still infected after removal
Vic 970
05-03-2005, 04:45 PM
Hi there folks, I've not been around for a while due to pressures of other things, but have looked in now and again.
I have just been attacked by a virus, so my main PC is down and I'm on my laptop.
The first sign was that ZoneAlarm reported a changed program when Outlook attempted to access the net. AVG was run, and restart.exe was found and 'vaulted'; there were two other restarts in there from previous attacks which I had long forgotten, so I deleted all three. AVG was run again and came up clear. I ran Ad-Aware (clear), then EasyClean, then Windows Update; however, I still had my suspicions, as the PC refused on two occasions to boot up, and then the internet was freezing the screen, requiring a reboot. I did an online scan from HouseCall, which found JAVA_BYTEVER.A, which it could not clean but deleted. I googled this virus and checked for any infected files, but there were none. The PC seemed to run OK; then the problems started again. There is nothing found by AVG or Ad-Aware, and ZoneAlarm now reports the BT dialler (my normal provider) as a new program, so I refused permission for it to access, and got onto the web by Wanadoo (ISP kept in reserve), but I cannot get a HouseCall virus check as the screen freezes so far through it. I have Windows on its own partition (C:) and have a copy of that partition (although it is some months old). I am thinking of copying my emails to a PST file, then formatting the partition and copying over the backup using the Seagate HDD utility. The only things are that I will have some updating to do, but more importantly I am a little concerned, as Outlook seems to be amongst the affected items, and at this point the virus/malware has not been identified.
Luckily my documents and other data are on other partitions.
I am looking for some thoughts, suggestions and advice.
david eaton
05-03-2005, 05:43 PM
HijackThis time, methinks!
Please download http://www.merijn.org/files/hijackthis.zip
Copy it into its own folder, double-click HijackThis.exe, and hit "Scan and save log".
When the scan is finished, the log will open in Notepad. Do Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential; don't fix anything yet.
Vic 970
05-03-2005, 06:49 PM
Hi David,
thanks for the quick reply. Log follows...
Logfile of HijackThis v1.99.1
Scan saved at 22:48:19, on 03/05/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\CARD READER\SHWICON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\U-STORAGE TOOLS2.70\USTORAGE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\BT YAHOO! INTERNET\DIALBTYAHOO.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\EN-GB\MSNTB.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [ShowIcon_The Company_USB Storage Device Ver. 1.3] "C:\Program Files\Card Reader\shwicon.exe" -t"The Company\USB Storage Device Ver. 1.3"
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [BTopenworld] "C:\PROGRAM FILES\BT YAHOO! INTERNET\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [USTORAG] c:\program files\u-storage tools2.70\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tools2.70
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunOnce: [MRUBlaster] C:\PROGRAM FILES\MRU-BLASTER\indexcleaner.exe -CC
O4 - HKCU\..\Run: [TClockEx] C:\PROGRAM FILES\TCLOCKEX\TCLOCKEX.EXE
O4 - HKCU\..\Run: [Eraser] C:\PROGRAM FILES\ERASER\ERASER.EXE -hide
O4 - Startup: MRU-Blaster.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O8 - Extra context menu item: &Check Spelling - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLOPTION.HTM
O8 - Extra context menu item: Download using Download &Express - file://C:\WINDOWS\SYSTEM\MetaProducts\Add_Url.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmtrans.html
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O9 - Extra button: PRDIE - {CD996360-E11A-11D7-AFC5-444553540000} - C:\PROGRAM FILES\PRIVACY DEFENDER\PRD.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www.pcpitstop.com/antivirus/PCPAV.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c5.cab
david eaton
05-04-2005, 04:22 PM
Nothing obvious in your log.
Try using the BT dialler again, and permitting it access if ZoneAlarm pops up a warning. See if that will allow you to complete a scan at HouseCall.
Vic 970
05-04-2005, 05:23 PM
ZA has been updated, which I forgot about in the confusion; I am pretty sure that is why the new program messages. Anyway, I have given BT access, but the online scan only runs about halfway, then the screen freezes. I tried another online scan, but it stopped at '32 files scanned'.
deddard
05-04-2005, 07:50 PM
You could try downloading something like Stinger, disabling System Restore, booting into Safe Mode and scanning your system - this may help.
Edit: Or I could try reading the HJT log and realise you are using Win 98!
sea69
05-04-2005, 09:09 PM
Try running the new Ad-Aware: http://www.lavasoftusa.com/software/adaware/
I think Blaster's a trojan that's "supposed" to help... others disagree. Also, I'd lose the toolbars to Google; if you need Google a lot, just make it your start page.
;)
Budfred
05-04-2005, 11:13 PM
You have a few things that do need to be fixed in HJT... Please open a scan and put checks by:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M...e/bridge-c5.cab
Close all open windows except HJT and click Fix checked...
Reboot and post a fresh log... There are other scans we can run if you are still having problems...
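The triage above is done by eye: read the R/O lines, spot the ActiveX download (O16) from a site the user never meant to visit, and the empty Local Page values. As an added example (not code from the thread or from HijackThis), the script below does that first pass mechanically: it parses the R/O entries of an HJT log and flags O16 controls fetched from hosts outside an allowlist, O16 controls that registered no name, and empty R0 values. The sample log lines are copied from the logs posted in this thread; TRUSTED_DPF_HOSTS and the three rules are assumptions made for the example, and the allowlist would need to be built per machine.

```python
"""Triage a HijackThis log the way a helper does by eye.

Flags:
  * O16 (Downloaded Program Files / ActiveX) entries pulled from a host
    outside an allowlist of sites the user is known to have used,
  * O16 entries that registered no control name,
  * R0 entries whose value is empty (the Local Page lines).

SAMPLE_LOG lines are copied from the logs posted in this thread.
TRUSTED_DPF_HOSTS is an assumption made for this example, not something
HijackThis ships with.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Assumption: hosts this user deliberately fetched ActiveX controls from,
# taken from the harmless O16 lines in the thread. Anything else gets a look.
TRUSTED_DPF_HOSTS = {
    "register.btinternet.com", "www.pcpitstop.com", "tools.ebayimg.com",
    "a840.g.akamai.net", "www.pandasoftware.com", "www.drivershq.com",
    "messenger.msn.com",
}

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.*)$")
# HJT writes "{CLSID} (Friendly Name) - url"; a control with no name has
# nothing between the CLSID and the dash.
NAMED_DPF_RE = re.compile(r"\}\s+\(")
# Tolerate the [url]...[/url] BBCode residue forum archives add around links.
URL_RE = re.compile(r"(https?://\S+?)(?:\[/url\])?$")


@dataclass
class Entry:
    code: str   # "R0", "O16", ...
    body: str   # text after "O16 - "
    line: str   # raw line, for the report


def parse_log(text: str) -> List[Entry]:
    """Return the R/O entries; the header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            entries.append(Entry(m["code"], m["body"], raw))
    return entries


def dpf_url(entry: Entry) -> Optional[str]:
    """The .cab URL of an O16 entry, with any [url]...[/url] residue removed."""
    m = URL_RE.search(entry.body)
    return m.group(1) if m else None


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (reason, raw_line) pairs for entries a helper would check."""
    findings = []
    for e in parse_log(text):
        if e.code == "O16":
            url = dpf_url(e)
            host = urlparse(url).hostname if url else None
            if host and host not in TRUSTED_DPF_HOSTS:
                findings.append(("O16 DPF from unexpected host " + host, e.line))
            if not NAMED_DPF_RE.search(e.body):
                findings.append(("O16 DPF with no control name", e.line))
        elif e.code == "R0" and e.body.endswith("="):
            findings.append(("empty IE Local Page value", e.line))
    return findings


# Constructed sample: a handful of lines from the two logs in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows 98 SE (Win9x 4.10.2222A)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - [url]http://register.btinternet.com/templates/btwebcontrol023.cab[/url]
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab[/url]
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - [url]http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c5.cab[/url]
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - [url]http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab[/url]
"""

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}:\n    {line}")
```

On the sample it reports the empty Local Page value, the unnamed windupdates.com control (twice: unexpected host and no name) and the freedom.net cssweb.cab control, which are the same four lines the helpers picked out across the two logs. The allowlist approach is deliberate: with O16 entries, what matters is where the .cab came from, not whether the CLSID is on a blocklist, since the same control can be re-hosted anywhere.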
Vic 970
05-06-2005, 04:07 PM
I have 'repaired' the said items in HijackThis, and have downloaded Ad-Aware SE, which when run found 2 items, i.e.:
WinAD - data miner - in windows/system/ide 21201.vxd
and a URL link (possible hijack attempt) in Windows Favourites.
I have eliminated these, but still the online anti-virus will not complete; but worse, the PC now fails to boot, and/or freezes and/or graphics fail.
I will try again, and if successful will post the new HijackThis log.
Vic 970
05-06-2005, 06:27 PM
Ad-Aware SE has since found 'Alexa', which has now been eliminated. Graphics have now come back to normal, but still freezing up when doing an online scan or even HijackThis. The following scan was achieved in Safe Mode.
Logfile of HijackThis v1.99.1
Scan saved at 22:14:35, on 06/05/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=http://www-cache.freeserve.com:8080;http=http://www-cache.freeserve.com:8080
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\EN-GB\MSNTB.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [ShowIcon_The Company_USB Storage Device Ver. 1.3] "C:\Program Files\Card Reader\shwicon.exe" -t"The Company\USB Storage Device Ver. 1.3"
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [BTopenworld] "C:\PROGRAM FILES\BT YAHOO! INTERNET\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [USTORAG] c:\program files\u-storage tools2.70\ustorage.exe sys_auto_run C:\PROGRAM FILES\U-STORAGE TOOLS2.70
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunOnce: [MRUBlaster] C:\PROGRAM FILES\MRU-BLASTER\indexcleaner.exe -CC
O4 - HKCU\..\Run: [TClockEx] C:\PROGRAM FILES\TCLOCKEX\TCLOCKEX.EXE
O4 - HKCU\..\Run: [Eraser] C:\PROGRAM FILES\ERASER\ERASER.EXE -hide
O4 - Startup: MRU-Blaster.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O8 - Extra context menu item: &Check Spelling - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLOPTION.HTM
O8 - Extra context menu item: Download using Download &Express - file://C:\WINDOWS\SYSTEM\MetaProducts\Add_Url.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmtrans.html
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O9 - Extra button: PRDIE - {CD996360-E11A-11D7-AFC5-444553540000} - C:\PROGRAM FILES\PRIVACY DEFENDER\PRD.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www.pcpitstop.com/antivirus/PCPAV.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
Budfred
05-06-2005, 11:31 PM
Your log looks clean, so we need to go deep...
Try running an MWavScan... It will produce a log in the lower right hand corner and you will need to use Ctrl-C to copy the bottom part of it that has the bad items and then paste it here for review....
http://www.mwti.net/antivirus/free_utilities.asp
It will suggest that you buy the product to fix what it finds, but that is not necessary... Just post the bad part of the scan and we will deal with it...
Please download RootkitRevealer.exe and unzip it into a folder. Run a scan and produce a log...
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
When it is done, go to File and select Save...
Include the log in your next reply.
Do not worry if there are a large number of items, this is normal.
It is a deep scan which will take a considerable amount of time; I suggest you disconnect from the internet and leave the PC alone until it's finished.
To reduce the size of the log posted here, please edit out items that appear in these folders if there are some:
C:\RECYCLER\NPROTECT
C:\System Volume Information
before you post the log....
Vic 970
05-08-2005, 12:51 PM
Well, after repeatedly running programs like Ad-Aware, AVG, Spybot etc., and finding Alexa several times and deleting same (others were found also but reported as not such a serious threat; all were deleted), yesterday the PC started to behave something like normally; my graphics etc. had now all returned to normal.
I ran the MWAV scan, which on the first scan found a virus (which I think was Alexa), but the scan did not complete. Running Ad-Aware again allowed me to delete the virus, and the last scan which managed to complete showed up 4 more viruses, but reported them as marked 'not a virus'.
??????????????????
I then unzipped RootkitRevealer, but the PC refused to reboot, and when eventually it did, the graphics had gone again. Trying to open RootkitRevealer results in 'program has performed an illegal operation', and I can no longer get onto the internet.
I have noticed a suspicious zip file in Windows internet logs, i.e. VSMON_2nd_2005_05_07_14_55.dmp.zip, and today I have received a suspected virus in MailWasher from 'The Support Team' telling me that I am sending out spam and to run the attached file 'setup.exe' to rid my PC of trojans.
Yes, well. Aren't computers fun.
Budfred
05-08-2005, 02:05 PM
Well, I really hope you didn't run that 'setup.exe', if you did, you probably do have a trojan now...
I apologize about RootKitRevealer, it is not designed to run on Win98... It shouldn't have caused any problems though, it should have just failed to run...
Alexa is going to keep coming back if you use IE, it is pretty minor and comes with using IE...
It would help if you post the bad section of the MWavScan... I don't have a good picture of what is going on without the data...
I am not sure what this is, but it looks like it is probably a log that is zipped to send somewhere for the VSMon program:
VSMON_2nd_2005_05_07_14_55.dmp.zip
You can probably delete it if you can find it...
It might also be a good idea to run a trojan scan... Use the trial version of either TrojanHunter or TDS3... Be sure to update as you install and let it fix what it finds....
http://www.trojanhunter.com/
http://tds.diamondcs.com.au/
Steve
05-08-2005, 02:22 PM
VSMON_2nd_2005_05_07_14_55.dmp.zip ...
is a ZoneAlarm log file. You should be able to delete it without problems.
Vic 970
05-08-2005, 03:57 PM
I have not run 'setup.exe'; it is still on the server, viewable with MailWasher. The VSMON zip has been deleted (thanks for the info, Steve; it was in fact with the ZA logs).
MWav results.
File C:\WINDOWS\COMMAND\EBD\EBD.CAB tagged as not-a-virus:Tool.DOS.Restart. No Action Taken.
File C:\WINDOWS\Downloaded Program Files\btwebcontrol.dll tagged as not-a-virus:RiskWare.Dialer.BT.a. No Action Taken.
File C:\WINDOWS\Downloaded Program Files\cssweb.dll infected by "not-a-virus:AdWare.CSSWeb.b" Virus. Action Taken: No Action Taken.
File C:\Program Files\MP3 Player Tools V3.0\sys\ebd.cab tagged as not-a-virus:Tool.DOS.Restart. No Action Taken.
File H:\WINDOWS\COMMAND\EBD\EBD.CAB tagged as not-a-virus:Tool.DOS.Restart. No Action Taken.
END:::
The BT dialer could be the one for my ISP, but there was an entry in HJT of 'reinstall BT dialer', and it was the BT dialer that was one of the first notable effects. I do not know whether this is significant; it is just giving me a headache at the moment.
BTW, I am back online, but graphics have gone, and although I am able to access HouseCall, the scan fails so far through without finishing, which requires a reboot.
I am still trying to figure out what it was that brought my graphics back yesterday.
Budfred
05-08-2005, 05:07 PM
There is one thing there that needs to be fixed... Use HJT to fix this:
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/...cabs/cssweb.cab
Then find and delete this:
C:\WINDOWS\Downloaded Program Files\cssweb.dll
You have a number of optional programs running that could be causing some conflicts as well... If you still have problems after fixing this stuff, we can take a look at those...
Vic 970
05-08-2005, 07:03 PM
TrojanHunter found cssweb.100.dll and renamed same. I ran HijackThis and fixed the other reference. I reset my graphics etc. and all seemed normal again. However, IE caused a 'fatal exception' when I tried to connect, so I attempted a repair through Add/Remove, only for it to freeze part way through. On the 5th attempt the repair completed, but then I experienced freezing on boot-up in the MRU scanner. Eventually managed to boot, but am still getting a fatal exception on IE.
I am just doing an AVG AV scan, and that too has frozen. (I am currently on the laptop.) In fact everything (after boot) is freezing.
Budfred
05-08-2005, 07:17 PM
One possibility is that you simply have a hardware problem... Have you tried just running the computer for a while without doing any security scans... If it works okay that way, it probably is still a security issue.... If it doesn't you may need to start checking for heat, power supply and so on to see if that is the problem...
Sylvander
05-10-2005, 06:27 AM
How about running Windows "setup.exe" to "repair" the installation?
I doubt if it could do any harm and it may do some good.
At least it will make sure that all the necessary Windows files are present and no spurious effects from something like that are confusing the issue.
I'd have thought you'd have a clean backup you could restore [after a zero-fill, repartition & reformat]?
If that didn't fix it you'd KNOW it's not a software problem.
Vic 970
05-10-2005, 01:53 PM
Hi Sylvander, how are you?
The system is possibly stable enough at present to run setup.exe, so I might try that. I do have a backup which is now a few months old; I have not done a more recent one as nothing material has been added. However, there is a lot of email stuff in Outlook which I need, and therein lies the problem. I did, however, copy this to a CD last night (would you believe 99 MB). I'm just concerned that there are no nasties amongst that. I need to import that data to a spare PC just to check before I do anything else.
I managed to do a virus check at HouseCall last night which came up clear, and the PC was running OK. It did, however, freeze this evening on boot-up, but is now working again. It seems that it doesn't like being checked but is OK otherwise.
Most of my data is on other partitions and is backed up anyway, so my only concerns are the emails and addresses.
Sylvander
05-10-2005, 04:17 PM
Hi Vic, it was a pleasant surprise to see your name on a thread.
I decided to phone you but couldn't find your number.
Was I wrong in thinking I had that?
Nice to hear you have some options available for recovery. :)
Have you seen my saved spiel?
All the data I have that change day by day [or are considered vital] are re-homed on another physical drive [although another partition would do].
When I "jump back" I still have up to date:
a. My Documents. [Use “TweakUI” to move their home]
b. E-mails for all identities. [use the email client to move their home]
c. Internet Explorer Favourites. [Use “TweakUI” to move their home]
d. Temporary Internet Files. [use the browser (Internet Explorer) to move them]
e. Re-home the Windows Address Book as shown here http://tinyurl.com/24q6l . Use the key “HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab FileName” to specify its new address. [Its normal home address [in Win98] is C:\WINDOWS\Application Data\Microsoft\Address Book\(the name you gave your PC).WAB]
f. Any other storage of data files you wouldn’t want to “jump back”.
Since I composed that I've acquired a newer PC [still tinker with the old one].
On my old PC I used the old 1.2GB HDD to hold the above files, so I could repartition the master HDD and didn't lose any of it.
On this newer PC I only have one [new 80GB] internal HDD, but have acquired an external housing [connected using USB 2.0] and fitted the old 8GB IDE HDD into that to hold backups.
Do you have a means to scan the data on the CD for infection?
Since you have that backup you could begin anew.
Zero fill the drive & repartition [if you think it prudent], reformat, restore the clean backup, and copy over your data. It doesn't take too long to do. The zero fill may take longer than most, but you could do other things while that's in progress. It's all interesting anyway, and good practise.
There have been some weird & wonderful close shaves that my backups have got me out of. :)
I've never found myself in a software fix they couldn't help me escape from [where appropriate].
I was surprised to see you with the problem of an infection you couldn't easily solve. I thought you were a backup believer. :D
Vic 970
05-10-2005, 05:12 PM
It seems a while now since we experimented with backups, and yes, I still believe in them, and it looks like you have gone a long way to establishing the principle which we were pursuing of having the O/S on one drive and everything else safely on another. The beauty of this is that a large drive can contain all of the valuable data whilst a small drive containing the O/S is the only one at risk; another small drive containing a replica can be stored for emergency, and in any event it would not be such a big job to re-install the O/S.
My O/S is on a partition of my main drive (40 GB), and I have a 5 GB and an 8 GB, each of which has a replica of the O/S which can be copied over using the HDD manufacturer's program (in this case Seagate, which is very good), but I didn't get to safeguarding my emails (which were not at that time all that important), and due to other commitments I have not gone any further.
Last night and tonight the PC 'seems' to be running reasonably, but I have always found that '98 on this PC (which I upgraded to 1200 when the m/b failed) will only run 2-3 hours before it crashes anyway, but I think that there is too much scrap on it anyway, as the other PCs here (notably 2 old Compaqs) seem to go on indefinitely without any problems.
I will see how it goes for a few days, then when all is settled (hopefully) I will look into moving 'the rest of the stuff' onto other partitions. I may still try using a small HDD as well (just for the O/S), providing I can find the time.
I'm pretty sure that you did have my phone number, as I seem to recall you ringing me whilst we were linked via Messenger, and me being on dial-up you just got the engaged tone (LOL).
I will email you, as I am sure that you have wondered where I have been.
Sylvander
05-11-2005, 08:03 AM
"a small drive containing the o/s is the only one at risk"
I really like the idea of using a small, fast separate physical HDD to hold "Windows" and "Program Files".
"another small drive containing a replica can be stored for emergency & in any event it would not be such a big job to re-install the o/s."
I can see that this is low cost [the copying prog is free], but is it easy to do? You'd need 3 HDD's! Is it easy to reformat the Primary Master [yes] and copy the contents of the backup drive over to that? Or is it necessary to switch jumpers? [don't like that] And then you can only have 1 or 2 backups. With other methods you can make as many backups as you like. I have 3 on CD's, and more on the external [USB2 connected] HDD.
It would be great if an old small HDD could be put to use to hold the OS [but it's too slow methinks], and a new larger HDD used to hold all the data.
I see you are using 2 [older, slower?] HDD's to hold backup copies. Pretty good use for those eh? Some would say new drives are cheap to buy, but I hate to see the oldies go to waste.
Vic 970
05-11-2005, 04:09 PM
"a small drive containing the o/s is the only one at risk"
"I really like the idea of using a small, fast separate physical HDD to hold 'Windows' and 'Program Files'."
"another small drive containing a replica can be stored for emergency & in any event it would not be such a big job to re-install the o/s."
"I can see that this is low cost [the copying prog is free], but is it easy to do? You'd need 3 HDD's! Is it easy to reformat the Primary Master [yes] and copy the contents of the backup drive over to that?"
Yes, using the HDD manufacturer's s/w. It probably helps if the HDDs are the same make; mine aren't, but I haven't found any problems.
"Or is it necessary to switch jumpers? [don't like that]"
No, set them all to cable select.
"And then you can only have 1 or 2 backups."
Why?
"With other methods you can make as many backups as you like. I have 3 on CD's, and more on the external [USB2 connected] HDD."
I still have backups on CD and on other partitions.
"It would be great if an old small HDD could be put to use to hold the OS [but it's too slow methinks], and a new larger HDD used to hold all the data."
"I see you are using 2 [older, slower?] HDD's to hold backup copies. Pretty good use for those eh? Some would say new drives are cheap to buy, but I hate to see the oldies go to waste."
I have also thought of dedicating HDDs to various tasks, e.g. one for internet and email, another for general data, one for music, one for photos, one for games, etc. This way none would get bogged down by loads of programs and (should) run smoother because of it. This would be easy to do (in my case) as I have no HDD fitted, just a home-made shelf on the bottom which holds the HDD (temporarily). I expect you to think "what about updating all the O/Ss, as there would be one on each HDD?", but would that be necessary? Most of the updates that we do are to protect from the internet, so there not being internet access on these dedicated drives, why should they not continue to do whatever they have been doing?