Please check HJT log


Relztrah
08-23-2004, 05:29 PM
There are some suspicious things going on with a computer here. Please look at the following HJT log for any nasties.

Logfile of HijackThis v1.98.2
Scan saved at 4:21:38 PM, on 8/23/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Iomega Watch.lnk = C:\Program Files\Iomega\Tools\iowatch.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\imgstart.exe
O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\imgicon.exe
O4 - Startup: Refresh.lnk = C:\Program Files\Iomega\Tools\refresh.exe
O4 - Startup: HighStream Turbo.lnk = C:\WINDOWS\EXPLORER.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\PROGRA~1\WINZIP\wzqkpick.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: WebMaster ChatNow Client - http://68.16.242.2:8000/java/chatnow.cab

Steve
08-23-2004, 08:04 PM
Hi Relztrah,

That log looks pretty clean. I can't identify this entry:

O4 - Startup: HighStream Turbo.lnk = C:\WINDOWS\EXPLORER.EXE

What kinds of problems are you having?

Donn
08-23-2004, 08:29 PM
I believe Highstream is his ISP.

I'm curious about why he has LoadPowerProfile twice when, if memory serves me, it isn't even essential. Is that correct?

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

Please tell-- what are the specific symptoms?

Budfred
08-23-2004, 08:55 PM
Even if this is an ISP, there is no reason for it to be running here:

O4 - Startup: HighStream Turbo.lnk = C:\WINDOWS\EXPLORER.EXE

The other items you mention, Donn, are legit and optional...

Symptoms would be helpful....

Steve
08-23-2004, 09:14 PM
Donn,

It's common to find LoadPowerProfile listed twice on a Win 98 machine.

That O4 entry is odd though.

Relztrah
08-24-2004, 04:57 PM
Highstream is the e-mail service that the woman using this computer uses. She goes to their Web page and checks her e-mail online. So perhaps it puts something in the registry???

The only suspicious thing I noticed is that the home page moved which to me is always a sign of spyware. I installed and ran Spyware Blaster, Ad-Aware and Spybot S&D so maybe that got rid of it.

Thanks,
Relztrah

Steve
08-24-2004, 06:18 PM
OK. That explains the O4 entry. The log looks good. Running updated AdAware and Spybot scans clears a lot of problems. As long as the start page stays where you want it, I'd say you're looking good.
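A small triage helper for the two points raised in this thread (a Startup-folder shortcut that launches EXPLORER.EXE, and LoadPowerProfile listed in both Run and RunServices), added here as an example and not part of any post. The O4 lines are copied from the original log; the allowlist of Win98 duplicates follows Steve's remark, and the set of shell binaries is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the O4 (autostart) lines from the HijackThis log posted above.
HJT_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: HighStream Turbo.lnk = C:\WINDOWS\EXPLORER.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\PROGRA~1\WINZIP\wzqkpick.exe
"""

# Registry autostarts: "O4 - HKLM\..\Run: [Name] command"
REG_RE = re.compile(r"^O4 - (HK[A-Z]+\\\.\.\\\w+): \[([^\]]+)\] (.+)$")
# Startup-folder shortcuts: "O4 - Startup: Name.lnk = target"
LNK_RE = re.compile(r"^O4 - (Startup): (.+?) = (.+)$")

# Names Win98 legitimately lists in both Run and RunServices (per the thread).
EXPECTED_WIN98_DUPLICATES = {"loadpowerprofile"}
# Assumed list: shell binaries a third-party Startup shortcut would not normally launch.
SHELL_BINARIES = {"explorer.exe", "rundll32.exe", "rundll32"}


def parse_o4(log):
    """Return (location, name, command) for each O4 line; other lines are ignored."""
    entries = []
    for line in log.splitlines():
        m = REG_RE.match(line) or LNK_RE.match(line)
        if m:
            entries.append(m.groups())
    return entries


def review_o4(log):
    """Apply the thread's two checks and return human-readable findings."""
    entries = parse_o4(log)
    findings = []
    locations = defaultdict(list)
    for loc, name, _cmd in entries:
        locations[name.lower()].append(loc)
    for name, locs in locations.items():
        if len(locs) > 1:
            note = "expected on Win98" if name in EXPECTED_WIN98_DUPLICATES else "review"
            findings.append(f"duplicate [{name}] in {' and '.join(locs)}: {note}")
    for loc, name, cmd in entries:
        exe = cmd.rsplit("\\", 1)[-1].split()[0].lower()  # basename, arguments dropped
        if loc == "Startup" and exe in SHELL_BINARIES:
            findings.append(f"startup link '{name}' launches {exe}: unusual target, review")
    return findings
```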