Need help please

Hello, this is my first time posting here so off we go…

Systems specs are:

Windows ME
Intel Pentium 3 processor 384 MB RAM, 877 MHz (I think)
Internet connection is 56K dial up modem
Firewall is with ZoneAlarm
I have Avast version 4.6 Professional and have all the latest virus definitions.

I first located this virus: Win32: Trojan-gen. (Other)
This was located in C:\RESTORE\TEMP and was located by Avast. I attempted to repair this virus at first with Avast and could not, so I have moved it to the chest.

2nd virus I located was this:

C:\_RESTORE\TEMP\A01044909.CPY is infected with Adware.eAnthology. This virus was located by Norton/Symantec online scanner today.

I have followed the steps listed and done the following:

  1. Disabled system restore
  2. Unsure of what to disable in task manager, as I am not sure what processes are harmful as yet
  3. Firewall is already installed–ZoneAlarm Pro. I do not have a router at this time.
  4. I have scanned my system with Avast and found the previous mentioned Win32 virus and have also scanned my system with Norton’s antivirus system, which did not find anything.
  5. I downloaded Ad-Aware and ran full scan with any listed items being quarantined.
  6. Ran a full Spybot scan
  7. Downloaded Hijack This and received the following log:

Logfile of HijackThis v1.99.1
Scan saved at 8:37:04 PM, on 3/13/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\MSNDELL\MSNCOREFILES\MSN6.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/slv/ycheck/as/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/slv/ycheck/as/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bluesnews.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [LoadQM] loadqm.exe
O4 - HKLM..\Run: [eMailEncryption] C:\PROGRA~1\ACCELE~1\VELOZD~1\VELOZSYS.EXE runstart
O4 - HKLM..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - HKLM..\Run: [QuickTime Task] “C:\WINDOWS\SYSTEM\QTTASK.EXE” -atboottime
O4 - HKLM..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKLM..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU..\Run: [msnmsgr] “C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE” /background
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb029
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: FreedomAudio - http://download.worldchessnetwork.com/freedomaudio/freedominstaller.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb10.pogo.com/game/deluxe/zuma/popcaploader_v6.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = nbc.educorp.edu
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.1.182,192.168.1.181

Can someone please help and advise on what else I need to include? I have also downloaded all Windows patches today along with rebooting.

Thanks

Edited:

Sorry, I did not notice that you’ve already disabled the system restore…

Are you clean now or not?
Can you perform another scan (maybe booting in safe mode, pressing F8 while booting) and see if your system is clean?

I see Norton and avast, which is not good. Pick one and dump Norton, then go here http://hijackthis.de/index.php?langselect=english and load your log, then ‘fix’ those entries in red and post another log. :slight_smile:

For help with HijackThis, click on the link in my signature and visit the HJT section. It has all you need (to know)

Sorry for the lateness in the reply. My computer is doing weird things which I will attempt to now describe. Advice given to this point has been greatly appreciated and any further advice given will be equally received. Here goes…

After performing all the actions given as far as disabling system restore, downloading Avast, etc. I turned system restore back on and ran another Avast scan, which turned up no viruses. My new troubles, however, appear to be somewhat related.

Whenever I attempt to access the Internet via Internet Explorer, I see a screen that says, “Avast” with an indication of a script blocker being engaged. Immediately after that point, my computer locks up, in which I have to restart/reboot it.

After rebooting, the computer goes through all its usual scans, hardware specs listing, Windows splash page, etc. and then comes to the “Active Desktop Recovery” screen with gray box prompt asking if I want to go back to my previous desktop image/background. I click yes, and all seems well.

Attempting to get back onto IE, it locks again ???. I proceed with another reboot. This happens several times. I then have the idea that perhaps I can disable script blocking in Avast, and proceed to do this. No such luck. I now have to completely disable Avast in order to access the Internet via IE.

In addition to this problem, which I had thought was solved, I now have a new one, and seemingly more serious. Yesterday morning I ran SpyBot, AdAware and Avast Antivirus at the same time to see if any viruses remained. SpyBot completed, but AdAware locked up, as indicated when I did CTRL ALT DEL and the task manager stated, “Not responding”. Reboot again.

After rebooting, I get back to the active desktop recovery screen, attempt to left click, and lo and behold, it doesn’t minimize ???. I can now only right click icons along with using the keyboard to bring options up, i.e. using keyboard to log onto Internet, but my mouse seemingly has died. Or so I hope, pending a more serious problem, which I fear is the case. I have cleaned the mouse and plugged it back in, but no luck. I am hoping that replacing the mouse will help me sort it out.

Barring that minor miracle, does anyone have any idea on what I should do?

Thanks

Dondasch, are you sure when talking about ‘script blocker’, won’t you say ‘WebShield’ provider?
Are you using Windows 98 or Me?
Can you get a full scanning with avast?
It seems that your problem is not ‘that’ serious, be calm, maybe just Windows Me inconsistencies of shutdown and boot…

I have not noticed anything referring to a “Webshield” provider, and I am mostly sure that it does say script blocker (still unable to verify at this point due to non working mouse). I am currently using Windows ME which I have been told is notoriously unstable and that I should upgrade to Windows 2000 Pro.

I can get a full scan with Avast, and was clean the last time I ran it, if I recall correctly. Please let me know what else I need to provide. Going to try replacing the mouse to see if that is a partial problem solver.

Well, on a minor victory note, I replaced the mouse and can now amazingly close and open windows and such! ;D

Stemming my previous enthusiasm however, is the continued problems with Internet Explorer locking up on me after I log onto the Internet. The time period for the lock up can be almost immediately upon trying to open IE or later on down the road.

As far as I can tell, my system is clean. I am however, including a hijack this log ran today.

Hijack this:

Logfile of HijackThis v1.99.1
Scan saved at 11:19:58 AM, on 3/26/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\MSNDELL\MSNCOREFILES\MSN6.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/slv/ycheck/as/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/slv/ycheck/as/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bluesnews.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [LoadQM] loadqm.exe
O4 - HKLM..\Run: [eMailEncryption] C:\PROGRA~1\ACCELE~1\VELOZD~1\VELOZSYS.EXE runstart
O4 - HKLM..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - HKLM..\Run: [QuickTime Task] “C:\WINDOWS\SYSTEM\QTTASK.EXE” -atboottime
O4 - HKLM..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKLM..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU..\Run: [msnmsgr] “C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE” /background
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb029
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: FreedomAudio - http://download.worldchessnetwork.com/freedomaudio/freedominstaller.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb10.pogo.com/game/deluxe/zuma/popcaploader_v6.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = nbc.educorp.edu
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.1.182,192.168.1.181

I am also encountering the following problem after IE locks up:

  1. I restart the PC
  2. I receive an IE Script Error stating: An error has occurred in the script on this page.
    Line: 64
    Char: 1
    Error: ‘suih’ is undefined
    Code: 0
    URL: file://C:\WINDOWS\Application Data\Microsoft\InternetExplorer\Desktop.htt

Do you want to continue running scripts with this page? Yes/No. I choose Yes

I also attempt to download Avast’s! updates but get the following:

Cannot connect to download7.avast.com
(unknown:80)
-you are not connected to the Internet. Yes, I am:)
-your firewall does not allow the program “avast.setup” to access the internet; you can find details in help or read the FAQ section on avast! website. Need help with this please
-your HTTP proxy settings are incorrect. Huh?
-the server is inaccessible because of a network error or maintenance

I really, really need help here. I see a lot of viewings but no feedback:( David, someone, anyone?..

Thanks

Hi


THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :

O4 - HKLM..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb029
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: FreedomAudio - http://download.worldchessnetwork.com/freedomaudio/freedominstaller.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb10.pogo.com/game/deluxe/zuma/popcaploader_v6.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTTIME FOR THE SYSTEM TO WORK PROPERLY :

O4 - HKLM..\Run: [QuickTime Task] “C:\WINDOWS\SYSTEM\QTTASK.EXE” -atboottime

Then run CWshredder: http://cwshredder.net/bin/CWShredder.exe

Then update and re-run Ad-aware and Spybot.

Then do a boot time scan with avast (Open avast > menu (top left hand corner) > Boot time scan)

Then make sure this folder is gone “C:\Program Files\MyWebSearch”, if it's still there delete it.

Then run ccleaner: http://www.filehippo.com/download/QSzoqmOGTJoWn6Eo8hUL4Q2/download.html

About the script error, you're not still running IE 5.5, are you? If so, update to IE 6.

Also see here: http://support.microsoft.com/?scid=http://support.microsoft.com%2Fservicedesks%2Fbin%2Fkbsearch.asp%3Farticle%3D301701

About the update:

your firewall does not allow the program "avast.setup" to access the internet; you can find details in help or read the FAQ section on avast! website. Need help with this please

What firewall do you use?

–lee

To start off, here is my newest hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 3:58:02 PM, on 3/27/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSIMPL.EXE
C:\PROGRAM FILES\MSNDELL\MSNCOREFILES\MSN6.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\WUAUBOOT.EXE
C:\PROGRAM FILES\CCLEANER\CCLEANER.EXE
C:\PROGRAM FILES\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/slv/ycheck/as/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/slv/ycheck/as/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bluesnews.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [LoadQM] loadqm.exe
O4 - HKLM..\Run: [eMailEncryption] C:\PROGRA~1\ACCELE~1\VELOZD~1\VELOZSYS.EXE runstart
O4 - HKLM..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKLM..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU..\Run: [msnmsgr] “C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE” /background
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = nbc.educorp.edu
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.1.182,192.168.1.181

I removed all the items that you said were harmful or a security risk Lee, and I also removed the one that was indicated as not being necessary to run at boot time.

Ran the CWShredder, updated and re-ran AdAware and SpyBot. I am unable to run the boot time scan with Avast because when I bring up the menu the selection for that option is “grayed out” as if I can’t use it. Do I need to re-download Avast on the chance the version I have might be corrupted in some way?

I deleted several files that had MyWebSearch in them, except for one file which is the following:

C:\Program Files\MyWebSearch

When I try to delete this either manually or using filehippo I get the following error message:

Cannot delete F3REPROX: Access is denied. The source file may be in use.

Any ideas on what that may be about?

HijackThis seems to be under the impression that I am running IE 6 from what I see. The firewall I am using is ZoneAlarm.

Much appreciation on what you can come up with.

Thanks,

Hi,
here’s an analysis:

http://hijackthis.de/logfiles/b4571c99bda8e940a656273d64eef87c.html

this KB891711.EXE is very suspicious to me: if it remains after a reboot: FIX it

also you should decide whether you want either avast or symantec/NAV: keep just one, remove the other

:wink:

Hi Whocares,

KB891711.EXE is part of windows. (recent Update from microsoft for win9x/ME)

See here for more info: http://www.microsoft.com/technet/security/bulletin/MS05-002.mspx

–lee

Lee and WhoCares, thank you both for helping me out on the KB891711.EXE file

Are there any ideas on Avast being unable to connect to the server for updates? Firewall issue? Or on the MyWebSearch file deletion error?

Most probably! Basically, check:

  1. If your subscription allows the update right now (i.e., if it is not expired).

  2. Check your firewall settings and allow avast.setup to connect.
    If you’re not sure, just turn off your firewall (to be sure the update failure is not due to it)

  3. Check your proxy settings into avast!:
    Left click the avast icon > Settings
    Update (Basic) > Details > Proxy

    Make sure your browser is not set to “Work Offline” (this option is generally in the File menu). If it doesn’t help, try switching the proxy settings from “Auto-detect” to “No proxy” (I’m assuming you’re not connecting to the Internet via proxy).

After meddling about for the longest time with ZoneAlarm, I seem to have finally hit upon the right combination in order to update Avast. I have run through 2 updates to be certain everything has been updated to the most current settings and they appear to be.

As usual, with something of this nature, I have additional questions:)

Firstly, after removing Norton Antivirus as per previous requests I notice that ZoneAlarm now says that there is no antivirus running on my computer that ZoneAlarm can detect. Is this normal in that ZoneAlarm cannot detect Avast? If this is not normal, how can I “add” Avast to ZoneAlarm’s monitoring system in order to notify for updates and just generally have a backup in place.

Secondly, when I log onto the Internet I just now noticed the following:

New Network
IP/Address Site: 4.0.0.0/255.0.0.0
Entry Type: Network
Zone: Internet

I mention this because I have not noticed this notification in the firewall tab of my ZoneAlarm before. I only had two listings there previously and today, as I was meandering around I find this one. Is my computer being used in a manner which I am unaware, i.e. being used to spam or being taken over by another person? Please advise on this.

Thanks in advance. Any ideas on the MyWebSearch error deletion ?

It is normal for ZA not to recognise Avast, so that's just something you will have to live with. I'm surprised that it recognised NAV, as it has been widely thought of as a message tied to their own anti-virus package exclusively.
Make sure your registry gets a good cleanup after removing NAV as it always leaves a lot of rubbish.
If you really need a backup scanner you can try Bit Defender (as it has no constant monitoring) or an online scanner used occasionally perhaps.
The new network one is a bit puzzling to me. Is it a message from ZA or Int Explorer?
Most important thing to watch if you suspect foul play is to ensure no program has server rights. This is reasonably easy to confirm. Once that is in place you are safe from that type of exploitation.
As for the MY WEB SEARCH issues, I suggest you paste another HJT log and give us a look at where you're at.

From what I recall, I didn’t receive any messages from ZoneAlarm or from Internet Explorer about the new network I mentioned earlier. When I first boot up and look at ZoneAlarm, it isn’t there but the moment I log onto the Internet, it shows up but says I cannot remove it. Don’t recall the exact message, will have to write it down.

Regarding server rights, how can I ensure that no program has that? I assume I can look through ZoneAlarms program controls and check for that? How can I confirm that this is not the case?

Also, do you know some good registry cleaners to get rid of the Norton rubbish?

Thanks,

On program tab of ZA there are two columns. One for internet access and other for server rights.
Try ZA settings… I do not use ZA anymore but if I remember correctly it’s not difficult to find…

On avast External Control (click Control in my signature to download) you could find a Norton removal tool.
But, first, browse the Symantec site for the ‘official’ one and only running it, use AEC.

Hi all,

Just going to post the hijack this log for this particular moment:

Logfile of HijackThis v1.99.1
Scan saved at 9:27:25 PM, on 3/30/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\PROGRAM FILES\MSNDELL\MSNCOREFILES\MSN6.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/slv/ycheck/as/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/slv/ycheck/as/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bluesnews.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [LoadQM] loadqm.exe
O4 - HKLM..\Run: [eMailEncryption] C:\PROGRA~1\ACCELE~1\VELOZD~1\VELOZSYS.EXE runstart
O4 - HKLM..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKLM..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU..\Run: [msnmsgr] “C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE” /background
O4 - HKCU..\Run: [Spyware Doctor] “C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE” /Q
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O9 - Extra button: Dell Home - {63D9F689-FA15-4ECF-91BC-C4D0734E14EA} - http://www.dellnet.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = nbc.educorp.edu
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.1.182,192.168.1.181

Any ideas on what looks suspicious and needs to be removed? I have recently downloaded a registry cleaner and spyware doctor from pcworld.com. Completely unsure if this is needed since I already have Ccleaner, AdAware, Spybot and Avast. Can someone advise on if I should delete those and can anyone advise on a free registry cleaner? I think I really need one.

Thanks,
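
An added example, not part of the original thread or of any poster's reply: one way to compare two of the HijackThis logs posted above, confirming that the entries flagged for fixing are gone and listing what has appeared since. The function names `parse_entries` and `compare_scans` are hypothetical; the sample lines are trimmed excerpts of the 3/26 and 3/30 logs and of the fix list in the thread.

```python
import re

# A HijackThis entry is "<section> - <detail>", e.g. "O4 - HKLM..\Run: [x] y".
# Header lines and the "Running processes" paths do not match this shape.
# IGNORECASE because online analysers echo entries back in lower case.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$", re.IGNORECASE)


def parse_entries(log_text):
    """Map a case-insensitive (section, detail) key to the original line."""
    entries = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if match:
            key = (match.group(1).upper(), match.group(2).strip().casefold())
            entries[key] = line
    return entries


def compare_scans(before_log, after_log, fix_list):
    """Classify entries across two scans relative to a list of flagged lines."""
    before = parse_entries(before_log)
    after = parse_entries(after_log)
    flagged = parse_entries(fix_list)
    return {
        # flagged, seen in the first scan, absent from the second
        "fixed": sorted(flagged[k] for k in flagged
                        if k in before and k not in after),
        # flagged but still in the second scan: the fix did not stick
        "still_present": sorted(flagged[k] for k in flagged if k in after),
        # not in the first scan: newly installed software or a reinfection
        "new": sorted(after[k] for k in after if k not in before),
        # gone without having been flagged (e.g. an uninstalled product)
        "removed_unflagged": sorted(before[k] for k in before
                                    if k not in after and k not in flagged),
    }


# Trimmed excerpt of the 3/26/2005 log in the thread.
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE
O4 - HKLM..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - HKLM..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb029
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = nbc.educorp.edu
"""

# Trimmed excerpt of the 3/30/2005 log in the thread.
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O4 - HKLM..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = nbc.educorp.edu
"""

# Trimmed excerpt of the fix list posted in the thread.
FIX_LIST = r"""
O4 - HKLM..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb029
"""

if __name__ == "__main__":
    report = compare_scans(BEFORE_LOG, AFTER_LOG, FIX_LIST)
    for bucket, lines in report.items():
        print(f"{bucket} ({len(lines)})")
        for line in lines:
            print("   ", line)
```

Entries in the `new` bucket are the ones worth reviewing first after a cleanup, since they were not present when the earlier log was analysed.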

Look at my website “How to completely remove Norton”.

Look at this topic: http://forum.avast.com/index.php?topic=10623.0


THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :

r1 - hkcu\software\microsoft\internet explorer\searchurl
o9 - extra button: dell home - {63d9f689-fa15-4ecf-91bc-c4d0734e14ea} - http://www.dellnet.com (file missing) (hkcu)