Sorry if there has already been a thread on this.
I am operating Windows 98SE
I am having trouble w/ popups and embedded exe files in my startup.
Each time I open my browser, I get pop ups.
I run search and destroy, but they all seem to come back, even after I immunize.
As my PC boots, I go through about 20 rogue .exe files as my system "searches" for them. I cancel the search and the PC boots up.
I realize I have a few problems going on and I am wondering if there is an easy fix.
Any help will be appreciated.
Thanks in advance.

All 27 Replies

Do a virus scan using Trend Micro's HouseCall, and clear the startup folder in your start menu.

Go into your Internet Options and disable all JavaScript, and check your task list to see if any processes are spawning the windows.

No guarantees, as it could be a couple things, but please do these:

Download the latest version of Ad-Aware at http://www.lavasoftusa.com/support/download/
After installing AAW, and before running the program, FIRST update the reference file following these instructions.
http://www.lavahelp.com/howto/updref/index.html
Now do the following:
- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."
- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."
Press "Scan Now"
- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:
Now press "Next" to let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys.
Right-click in that pane and choose "select all"
Now press "Next" again.
It will ask you whether you'd like to remove all checked items. Click OK.
Finally, close Ad-Aware, and reboot.

Then:
Download 'Hijack This!'. http://www.computercops.biz/downloads-file-328.html
Unzip (extract) it to a folder of its own. Then Doubleclick HijackThis.exe (in the new folder), and hit "Scan".
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, then Ctrl-A to Select All, and copy its contents here. For HijackThis, most of what it lists will be harmless or even essential, so don't fix anything yet.
Also run Spybot again and then post the HijackThis log.

Caperjack,

I have followed your instructions.
Here is the log from HijackThis.
I have not fixed anything yet.

Logfile of HijackThis v1.97.7
Scan saved at 10:58:01 PM, on 4/11/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SYSTEM\3CMLNKW.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\HPZTSB08.EXE
C:\WINDOWS\TEMP\UHQY.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\QEP78K.EXE
C:\WINDOWS\SYSTEM\KVW1.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.we1.attbb.net
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=HPFsched
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\PROGRAM FILES\MYWAY\SRCHASTT\1.BIN\MYSRCHAS.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [3Cmlink] C:\WINDOWS\SYSTEM\3cmlnkW.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Comcast\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb08.exe
O4 - HKLM\..\Run: [BtStart] C:\Program Files\WIDCOMM\Bluetooth Software\bin\btstart.exe
O4 - HKLM\..\Run: [RUXBE] C:\WINDOWS\RUXBE.exe
O4 - HKLM\..\Run: [bwhhkxoj] C:\WINDOWS\qvlkltnp.exe
O4 - HKLM\..\Run: [BFILOSV] C:\WINDOWS\BFILOSV.exe
O4 - HKLM\..\Run: [FILI] C:\WINDOWS\FILI.exe
O4 - HKLM\..\Run: [OSVY] C:\WINDOWS\OSVY.exe
O4 - HKLM\..\Run: [CGJMPTW] C:\WINDOWS\CGJMPTW.exe
O4 - HKLM\..\Run: [ADHKNQUX] C:\WINDOWS\ADHKNQUX.exe
O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System\zzb.exe
O4 - HKLM\..\Run: [xwd] C:\WINDOWS\xwd.exe
O4 - HKLM\..\Run: [IMONW32S] C:\WINDOWS\SYSTEM\IMONW32S.exe
O4 - HKLM\..\Run: [Uhqy] C:\WINDOWS\TEMP\UHQY.EXE
O4 - HKLM\..\Run: [2TA28823BNNEPK] C:\WINDOWS\SYSTEM\PCWBKIJQ.exe
O4 - HKLM\..\Run: [H1W6I3WX.EXE] C:\WINDOWS\H1W6I3WX.EXE /dk
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System\zzb.exe
O4 - Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Startup: BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Startup: I71L86J5.lnk = C:\WINDOWS\i71l86j5.exe
O4 - Startup: H1W6I3WX.lnk = C:\WINDOWS\h1w6i3wx.exe
O4 - Global Startup: H1W6I3WX.lnk = C:\WINDOWS\h1w6i3wx.exe
O4 - Global Startup: LA00QOZD.lnk = C:\WINDOWS\la00qozd.exe
O4 - Global Startup: 3URWX6PM.lnk = C:\WINDOWS\3urwx6pm.exe
O4 - Global Startup: NEQHTCJA.lnk = C:\WINDOWS\neqhtcja.exe
O4 - Global Startup: GOCB52O4.lnk = C:\WINDOWS\gocb52o4.exe
O4 - Global Startup: ZA05KF9L.lnk = C:\WINDOWS\za05kf9l.exe
O4 - Global Startup: 0FI8G1NE.lnk = C:\WINDOWS\0fi8g1ne.exe
O4 - Global Startup: NVGJEXJ2.lnk = C:\WINDOWS\nvgjexj2.exe
O4 - Global Startup: TRKJOWGU.lnk = C:\WINDOWS\trkjowgu.exe
O4 - Global Startup: PNRUA38N.lnk = C:\WINDOWS\pnrua38n.exe
O4 - Global Startup: XXNNIF18.lnk = C:\WINDOWS\xxnnif18.exe
O4 - Global Startup: P57E0M01.lnk = C:\WINDOWS\p57e0m01.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: QIEQ8NZ2.lnk = C:\WINDOWS\qieq8nz2.exe
O4 - Global Startup: Z8OIB0ZA.lnk = C:\WINDOWS\z8oib0za.exe
O4 - Global Startup: C38YN80Y.lnk = C:\WINDOWS\c38yn80y.exe
O4 - Global Startup: VUUA25NZ.lnk = C:\WINDOWS\vuua25nz.exe
O4 - Global Startup: YCBC7I53.lnk = C:\WINDOWS\ycbc7i53.exe
O4 - Global Startup: EHDB0QNO.lnk = C:\WINDOWS\ehdb0qno.exe
O4 - Global Startup: 7V0LTQHT.lnk = C:\WINDOWS\7v0ltqht.exe
O4 - Global Startup: LW0V3Y0P.lnk = C:\WINDOWS\lw0v3y0p.exe
O4 - Global Startup: WJKYMMB0.lnk = C:\WINDOWS\wjkymmb0.exe
O4 - Global Startup: FY548ZE9.lnk = C:\WINDOWS\fy548ze9.exe
O4 - Global Startup: AQ5RLDU3.lnk = C:\WINDOWS\aq5rldu3.exe
O4 - Global Startup: E5VX9LJG.lnk = C:\WINDOWS\e5vx9ljg.exe
O4 - Global Startup: TURZPEV2.lnk = C:\WINDOWS\turzpev2.exe
O4 - Global Startup: APRRECKO.lnk = C:\WINDOWS\aprrecko.exe
O4 - Global Startup: 0II87BLZ.lnk = C:\WINDOWS\0ii87blz.exe
O4 - Global Startup: H5ZW7OEI.lnk = C:\WINDOWS\h5zw7oei.exe
O4 - Global Startup: MB08L9C2.lnk = C:\WINDOWS\mb08l9c2.exe
O4 - Global Startup: DVVOX6Y8.lnk = C:\WINDOWS\dvvox6y8.exe
O4 - Global Startup: 6TY73T1H.lnk = C:\WINDOWS\6ty73t1h.exe
O4 - Global Startup: J2O0EIWD.lnk = C:\WINDOWS\j2o0eiwd.exe
O4 - Global Startup: 7UWXDNCC.lnk = C:\WINDOWS\7uwxdncc.exe
O4 - Global Startup: LT9XHR26.lnk = C:\WINDOWS\lt9xhr26.exe
O4 - Global Startup: G4FLNBXA.lnk = C:\WINDOWS\g4flnbxa.exe
O4 - Global Startup: E7AV6AY7.lnk = C:\WINDOWS\e7av6ay7.exe
O4 - Global Startup: PQTCC3GO.lnk = C:\WINDOWS\pqtcc3go.exe
O4 - Global Startup: 6JL7UWO0.lnk = C:\WINDOWS\6jl7uwo0.exe
O4 - Global Startup: UPTATCHT.lnk = C:\WINDOWS\uptatcht.exe
O4 - Global Startup: WQW7UZLB.lnk = C:\WINDOWS\wqw7uzlb.exe
O4 - Global Startup: E4QJGWF4.lnk = C:\WINDOWS\e4qjgwf4.exe
O4 - Global Startup: C0AB3MNO.lnk = C:\WINDOWS\c0ab3mno.exe
O4 - Global Startup: R5VK50EN.lnk = C:\WINDOWS\r5vk50en.exe
O4 - Global Startup: QHD2W016.lnk = C:\WINDOWS\qhd2w016.exe
O4 - Global Startup: U2XAGYUQ.lnk = C:\WINDOWS\u2xagyuq.exe
O4 - Global Startup: QDVUQHCU.lnk = C:\WINDOWS\qdvuqhcu.exe
O4 - Global Startup: 5WTIPWBX.lnk = C:\WINDOWS\5wtipwbx.exe
O4 - Global Startup: 5TY9MTJH.lnk = C:\WINDOWS\5ty9mtjh.exe
O4 - Global Startup: VH4ALRQ8.lnk = C:\WINDOWS\vh4alrq8.exe
O4 - Global Startup: TZFHGBE7.lnk = C:\WINDOWS\tzfhgbe7.exe
O4 - Global Startup: H2IN3TBU.lnk = C:\WINDOWS\h2in3tbu.exe
O4 - Global Startup: 8GHXTVCB.lnk = C:\WINDOWS\8ghxtvcb.exe
O4 - Global Startup: QVP49MHG.lnk = C:\WINDOWS\qvp49mhg.exe
O4 - Global Startup: CTM38X1X.lnk = C:\WINDOWS\ctm38x1x.exe
O4 - Global Startup: G5ZUN5NB.lnk = C:\WINDOWS\g5zun5nb.exe
O4 - Global Startup: 81YN8NWC.lnk = C:\WINDOWS\81yn8nwc.exe
O4 - Global Startup: 8DC31ABI.lnk = C:\WINDOWS\8dc31abi.exe
O4 - Global Startup: 0R7C32G3.lnk = C:\WINDOWS\0r7c32g3.exe
O4 - Global Startup: HAJ93E4E.lnk = C:\WINDOWS\haj93e4e.exe
O4 - Global Startup: N2F0N1V0.lnk = C:\WINDOWS\n2f0n1v0.exe
O4 - Global Startup: 1CTOYN97.lnk = C:\WINDOWS\1ctoyn97.exe
O4 - Global Startup: I71L86J5.lnk = C:\WINDOWS\i71l86j5.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: @btrez.dll,-4015@1033,Send To Bluetooth (HKLM)
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017@1033,Send To &Bluetooth (HKLM)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Help (HKCU)
O9 - Extra button: Support (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38031.883275463

You have the peper trojan. Download the removal tool from http://www.memorywatcher.com/uninst.exe & let it do its thing. There will be no dialogue. Note that you must be online when you run the tool for it to be effective.

You also have the adtomi parasite. These are the full instructions for removal.

First, if you have a script-blocking program enabled, disable it so the scripts will run.

Unzip it to C:\Windows

See if there is an Adtomi or Yahoo stocks icon in your system tray; it might be a red ??, and if so, right-click and select remove. You must be online for this part.
--A web page from Adtomi would appear "-uninstall was succesful!"
Then go offline.
(note not all infections have this icon, so if it isn't there then don't worry, just continue to the next step)

Next, press Ctrl+Alt+Del once to bring up Task Manager. Look in applications for the funny-named file with 8 assorted letters & numbers, which will be listed towards the bottom of the running process list in your HijackThis log. If it isn't listed in the applications, then look in the processes tab.

In your case the file/process to stop is: C:\WINDOWS\H1W6I3WX.EXE
Then press End Task or End Process and make sure that entry has disappeared from the list.
If you can't stop it running, then DO NOT CONTINUE; please ask for more help first. There might also be morze1 running; if so, end that process as well.

Now locate and Double Click Cleanup.bat that is in the folder you unzipped ( C:\Windows\Adtomi Cleanup )

***Do not Touch the VBS files. The bat file will run the scripts.

Make sure all Browser and folder windows are closed and it will do everything automatically for you.

It will remove the Adtomi Spyware files from the Windows Folder
Clean the Startup Folders
Create Backups of the Adtomi exe files it deletes and save them in this folder
Create a list of all oddly named files deleted from the Windows Folder
Uninstall the BHO
Start HijackThis and give you directions on what to remove.

When you have finished please restart the computer.

Run HijackThis again and post the contents of your new log and the contents of Adtomi.txt in your next reply in your Forum Topic.

Thanks,

I will not be able to check on this until Tuesday.
Thanks for hanging on until then.

Have done all of this
Not so many problems
Crunchie suggested some other programs to download, "memory watcher". I downloaded this and it seems to stop at 50% complete or finishes very quickly.
I use Norton Anti-Virus and it has script blocking. Is this a safe thing to do? I am not sure.
The rest of the instructions are not clear.
Crunchie - I am supposed to download the attached files and run them?

Firedad. The program is from the memorywatcher site. It will download the peper trojan removal tool which will remove the peper trojan from your computer, but you must be on-line.
If you want to get rid of the adtomi parasite, I believe that at the moment the tool I provided is the only thing that can do it.

If you wish I can provide links on other forums where both of these have been used with success. :)

If you look through the O4 entries in your log you will see a lot of entries with gobbledygook in them. That is the Adtomi parasite. Check other logs here & you will see they are not meant to be there.
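Added example, not part of the original thread: a Python sketch that parses the O4 (autostart) lines of a HijackThis log and flags the two patterns pointed out in the replies above, a program started from a TEMP directory and a file sitting directly in the Windows directory whose name is identical to its own autostart entry. The two rules and the function names are assumptions made for this illustration, not HijackThis's own logic; the sample lines are taken from the logs posted in this thread.

```python
import ntpath
import re

# Sample input: O4/O2 lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Uhqy] C:\WINDOWS\TEMP\UHQY.EXE
O4 - HKLM\..\Run: [H1W6I3WX.EXE] C:\WINDOWS\H1W6I3WX.EXE /dk
O4 - HKLM\..\Run: [2TA28823BNNEPK] C:\WINDOWS\SYSTEM\Uah05H5X.exe
O4 - Startup: BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O4 - Global Startup: H1W6I3WX.lnk = C:\WINDOWS\h1w6i3wx.exe
O4 - Global Startup: LA00QOZD.lnk = C:\WINDOWS\la00qozd.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
"""

# Registry autoruns:  O4 - HKLM\..\Run: [ValueName] command line
REG_RE = re.compile(r"^O4 - (?P<loc>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Startup-folder shortcuts:  O4 - Global Startup: Name.lnk = target
LNK_RE = re.compile(r"^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?)\.lnk = (?P<cmd>.+)$")
# Executable part of a command line; handles quoted paths and unquoted paths with spaces.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|bat|scr|pif))(?=["\s]|$)', re.IGNORECASE)

WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system"}  # Windows 9x layout, as in the thread


def parse_o4(line):
    """Return (location, entry_name, executable_path) for an O4 line, else None."""
    m = REG_RE.match(line) or LNK_RE.match(line)
    if not m:
        return None
    exe = EXE_RE.match(m["cmd"])
    path = exe["path"] if exe else m["cmd"].split()[0].strip('"')
    return m["loc"], m["name"], path


def reasons(name, path):
    """Illustrative review rules (assumptions of this example, not a verdict)."""
    directory = ntpath.dirname(path).lower()
    stem = ntpath.splitext(ntpath.basename(path))[0].lower()
    label = re.sub(r"\.exe$", "", name, flags=re.IGNORECASE).lower()
    found = []
    if "temp" in directory.split("\\"):
        found.append("runs from a TEMP directory")
    # Legitimate software usually lives under Program Files or has a descriptive
    # entry name; a file in the Windows directory named exactly like its own
    # autostart entry is the pattern repeated dozens of times in the posted log.
    if directory in WINDOWS_DIRS and label == stem:
        found.append("self-named file in the Windows directory")
    return found


def triage(log_text):
    """Return [(location, entry_name, path, reasons)] for O4 entries worth a closer look."""
    flagged = []
    for line in log_text.splitlines():
        parsed = parse_o4(line.strip())
        if parsed is None:
            continue
        loc, name, path = parsed
        why = reasons(name, path)
        if why:
            flagged.append((loc, name, path, why))
    return flagged


if __name__ == "__main__":
    for loc, name, path, why in triage(SAMPLE_LOG):
        print(f"{loc:<16} {name:<14} {path}  <- {'; '.join(why)}")
```

The `[2TA28823BNNEPK]` entry, which a later reply identifies as the Peper trojan, passes both rules because its entry name and file name differ, so an entry that is not flagged still needs a human read of the log.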

Crunchie,

I have gone through your instructions and here is the new log. One problem is my start tray is now empty even after rebooting. How can I get these items back?

Current log:
Logfile of HijackThis v1.97.7
Scan saved at 9:36:05 PM, on 4/13/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\CYF0O.EXE
C:\WINDOWS\SYSTEM\OUWP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.we1.attbb.net
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=HPFsched
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\PROGRAM FILES\MYWAY\SRCHASTT\1.BIN\MYSRCHAS.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O4 - HKLM\..\Run: [2TA28823BNNEPK] C:\WINDOWS\SYSTEM\Uah05H5X.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: @btrez.dll,-4015@1033,Send To Bluetooth (HKLM)
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017@1033,Send To &Bluetooth (HKLM)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Help (HKCU)
O9 - Extra button: Support (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38031.883275463

That Peper trojan is still there so you will have to run the uninstaller again, making sure you are online. This is the peper entry here=
O4 - HKLM\..\Run: [2TA28823BNNEPK] C:\WINDOWS\SYSTEM\Uah05H5X.exe

Once done, close all (browser) windows & have HJT fix these entries=


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)


After you ran the adtomi remover it would have created 'Adtomi.txt'
you need to copy that & paste it back here so we can be sure no genuine files were removed.
Adtomi is now gone from your machine.

Crunchie,
Thanks for all the help. I hope I am doing this right.
Here is where I am;

Logfile of HijackThis v1.97.7
Scan saved at 11:00:24 PM, on 4/13/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.we1.attbb.net
F1 - win.ini: run=HPFsched
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\PROGRAM FILES\MYWAY\SRCHASTT\1.BIN\MYSRCHAS.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: @btrez.dll,-4015@1033,Send To Bluetooth (HKLM)
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017@1033,Send To &Bluetooth (HKLM)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Help (HKCU)
O9 - Extra button: Support (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38031.883275463


Is there some way to get my Start tray back?
It also knocked my Norton out of whack.
Firedad

Did you manage to get the Adtomi.txt file that I mentioned in my last post? I need to see that to be sure only the baddies were fixed.
That log looks clean now.

Crunchie,

I downloaded the aditome(sp) files and attempted to run those. Are they designed to run individually or are they run from the .exe files? The black screen comes up and a few clean up messages appear, but there is no indication of any back up files (.TXT) mentioned.

Hi Firedad. Just a quote from one of my previous posts;

"Now locate and Double Click Cleanup.bat that is in the folder you unzipped ( C:\Windows\Adtomi Cleanup )

***Do not Touch the VBS files. The bat file will run the scripts.

Make sure all Browser and folder windows are closed and it will do everything automatically for you."

Did you unzip the Adtomi.zip into a folder? If so, that is where all the info will be stored. If you are having trouble finding it, run a search for 'Adtomi.txt.'
Did you follow the instructions correctly & only double click on the 'cleanup.bat' file?

Crunchie,
I will try this Thursday and get back.
Thanks for being patient. First time doing this online.

Crunchie,
Here we go with the latest log

Logfile of HijackThis v1.97.7
Scan saved at 5:46:16 PM, on 4/15/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.we1.attbb.net
F1 - win.ini: run=HPFsched
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\PROGRAM FILES\MYWAY\SRCHASTT\1.BIN\MYSRCHAS.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: @btrez.dll,-4015@1033,Send To Bluetooth (HKLM)
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017@1033,Send To &Bluetooth (HKLM)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Help (HKCU)
O9 - Extra button: Support (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38031.883275463

There are 2 (O4) files still here. Are they to be deleted as well?

There is nothing in that log now that I can see. The Myway bar is optional to remove.
Did you manage to track down the Adtomi.txt file yet??

No, I did not find it. I deleted and re-downloaded the adtime.zip files you supplied earlier. This program worked better after the second download. No files w/ the adtomi.txt

Crunchie,
Is there something in this procedure that would cause my Norton Anti-Virus program to stop working? After disabling the program and then re-enabling it, an error occurred, and the Symantec program thread led to the solution for this problem, which was to reinstall. Any ideas?

That Norton problem I believe to be totally unrelated, as nothing was deleted relating to Norton. I use Norton myself & this has happened to me twice. The first time I fixed it by placing the ccApp.exe into the startup folder. The second time I reinstalled Norton.

To answer your question earlier, I did find the Adtomi.txt file. It was not in the downloaded files. Any ideas?

Can you copy the contents of the Adtomi.txt file & paste them here. That way I can make sure that only unwanted files were fixed. The program should also have made backups in the folder you unzipped it to.

Crunchie,

This is what I have found in the Adtomi.txt file:

4/15/04 5:44:20 PM
No Smaller Files Found
4/15/04 5:44:29 PM
No Larger Files Found
4/15/04 5:45:15 PM
No Smaller Files Found
4/15/04 5:45:23 PM
No Larger Files Found
4/15/04 6:54:24 PM
No Smaller Files Found
4/15/04 6:54:33 PM
No Larger Files Found

Firedad

In the same txt file there should have been entries of what it deleted above those that you posted. What is there now is good.
How is your Norton problem & the other problems you were having?

I think what has happened (& correct me if I am wrong), is that you ran the Adtomi removal program after you first downloaded it, something apparently went amiss, so you then deleted the program & re-downloaded it. Sound right?
If this is what you did, then you have also deleted all the backups it made along with the original txt file that showed what it had removed. That is why the txt file that you posted only has those entries.
When you ran the Adtomi did you remember to stop the scriptblocking in Norton as I instructed?? If not, that could be the reason for Norton's problems.
If all the original backups have been deleted, there is not much to do with Norton but uninstall/reinstall.
Let me know if what I have written is right can you plz.

You are correct sir! Carnac?? That sounds about right! I may not have stopped the script blocking, to be honest.
I will get the updated Norton and reinstall it. My subscription is up in May and they are going to give me a break in the upgrade.
Next step is to prevent this from happening again. I need to look at my Linksys router and see if the firewall is set up.
CRUNCHIE - Thanks so much for all your help. As I said before, this is the first time I used any forum for help and was a bit afraid of "online" help. All of you who helped were great!
Firedad

No problems at all, glad to help.

Crunchie ( or anyone else)

It is I, firedad again...
My daughter's machine may have the same problem as in the previous posts. Can you look at the log, see if I have the same problem as before, and give suggestion(s) for repair?
I have downloaded Ad-Aware and HijackThis, but I would rather get additional advice (hand holding) before I continue.
Thanks

Logfile of HijackThis v1.97.7
Scan saved at 9:59:39 PM, on 5/30/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\STENTEST\POSTAPP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\CARPSERV.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\LJPBMZEJ.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
C:\PROGRAM FILES\QUICKENW\QWDLLS.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: load=C:\STENTEST\POSTAPP.EXE
F1 - win.ini: run=HPFsched
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - C:\WINDOWS\SYSTEM\IEENHA~1.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\Run: [afwyoxj] C:\WINDOWS\SYSTEM\ljpbmzej.exe
O4 - HKLM\..\Run: [L8] C:\WINDOWS\TEMP\L8.EXE
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\SYSTEM\Adstartup.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Startup: IomegaWare.lnk = C:\Program Files\Iomega\Iomegaware\COMMANDER.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37885.6577430556
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/190ce9257c91b5a75f05/netzip/RdxIE601.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.exe
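
A first-pass triage of a HijackThis log like the one posted above, as an added example that is not part of the thread or any poster's code. The function names and the three heuristics (target file absent, autorun launched from a TEMP directory, ActiveX download with no source URL or a bare-IP source) are assumptions chosen for illustration; a flag means "review this entry by hand", not a verdict.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a handful of lines taken from the log posted above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL (file missing)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [L8] C:\WINDOWS\TEMP\L8.EXE
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/190ce9257c91b5a75f05/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # e.g. "O4 - HKLM\..\Run: ..."
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def review_reasons(code, rest):
    """Return the (assumed) heuristics that one log entry trips."""
    reasons = []
    if rest.endswith(("(file missing)", "(no file)")):
        reasons.append("target file absent")
    if code == "O4" and "\\TEMP\\" in rest.upper():
        reasons.append("autorun from temp directory")
    if code == "O16":  # ActiveX (Downloaded Program Files) entries
        url = re.search(r"https?://\S+$", rest)
        if url is None:
            reasons.append("no source URL recorded")
        elif IPV4.match(urlparse(url.group()).hostname or ""):
            reasons.append("source is a bare IP address")
    return reasons

def triage(log_text):
    """Parse a HijackThis log; return (code, reason, entry) per flagged entry."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if m is None:
            continue  # header lines, running-process paths, blank lines
        code, rest = m.groups()
        findings += [(code, r, rest) for r in review_reasons(code, rest)]
    return findings

if __name__ == "__main__":
    for code, reason, rest in triage(SAMPLE_LOG):
        print(f"REVIEW {code}: {reason}: {rest}")
```

Entries that trip no heuristic can still be unwanted, so the output narrows where to look first rather than replacing a line-by-line read of the log.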
