Can't remove win32/GaelicumA
Original Message
Name: bccamper
Date: September 15, 2006 at 17:37:49 Pacific
Subject: Can't remove win32/GaelicumA
OS: Win98SE
CPU/Ram: P-III 350/64
Model/Manufacturer: Daiwa/DW-992K
Comment: I have a machine that I am using AVG with and it is reporting a lot of files with the GaelicumA virus but AVG does not seem to remove it. I have also tried SQUARED-A with no success. I wanted to try Trend Micro's online scan but I am unable to load Java as it fails every time I try to install it.
Response Number 1
Name: jabuck
Date: September 15, 2006 at 19:14:30 Pacific
Reply: Please post a Hijack This log so that the files associated with the virus/spyware/hijacker can be identified. Please download HJTsetup.exe from this link http://www.thespykiller.co.uk/files/HJTsetup.exe to your desktop. Doubleclick on the HJTsetup.exe icon on your desktop. By default it will install to C:\Program Files\Hijack This. Continue to click "next" in the setup dialogue boxes until you get to the "Select Addition Tasks" dialogue. Put a check by "Create a desktop icon" then click "Next" again. Continue to follow the rest of the prompts from there. At the final dialogue box click "Finish" and it will launch Hijack This. Click on the "Do a system scan and save a logfile" button. It will scan and the log should open in notepad. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log and post it in this thread.
Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.
Response Number 2
Name: Johnw
Date: September 15, 2006 at 19:15:18 Pacific
Reply: Are you trying to install this Java (I use it)? http://java.com/en/index.jsp
Plenty of other online sites. Here is a range of free online sites to clean up your comp. Use at least 2 from each group.
http://kaspersky.com/kos/english/kavwebscan.html
http://www3.ca.com/virusinfo/virusscan.aspx
http://housecall.antivirus.com/
http://www.coledata.com/virusalert.htm
http://www.cybertechhelp.com/html/misc/av.php
http://www.pandasoftware.com/products/spyxposer/com/spyxposer_principal?NRMODE=Published&NRORIGINALURL=%2fproducts%2fspyxposer%2f&NRNODEGUID=%7bAD6F1F54-25E0-4160-81ED-7F8C6F9C77ED%7d&NRCACHEHINT=Guest/
http://www.pandasoftware.es/activescan/activescan-com.asp
http://www.bitdefender.com/
http://www.pcpitstop.com/antivirus/default.asp
http://virusscan.jotti.dhs.org/
http://virusscan.jotti.org/
http://www.virustotal.com/flash/index_en.html
DrWeb CureIT
http://www.klitetools.com/comments.php?id=2088&catid=46&highlight=Dr.Web+CureIT%21
http://www.klitetools.com/comments.php?catid=46&shownews=2088
http://download.drweb.com/win/

Free online trojan scan
http://www.trojanscan.com/
http://www.pcflank.com/
http://www.spywareinfo.com/xscan.php
http://www.windowsecurity.com/trojanscan/

Free online Spyware detector
http://www.pestscan.com/
http://home.ca.com/dr/v2/ec_main.entry25?page=freePestPatrolScan&client=ComputerAssociates&sid=35715&CID=188513
http://www.spywareguide.com/txt_onlinescan.html
http://www.webroot.com/services/spyaudit_03.htm
http://download.zonelabs.com/bin/promotions/spywaredetector/index_za.html
Or, http://www.spywareinfo.com/xscan.php
Screen for Adware, Spyware, Scumware, Diallers, 'Jackers and other unsolicited commercial software. This scanner is an ActiveX applet. After a short delay in which your browser downloads the control file, you will receive a "Warning Dialogue" requesting permission for the scanner to run. Click "Yes" and the applet will pop up and scan. You will be alerted if any spyware is found. When a spyware or malware is found, you will be alerted and asked if you want to remove it. If no spyware is found, the scanner will disappear on its own. If nothing happens, or if you are using a browser other than Internet Explorer, click here and choose either "Open" or "Run this program from its current location". Do not choose "Download".
http://www.xblock.com/download/xclean_micro.exe
Response Number 3
Name: bccamper
Date: September 15, 2006 at 19:53:41 Pacific
Reply: Here is the log from hijackthis;

Logfile of HijackThis v1.99.1
Scan saved at 7:52:33 PM, on 15/09/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\A-SQUARED ANTI-MALWARE\A2GUARD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winse...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winse...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
F1 - win.ini: run=c:\windows\speedy.pif
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Spees1] C:\WINDOWS\Speedy.scr
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [a-squared] "C:\PROGRAM FILES\A-SQUARED ANTI-MALWARE\a2guard.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O13 - WWW. Prefix: http://
Response Number 4
Name: jabuck
Date: September 15, 2006 at 20:32:40 Pacific
Reply: Please reboot your computer in Safe Mode by doing the following:
Restart your computer. After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; when it boots follow any prompts. Or follow these directions to boot into safe mode: How to boot into safe mode

Once in safe mode run Hijack This, close all windows except Hijack This, then place a check to the left of the following items and press "fix checked":
F1 - win.ini: run=c:\windows\speedy.pif
O4 - HKLM\..\Run: [Spees1] C:\WINDOWS\Speedy.scr

Exit Hijack This but remain in safe mode. Navigate to and delete these files if found:
c:\windows\speedy.pif
C:\WINDOWS\Speedy.scr

Reboot to normal mode. Go start> settings> control panel> Internet Options > General tab. Delete temporary internet files - choose 'delete all Offline content'. Clear out all Cookies other than those needed for logon. Empty the C:\Windows\temp folder and C:\temp folder, if you have one. Empty Recycle Bin (make sure there is nothing in there you need).

Run this free online scan from Panda. When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to the desktop, then copy/paste into the text editor and post it.
Response Number 5
Name: bccamper
Date: September 16, 2006 at 15:39:31 Pacific
Reply: I ran the hijack in safe mode, fixed the two entries, rebooted to normal mode, deleted cookies, and temporary files including offline content. I then deleted everything from the windows temp directory except for the directories temporary internet files, history and cookies. I then went to pandasoftware to run the scan. I clicked on scan free and another window comes up asking me for my country, province and email and another scan button. I filled out the 3 fields and click the scan button but nothing happens. I should also mention that even before I did the stuff you asked me to do, I am getting a message when I go to web sites that seem to need to download something. The message is 'To display this page correctly you need to download and install the following component. loading.....please wait'. It never gives me a component name. Instead I get another window that says; 'Installation of the component failed. Please try again later or choose windows update under the internet explorer tools menu to install this component.' I tried to go to windows update and I get the same two dialogue boxes. I continued and tried to scan for updates but the page never goes above 0%.
Response Number 7
Name: jabuck
Date: September 16, 2006 at 17:45:14 Pacific
Reply: Sounds like your java needs to be updated so that active x will work. This could be an all night download for dial-up. Should an interruption occur just go back and restart the download; it should pick back up at the point of interruption and continue to download. Go to the following link http://www.java.com/en/download/index.jsp and download Java Runtime Environment Version 5.0 Update 6, then try to run Panda again.
Response Number 8
Name: bccamper
Date: September 16, 2006 at 17:53:27 Pacific
Reply: I tried installing java before but every time I try I get the following message; To restart the Java(TM) installer, please refresh the web page. Is it time for me to just bite the bullet and format and reinstall?
Response Number 9
Name: jabuck
Date: September 16, 2006 at 18:03:40 Pacific
Reply: Please try to download it from the link provided. It sounds as though you may have been on the old version 1.4 web start page, although I can't be sure. I wouldn't format just yet. Before you try the download post a new Hijack This log please.
Response Number 10
Name: bccamper
Date: September 16, 2006 at 18:10:57 Pacific
Reply: Hi Jabuck, I did try to download it from exactly the link you gave me. Would it be worth it to try to download it on another machine and then copy it to this machine and try to install? Here is the latest hijack log.

Logfile of HijackThis v1.99.1
Scan saved at 6:07:11 PM, on 16/09/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\A-SQUARED ANTI-MALWARE\A2GUARD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winse...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winse...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
F1 - win.ini: run=c:\windows\natal!.pif
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [a-squared] "C:\PROGRAM FILES\A-SQUARED ANTI-MALWARE\a2guard.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O13 - WWW. Prefix: http://
Response Number 11
Name: bccamper
Date: September 16, 2006 at 18:30:05 Pacific
Reply: Jabuck, I tried a different approach. I went to the java link you gave me and did a manual download. I downloaded and saved the offline install (16MB). When I try to run this it starts to install but gets to a point where it says configuring windows installer. After about 15 seconds the install quits.
Response Number 12
Name: jabuck
Date: September 16, 2006 at 18:47:29 Pacific
Reply: The virus is mutating as shown on your Hijack this log here:
F1 - win.ini: run=c:\windows\natal!.pif

This program, DR. Web. CureIT (as Johnw mentioned above), should run on 98 so run it. Doubleclick the drweb-cureit.exe file and Allow to run the express scan. This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.

Once the short scan has finished, mark the drives that you want to scan. Select all drives. A red dot shows which drives have been chosen. Click the green arrow at the right, and the scan will start. Click 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, look if you can click the next icon next to the files found. If so, click it and then click the next icon right below and select Move incurable. This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured (this in case we need samples).

After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list. Save the report to your desktop. The report will be called DrWeb.csv. Close Dr.Web Cureit.

Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot. After reboot, post the contents of the log on your desktop.
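An added example, not from the thread: a small Python script that parses HijackThis 1.99 logs like the ones posted in this thread (even when a forum has flattened them onto one line), diffs their load-point entries between two scans so a change such as speedy.pif becoming natal!.pif stands out, and flags the kind of entries jabuck picked out (win.ini run= lines and Run-key targets that are .pif/.scr files). The two sample logs are constructed, abridged from the 15/09 and 16/09 logs bccamper posted; the triage heuristics are this example's own, not HijackThis's.

```python
"""Parse HijackThis 1.99 logs and diff their load-point entries between scans.

Added example (not from the thread): the sample logs below are constructed,
abridged from the logs posted in the thread; the heuristics are this example's.
"""
import os
import re
from typing import Dict, List, Set, Tuple

# HJT section codes that describe load points on Win9x: win.ini / system.ini
# run and load lines (F1-F3), Run / RunServices registry keys (O4) and
# downloaded ActiveX objects (O16).
AUTOSTART_SECTIONS = {"F1", "F2", "F3", "O4", "O16"}
# Extensions that are rarely legitimate as a Run-key target (heuristic).
SUSPECT_EXTENSIONS = {".pif", ".scr", ".bat"}

# Every HJT entry starts with a section code ("R1", "F1", "O4", ...) and " - ".
# Anchoring on that lets us split a log even after a forum flattened it.
ENTRY_RE = re.compile(r"(?:^|(?<=\s))([RFNO]\d{1,2}) - ")


def split_entries(log: str) -> List[Tuple[str, str]]:
    """Return (section, text) pairs in log order; header/process lines are skipped."""
    matches = list(ENTRY_RE.finditer(log))
    entries = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(log)
        entries.append((m.group(1), log[m.end():end].strip()))
    return entries


def run_target(o4_text: str) -> str:
    """Image an O4 entry launches: the part after '[Name] ', minus quotes/arguments."""
    cmd = o4_text.split("] ", 1)[1] if "] " in o4_text else o4_text
    if cmd.startswith('"'):                 # quoted path containing spaces
        return cmd[1:].split('"', 1)[0]
    parts = cmd.split()                     # unquoted: first token is the image
    return parts[0] if parts else ""


def autostart_entries(log: str) -> Set[str]:
    """Normalised set of load-point entries, e.g. 'O4 - HKLM\\..\\Run: [x] y'."""
    return {f"{sec} - {text}" for sec, text in split_entries(log)
            if sec in AUTOSTART_SECTIONS}


def diff_logs(before: str, after: str) -> Dict[str, List[str]]:
    """Load points that vanished or newly appeared between two scans."""
    b, a = autostart_entries(before), autostart_entries(after)
    return {"removed": sorted(b - a), "added": sorted(a - b)}


def flag_suspicious(log: str) -> List[str]:
    """Heuristic triage: any win.ini/system.ini run line (rarely legitimate on a
    home Win98 box) and any Run-key target that is a .pif/.scr/.bat file."""
    flagged = []
    for sec, text in split_entries(log):
        if sec in ("F1", "F2", "F3"):
            flagged.append(f"{sec} - {text}")
        elif sec == "O4":
            ext = os.path.splitext(run_target(text))[1].lower()
            if ext in SUSPECT_EXTENSIONS:
                flagged.append(f"{sec} - {text}")
    return flagged


# Constructed sample logs, abridged from the thread and flattened as a forum would.
LOG_BEFORE = (r"Logfile of HijackThis v1.99.1 Scan saved at 7:52:33 PM, on 15/09/06 "
              r"Platform: Windows 98 SE (Win9x 4.10.2222A) Running processes: "
              r"C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\EXPLORER.EXE "
              r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winse... "
              r"F1 - win.ini: run=c:\windows\speedy.pif "
              r"O4 - HKLM\..\Run: [SystemTray] SysTray.Exe "
              r"O4 - HKLM\..\Run: [Spees1] C:\WINDOWS\Speedy.scr "
              r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP "
              r'O4 - HKLM\..\Run: [a-squared] "C:\PROGRAM FILES\A-SQUARED ANTI-MALWARE\a2guard.exe" '
              r"O13 - WWW. Prefix: http://")
LOG_AFTER = (r"Logfile of HijackThis v1.99.1 Scan saved at 6:07:11 PM, on 16/09/06 "
             r"Platform: Windows 98 SE (Win9x 4.10.2222A) Running processes: "
             r"C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\EXPLORER.EXE "
             r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winse... "
             r"F1 - win.ini: run=c:\windows\natal!.pif "
             r"O4 - HKLM\..\Run: [SystemTray] SysTray.Exe "
             r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP "
             r'O4 - HKLM\..\Run: [a-squared] "C:\PROGRAM FILES\A-SQUARED ANTI-MALWARE\a2guard.exe" '
             r"O13 - WWW. Prefix: http://")

if __name__ == "__main__":
    for kind, items in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(kind + ":")
        for item in items:
            print("   ", item)
    print("flagged in latest log:", flag_suspicious(LOG_AFTER))
```

Comparing each new log against the previous one this way shows immediately that the worm re-created its win.ini run line under a new name after the first fix, which is what prompted the move to a full Dr.Web scan.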
Response Number 13
Name: bccamper
Date: September 16, 2006 at 20:30:31 Pacific
Reply: I downloaded and ran CureIT. It did not find any viruses in memory. It is scanning all the drives now but it is taking quite a while. Interestingly enough, it hasn't found anything yet. Could it be that AVG is wrongly reporting viruses? For the most part the machine is running fine other than AVG keeps reporting files with viruses.
Response Number 15
Name: jabuck
Date: September 16, 2006 at 21:32:34 Pacific
Reply: No, it's definitely a worm. After the Dr.Web CureIT program is through go to start> settings> control panel> folder options> Select the View Tab> In the Hidden files section select Show all files> Click OK.

Reboot to safe mode and run hijack this and remove this item:
F1 - win.ini: run=c:\windows\natal!.pif

Exit Hijack This. Navigate to and delete these files if found:
c:\windows\natal!.pif
c:\windows\natsin.gay
c:\windows\natsout.gay
c:\windows\newton.gay
c:\windows\natlog
c:\windows\natlog2

Next open notepad (Start Menu > Run > Type "notepad" without the quotes and press "ok"). Copy and paste everything into notepad between the x's making regedit4 the top line.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4

; regedit needs the full root key name; a value set to "-" is deleted on merge
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"4wd!!!"=-
"ScrSvrOld"=-
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Goto File on the top bar and choose Save As, Change the Save As Type to All Files, Name it Fix.reg then save it to your desktop. Double click Fix.reg (or right click and choose Merge) and it will ask if you want to merge the contents into the registry, choose Yes and the reg entry should be removed. Post a new Hijack This log please.
Response Number 16
Name: bccamper
Date: September 16, 2006 at 21:56:04 Pacific
Reply: I had already removed the natal!.pif using hijack this when I found it before. I hope this was okay. There are no files in the windows directory that begin with nat* or new*. Sorry, is the last character in the reg entries a dash or an underscore?
Response Number 18
Name: bccamper
Date: September 16, 2006 at 22:43:22 Pacific
Reply: Yes I did. Here is the new hijack log

Logfile of HijackThis v1.99.1
Scan saved at 10:41:12 PM, on 16/09/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winse...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winse...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O13 - WWW. Prefix: http://
Response Number 20
Name: bccamper
Date: September 16, 2006 at 23:07:42 Pacific
Reply: I tried downloading java again. This is the url I ended up at; http://www.java.com/en/download/win... Again I got the same message about refreshing the web page to restart the java installer. Here is a new hijack log;

Logfile of HijackThis v1.99.1
Scan saved at 11:07:19 PM, on 16/09/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winse...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winse...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O13 - WWW. Prefix: http://
Response Number 23
Name: bccamper
Date: September 16, 2006 at 23:39:27 Pacific
Reply: I removed the O13 but I am still unable to install java. Here is the latest hijack log file.

Logfile of HijackThis v1.99.1
Scan saved at 11:38:54 PM, on 16/09/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winse...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winse...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
Response Number 25
Name: Johnw
Date: September 17, 2006 at 00:05:17 Pacific
Reply: bccamper said > I tried downloading java again. This is the url I ended up at; http://www.java.com/en/download/win...

Did you follow the instructions on that page? "If you encounter an error, check the top of the browser (see image above) for a yellow bar that reads "This site might require the following ActiveX control: J2SE Runtime Environment 5.0 Update 6 from 'Sun Microsystems, Inc.'. Click here to install..." Click the yellow bar and choose "Install ActiveX Control..." to allow installation to proceed."
Response Number 26
Name: nick (by nick_1211)
Date: September 17, 2006 at 08:02:20 Pacific
Reply: JohnW said: "Put the exact Java error message into a search engine such as Google. You may be able to get more info from the Event viewer. HOW TO: View and Manage Event Logs in Event Viewer in Windows XP http://support.microsoft.com/defaul..."

Johnw, in the HJT log he has Windows 98SE, not Windows XP; if 98SE had an Event viewer, I actually would be amazed. I'm like Curious George, but my name's Nick.
Response Number 28
Name: bccamper
Date: September 17, 2006 at 12:07:44 Pacific
Reply: Hi guys, I have some things to do today so I won't be able to get back to this until later tonight or tomorrow. I will try fixing the internet explorer and see what happens.
Response Number 29
Name: Johnw
Date: September 17, 2006 at 15:36:44 Pacific
Reply: bccamper said > I will try fixing the internet explorer and see what happens.

As you are using IE6, to me it appears a simple matter of clicking on the yellow bar & giving your popup blocker permission.
Response Number 30
Name: bccamper
Date: September 18, 2006 at 12:21:14 Pacific
Reply: I am not at the machine right now but no, that isn't the problem. On the java download page they referred to that as a possibility and I am familiar with the yellow bar that wants to download an active x control. However I have only ever seen that in WinXP.
Response Number 33
Name: bccamper
Date: September 18, 2006 at 19:04:48 Pacific
Reply: It tells me that IE cannot be repaired. Please run setup again to reinstall all components. Should I download IE 6 again and reinstall?
Response Number 37
Name: bccamper
Date: September 18, 2006 at 20:36:35 Pacific
Reply: Here is the panda log;

Incident Status Location
Spyware:spyware/harnig Not disinfected c:\windows\LOAD.EXE
Spyware:Cookie/Tribalfusion Not disinfected C:\Windows\TEMP\Cookies\anyuser@tribalfusion[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Windows\TEMP\Cookies\anyuser@ads.pointroll[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Windows\TEMP\Cookies\anyuser@com[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Windows\TEMP\Cookies\steve@tribalfusion[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Windows\TEMP\Cookies\steve@2o7[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Windows\TEMP\Cookies\anyuser@2o7[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Windows\TEMP\Cookies\anyuser@microsofteup.112.2o7[1].txt
Response Number 38
Name: jabuck
Date: September 19, 2006 at 04:11:48 Pacific
Reply: Reboot into safe mode. Navigate to and delete this file if found: c:\windows\LOAD.EXE Set up the computer to view hidden files.
Response Number 39
Name: bccamper
Date: September 19, 2006 at 07:28:09 Pacific
Reply: Morning Jabuck, I wanted to add that I was also able to get the windows update to come up and install every update that was available other than the language updates. I will remove the load.exe. Any idea why Panda did not report the files as having viruses when AVG does? I should add too, the amount of times AVG pops up showing a file having a virus seems to be decreasing.
Response Number 40
Name: jabuck
Date: September 19, 2006 at 15:15:48 Pacific
Reply: Load.exe is the virus (Nimda-A Worm most likely). Needs to be removed right away. Once you remove it run the panda scan again and post the results please.
Response Number 41
Name: bccamper
Date: September 19, 2006 at 16:28:43 Pacific
Reply: Hi jabuck, I deleted the load.exe and now I am trying to run the panda scan again. I am getting the following error;

An error has occurred downloading Panda ActiveScan. Please repeat the process. If the error occurs again, restart your system and try again. Possible causes of this error are: Not allowing the application's ActiveX control to be downloaded. Problems with the Internet connection. The error could be due to a download error or an installation error due to lack of hard disk space, privileges etc.,...

I am going to try and reboot but I doubt that is going to help. I am including another HJT log for you to view;

Logfile of HijackThis v1.99.1
Scan saved at 4:28:17 PM, on 19/09/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winse...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winse...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/active...
Response Number 42
Name: jabuck
Date: September 19, 2006 at 16:33:29 Pacific

Reply: Try repairing IE 6.0 again, the virus may have been corrupting it. I don't see anything in the Hijack This log that looks like a problem.
Response Number 45
Name: bccamper
Date: October 3, 2006 at 09:20:16 Pacific

Reply: Hi Jabuck, Sorry I ended up with two family members in the hospital, one seriously. I hope to get back to this machine tonight. I hope you are still around to help me.
Response Number 46
Name: bccamper
Date: October 5, 2006 at 21:29:15 Pacific

Reply: Jabuck, I finally got back to looking at this machine tonight. I tried to run Panda and was unsuccessful with the same issue as before. I tried downloading and installing Java, again with the same problem as before. So I then tried to reinstall IE 6.0. Now when I restart the computer it gets to a point where it just seems to hang. If I go to Task Manager the only process is Explorer and it does not say it is not responding. I hope you are still around to try and help me. Sorry I had to abandon this forum for a while.
Response Number 47
Name: jabuck
Date: October 6, 2006 at 10:46:38 Pacific

Reply: What has happened is that when you "updated" after reinstalling IE6.0 a file was overwritten causing the same problem. Are you using the computer now to post the last message?
Response Number 50
Name: bccamper
Date: October 7, 2006 at 11:11:29 Pacific

Reply: Jabuck, I did an over-the-top install of Win98 and I can now get Windows started again. So I am now back to the point where I had to leave for the family emergency.
Response Number 51
Name: bccamper
Date: October 7, 2006 at 13:53:10 Pacific

Reply: Here is a new Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 1:52:22 PM, on 07/10/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winse...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winse...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\sc
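A reviewer's first pass over a HijackThis log like the ones posted in this thread usually means splitting the log into its sections and picking out the autostart items to check by hand. The script below is an added example, not code from the thread or from HijackThis itself. Its sample log is constructed from entries quoted in the posts above, and its three heuristics (an image launched from the per-user Startup folder, the same image running more than once, and O4 Run/RunServices entries given as a bare file name that Windows resolves through the search path) are assumptions about what deserves a second look, not a verdict on any file.

```python
"""Added example: parse a HijackThis v1.99 log and list autostart items a
reviewer would inspect first.  Heuristics are the editor's own assumptions."""
import re
from collections import Counter

# Constructed sample, assembled from entries quoted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 1:52:22 PM, on 07/10/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/active...
"""

# "O4 - <hive>: [<name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Every item line starts with its section tag: R1, F0, O2, O4, O16, ...
SECTION_RE = re.compile(r"^([RFO]\d+) - ")


def parse_hjt(text):
    """Return (processes, entries): the 'Running processes' list and a list
    of (section, line) tuples for every R/F/O item in the log."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        m = SECTION_RE.match(line)
        if m:
            in_procs = False          # first item line ends the process list
            entries.append((m.group(1), line))
        elif in_procs:
            processes.append(line)
    return processes, entries


def review(processes, entries):
    """Apply the three review heuristics; returns a list of (kind, detail)."""
    findings = []
    # 1. Image launched from the per-user Startup folder.
    for p in processes:
        if "\\STARTUP\\" in p.upper():
            findings.append(("startup-folder", p))
    # 2. Same image running more than once.
    for img, n in Counter(p.upper() for p in processes).items():
        if n > 1:
            findings.append(("duplicate-process", f"{img} x{n}"))
    # 3. O4 entry given as a bare file name (no drive or directory): the
    #    loader resolves it through the search path, so a same-named file
    #    earlier in that path would run instead of the intended one.
    for section, line in entries:
        if section != "O4":
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        exe = m.group("cmd").split()[0]
        if "\\" not in exe and ":" not in exe:
            findings.append(("bare-filename", f"[{m.group('name')}] {exe}"))
    return findings


def review_log(text):
    """Convenience wrapper: parse and review a whole log in one call."""
    return review(*parse_hjt(text))


if __name__ == "__main__":
    for kind, detail in review_log(SAMPLE_LOG):
        print(f"{kind:18s} {detail}")
```

Run it over a full log with `review_log(open("hijackthis.log").read())`; every finding is a pointer to an entry to verify by hand (location on disk, file properties, scanner results), and a clean entry that trips a heuristic is expected, not an error.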