All kinds of problems...help!


hmac13
May 31st, 2003, 06:08 PM
Hello...I'm new to this forum and a total non-techie so please keep that in mind when/if you reply to my questions...thanks;)

I actually have several different problems, but I'm using windows me OS so I thought I'd post here and hopefully get help from someone knowledgeable in all aspects of windows me;)

I have multiple error messages that pop-up each time I re-boot or power-up my PC as a result of a trojan horse I think is disabled-but I have not been able to find the files to get rid of them and the error messages---I also have problems with my soundcard-when I try to use my realjukebox or anything that requires use of the soundcard I get an error message telling me that it is already in use by another application, but I'm not using it for anything else that I know of(this started just after trying to install my webcam which I was unable to install and thought I had deleted all the files associated with it, but still get the error message;)
And I have one other BIG problem with something called "mIRC32.exe" that somehow was downloaded to my system although I never downloaded it myself and it launches at start-up ...plus, each time I try to close it, it just automatically opens again.
But the BIGGEST problem is....I thought I would simply get rid of ALL these problems at once by using the windows me 'system restore' option which takes your OS back to a time before all the problems started and re-installs me from that point and even that is not working! Plus my disk defragmenter is not working-when I try it I get to about 1 or 2% complete and it just hangs at that point indefinitely. Can anyone help me at least figure out how to get my 'system restore' working again so I can try getting a fresh start rather than trying to tackle all of the other problems one at a time...which doesn't seem to be working for me anyway;)??

Thanks!
hmac13

tb525
May 31st, 2003, 06:20 PM
Hi hmac13, Welcome to CTH!
Doing a system restore is not a good idea, you will also restore the virii.
Let's see what is going on. Go here and download, unzip and run StartupList. It will create a log file, copy the log and paste it in a reply.

http://www.lurkhere.com/~nicefiles/index.html

Also go here and run an online virus scan:

http://www.ravantivirus.com/scan/

Copy the report from the scan and paste it in a reply also.

shadypac
June 1st, 2003, 06:59 AM
Yeah good old windows ME. The best thing about it is when it comes a time when ya have a big enough prob to have to try and use sys restore it doesn't work.

#1 issue is the trojan. Do a full system scan with your anti-virus and clean all of that stuff up. Any anti-virus should remove mostly all of the infected files providing you have updated definitions...but im assuming you do because for you to know its in there it would had to have detected it.

As far as the software for starters you could try to uninstall/reinstall them...from what i hear i doubt that would help, i dont think the prob is in the application but its worth a shot. As far as the errors coming up..."Do they specifically name any files?"

For the record mIRC is a chat client... something like aol instant messenger or yahoo just so you know.

But like i said first thing is first....RUN Anti-Virus software. A trojan will load itself at startup and it wouldn't surprise me in the least if that was the cause of most if not all of your problems.

what you can try to do is locate a file called "win.ini" without the quotes. go to Start --->Run ------> and type win.ini. This is how a trojan "typically" loads itself. In the second and third line i think it should read:

load=
run=

if anything is after that equal sign u should probably get rid of it because it is most likely your culprit. And out of curiosity...are you the only one who uses your computer?


Also check things like your startup folder..."right clicking the start button and clicking explore brings you right into it" or going to start.....run.....and typing msconfig then going to the startup tab is a good way of getting rid of stuff you don't want loading at startup.

Lemme know how it goes....and for everyone else....if anything ive said seems incorrect dont hesitate to correct : )

shadypac
June 1st, 2003, 07:09 AM
ohhh yeah almost forgot...as far as your system restore not working...it could be Microsoft's fault lol....they offer a patch to fix this problem..it's worth a shot, here's the link, check it out

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q290700&

hmac13
June 1st, 2003, 03:57 PM
Hi shadypac and tb525,
thanks for all your suggestions! I'm so glad I found this forum:)
I'm going to try tb525's suggestions and take it from there...shadypac, your suggestions are things I've done already--for the most part--although I wasn't aware of the patch for the system restore problems;) thanks!
My virus scanner has already found the files and 'healed' them but informed me that it cannot remove them-with no further instruction to remove them myself;)
And I'm already using the 'selective start-up' ...I've been using that for a while just to keep my boot-up time from boring me to death;) tehe...
(i do have quite a lot of 'stuff' on my PC, much of it thinks it 'must' be something I'd want to use from the moment I boot-up;)

Would using the selective start-up 'long term' be a cause for any of this? (I doubt it, but you never know;)

And I know what the mIRC is---but I did NOT download it willingly-it had to have come attached to an email I opened or a website I visited...something like that --and now I can't get rid of it-it does NOT show in my windows me start-up listings-that's the first thing I tried-to simply remove it from the start-up like I have with the other stuff I don't want to open at start-up;) There's nothing there to 'un-check'. I can't even CLOSE it...I can close it but it opens right back up itself. That can't be a good thing;)
Anyway-I'm off to download the things tb525 has suggested and will post results asap....and take it from there.
thanks again-I'll be back;)

hmac13

hmac13
June 1st, 2003, 04:19 PM
Hi tb525!
I had no problem with the startuplist 'task' you gave me, the results are below....but(and remember, I am no 'techie';)) when I went to scan for viruses (virii?) online, using the link you gave me in your reply, it asked me to choose which file(s) I want to scan....just making sure now--if I'm doing an online scan, I want to scan my 'temporary internet' files??? Is that correct-or do I need A LOT more education in this area? ;)
Anyway.....
here's the results for Startuplist:(I just copied the whole notepad doc)

StartupList report, 6/1/2003, 10:58:01 AM
StartupList version: 1.52
Started from : C:\WINDOWS\TEMP\STARTUPLIST.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v5.50 (5.50.4134.0100)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SOINTGR.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\SYSMAN32.EXE
C:\WINNT\USER\BY.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\ONLINE SERVICES\MSN50\MSNDC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Profiles\tester\Start Menu\Programs\Startup]
MSN Quick View.lnk = C:\Program Files\Online Services\MSN50\MSNDC.EXE
PalNetaware.lnk = C:\Paltalk\pnetaware.exe

User shell folders Startup:
[C:\WINDOWS\Profiles\tester\Start Menu\Programs\Startup]
MSN Quick View.lnk = C:\Program Files\Online Services\MSN50\MSNDC.EXE
PalNetaware.lnk = C:\Paltalk\pnetaware.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
Microsoft Tray = C:\WIN32SIMS.EXE
sp = regedit -s C:\WINDOWS\sp.reg
AVG_CC = C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
LoadQM = loadqm.exe
SO5 Integrator Pass Two = C:\WINDOWS\SOINTGR.EXE
Aornum = C:\PROGRAM FILES\ORNUM\AORNUM1\2.BIN\AORNUM.EXE
TrojanScanner = C:\Program Files\Trojan Remover\Trjscan.exe
SystemManager = C:\WINDOWS\SYSTEM\sysman32.exe
eXe = c:\Winnt\User\By.eXe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
SchedulingAgent = mstask.exe
SO5 Integrator Pass One = C:\WINDOWS\SOINTGR.EXE
SSDPSRV = C:\WINDOWS\SYSTEM\ssdpsrv.exe
*StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = C:\PROGRA~1\MESSEN~1\msmsgs.exe /background

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 8/5/2003, 14:38:58)

[rename]
NUL=C:\PROGRA~1\GRISOFT\AVG6\$AVGUPD$.BKP
NUL=C:\PROGRA~1\GRISOFT\AVG6\$AVGUPD$.478
C:\PROGRA~1\GRISOFT\AVG6\version.avg=C:\PROGRA~1\GRISOFT\AVG6\$AVGUPD$.478\version.avg
C:\PROGRA~1\GRISOFT\AVG6\avgcore.vxd=C:\PROGRA~1\GRISOFT\AVG6\$AVGUPD$.478\avgcore.vxd
C:\PROGRA~1\GRISOFT\AVG6\avg.ovl=C:\PROGRA~1\GRISOFT\AVG6\$AVGUPD$.478\avg.ovl
C:\PROGRA~1\GRISOFT\AVG6\avg6.avi=C:\PROGRA~1\GRISOFT\AVG6\$AVGUPD$.478\avg6.avi

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP
SET DBROOT=C:\Adabas
SET DBWORK=C:\Adabas\sql
SET DBCONFIG=C:\Adabas\sql
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\Adabas\bin;C:\Adabas\pgm

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

C:\WINDOWS\tmpcpyis.bat

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - (no file) - {9B4C7A1D-80ED-4ED4-AA50-89CAF6EA6803}
iWon BHO - C:\PROGRAM FILES\IWON\IWONBAR\3.BIN\IWONBAR.DLL - {C298FB42-E3E2-11D3-ADCD-0050DAC24E8F}
Yahoo! Companion BHO - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_3.DLL - {13F537F0-AF09-11d6-9029-0002B31F9E59}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
PCHealth Scheduler for Data Collection.job
Promote-ivator.job
Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[sys Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PCPITSTOP.DLL
CODEBASE = http://pcpitstop.com/pcpitstop/PCPitStop.CAB

[iWon Progressive Counter]
InProcServer32 = C:\PROGRAM FILES\IWON\IWONSLOT\4.BIN\IWONSLOT.DLL
CODEBASE = http://www.iwon.com/ct/pm2/iwonpm1,0,2,3.cab

[RdxIE Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RDXIE.DLL
CODEBASE = http://207.188.7.150/04c53fff3f917b155106/netzip/RdxIE.cab

[TegoSoft SmartLoader ActiveX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\TEGOLOAD.OCX
CODEBASE = http://www.aluriasoftware.com/drspeed/TegoLoad.cab

[{11111111-1111-1111-1111-111111111111}]
CODEBASE = mhtml:file://C:\Windows\Temp\wecerr.txt%20.!file:///D:/wbdl.exe

[DiskHealth Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.1\DISKHEALTH.DLL
CODEBASE = http://pcpitstop.com/pcpitstop/diskhealth.cab

[OTXMovie Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\OTXMEDIA.DLL
CODEBASE = http://otx.ifilm.com/OTXMedia/OTXMedia.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
UPnPMonitor: C:\WINDOWS\SYSTEM\UPNPUI.DLL
AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL

--------------------------------------------------
End of report, 7,086 bytes
Report generated in 0.784 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

And that's it for the startuplist....waiting to hear just how bad it really is;)
thanks!

See ya.......hmac13

tb525
June 1st, 2003, 04:28 PM
Click Start > Run > type regedit and click OK.
Click the + next to the following keys:

HKEY_LOCAL_MACHINE
Software
Microsoft
Windows
Current Version

Scroll down and click on the Run folder. In the right hand window right click on the following and click delete.

Microsoft Tray = C:\WIN32SIMS.EXE
sp = regedit -s C:\WINDOWS\sp.reg
SystemManager = C:\WINDOWS\SYSTEM\sysman32.exe
eXe = c:\Winnt\User\By.eXe

Collapse the registry tree, close regedit and reboot.
Do a find files for the following and delete them:

WIN32SIMS.EXE
sysman32.exe
By.eXe

Then download and run Spybot-S&D to remove the spyware.

Download Spybot - Search & Destroy from here
http://www.lurkhere.com/~nicefiles/index.html


After installing, launch Spybot from the Desktop Icon (Easy Mode),click on the Search For Updates button, search for and install all updates.

Now click on the Check for Problems button and the scan will start. Any Red entries indicate spyware problems that should be fixed to avoid security and/or privacy problems. This is the only kind of problem that is preselected to be fixed. If, after running the scan, Spybot displays red entries, click on the Fix Selected Problems button.

Now click on the Immunize button to protect your PC from known pests and exit.

If you have chosen to install an icon in your Quick Launch bar, Spybot will launch in Advanced Mode. I do not recommend this option for first time users of Spybot.

NOTE: SSD will sometimes not be able to remove all active components in the first 'run'. In that case you will get a dialog asking you to run SSD at next start. Click yes and reboot.
SSD will activate before the system puts these components 'in use', and it will then be able to 'fix' the rest.

After spybot, run the online virus scan and post back the results.

TonyKlein
June 1st, 2003, 04:31 PM
All of the following are malware, mainly trojans, but also some spyware:

Microsoft Tray = C:\WIN32SIMS.EXE
sp = regedit -s C:\WINDOWS\sp.reg
Aornum = C:\PROGRAM FILES\ORNUM\AORNUM1\2.BIN\AORNUM.EXE
SystemManager = C:\WINDOWS\SYSTEM\sysman32.exe
eXe = c:\Winnt\User\By.eXe

Hi tb525! :)
As you were here first, I'll get out of the way! ;)

tb525
June 1st, 2003, 04:36 PM
Hey Tony, Feel free to jump in anytime! You won't hurt my feelings!

Have you seen this before?

[{11111111-1111-1111-1111-111111111111}]
CODEBASE = mhtml:file://C:\Windows\Temp\wecerr.txt%20.!file:///D:/wbdl.exe

TonyKlein
June 1st, 2003, 04:40 PM
The Class ID is that belonging to a known dialer, but anyone could copy it, of course... :rolleyes:

Anyway, we need to get rid of that ActiveX Control, empty the entire contents of the Windows\Temp directory, and check for the presence of that D:/wbdl.exe file.

That's why I originally advised to download Hijack This. It will allow us to get rid of the startup entries without manually editing the Registry, unregister and remove the BHO, and remove offending ActiveX objects all in one fell swoop.

hmac13
June 1st, 2003, 04:47 PM
Hi again tb525,

Here's the message I got when attempting to use the ravantivirus online scan...
Failed to load ActiveX control! -- You must have administrative rights on this computer;you also must have the Internet Explorer security settings to the Medium level.

I don't know why I would not have administrative rights--it's my pc, I'm the only one using it(from day one) and I never required an outside administrator before...? How do I change that?(if I can without an administrator)

I'm checking my security settings now....I've just changed the java permissions from 'high safety' to 'medium safety'...other than that, there are 2 activex controls that are set to 'disabled'...1) download unsigned activex controls
2) Initialize and script activex controls not marked as safe
those are the only 2 that are 'disabled'--do I need to re-set those to 'enabled' for the ravantivirus scan? And is it 'safe' to leave them that way-or should I change them back immediately after scanning(if I need to change them in the first place, that is;)

thanks again!!

See ya.............helen

tb525
June 1st, 2003, 05:10 PM
Hi Helen, Your security settings were fine..
Let's start this all over to make it easier for you..
Download 'Hijack This!'. http://www.spywareinfo.com/files/hijackthis.zip
Unzip, doubleclick HijackThis.exe, and hit "Scan".
When the scan is finished, click "Save Log", and copy and paste it in a reply.

hmac13
June 1st, 2003, 06:32 PM
Hi tb525!
It's WORKING! I can't thank you enough! So far I have just followed your 1st reply's instructions except for downloading and running Spybot-S&D....
btw, when I searched for the files after re-booting I could only find the 1st one: WIN32SIMS.EXE
the other 2 (sysman32.exe, By.eXe) you said to find and delete did not show up in my searches. I'm assuming that's a good thing;)

I started reading the rest of the posts/replies and I think you want me to forget Spybot-S&D and download 'Hijack This!' instead...correct?
Good, cause that's what I'm doing;)

And here's the log file:

Logfile of HijackThis v1.94.0
Scan saved at 1:12:48 PM, on 6/1/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.allcybersearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL=http://www.allcybersearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.allcybersearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.allcybersearch.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://nowyoucan2.buildreferrals.com/homerotator.cgi
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.allcybersearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.allcybersearch.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://gobanclick.cjb.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://gobanclick.cjb.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=00000005
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.allcybersearch.com/ie/
R3 - URLSearchHook: UrlSearch - {88316521-214B-11D5-9DC3-0050BAB29D49} - C:\PROGRA~1\CASHSU~1\SEARCH~1.DLL
O2 - BHO: (no name) - {9B4C7A1D-80ED-4ED4-AA50-89CAF6EA6803} - (no file)
O2 - BHO: iWon BHO - {C298FB42-E3E2-11D3-ADCD-0050DAC24E8F} - C:\PROGRAM FILES\IWON\IWONBAR\3.BIN\IWONBAR.DLL
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_3.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: i&Won Co-Pilot - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - C:\PROGRAM FILES\IWON\IWONBAR\3.BIN\IWONBAR.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_3.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
O4 - HKLM\..\Run: [Aornum] C:\PROGRAM FILES\ORNUM\AORNUM1\2.BIN\AORNUM.EXE
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SO5 Integrator Pass One] C:\WINDOWS\SOINTGR.EXE
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O4 - Startup: MSN Quick View.lnk = C:\Program Files\Online Services\MSN50\MSNDC.EXE
O4 - Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe
O4 - User Startup: MSN Quick View.lnk = C:\Program Files\Online Services\MSN50\MSNDC.EXE
O4 - User Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: MSN (HKCU)
O12 - Plugin for .web: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPXara C.dll
O14 - IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} (iWon Progressive Counter) - http://www.iwon.com/ct/pm2/iwonpm1,0,2,3.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/04c53fff3f917b155106/netzip/RdxIE.cab
O16 - DPF: {1C960AA3-FAEE-11D0-9262-00A0243D2412} (TegoSoft SmartLoader ActiveX Control) - http://www.aluriasoftware.com/drspeed/TegoLoad.cab
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:\Windows\Temp\wecerr.txt%20.!file:///D:/wbdl.exe
O16 - DPF: {6FB9FE59-7D3B-483D-9909-C870BE5AFA1F} (DiskHealth Class) - http://pcpitstop.com/pcpitstop/diskhealth.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

You guys are awesome! ALL the error messages are GONE :-) :thumb: :bouncy:

Sorry if I've gone a little 'crazy'....I'm 'pleased' to say the least;) Thank you for your help!!

See ya.....hmac13

PS. I have a dear friend who is experiencing serious PC/internet connection problems...I will be sure to send him here!!

TonyKlein
June 1st, 2003, 06:52 PM
Wait a mo! We aren't finished yet! There's lots of bad stuff left.

Please do the following:

In Hijack This, check ALL of the following items. Doublecheck so as to be sure not to miss a single one.
Next, shut down all browser Windows, and have HT fix all checked.

You NEED to restart your computer when you're done.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.allcybersearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL=http://www.allcybersearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.allcybersearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.allcybersearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.allcybersearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.allcybersearch.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://gobanclick.cjb.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://gobanclick.cjb.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=00000005
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.allcybersearch.com/ie/

R3 - URLSearchHook: UrlSearch - {88316521-214B-11D5-9DC3-0050BAB29D49} - C:\PROGRA~1\CASHSU~1\SEARCH~1.DLL

O2 - BHO: (no name) - {9B4C7A1D-80ED-4ED4-AA50-89CAF6EA6803} - (no file)
O2 - BHO: iWon BHO - {C298FB42-E3E2-11D3-ADCD-0050DAC24E8F} - C:\PROGRAM FILES\IWON\IWONBAR\3.BIN\IWONBAR.DLL

O3 - Toolbar: i&Won Co-Pilot - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - C:\PROGRAM FILES\IWON\IWONBAR\3.BIN\IWONBAR.DLL

O4 - HKLM\..\Run: [Aornum] C:\PROGRAM FILES\ORNUM\AORNUM1\2.BIN\AORNUM.EXE

O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} (iWon Progressive Counter) - http://www.iwon.com/ct/pm2/iwonpm1,0,2,3.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/04c53fff3f917b...etzip/RdxIE.cab
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file//C:\Windows\Temp\wecerr.txt%20.!file:///D:/wbdl.exe
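
Added example, not part of the original thread and not HijackThis's own logic: a Python triage of HijackThis log lines using heuristics drawn from the entries the helpers singled out above (an orphaned BHO, a silent `regedit -s` import, an executable in the drive root, a `\WINNT` path on a Win9x install, and a Download Program Files entry whose CODEBASE is a local file or a bare IP address). The function names and rules are assumptions made for illustration; the O4 sample lines restate StartupList entries from this thread in HijackThis format.

```python
import ipaddress
import re
from urllib.parse import urlsplit

CLSID = r"\{[0-9A-Fa-f-]{36}\}"
# Line shapes as they appear in the HijackThis v1.94 log posted in this thread.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>" + CLSID + r")(?: \((?P<name>.*?)\))? - (?P<codebase>.+)$")


def check_bho(m, platform):
    # A BHO key whose DLL is gone is a leftover registration.
    return ["BHO registered but its file is missing"] if m["path"] == "(no file)" else []


def check_run(m, platform):
    cmd, reasons = m["cmd"], []
    if re.match(r"regedit(\.exe)?\s+[-/]s\b", cmd, re.I):
        reasons.append("silent registry import on every boot")
    if re.match(r"[A-Za-z]:\\[^\\]+\.exe\b", cmd, re.I):
        reasons.append("executable sits directly in the drive root")
    if "win9x" in platform.lower() and "\\winnt\\" in cmd.lower():
        reasons.append("\\WINNT path on a Win9x install")
    return reasons


def check_dpf(m, platform):
    codebase, reasons = m["codebase"], []
    scheme = codebase.split(":", 1)[0].lower()
    if scheme not in ("http", "https"):
        reasons.append("CODEBASE is not an http(s) download (scheme %r)" % scheme)
    else:
        host = urlsplit(codebase).hostname or ""
        try:
            ipaddress.ip_address(host)
            reasons.append("CODEBASE host is a bare IP address")
        except ValueError:
            pass  # ordinary host name
    digits = m["clsid"].strip("{}").replace("-", "").lower()
    if len(set(digits)) == 1:
        reasons.append("class ID is a repeated-digit placeholder, not a generated GUID")
    return reasons


RULES = ((O2_RE, check_bho), (O4_RE, check_run), (O16_RE, check_dpf))


def triage(log_text):
    """Return [(label, [reasons])] for log lines that trip at least one heuristic."""
    platform, findings = "", []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Platform:"):
            platform = line.split(":", 1)[1].strip()
            continue
        for regex, check in RULES:
            m = regex.match(line)
            if not m:
                continue
            reasons = check(m, platform)
            if reasons:
                groups = m.groupdict()
                findings.append((groups.get("name") or groups.get("clsid") or line, reasons))
            break
    return findings


# Constructed sample: O2/O16 lines copied from the log in this thread,
# O4 lines rebuilt from the StartupList report in HijackThis format.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.94.0
Platform: Windows ME (Win9x 4.90.3000)
O2 - BHO: (no name) - {9B4C7A1D-80ED-4ED4-AA50-89CAF6EA6803} - (no file)
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_3.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Microsoft Tray] C:\WIN32SIMS.EXE
O4 - HKLM\..\Run: [sp] regedit -s C:\WINDOWS\sp.reg
O4 - HKLM\..\Run: [eXe] c:\Winnt\User\By.eXe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/04c53fff3f917b155106/netzip/RdxIE.cab
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:\Windows\Temp\wecerr.txt%20.!file:///D:/wbdl.exe
"""

if __name__ == "__main__":
    for label, reasons in triage(SAMPLE_LOG):
        print(label, "->", "; ".join(reasons))
```

A hit here only marks a line for a closer look; entries such as sysman32.exe, which sit in a normal system directory, pass these heuristics and still need a reviewer who recognises the name.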

tb525
June 1st, 2003, 06:53 PM
Close all browser windows, run HijackThis again and have it fix the following.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.allcybersearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL=http://www.allcybersearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.allcybersearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.allcybersearch.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://nowyoucan2.buildreferrals.com/homerotator.cgi
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.allcybersearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.allcybersearch.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://gobanclick.cjb.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://gobanclick.cjb.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=00000005
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.allcybersearch.com/ie/
R3 - URLSearchHook: UrlSearch - {88316521-214B-11D5-9DC3-0050BAB29D49} - C:\PROGRA~1\CASHSU~1\SEARCH~1.DLL
O2 - BHO: (no name) - {9B4C7A1D-80ED-4ED4-AA50-89CAF6EA6803} - (no file)
O2 - BHO: iWon BHO - {C298FB42-E3E2-11D3-ADCD-0050DAC24E8F} - C:\PROGRAM FILES\IWON\IWONBAR\3.BIN\IWONBAR.DLL
O4 - HKLM\..\Run: [Aornum] C:\PROGRAM FILES\ORNUM\AORNUM1\2.BIN\AORNUM.EXE
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} (iWon Progressive Counter) - http://www.iwon.com/ct/pm2/iwonpm1,0,2,3.cab
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:\Windows\Temp\wecerr.txt%20.!file:///D:/wbdl.exe

Then delete the contents of the C:\Windows\Temp folder and reboot. Do a find files for wbdl.exe and delete it

Edit: Oops..Sorry Tony!

TonyKlein
June 1st, 2003, 07:28 PM
So it is true what they say about great minds....

hmac13
June 1st, 2003, 08:43 PM
Hi Tony and tb525,

Well, it's taken all day...sorry for the delays getting back here. Sunday afternoons at home mean LOTS of interruptions;)

I've done everything you told me to so far...btw, there were only 3 files of the 2nd batch that matched up in Hijack This to check. These are the 3 it found and fixed:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://nowyoucan2.buildreferrals.com/homerotator.cgi
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://gobanclick.cjb.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=

Also, when I searched for "wbdl.exe" after I re-booted this last time, it was not there....that's good??

If there's more to do, I'll have to start again first thing tomorrow(or whenever you guys are around again) And thank you both(all) again for such a great service and for all your help---I WILL be back for more!

I've tried other so-called 'help' sites and tech support but none come close...even one 'pay' service I tried :D

See ya......hmac13

TonyKlein
June 1st, 2003, 08:54 PM
Originally posted by hmac13
I've done everything you told me to so far...btw, there were only 3 files of the 2nd batch that matched up in Hijack This to check. These are the 3 it found and fixed:


Now I'm not certain we made ourselves crystal clear here; what we meant you to do, is not go and find the items in that Hijack This log yourself, but actually put a check mark at the items we pointed out to you, and subsequently, still in Hijack This, press "fix checked".

Hijack This will then correct all those items (which will be there, as it found them on your computer)

Is that what you did??

hmac13
June 1st, 2003, 11:57 PM
Hi Tony,
Not to worry(I think),....what I should have said is that of the files listed in your reply the 2nd time, only 3 of them were listed in the Hijack This list of files to 'check'. and by 'check' I mean enter a check mark in the little box next to that file, then hit the 'fix checked' button in Hijack.

Should all of those files have been there when I opened Hijack again? Maybe I did something wrong the 2nd time around?

Not unusual for me;)

See ya......hmac13

TonyKlein
June 2nd, 2003, 12:06 AM
No, I think you did great! :)

The log looks clean now, and I think you deserve the right to treat yourself to a glass of wine in order to celebrate! :D

hmac13
June 2nd, 2003, 01:24 AM
Thanks Tony!

I will...but only if you and tb525 will join me because you guys definitely deserve a 'congratulatory swill' having been able to steer me in the right direction to get this stuff cleaned up ....finally! And in terms I can understand, yet without making me feel like an idiot :-S or charging me extra just before giving me the final answer;)

So, maybe tomorrow we can try tackling my sound card 'issue(s)'...??

Thanks again to both of you!

See ya............hmac13

hmac13
June 2nd, 2003, 06:08 PM
Hello again!

You guys were so helpful yesterday, I thought I'd come back and see if I can't get a few other things 'fixed' ....for example, when I try to open my REAL jukebox or player I get an error telling me my sound card is already in use---but I know it's not;)

But first, I have my AVG set to scan for viruses daily and today's report says it found and 'healed' 5 viruses...these are the ones it listed:

Results of Complete Test, date and time 6/2/2003 6:43:34 :

Testing C:\ volume DRIVE_C serial 3A30-1AF2
C:\WINDOWS\ISNSYS.DLL repaired
C:\WINNT\USER\CL.EXE repaired
C:\WINNT\USER\IB.EXE repaired
C:\WINNT\USER\S2.EXE repaired
C:\WINNT\USER\S3.EXE repaired

Test finished, duration 01:33:10.8 s
25736 objects tested, 5 found infected

I also noticed that there is a file/folder named: winnt
still in 'my documents' and I have no idea what it is-except that I think I remember deleting something similar per your instructions yesterday? Is this file/folder maybe causing the virus findings that AVG has reported?

Now on to the sound card issue.....it started happening just after I tried to install a webcam...the installation was not successful and I just gave up on the webcam-deleting all the files associated with it(I think;) but ever since then I've been getting that stupid error message and have NO sound :(

Got any ideas how I can fix this one?? Am I in the right forum? Maybe I should post this question in the 'hardware' forum?
thanks!

See ya......hmac13

shadypac
June 2nd, 2003, 07:13 PM
Try updating/reinstalling the driver that came with the card. If that doesn't work, try reseating the card or reinstalling the card again. I had a sound problem so messed up once and nothing I did fixed it...I tried just about everything. Eventually I just reinstalled ME over top of my current and it fixed it, so I assumed it was corruption in the registry or something similar.


Check in Device Manager....right click "My Computer", Properties, Device Manager. That's how ya check if your cam is still there...also check in Add/Remove Programs and make sure the software you loaded with it is gone. Doing things from the Add/Remove in Control Panel usually gets rid of everything completely. Also using the uninstall that came with software works. If you were to delete files randomly that are associated with whatever you're getting rid of, that's when you get problems because entries are still in the registry.

hmac13
June 2nd, 2003, 09:28 PM
Hi shadypac!
Thanks for your reply....I think I may have found the reason for my sound card problems..?

I just checked in add/remove programs again(it's been a while since I last checked into this problem--I couldn't figure it out on my own at the time and just moved on to other stuff;)
Anyway, when I checked in add/remove programs for any remaining webcam software, I found something that said IBM PC Camera....so I highlighted it and clicked the remove button but got the following error message:

"Unable to locate un-installation log file and the filename it searched for:
'C:\Program Files\IbmPcCamera\Uninst.isu' Uninstallation will not continue"

So....now what? Got any ideas??

thanks!

See ya.........hmac13

PS. won't be back till tomorrow morning;)

tb525
June 2nd, 2003, 10:51 PM
Hi Helen, Delete this C:\WINNT folder... and if there is one in 'My Documents', delete it too.

hmac13
June 2nd, 2003, 11:29 PM
Ok tb525, I've deleted the winnt file....do you think I am FINALLY free of all the bad stuff?

And...can you help with my sound card problem too?

thanks!

See ya........hmac13

tb525
June 3rd, 2003, 10:06 AM
Hi Helen, Run HijackThis again and post a fresh log.

Anyway, when I checked in add/remove programs for any remaining webcam software, I found something that said IBM PC Camera....so I highlighted it and clicked the remove button but got the following error message:

"Unable to locate un-installation log file and the filename it searched for:
'C:\Program Files\IbmPcCamera\Uninst.isu' Uninstallation will not continue"

Re-install the IBM PC Camera software and then uninstall via Add/Remove Programs

For the sound, First open Control Panel and double click the icon for Audio. Check that nothing has been muted.
Then look in the Device Manager. Control Panel > System > Device Manager tab. Are there any yellow splats?

hmac13
June 3rd, 2003, 01:35 PM
Hi tb525!

Here's the latest HijackThis log:

Logfile of HijackThis v1.94.0
Scan saved at 7:56:24 AM, on 6/3/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://gobanclick.cjb.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.allcybersearch.com/ie/
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_3.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_3.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SO5 Integrator Pass One] C:\WINDOWS\SOINTGR.EXE
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O4 - Startup: MSN Quick View.lnk = C:\Program Files\Online Services\MSN50\MSNDC.EXE
O4 - Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe
O4 - User Startup: MSN Quick View.lnk = C:\Program Files\Online Services\MSN50\MSNDC.EXE
O4 - User Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: MSN (HKCU)
O12 - Plugin for .web: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPXara C.dll
O14 - IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1C960AA3-FAEE-11D0-9262-00A0243D2412} (TegoSoft SmartLoader ActiveX Control) - http://www.aluriasoftware.com/drspeed/TegoLoad.cab
O16 - DPF: {6FB9FE59-7D3B-483D-9909-C870BE5AFA1F} (DiskHealth Class) - http://pcpitstop.com/pcpitstop/diskhealth.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

I'll get started on the webcam stuff now.

Ok tb525, I have re-installed the webcam. BUT! The reason I was trying to un-install the webcam previously is because I got error messages or something (it was a while ago so my memory is a little foggy on exactly what the problem was at that time--I think I was trying to install it with the camera plugged in to my PC--I found out this time that I should not have had it plugged in while trying to install it;)
Anyway, I've re-installed the webcam without any trouble this time and I'd really like to keep it if I can get my sound card back and working for both the webcam and my other audio needs.

So.......I'm going to try downloading REAL again and see if it works, now that the webcam is installed properly(I think?-it seems to be working fine:), Windows 'should' take care of making sure the sound card is shared between the 2 devices without any conflicts.....right?
Btw, before re-installing the webcam, I started to follow your instructions:

For the sound, First open Control Panel and double click the icon for Audio. Check that nothing has been muted.

1st...there's no Audio icon in my control panel...the only thing close is the Sounds and Multi-media icon.

Then you said:

Then look in the Device Manager. Control Panel > System > Device Manager tab. Are there any yellow splats?

There are NO yellow splats.....however,
in the 'sounds and multimedia' properties menu, the box named "schemes" was set to 'no sounds' and the volume control is all the way down at zero----and it won't allow me to change that setting.

So...what next tb525?? Are you getting tired of me yet?? I certainly wouldn't blame you :rolleyes:

Ok....waiting to hear from you again tb525...somehow another 'thank you' just doesn't seem to be quite enough;)
But I do appreciate your help enormously!!

See ya...hmac13

tb525
June 3rd, 2003, 04:20 PM
Have HT fix this entry:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.allcybersearch.com/ie/

Open the Device Manager again and click the + next to 'Sound, Video and Game Controllers'. what is listed?

hmac13
June 3rd, 2003, 06:32 PM
Ok, the only thing listed under the + next to 'Sound, Video and Game Controllers'. is:

CrystalSoundFusion(tm) CS4281 WDM Audio

That's it...should there be more?

Thanks!

See ya....hmac13

tb525
June 3rd, 2003, 07:38 PM
First, go here and download the driver and unzip it.:
http://www.cirrus.com/en/support/drivers/audio/OS20.html
(CS4281 WDM Audio)

Then boot into safe mode, open the device manager and right click on the CS4281 WDM Audio entry and choose remove.
Reboot to Windows. Windows should detect the card and re-install it. If it doesn't, point the wizard to the cwrwdm.inf inside the unzipped driver folder. (Pw5206) Follow the wizard and reboot after.

hmac13
June 3rd, 2003, 08:53 PM
Ok tb525,
Here's one of those stupid questions that shows just how little I really know about 'technical' stuff....
I know I've done it at least once before during some tech support help I was getting when I could not connect to the net a while back(it was msn ISP support and they actually helped me...after 5 or 6 calls back and a few hours on hold lol!;)

My question is...how do I boot into safe mode??


I told you I was no 'geek'......but I'm sure you already guessed that;)
thanks!

See ya.....hmac13

tb525
June 3rd, 2003, 08:59 PM
Restart the machine, As it is booting you will see it detect the drives, at that point start tapping the F8 key. Continue tapping F8 and a boot menu will appear. Choose safe mode and hit enter.

hmac13
June 3rd, 2003, 09:18 PM
THANK YOU!:D

hmac13
June 3rd, 2003, 10:26 PM
Ok tb525.,

did what you said-except when I got into the safe mode and found the:

CS4281 WDM Audio(s) there were 6 of them....

now what? delete all 6 of them?

thanks!

hmac13

PS...I'm headed out for dinner--hopefully back later;)

tb525
June 3rd, 2003, 10:31 PM
Yep, delete all of them. More than likely, that's the problem.

hmac13
June 4th, 2003, 02:23 PM
Hi tb525!
It looks like I might be done!? :D
I deleted/fixed that last line in HT as you told me to and here's the latest log file:

Logfile of HijackThis v1.94.0
Scan saved at 7:52:29 AM, on 6/4/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://gobanclick.cjb.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_3.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_3.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SO5 Integrator Pass One] C:\WINDOWS\SOINTGR.EXE
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O4 - Startup: MSN Quick View.lnk = C:\Program Files\Online Services\MSN50\MSNDC.EXE
O4 - Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe
O4 - User Startup: MSN Quick View.lnk = C:\Program Files\Online Services\MSN50\MSNDC.EXE
O4 - User Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: MSN (HKCU)
O12 - Plugin for .web: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPXara C.dll
O14 - IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1C960AA3-FAEE-11D0-9262-00A0243D2412} (TegoSoft SmartLoader ActiveX Control) - http://www.aluriasoftware.com/drspeed/TegoLoad.cab
O16 - DPF: {6FB9FE59-7D3B-483D-9909-C870BE5AFA1F} (DiskHealth Class) - http://pcpitstop.com/pcpitstop/diskhealth.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

I think there may be one more line to 'fix'? Does this one belong?

"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://gobanclick.cjb.net"


Also, everything went just the way you said it should for my sound card/driver issue...I got rid of those 6 'CS4281 WDM Audio(s)' and when I re-booted, windows did install the new driver you had me download....all by itself:)

Now I just have to download REAL again and see what happens...I'll be sure to post the results asap.

I don't know how I can ever thank you guys!? This is one great forum...that's for sure:D I'll be sure to send all my friends to cybertechhelp.com!

Many, many thanks to all of you!!

See ya.......hmac13

PS. I do have one or 2 other minor 'bugs' that could use some attention, but they can wait for now....you're probably already sick of me :-S Besides, I could use a break from all this technical stuff myself;)

tb525
June 4th, 2003, 02:42 PM
Have Hijack fix this:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://gobanclick.cjb.net


This also needs to be disabled: C:\WINDOWS\SYSTEM\ssdpsrv.exe

Go here and download and run Steve Gibson's UnPlug n' Pray utility to disable it.

http://grc.com/unpnp/unpnp.htm

hmac13
June 5th, 2003, 03:27 PM
Hi tb525!
I'm 'done' again;) (I think...you'll tell me if I'm not...right?)
here's the last HT log(I hope):

Logfile of HijackThis v1.94.0
Scan saved at 7:36:50 AM, on 6/5/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_3.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_3.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SO5 Integrator Pass One] C:\WINDOWS\SOINTGR.EXE
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O4 - Startup: MSN Quick View.lnk = C:\Program Files\Online Services\MSN50\MSNDC.EXE
O4 - Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe
O4 - User Startup: MSN Quick View.lnk = C:\Program Files\Online Services\MSN50\MSNDC.EXE
O4 - User Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: MSN (HKCU)
O12 - Plugin for .web: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPXara C.dll
O14 - IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1C960AA3-FAEE-11D0-9262-00A0243D2412} (TegoSoft SmartLoader ActiveX Control) - http://www.aluriasoftware.com/drspeed/TegoLoad.cab
O16 - DPF: {6FB9FE59-7D3B-483D-9909-C870BE5AFA1F} (DiskHealth Class) - http://pcpitstop.com/pcpitstop/diskhealth.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab


Another question for you concerning the UnPlug n' Pray utility...

To disable the file/program you/I want disabled, all I have to do is hit the button on the UnPlug n' Pray utility and when it says:
"UPnP is safely disabled"
I'm done...right? That's all there is to it?

If the answer to that question is 'yes', then I'm done...at least with that particular 'fix':)

Ok then...I had a lot of old 'real' files that I deleted and I'll try downloading the latest version (I lost my internet connection when I tried yesterday and never got back to it) and see what happens with the audio....wish me luck...I'll probably need it;)

thanks again for everything!

See ya..hmac13

tb525
June 5th, 2003, 08:23 PM
Your log is fine and yes, just push the button on UnPlug n' Pray and you're done.
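
Added example, not part of the original thread: a small Python parser that diffs the successive HijackThis logs posted above, so each "fix" can be checked against the next scan. The sample logs are excerpts trimmed from the June 3, 4 and 5 posts; the function names are this example's own.

```python
import re

# Excerpts of the three HijackThis logs posted in this thread, trimmed to a
# few lines each; the entries are copied from the posts.
HEADER = "Logfile of HijackThis v1.94.0\nScan saved at {}\n"
START_PAGE = r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://gobanclick.cjb.net"
SEARCH_ASSISTANT = r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.allcybersearch.com/ie/"
COMMON = "\n".join([
    r"O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP",
    r"O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe",
    r"O4 - Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe",
    r"O14 - IERESET.INF: START_PAGE_URL=http://msnmember.msn.com",
])
LOG_JUNE_3 = HEADER.format("7:56:24 AM, on 6/3/2003") + "\n".join([START_PAGE, SEARCH_ASSISTANT, COMMON])
LOG_JUNE_4 = HEADER.format("7:52:29 AM, on 6/4/2003") + "\n".join([START_PAGE, COMMON])
LOG_JUNE_5 = HEADER.format("7:36:50 AM, on 6/5/2003") + COMMON

# "R0 - ...", "O4 - ...", "O16 - ...": section code, then the entry detail.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
SAVED_RE = re.compile(r"^Scan saved at (.+)$")
# O4 registry autoruns: "HKLM\..\Run: [Name] command line"
O4_REG_RE = re.compile(r"^(HK\w+\\\.\.\\\w+): \[([^\]]+)\] (.+)$")
# O4 startup-folder shortcuts: "Startup: Name.lnk = target"
O4_LNK_RE = re.compile(r"^((?:User )?Startup): (.+?) = (.+)$")


def parse_log(text):
    """Return the scan timestamp and the ordered (code, detail) entries."""
    saved, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()  # forum pastes often carry stray whitespace
        m = SAVED_RE.match(line)
        if m:
            saved = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return {"saved": saved, "entries": entries}


def diff_logs(old, new):
    """Entries present only in the old scan (removed) or only in the new (added)."""
    old_set, new_set = set(old["entries"]), set(new["entries"])
    removed = [e for e in old["entries"] if e not in new_set]
    added = [e for e in new["entries"] if e not in old_set]
    return removed, added


def autoruns(log):
    """Break O4 (startup) entries into location, name and command."""
    out = []
    for code, detail in log["entries"]:
        if code != "O4":
            continue
        m = O4_REG_RE.match(detail) or O4_LNK_RE.match(detail)
        if m:
            out.append({"location": m.group(1), "name": m.group(2),
                        "command": m.group(3)})
    return out


def report(scans):
    """One block per consecutive pair of scans: '-' removed, '+' added."""
    lines = []
    for old, new in zip(scans, scans[1:]):
        removed, added = diff_logs(old, new)
        lines.append(f"{old['saved']} -> {new['saved']}")
        lines += [f"  - {c} {d}" for c, d in removed]
        lines += [f"  + {c} {d}" for c, d in added]
    return lines


if __name__ == "__main__":
    scans = [parse_log(t) for t in (LOG_JUNE_3, LOG_JUNE_4, LOG_JUNE_5)]
    print("\n".join(report(scans)))
    print("Autoruns in latest scan:")
    for item in autoruns(scans[-1]):
        print(f"  {item['location']}: {item['name']} -> {item['command']}")
```

Comparing each scan with the previous one confirms that a fixed entry is really gone and surfaces anything that was added or came back between scans.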

hmac13
June 5th, 2003, 10:01 PM
Hi tb525!

Well, I can't believe it! Do you have any idea how many other places I've been on the net to try to get the help you've given me??

Let's just say it was A LOT of different places!

Once again tb525 and everyone else who helped me and all the other cybertechhelp.com members....

THANK YOU! THANK YOU! THANK YOU!

You guys are the BEST!

Btw, I haven't gotten to the REAL download yet...but I will stop back and post results once I've got my music back:-)

see ya........hmac13

hmac13
June 10th, 2003, 02:51 PM
Hi tb525!

I bet you thought you'd heard the last of me....sorry;)

I downloaded REAL like I said I would...everything went well with the download and installation.

However, I got the very same message when I tried to listen to a CD via REAL-player...
When I first launched REAL yesterday and tried listening to one of my CD's,
I got a message telling me that REAL cannot play the CD because the sound card(I think that was what it said) was already in use by another application.

But, I just tried launching REAL again so I could give you the exact error message that was displayed yesterday-and this time it did NOT display that message....so I went on and attempted to listen to my CD.
Now there is simply no sound at all...just a lot of static noises and I really cannot tell if it's trying to play back the CD (it appears to be playing according to REAL's function display) but I hear nothing but that static--I am using headphones--the same ones I always used and worked fine prior to all the problems;)

I'm at a loss....I will try looking into REAL's help/support options, etc. and see if I can find out what's wrong, but if this all sounds familiar to you and you can help me with a quick fix...that would be lovely:)

Thanks!

See ya......hmac13

B.S.O.D Hater
June 22nd, 2003, 12:49 AM
mirc came with the trojan
many trojans use the default irc port to attack your computer remotely
thus needing an irc client of some sort

i would go to the symantec site (norton anti-virus)
& download the virus removal tools
& if you have nav or other virus scanners, then update your protection
then restart in safe mode, do a full system scan
& if no clean possible but a removal tool is capable
use it to clean the infection..

**ps** you need to download the removal tools
to a clean hard drive or they may get infected
i suggest a library, or friend's computer
then transfer to floppy disk & write protect the disk

start your computer in safe mode
then run the tools off the floppy

if the infection is too much

then a clean install would be needed

hmac13
June 22nd, 2003, 05:21 PM
Hi B.S.O.D Hater,

Thanks for your advice, but I have gotten rid of all that stuff thanks to the help of tb525 and Tony (I forget his nickname;) It's all gone and I have had no trouble since in that respect.

What I am still waiting to find out is how to get my sound card to work again....if it's even possible;) Maybe I just need a new one? I don't know.

But I'd love to have my sound/audio back and that's my main goal right now...can you help me with that, B.S.O.D Hater?? Thanks!

See ya............hmac13

tb525
June 22nd, 2003, 06:11 PM
Hi Helen, Open the device manager and click the + next to 'Sound, Video and Game Controllers'. Are there any yellow splats?

hmac13
June 22nd, 2003, 07:27 PM
Hi tb525!

As a matter of fact...YES! It is a yellow circle with a '!' inside of it, next to
"Crystal Sound Fusion CS4281 WDM Audio"

I have to leave--but I'll definitely check back later! Thanks!!

See ya...........hmac13

GretaP
June 22nd, 2003, 09:41 PM
Open Device Manager and either double-click on "Crystal Sound Fusion CS4281 WDM Audio" or single-click on it to highlight and then click on Properties button. Under the General tab, what does it say in the Device status area (middle of the window)? Also, click on the Resources tab and see if there are any items listed in the Conflicting device list field (at bottom of the window).

hmac13
June 22nd, 2003, 10:15 PM
Ok, it says:

"The NTKERN.VXD, MMDEVLDR.VXD device loader(s) for this device could not load the device driver. (Code 2)
To fix this click Update Driver to update the device driver."

I take it I should update the driver;)??

thanks....hmac13

Oooops! forgot to check the resources tab---No, there's nothing in the 'conflicting device' box.

GretaP
June 22nd, 2003, 10:38 PM
I am under the assumption that you d/loaded the zipped driver files for which tb525 posted a link. When you d/loaded this file, did you unzip the contents to a folder?
Just preparing for my instructions to you for updating the driver, and it would be helpful to know the name of the folder to which you unzipped the contents of the d/loaded file. Also, if you could, let me know where the folder is located (for example, did you d/load the file to Desktop and then unzip the contents to a folder that you created on the Desktop?).

hmac13
June 22nd, 2003, 11:15 PM
Hi GretaP,

Yes, you are correct...I d/loaded and unzipped the new driver and I think I used the 'wizard' when I unzipped it. I did a search and found it here:

C:\new drivers

That's what is in my address bar when I open the 'new driver' folder.

Is that what you need to know?

thanks...hmac13

GretaP
June 22nd, 2003, 11:32 PM
I think it is, thank you.

In order to check for certain, open the new drivers folder and check that these files are within it:
cwrwdm.inf
cwrwdm.sys
Pw5026.cat
readme.txt

If you don't see those files within this folder, do a Search for Files or Folders for Pw5026.cat and see what folder it is in.........then do a search for cwrwdm.inf and ensure that it is in the same folder as Pw5026.cat

Now, to install these drivers, open Device Manager and then open the Properties window for the sound card, like I described for you earlier. If there is a Reinstall Driver button under the General tab, click on it. If not, then click on the Driver tab and click on the Update driver button. Either method will bring up the "Update Device Driver Wizard". Click on Next button in the first window, then click in the radio button beside "Display a list of all the drivers in a specific location, so you can select the driver you want" and then click on Next. In the next window, depending on which button was available at the start (either the Reinstall Driver button or the Update Driver button):

Reinstall Driver button used.....use the scrollbar to scroll and locate Sound, video and game controllers, if it's not already highlighted, then click on Next. In the next window, click on the "Have Disk" button.

Update Driver button used......click on the "Have Disk" button.

In the "Install from Disk" window, click on the Browse button, then, in the "Open" window, at the bottom, see if drive C: is showing in the "Drives" field. If not, then click on the drop-down arrow in the "Drives" field and click on C: to select it. Then, in the "Folders" field (above the "Drives" field), use the scrollbar if necessary to locate and then double-click on "new drivers" folder (or whichever folder contained the cwrwdm.inf and Pw5026.cat files) .....look to the left in the "File name" field, and you should see a file ending in .inf (probably is cwrwdm.inf). Click on the "OK" button, then again on the "OK" button in the "Install from Disk" window.

If you used the Reinstall Drivers button at the start, then click on "Next" button in the "Update Device Driver Wizard" window. In the next window, you should see a reference to CS4281 WDM Audio and a message that "Windows is now ready to install the selected driver, etc., etc.". Click on the "Next" button, and in the next window, click on the "Finish" button. Close Device Manager and then restart your computer.

If you used the Update Drivers button at the start, you would probably be back at the "Select Device" window. Click on OK. You may get an "Update Driver Warning" window....click on "Yes" button. Click on the "Next" button, then click on the "Finish" button.

Click on Close and then Close again to close Device Manager.

Restart your computer.

hmac13
June 23rd, 2003, 02:15 AM
Here's what's in the 'new drivers' folder:

cwrwdm, cwrwdm.sys, PW5026 and readme

I did a search for PW5026.cat and the first time it found 2 files that were both labeled PW5026 (still no file extensions shown)
The 2nd time I searched for PW5026.cat it found no results.

I also searched for cwrwdm.inf and it found:

Crystal Semiconductor Corporationcwrwdm, cwrwdm and another cwrwdm (again no file extensions)

Should I go ahead with the updating or reinstalling driver??

thanks......hmac13

GretaP
June 23rd, 2003, 02:26 AM
Yes, go ahead with the reinstall, as it looks to me like the needed files are there.

It looks like you have the option to "Hide file extensions for known file types" enabled in your folder options, and that is why the files with the .inf and .cat extensions aren't showing their extensions. I prefer to have this option disabled, as I like to be able to view the file extensions. To do so, open any folder or My Computer or Windows Explorer, and in the upper menu, go to Tools>Folder Options and then click on the View tab. Scroll down, if necessary, until you locate the line "Hide file extensions for known file types", and click in the checkbox beside it in order to clear the checkmark. Click on Apply then OK.

GretaP
June 23rd, 2003, 04:31 AM
If updating/reinstalling the drivers doesn't solve the problem, I'd like you to do this:

1) Search for Files or Folders named WIN.COM
For the files named WIN.COM that are then displayed in the right pane, right-click on each and then select Properties. Under the General tab, in the "Location" field, it should say C:\WINDOWS
If there is more than one entry for WIN.COM, keep only the one that is in the C:\WINDOWS folder......delete any other entries.

2) Search for Files or Folders named KS.SYS
For the files named KS.SYS that are then displayed in the right pane, right-click on each and then select Properties. Under the General tab, in the "Location" field, it should say
C:\WINDOWS\SYSTEM32\DRIVERS
If there is more than one entry for KS.SYS, keep only the one that is in the C:\WINDOWS\SYSTEM32\DRIVERS folder....delete any other entries.

Don't empty the Recycle Bin right away....hold off until you've done a few restarts to ensure that the deletion of the files doesn't cause other problems (it shouldn't, but this is just a precaution).