Startup Problem

dalejrfan · #1 January 11th, 2004, 05:10 PM

When I startup my computer, the Windows/System folder pops up. I went to msconfig/startup and unchecked the box, but when I start internet explorer, it comes back again! What do I do?

**GretaP** · #2 January 11th, 2004, 05:27 PM

Hi dalejrfan,
What box did you uncheck in msconfig/startup that comes back again when you start Internet Explorer?

You might also navigate to C:\Windows\Start Menu\Programs\Startup and see if there is a shortcut to C:\Windows\System in the Startup folder. If so, delete the shortcut.

dalejrfan · #3 January 11th, 2004, 05:42 PM

There is nothing under "name", its says registery (per user-run) under "loaded from" and c:\windows\system under "command". I also checked and have nothing in the startup folder.

**GretaP** · #4 January 11th, 2004, 06:09 PM

When you unchecked the item in msconfig/startup, did you restart your computer before opening IE?

Also, would you d/load and run HiJackThis, close all browsers, run a scan with HiJackThis, don't fix anything just yet, but Save to log file. Copy/paste the contents of the log file here.

dalejrfan · #5 January 11th, 2004, 06:17 PM

Yes, I restarted before I opened IE. Here is a copy of the logfile. Thanks Greta for your help.

Logfile of HijackThis v1.97.7
Scan saved at 1:19:51 PM, on 1/11/04
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\GMZKCYXI.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TEMP\TD_0003.DIR\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cust...//my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_2_3_0.D LL
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL
O2 - BHO: (no name) - {FFCBEECE-FB0C-11D2-AB16-00104B9BBBD2} - C:\WINDOWS\SYSTEM\AHIEHELP.DLL (file missing)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CC8874B3-12BA-EB3A-BD35-F7B036E0F1F3} - C:\windows\system\txcfagvk.dll
O2 - BHO: (no name) - {400D2A87-E9DA-D9D5-0B6E-9682DD1ACB88} - C:\windows\system\qtlhkdmp.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [nvid] C:\WINDOWS\SYSTEM\gmzkcyxi.exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [] c:\Windows\System\
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [] c:\Windows\System\
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Dell Home (HKCU)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Help (HKCU)
O9 - Extra button: Support (HKCU)
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...swdir8d204.cab
O16 - DPF: {2FF18E20-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.01) - http://www.msnbc.com/download/nm1228.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (IPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...567.2958449074
O16 - DPF: {01112303-3E00-11D2-8470-0060089874ED} - http://www.comcastsupport.com/sdccom...ad/tgctlch.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0684dbde0d68ef1...p/RdxIE601.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/fu...tup1.0.0.5.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/w...oft/wtinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll

**GretaP** · #6 January 11th, 2004, 06:27 PM

It will take me a little while to check out the log file, so please be patient with me

**GretaP** · #7 January 11th, 2004, 07:08 PM

Okay........there are a few items that have me completely stumped, and I can't find out anything about them...namely these:

under Running processes:
C:\WINDOWS\SYSTEM\GMZKCYXI.EXE

O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL
O2 - BHO: (no name) - {CC8874B3-12BA-EB3A-BD35-F7B036E0F1F3} - C:\windows\system\txcfagvk.dll
O2 - BHO: (no name) - {400D2A87-E9DA-D9D5-0B6E-9682DD1ACB88} - C:\windows\system\qtlhkdmp.dll
O4 - HKLM\..\Run: [nvid] C:\WINDOWS\SYSTEM\gmzkcyxi.exe

I'm going to ask someone for assistance with this, as they are more familiar with these logs than I am, and may have come across these entries in their travels.

In the meantime, did you previously have @Home software installed? This entry seems to indicate that:
O2 - BHO: (no name) - {FFCBEECE-FB0C-11D2-AB16-00104B9BBBD2} - C:\WINDOWS\SYSTEM\AHIEHELP.DLL (file missing)

Run HiJackThis again, and have it fix:

O2 - BHO: (no name) - {FFCBEECE-FB0C-11D2-AB16-00104B9BBBD2} - C:\WINDOWS\SYSTEM\AHIEHELP.DLL (file missing)

O4 - HKLM\..\Run: [] c:\Windows\System\

O4 - HKCU\..\Run: [] c:\Windows\System\

After fixing, restart your computer.

Let me know whether the C;\Windows\system folder reappears at startup.

**GretaP** · #8 January 11th, 2004, 08:29 PM

Just received a response for my request for help

Have it fix these:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html

O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL

O2 - BHO: (no name) - {FFCBEECE-FB0C-11D2-AB16-00104B9BBBD2} - C:\WINDOWS\SYSTEM\AHIEHELP.DLL (file missing) (this one is legitimate but it's been corrupted, will need to reinstall if it's required - Excite/@Home ISP Proxy Software)

O2 - BHO: (no name) - {CC8874B3-12BA-EB3A-BD35-F7B036E0F1F3} - C:\windows\system\txcfagvk.dll

O2 - BHO: (no name) - {400D2A87-E9DA-D9D5-0B6E-9682DD1ACB88} - C:\windows\system\qtlhkdmp.dll

O4 - HKLM\..\Run: [nvid] C:\WINDOWS\SYSTEM\gmzkcyxi.exe

O4 - HKLM\..\Run: [] c:\Windows\System\

O4 - HKCU\..\Run: [] c:\Windows\System\

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0684dbde0d68ef...ip/RdxIE601.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/f...etup1.0.0.5.cab

Reboot and delete gmzkcyxi.exe

dalejrfan · #9 January 11th, 2004, 08:52 PM

I did all that you asked and it worked! Yes, I did have @home software, and thought I uninstalled it.

Thanks so much Greta!

Can you explain what caused this to happen?

I am so glad that I found this site. I will recommend it to my friends!

Kathy

**GretaP** · #10 January 12th, 2004, 12:19 AM

You're very welcome, Kathy.........and a big thanks to AnnMarie, too, who was the "unknown helper" with this

Apparently, even when @Home software is uninstalled, a couple of files are left behind, AHIEHELP.DLL being one of them.

As for the rest, they may have been items that were unwittingly installed when you installed some applications.