virtumonde plus



oldie98
2008-07-25, 23:15
Hello

My w98 machine has progressively slowed down until lately it barely works. I cannot now access the internet with any reliability, so am posting via a laptop. Spybot reports Virtumonde and, although it temporarily removes the registry entry, it comes back on the next bootup. Have tried VundoFix.exe (nothing found) but suspect it has been worse since then. I also suspect other problems and have had a history of Oprsrv which I've learned to deal with but it comes back after a month or so?

Have updated spybot to 1.6 per your "Before you post" page.

Any help would be much appreciated.

Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:58 AM, on 26-07-08
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\TINYSPELL\TINYSPELL.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\TMPSTART MENU\PROGRAMS\STARTUP\ISPTIMER.EXE
C:\PROGRAM FILES\ROBOMAGIC\SOCKETWATCH\SWATCH.EXE
C:\PROGRAM FILES\DESKPINS\DESKPINS.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/myhome.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [O'Reilly Utilities] "C:\Program Files\Annoyances\oraboot.exe" /init
O4 - HKLM\..\Run: [WINDVW32] rundll32 WINDVW32.DLL,irCRun
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [tinySpell] C:\PROGRAM FILES\TINYSPELL\TINYSPELL.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [tinySpell] C:\PROGRAM FILES\TINYSPELL\TINYSPELL.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [EasyDVDMon] (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User 'Default user')
O4 - .DEFAULT Startup: isptimer.exe (User 'Default user')
O4 - .DEFAULT Startup: SocketWatch.lnk = C:\Program Files\Robomagic\SocketWatch\swatch.exe (User 'Default user')
O4 - .DEFAULT Startup: opera.exe.lnk = C:\Program Files\Opera8\Opera.exe (User 'Default user')
O4 - .DEFAULT Startup: DeskPins.lnk = C:\Program Files\DeskPins\DeskPins.exe (User 'Default user')
O4 - .DEFAULT User Startup: isptimer.exe (User 'Default user')
O4 - .DEFAULT User Startup: SocketWatch.lnk = C:\Program Files\Robomagic\SocketWatch\swatch.exe (User 'Default user')
O4 - .DEFAULT User Startup: opera.exe.lnk = C:\Program Files\Opera8\Opera.exe (User 'Default user')
O4 - .DEFAULT User Startup: DeskPins.lnk = C:\Program Files\DeskPins\DeskPins.exe (User 'Default user')
O4 - Startup: isptimer.exe
O4 - Startup: SocketWatch.lnk = C:\Program Files\Robomagic\SocketWatch\swatch.exe
O4 - Startup: opera.exe.lnk = C:\Program Files\Opera8\Opera.exe
O4 - Startup: DeskPins.lnk = C:\Program Files\DeskPins\DeskPins.exe
O4 - User Startup: isptimer.exe
O4 - User Startup: SocketWatch.lnk = C:\Program Files\Robomagic\SocketWatch\swatch.exe
O4 - User Startup: opera.exe.lnk = C:\Program Files\Opera8\Opera.exe
O4 - User Startup: DeskPins.lnk = C:\Program Files\DeskPins\DeskPins.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: + &Download Express: download this file - E:\Download Express\Add_Url.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O12 - Plugin for .dwg: c:\program files\opera8\PLUGINS\npdwg32.dll
O12 - Plugin for .dxf: c:\program files\opera8\PLUGINS\npdwg32.dll
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - file://H:\controls\sdkinst.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab

--
End of file - 5322 bytes

shelf life
2008-08-03, 19:44
hi oldie98,

if you still need help. i have good and bad news. the bad news is that the optimal tools for removing vundo do not work with w98. there are some commercial ones that do but I can't say if they can remove vundo. both have free versions and are worth a try:

superantispyware:
http://www.superantispyware.com/superantispyware.html

a-squared free:
http://www.emsisoft.com/en/software/

oldie98
2008-08-04, 00:10
Many thanks for the suggestions.

Good/bad is better than no news. So will give them a try. As the forum heading suggests I have done nothing in the interim but will now try other options.

I guess w98 is too old for most but, although I recently purchased a Vista laptop, to me, many functions seem a backward step, and am more familiar with w98.

Thanks again.

shelf life
2008-08-05, 00:40
hi,

ok, good luck. if you try superantispyware you can post the log it generates like this:

After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click Yes.

To retrieve the removal information - please do the following:
* After reboot, double-click the SUPERAntispyware icon on your desktop.
* Click Preferences . Click the Statistics/Logs tab .
* Under Scanner Logs , double-click SUPERAntiSpyware Scan Log .
* It will open in your default text editor (Notepad).
* Please highlight everything , then right-click and choose copy.
* Click close and close again to exit the program.

paste the log in your reply. if it's really long you can edit out any cookies.

going from 98 to vista will be huge!

some (maybe useful) info for you:

http://windowshelp.microsoft.com/Windows/en-US/default.mspx
http://www.vista4beginners.com/tips-and-tricks
http://itsvista.com/topic/tips/
http://www.pcstats.com/articleview.cfm?articleID=2238

oldie98
2008-08-05, 13:08
Hello again

Thank you for the Vista links, they may relieve some of my current computer frustrations. With W98 I thought I was more or less in control, until this problem, but Vista seems to control me. Not nice!

Due to my machine's slow response I ran SUPERAntispyware in safe mode first, log below, and later in normal operation when it appeared to have got rid of the files and only showed the registry entries. I can add this log if helpful? It appears to me to do the same as Spybot, ie remove the registry entries which are somehow added again after reboot?

I also noted Spybot on one occasion blocked a number of attempted entries leaving the last attempt flashing and stopping anything else from running. I had to use Ctl+Alt+Del to close Spybot and I assume that's when the rogue did its dirty deed.

Below are two lines from the Spybot Resident.log, these entries are repeated many times 1 second apart. My web browser was not loaded at this time.

05-08-08 6:11:34 PM Denied (based on user blacklist) value "" (new data: "") added in Browser page!
05-08-08 6:11:35 PM Denied (based on user blacklist) value "" (new data: "") added in Browser page!


*******************************

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/04/2008 at 09:46 PM

Application Version : 4.15.1000

Core Rules Database Version : 3469
Trace Rules Database Version: 1460

Scan type : Complete Scan
Total Scan Time : 01:49:03

Memory items scanned : 67
Memory threats detected : 0
Registry items scanned : 3503
Registry threats detected : 10
File items scanned : 24036
File threats detected : 7

Trojan.Unknown Origin
HKLM\SOFTWARE\Microsoft\MSSMGR
HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd
HKLM\SOFTWARE\Microsoft\MSSMGR#PSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#SSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#SCLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#SSLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#Data
HKLM\SOFTWARE\Microsoft\MSSMGR#LSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#BSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#MSLIST

Trojan.Unclassified-Packed/Suspicious
C:\WINDOWS\SYSTEM\B4FM.DLL
C:\WINDOWS\SYSTEM\T5RDV.DLL
C:\WINDOWS\SYSTEM\CPWIUY.DLL
C:\WINDOWS\SYSTEM\ECESQ.DLL
C:\WINDOWS\SYSTEM\TOOLBARSCH.DLL
C:\WINDOWS\SYSTEM\TBSRCH.DLL
C:\WINDOWS\SYSTEM\TBSCH.DLL

shelf life
2008-08-06, 00:11
hi,

thanks for the info. have you ever reformatted your w98 machine? a reformat can only improve it. you can try this based on the log:
first to show all files in w98:

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the View menu and then click Folder Options.
4. After the new window appears select the View tab.
5. Scroll down until you see the Show all files radio button and select it.
6. Press the Apply button and then the OK button and close the My Computer window.
7. Now your computer is configured to show all hidden files.

copy/paste the list into notepad and save it, boot into safe mode and see if you can find and delete the following from the SAS scan:

C:\WINDOWS\SYSTEM\B4FM.DLL
C:\WINDOWS\SYSTEM\T5RDV.DLL
C:\WINDOWS\SYSTEM\CPWIUY.DLL
C:\WINDOWS\SYSTEM\ECESQ.DLL
C:\WINDOWS\SYSTEM\TOOLBARSCH.DLL
C:\WINDOWS\SYSTEM\TBSRCH.DLL
C:\WINDOWS\SYSTEM\TBSCH.DLL

you might try an online scan here:

ESET online scanner:

http://www.eset.com/onlinescan/

uses Internet Explorer only

check "YES" to accept terms

click start button

allow the ActiveX component to install

click the start button. the Scanner will update.

check both "Remove found threats" and "Scan unwanted applications"

click scan

when done you can find the scan log at: C:\Program Files\EsetOnlineScanner\log.txt

please copy/paste that log in next reply.

oldie98
2008-08-06, 10:49
Hello

Thanks for the ongoing assistance.

A reformat and cleanout of old software would probably be a good thing, but I guess, as always a last resort. My hard drive is about 3 years old.

It appears SUPERAntiSpyware got rid of all the suspect DLL files as a safe mode search produced nothing. In fact it does seem to be running faster. I have been unable to run the Eset online scanner, it has come up with an error three times at about 80% of the initialisation phase. I normally use Opera browser but used IE 5.5 for this. Although the Eset site gives IE 5.5 in the specification page it lists IE 6 under the documentation. I did try it successfully with IE 7 on my Vista machine.

I am reluctant to install a later IE but probably could if this would help.

Do the HKLM\SOFTWARE\Microsoft\MSSMGR registry entries indicate a problem or is this a false trail? If I remove this key with regedit it reappears with the below programs running. If any of these look suspicious I'd be happy to remove them or reinstall them.


Kernel32.dll 4.10.2222 Microsoft Corporation Win32 Kernel core component C:\WINDOWS\SYSTEM\Kernel32.dll 4.3 Microsoft(R) Windows(R) Operating System
MSGSRV32.EXE 4.10.2222 Microsoft Corporation Windows 32-bit VxD Message Server C:\WINDOWS\SYSTEM\MSGSRV32.EXE 4.0 Microsoft(R) Windows(R) Operating System
Mprexe.exe 4.10.1998 Microsoft Corporation WIN32 Network Interface Service Process C:\WINDOWS\SYSTEM\Mprexe.exe 4.0 Microsoft(R) Windows(R) Operating System
MMTASK.TSK 4.03.1998 Microsoft Corporation Multimedia background task support module C:\WINDOWS\SYSTEM\MMTASK.TSK 4.0 Microsoft Windows
Ashserv.exe 4, 8, 1169, 0 ALWIL Software avast! antivirus service C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\Ashserv.exe 4.0 avast! Antivirus
Explorer.exe 4.72.3612.1700 Microsoft Corporation Windows Explorer C:\WINDOWS\Explorer.exe 4.0 Microsoft(R) Windows NT(R) Operating System
Rpcss.exe 4.71.2900 Microsoft Corporation Distributed COM Services C:\WINDOWS\SYSTEM\Rpcss.exe 4.0 Microsoft(R) Windows NT(TM) Operating System
Ashwebsv.exe 4, 8, 1169, 0 ALWIL Software avast! Web Scanner C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\Ashwebsv.exe 4.0 avast! Antivirus
Echoctrl.exe 1, 0, 0, 1 0 EchoCtrl MFC Application C:\C-MEDIA\BIN\Echoctrl.exe 4.0 EchoCtrl Application
Mixer.exe 1.26g C-Media Electronic Inc. Mixer C:\WINDOWS\Mixer.exe 4.0 Mixer
Tinyspell.exe 1.4 KEDMI Scientific Computing tinySpell C:\PROGRAM FILES\TINYSPELL\Tinyspell.exe 4.0 tinySpell
Teatimer.exe 1, 6, 0, 20 Safer Networking Limited System settings protector C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\Teatimer.exe 4.0 Spybot - Search & Destroy
Superantispyware.exe 4, 15, 0, 1000 SUPERAntiSpyware.com SUPERAntiSpyware C:\PROGRAM FILES\SUPERANTISPYWARE\Superantispyware.exe 4.0 SUPERAntiSpyware
Msinfo32.exe 4.10.2222 Microsoft Corporation MSInfo32 C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\MSINFO\Msinfo32.exe 4.0 Microsoft System Information
Regedit.exe 4.10.1998 Microsoft Corporation Registry Editor C:\WINDOWS\Regedit.exe 4.0 Microsoft(R) Windows(R) Operating System

shelf life
2008-08-06, 23:27
hi,

thanks for the info. I wouldn't remove any registry entries. Dr.Web is worth a try, runs on w98. did you run cleanmgr? you can follow these directions on the use of Dr. Web CureIt:


http://www.bleepingcomputer.com/forums/index.php?showtopic=75739&st=0&p=416902&#entry416902

oldie98
2008-08-09, 00:06
Hello again

Dr Web looked very promising. After a 9 hour scan it had found 36 suspect items, including a DLL file in win/System folder. But that figure does include quarantined files that I guess I should have erased earlier. Unfortunately at the very end it froze the machine and left a 20 megabyte log file that I was unable to open. I panicked and restarted it for a smaller scan which over-wrote the log file. However, a manual inspection showed it had got rid of the DLL file, so I assume also the others it found.

The bad news is Spybot still reports Virtumonde?

Any suggestions. Perhaps I'll just have to reformat?

shelf life
2008-08-09, 00:33
hi oldie98,

that blows, freezing at the very end of 9 hrs. I was only suggesting a reformat because of the age of your OS. a reformat every few years can do wonders, but you said your hd was only 3 years old so I assume you re-installed w98 then and not 10 or so years ago.
if the spybot scan provides the path to the .dll or the .exe you can go after and delete them manually. most likely registry entries are harmless leftovers if the dll's and the .exe's are gone.

you can also try this, not sure if it works on w98. couldn't find any info at the website about system requirements. worth a shot anyway:

download and run vundofix.exe:

http://www.atribune.org/ccount/click.php?id=4

* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

oldie98
2008-08-09, 08:06
Hello

Below Vundofix & HJT logs. I ran Vundofix before my initial posting with the same results ie nothing found.

* * Vundofix.txt * *

Beginning removal...

Beginning removal...

* * HJT.log * *

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:22:21 PM, on 09-08-08
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\C-MEDIA\BIN\ECHOCTRL.EXE
C:\WINDOWS\MIXER.EXE
C:\PROGRAM FILES\TINYSPELL\TINYSPELL.EXE
C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/myhome.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=adext-localhost:8882
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [C-Media Echo Control] c:\c-media\Bin\EchoCtrl.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [tinySpell] C:\PROGRAM FILES\TINYSPELL\TINYSPELL.EXE
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [tinySpell] C:\PROGRAM FILES\TINYSPELL\TINYSPELL.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [SUPERAntiSpyware] C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User 'Default user')
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: + &Download Express: download this file - E:\Download Express\Add_Url.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O12 - Plugin for .dwg: c:\program files\opera8\PLUGINS\npdwg32.dll
O12 - Plugin for .dxf: c:\program files\opera8\PLUGINS\npdwg32.dll
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - file://H:\controls\sdkinst.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\PROGRAM FILES\SUPERANTISPYWARE\SASWINLO.DLL

--
End of file - 4333 bytes

shelf life
2008-08-09, 19:33
hi,

vundofix.exe: my bad. you already ran it. is spybot just finding registry entries after a scan? other than what spybot finds, any other problems like pop ups or page redirections when you're browsing?

oldie98
2008-08-10, 07:57
Hello again

Well I think I might have some good news. But first to answer your questions.

W98 was reinstalled with the new HD. I have tried not to use the W98 machine since posting in case it contributed to the problems. So have used the Vista machine for downloading files (except the OnLineScan) and transferred them with a USB stick. My Opera browser blocks unwanted pop-ups (how it knows wanted from unwanted, I've no idea) and gives me a short time to accept them, I don't! This may have happened a bit more in the last two months or so. I'm not sure? Yes, the only indication is both Spybot and SUPERAntiSpyware finding a suspect reg entry?

I have done a bit of sleuthing and a Spybot log 21/7 found Virtumonde Settings while the previous log 10/7 was clear. So I must have caught it during this time, which seems to fit with my machine slowing down. Both Spybot and SUPERAntiSpyware pointed to reg entry HKLM\SOFTWARE\Microsoft\MSSMGR (6 entries) and both removed this, but it re-appeared a short time later. So something loaded or running must have initiated it?

However, I have just run SUPERAntiSpyware again which found and deleted the above, and so far, after two reboots, it has not come back. So I am keeping my fingers crossed. I think this is the first time I have run SUPERAntiSpyware since Dr Web, so perhaps DW removed the problem but left the reg entries when it froze? I think one of the files it removed was 'windvw32.dll' dated 20/7, unfortunately I lost the log file, but in hindsight notice it's the 9th O4 item in my first HJT file but not in the second. I have checked modified files of that date and see I downloaded some small Nero files and also tried uTorrent? That was a bad idea? There are also a number of *.ico files in my browser's folder with that date. So perhaps it came in via one of these.

Here's hoping it's fixed, it is certainly faster.

I will post again in a couple of days time to report whether or not it's gone.

Thank you very much for your help, much appreciated.
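The comparison oldie98 does by eye above (an O4 entry present in the first HJT log and missing from the second) can be done in code. This is an added example, not part of the thread and not HijackThis or Spybot code: it parses the O4/R1 lines from the two logs posted in this thread, reports what disappeared and what appeared between them, and flags rundll32 entries that load a module by bare name unless the name is on a small constructed allowlist, plus any browser proxy setting that names localhost. The allowlist, the regular expressions and the flagging rules are my assumptions.

```python
import re

# Constructed excerpts: the O4/R1 lines that differ between the first and
# second HijackThis logs posted in this thread (unchanged lines omitted).
HJT_BEFORE = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [WINDVW32] rundll32 WINDVW32.DLL,irCRun
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

HJT_AFTER = r"""
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=adext-localhost:8882
"""

# Assumed allowlist: bare module names from these logs that belong to Windows
# or to software the owner installed on purpose. Extend it as names are vetted.
KNOWN_MODULES = {"powrprof.dll", "tweakui.cpl"}

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# matches "] rundll32[.exe] <module>," inside an O4 body
RUNDLL_RE = re.compile(r"\]\s+rundll32(?:\.exe)?\s+(?P<module>[^,\s]+),", re.I)
LOCAL_PROXY_RE = re.compile(r"localhost|127\.0\.0\.1", re.I)


def parse_hjt(text):
    """Return [(section code, body)] for every 'O4 - ...' style line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def diff_hjt(before, after):
    """Entries only in the older log, and entries only in the newer one."""
    old, new = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(old - new), sorted(new - old)


def flag_entries(entries, known=KNOWN_MODULES):
    """Return [(code, body, reason)] for entries worth a second look."""
    flagged = []
    for code, body in entries:
        if code == "O4":
            m = RUNDLL_RE.search(body)
            if m:
                module = m.group("module")
                # A bare name is resolved through the DLL search path, so the
                # log alone does not say which file on disk actually loaded.
                if "\\" not in module and module.lower() not in known:
                    flagged.append((code, body,
                                    "rundll32 loads unvetted module %s by bare name" % module))
        elif code == "R1" and "ProxyServer" in body and LOCAL_PROXY_RE.search(body):
            flagged.append((code, body, "browser proxy points at a localhost-style address"))
    return flagged


if __name__ == "__main__":
    gone, new = diff_hjt(HJT_BEFORE, HJT_AFTER)
    for code, body in gone:
        print("gone since first log:", code, body)
    for code, body in new:
        print("new in second log:  ", code, body)
    for code, body, reason in flag_entries(parse_hjt(HJT_BEFORE) + parse_hjt(HJT_AFTER)):
        print("CHECK (%s): %s - %s" % (reason, code, body))
```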

shelf life
2008-08-10, 16:07
hi oldie98,

ok good. you're welcome, making progress. registry entries can be harmless leftovers in some cases. you could try Dr. Web again.


"also tried uTorrent"
there is much malware distributed on p2p networks. The fact is it can be used safely, I use p2p every day. however, for the most part people that post in malware removal forums are not the most computer/malware savvy and probably shouldn't be using a p2p client as they no doubt have plenty of other opportunities to get malware and do not need another source.

you certainly appear not to be one of these posters.
I have some p2p info on my website. it's not a "how to" guide but just information.

http://www.virusvault.us/p2p.html

old site, much the same info:
http://www.nutnworks.com/SafeHex/file_sharing.htm

oldie98
2008-08-11, 23:54
We seem to have cured the patient! Have run Dr Web, Spybot and SUPERAntiSpyware, showing all clear, so am confident it is now clean. This should equip me better against any future problems.

Thank you for the P2P links. I apologise for casting ignorant aspersions on uTorrent. As always it's not the technology but how it's used or misused that's the problem. Have noticed lots of larger downloads are available via torrent so may get brave and have a cautious look in the future.

shelf life
2008-08-12, 01:51
hi oldie98,

ok good. glad to help. no need to apologize. Good luck with vista, must seem light years away from W98.


"As always it's not the technology but how it's used or misused that's the problem."
so true.

sorry no one gets away without this:

My Top Ten
The Short Version:

1) Keep your OS, (Windows) browser (IE, FireFox) and software up to date.
2) Know what you are installing to your computer. A lot of software can come with add-ons. Do you trust the source?
3) Install, keep updated: antivirus and two anti-malware applications.
4) Don't click on ads/pop ups or offers from websites to install software.
5) Don't click on offers to "scan" your computer.
6) Don't click on links or install files you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting the message. Do you trust the source?
7) Set up and use limited accounts rather than administrator accounts.
8) Consider using an alternate browser and E-mail client.
9) Install and understand the limitations of a third party software firewall.
10) If your habits include visiting or installing files from: warez, crack sites or p2p networks you are much more likely to encounter malicious code. Do you trust the source?

longer version in link below

happy safe surfing