italian magazine called PC professional.
I can delete them without problem.
I also have the log file created by HiJackThis, but you did not ask me to send it.
If you want, I will send it.

For the English forum http://virusinfo.info/showthread.php?t=9184 I had a look. Do you have some suggestions for me about what to see? But thinking about the Italian and Portuguese sites that you mention, I started to make a search using Google, and I have found a lot of things that I didn’t know. Anyhow, if I find something about the virus Win32:Dialer - 1154 [trj] I will send it to you.

Hi Angeaa. If you could post the log - I would like to run Silent Runners now as that will work on 98. It will be a long report, so could you attach it to your post?

Please RIGHT-CLICK HERE and Save As (in IE it’s “Save Target As”, in FF it’s “Save Link As”) to download Silent Runners.
[*]Save it to the desktop.
[*]Run Silent Runners by double-clicking the “Silent Runners” icon on your desktop.
[*]You will receive a prompt:
Do you want to skip supplementary searches?
click NO

[*]If you receive an error just click OK and double-click it to run it again - sometimes it won’t run as it’s supposed to the first time but will in subsequent runs.
[*]You will see a text file appear on the desktop - it’s not done, let it run (it won’t appear to be doing anything!)
[*]Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
NOTE If you receive any warning message about scripts, please choose to allow the script to run.

The virus doesn’t appear any more. I have a doubt about what cancelled it. In fact on 24 February I repeated the instructions of your Post Reply #13 on: February 23, 2008, 02:49:55 PM, running the script and “Advanced System Investigation” on both the disks “C” and “D”, as written in my mail of 24 February.

After that the virus didn’t appear. Soon after, I ran HiJackThis and the Fix Checked, as in your Reply #15 on: February 24, 2008.
So I do not know if it is the AVZ run or the HiJackThis and the Fix Checked that stopped the virus.

Now I do not know what to do. Is it better to run the Silent Runner, as in your last post, or not? Anyhow, I will perform a complete scan with AVAST.
I would like to know if using CCleaner is a good idea, because I ran it but only on a few items, because I do not know how to restore files that are cancelled but that the system needs.
There are some executables installed that I do not see in Control Panel \ Application-installation. For this reason I am not confident about removing them without risking some system problem.
Because CCleaner can see them, may I use CCleaner to uninstall them safely?
Thanks for all your help

Yes, Crapcleaner makes backups of all that is deleted within the CC folder. If I could have the Silent Runners log just to be sure… But it looks like it was on your D drive and AVZ killed it ;D