Task Manager Help and CoolWebSearch


Name: Greg Pluta
Date: June 16, 2004 at 12:38:50 Pacific
OS: Windows 98
CPU/Ram: Intel pentium II Processo
Comment:

Hey, I need help. Whenever I start my computer and open my task manager box, I have all these programs such as scanregw. I wanna make these programs stop appearing. And before, I used to have CoolWebSearch. I used Merijn's HijackThis and deleted it, but whenever I use Ad-aware and scan my computer, it says the program is still there. I need to know how to delete it manually AND how to make the unknown programs stop appearing in my task manager window. Any help will be appreciated. Email me back or post a reply here.
Thanks





Response Number 1
Name: jboy
Date: June 16, 2004 at 13:45:52 Pacific
Reply:

Go to Merijn's download page and get CoolWebShredder.

Scanregw is pretty essential to your computer's continued good health - you should leave it enabled.

It creates a backup of the registry and allows you to restore things when there are problems.


We have nothing against ideas. We're against people spreading them. - General Augusto Pinochet of Chile


0

Response Number 2
Name: mesich
Date: June 16, 2004 at 14:27:45 Pacific
Reply:

Hi Greg, jboy, hello everyone

I agree with jboy on running CWShredder.

ScanregW.exe should not be listed within the Task Manager. ScanregW.exe runs when starting Windows; however, it should not be continually running in the background.

For example, if I set a batch file to run before Windows loads, the .bat file runs and closes out.

It is the same concept with scanregw.exe. The executable is launched and run. Upon completion, the program closes out and is no longer running as a "Task".

I speculate you have a Trojan or Virus that's identifying itself as scanregw.exe such as the one described in this link.

I suggest you run an On-Line Virus Scan.

Post back with the results of the On-Line Scan.

Best Regards,
Mesich


0

Response Number 3
Name: jboy
Date: June 16, 2004 at 15:32:50 Pacific
Reply:

Ah, excellent point Mesich (and my error).

I was confusing disabling the entry in msconfig with what Greg had actually posted - sure, there should be no such process running in the background.


We have nothing against ideas. We're against people spreading them. - General Augusto Pinochet of Chile


0

Response Number 4
Name: Greg Pluta
Date: June 16, 2004 at 15:37:59 Pacific
Reply:

When I tried running the On-Line Virus Scan, a message popped up saying "Your current security settings prohibit running ActiveX controls on this page. As a result, the page may not display correctly." I will soon try the CW Shredder, thanks. By the way, Scanregw is not the only program that appears. In my next post I will post them. Thank you for the help so far.


0

Response Number 5
Name: Greg Pluta
Date: June 16, 2004 at 15:43:02 Pacific
Reply:

OK, I ran CWShredder. Then I ran Ad-aware and I don't have it on my system anymore! Thank you so much, but I am still concerned about the unknown programs. After I get a reply for this post, I will reboot my computer and then post the names of the other programs. You guys have been a great help. Thanks


0




Response Number 6
Name: mesich
Date: June 16, 2004 at 15:49:53 Pacific
Reply:

Hi jboy, hello everyone

jboy,

Thank you.

It is so easy to miss things as such especially when the author of a trojan or virus uses an "impersonated Windows file" to launch their garbage.

I certainly appreciate you sharing your vast knowledge and time with myself, and everyone here.

Best Regards,
Mesich



0

Response Number 7
Name: Greg Pluta
Date: June 16, 2004 at 15:52:22 Pacific
Reply:

OK, I rebooted my system and immediately after my icons showed up I opened my task manager. Here are some of the programs I saw: Pcciomon, Rundll32, Qttask, Taskmon, and <unknown>. I also saw Scanregw, but from what you guys told me it doesn't matter. Can you guys please look into this and see if there's anything I can do to manually delete these viruses, or give me a link to a place that deletes viruses, parasites, and trojans. OK, thanks. Any help will be appreciated.


0

Response Number 8
Name: jboy
Date: June 16, 2004 at 15:55:42 Pacific
Reply:

Aw, Mesich - likewise (and then some)


Yes, CoolWebSearch is one of the nastier ones - thankfully we have Merijn's Shredder. Sorry about my earlier bad advice - a virus scan is still indicated, although you'll need someone more conversant with IE to advise you on your security settings.

Scanregw does matter - as Mesich pointed out, it should execute and exit - yours may be an imposter.

Some various sites to check your running programs list:

TaskList

Sysinfo

Startup List


We have nothing against ideas. We're against people spreading them. - General Augusto Pinochet of Chile


0

Response Number 9
Name: mesich
Date: June 16, 2004 at 16:05:42 Pacific
Reply:

Hi Greg, jboy, hello everyone

I highly suggest getting the On-Line Virus Scan completed.

Try the following and then run the scan:

In Internet Explorer select Tools and Internet Options

Click on the Security tab

Select the globe icon named Internet Zone

Click on Custom Level

Scroll down to the ActiveX controls and plug-ins section

Under Download signed ActiveX controls select Prompt

Under Run ActiveX controls and plug-ins select Enable

Under Script ActiveX controls marked safe for scripting select Enable

Click OK

Click OK

Before performing the above and running the virus scan, post back with a HijackThis log.
It will allow us to see the registry entries, if they exist, that are referenced in msconfig-startup.

You can get it here.

Best Regards,
Mesich


0

Response Number 10
Name: jboy
Date: June 16, 2004 at 16:10:48 Pacific
Reply:

PCCIOMon.exe: Real-time background antivirus scanning task from the PC-cillin antivirus software

Qttask: System Tray access to Apple's "Quick Time" viewer from version 5 onwards

<unknown> seems suspicious(?)

Taskmon: Related to the W32.MyDoom virus. Located in "C:\Windows\System\" on Windows 95/98/Me

That one could be bad - if it's in c:\windows then it's a normal (although possibly unwanted) process.


We have nothing against ideas. We're against people spreading them. - General Augusto Pinochet of Chile


0

Response Number 11
Name: Greg Pluta
Date: June 16, 2004 at 16:19:06 Pacific
Reply:

This is what I got for hijackthis:

Logfile of HijackThis v1.97.7
Scan saved at 6:15:56 PM, on 6/16/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCPFW.exe
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMPROXY.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\TASKMON.exe
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.exe
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\D\HIJACKTHIS.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\SYSTEM\STOPZILLABHO.DLL
O2 - BHO: (no name) - {C6EA5A8D-8B01-4498-8B9A-B40AA281035F} - C:\PROGRAM FILES\RETSINA SOFTWARE\IEJET\POPKILLER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.exe" -atboottime
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PccPfw] C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.exe"
O9 - Extra button: IEJet (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab?
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37956.1962152778
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/01a533f7b49a70b4b816/netzip/RdxIE601.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 204.127.198.4,63.240.76.4



0

Response Number 12
Name: jboy
Date: June 16, 2004 at 16:27:55 Pacific
Reply:

Mesich can best advise - although I believe any references to sp.html are suspect.


We have nothing against ideas. We're against people spreading them. - General Augusto Pinochet of Chile


0

Response Number 13
Name: Greg Pluta
Date: June 16, 2004 at 16:35:21 Pacific
Reply:

OK, here's a log on what I've solved so far. I got rid of CWS. I found out that all I have to do is wait a couple of seconds when I reboot, and then when I check my tasks, none of the ones I wrote before appear, which is good. I just want to know from Mesich what I have to delete from my HijackThis log. Right now I'm gonna go try to do that On-Line Virus Scanner thing.
Thanks guys for all your help, both of you have been very helpful so far.


0

Response Number 14
Name: mesich
Date: June 16, 2004 at 16:36:59 Pacific
Reply:

Hi Greg, jboy, hello everyone

As usual jboy is on top of it. :-)
The sp.html files are bad.

Don't do anything with them yet as I would like a copy of it. :-)

Email it to me using the address after clicking on my name. I had a copy of it before but didn't save it after a format.

After emailing me the file try what I said in response #9 and running the on-line scan.

I'll look over your log while you are running the scan and between all of us we'll get the issue resolved. :-)

Best Regards,
Mesich



0

Response Number 15
Name: Greg Pluta
Date: June 16, 2004 at 16:38:17 Pacific
Reply:

OK, we still have a problem. Mesich: when you told me to do all that security stuff, whatever you told me to do was already like that in the settings. But I still get that message whenever I want to take the scan. What should I do now? Also, on some other pages I've been to, I get the same message.
Try and help please.
Thanks.


0

Response Number 16
Name: mesich
Date: June 16, 2004 at 16:54:38 Pacific
Reply:

Hi Greg, jboy, hello everyone

Let's not worry about the ActiveX for the moment and concentrate on getting rid of the items listed within your log file.
I am going over it right now.

Meantime, can you send me a copy of the sp.html file?


Best Regards,
Mesich


0

Response Number 17
Name: mesich
Date: June 16, 2004 at 17:10:07 Pacific
Reply:

Hi Greg, jboy, hello everyone

Remove the following items using hijackthis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html

Restart the computer and go to C:\Windows\Temp, and delete all of the files from that folder.

Going to sit down for some dinner and will check back in just a bit.

Best Regards,
Mesich


0

Response Number 18
Name: Greg Pluta
Date: June 16, 2004 at 17:47:17 Pacific
Reply:

I went to C:\Windows\Temp and deleted every file except for Cookies, History, and Temporary Internet Files. It did not let me delete a file called MiniBugInstaller. Please let me know if I need the files Cookies, History, and Temporary Internet Files. I'm not sure if I need them but they kinda sound important.


0

Response Number 19
Name: Greg Pluta
Date: June 16, 2004 at 17:48:28 Pacific
Reply:

By the way, where can I find the sp.html file??


0

Response Number 20
Name: jboy
Date: June 16, 2004 at 17:59:52 Pacific
Reply:

If it exists, it would be in C:\WINDOWS\TEMP (as indicated by the HJT! log) although it sounds like you may have already deleted it (recycle bin?)

If you checked the appropriate boxes when you ran HiJackThis! and chose 'fix selected' then references to the offending file would have been removed from your registry as well.

Minibuginstaller would seem to have to do with your 'weatherbug' installation - although I'm unsure why it would remain in the temp directory. Generally files are 'undeletable' if they are in use by Windows - which can usually be gotten around by deleting while in Safe Mode (or DOS)

Cookies, while not strictly necessary can be helpful in storing your preferences and logins for various websites (like this one) but also can be used for tracking purposes. I wouldn't worry overly much - run Ad-aware to rid yourself of the less desirable ones.

We have nothing against ideas. We're against people spreading them. - General Augusto Pinochet of Chile


0

Response Number 21
Name: DAVEINCAPS
Date: June 16, 2004 at 18:20:08 Pacific
Reply:

That sp.html hijacker may be getting more common. This thread from a few days ago concerned it also:

http://computing.net/windows95/wwwboard/forum/159270.html


0

Response Number 22
Name: jboy
Date: June 16, 2004 at 18:30:47 Pacific
Reply:

Yes, I thought I'd only recently read about this one, that must've been it - although anything launching from the temp directory has to be viewed with a certain suspicion.


0
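The checks made by hand in this thread (IE search pages pointed at file://C:\WINDOWS\TEMP\sp.html, autostart entries running from a temp directory, and a system file name such as taskmon.exe in the wrong folder) can be applied to a HijackThis log mechanically. This is an added Python example, not part of the original thread or of HijackThis; the review() function, the EXPECTED_DIR table (built from the paths given in Responses 10 and 11) and the log lines marked constructed are assumptions.

```python
import ntpath
import re

# R and first three O4 lines are copied from the log in Response 11;
# the lines tagged [constructed-*] and the example.com line are constructed.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.exe" -atboottime
O4 - HKLM\..\Run: [constructed-1] C:\WINDOWS\SYSTEM\taskmon.exe
O4 - HKLM\..\Run: [constructed-2] C:\WINDOWS\TEMP\updchk.exe
"""

R_LINE = re.compile(r"^(R[01]) - ([^,]+),(.+?) = (.*)$")
O4_LINE = re.compile(r"^O4 - (\S+): \[([^\]]+)\] (.*)$")
IMAGE = re.compile(r'"?(.+?\.(?:exe|com|bat|scr|pif))', re.I)

# Assumption: folders where the thread says these Windows 98 files belong.
EXPECTED_DIR = {"scanregw.exe": r"c:\windows", "taskmon.exe": r"c:\windows"}


def in_temp_dir(path):
    """True if any folder component of a Windows path is TEMP or TMP."""
    parts = ntpath.normcase(path).split("\\")
    return any(p in ("temp", "tmp") for p in parts[:-1])


def review(log_text):
    """Return (line, reason) pairs for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            value = m.group(4)
            # A browser search/start page should be a web URL, not a local file.
            if value.lower().startswith("file:"):
                local = re.sub(r"^file:/*", "", value, flags=re.I)
                reason = "IE page set to a local file"
                if in_temp_dir(local):
                    reason += " in a temp directory"
                findings.append((line, reason))
            continue
        m = O4_LINE.match(line)
        img = IMAGE.match(m.group(3)) if m else None
        if not img:
            continue
        path = img.group(1)
        name = ntpath.basename(path).lower()
        folder = ntpath.normcase(ntpath.dirname(path))
        if in_temp_dir(path):
            findings.append((line, "autostart image runs from a temp directory"))
        elif folder and name in EXPECTED_DIR and folder != EXPECTED_DIR[name]:
            findings.append((line, "system file name in an unexpected folder"))
    return findings


if __name__ == "__main__":
    for entry, why in review(SAMPLE_LOG):
        print(f"{why}: {entry}")
```

On the R lines of the log in Response 11 this flags all six sp.html values, including the HKCU SearchAssistant entry, while the scanregw.exe and taskmon.exe autostarts in C:\WINDOWS pass.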

Response Number 23
Name: Greg Pluta
Date: June 16, 2004 at 18:53:38 Pacific
Reply:

I need a question answered: should I delete sp.html or not?


0

Response Number 24
Name: jboy
Date: June 16, 2004 at 18:56:56 Pacific
Reply:

Email it to Mesich first, for his 'bug collection'


We have nothing against ideas. We're against people spreading them. - General Augusto Pinochet of Chile


0

Response Number 25
Name: Greg Pluta
Date: June 16, 2004 at 19:03:58 Pacific
Reply:

Yes, but exactly how do I do that?


0

Response Number 26
Name: jboy
Date: June 16, 2004 at 19:07:22 Pacific
Reply:

Click on his name to get the address, and email as an attachment?


We have nothing against ideas. We're against people spreading them. - General Augusto Pinochet of Chile


0

Response Number 27
Name: Greg Pluta
Date: June 16, 2004 at 19:16:05 Pacific
Reply:

OK, I sent it to Mesich. I'm waiting for his reply.


0

Response Number 28
Name: jboy
Date: June 16, 2004 at 19:21:38 Pacific
Reply:

Good stuff - I'm sure he'll appreciate it.


We have nothing against ideas. We're against people spreading them. - General Augusto Pinochet of Chile


0

Response Number 29
Name: mesich
Date: June 16, 2004 at 19:31:49 Pacific
Reply:

Hi Greg, jboy, DAVEINCAPS, hello everyone

Greg,

I got your email; however, there was no file attached.

Here is the entire content of your email:

C:\WINDOWS\TEMP\sp.html

Type this in as a website link. I'm looking forward to your help.

Thanks

Unfortunately there was not a link provided.

I have to get up very early in the morning so don't worry about sending the file. I'll see if I can't hunt it up on one of the backup CDs I created or from some backup email when it was sent from someone else.

Remove the files as suggested by jboy and you should be good to go. Nothing else in the hijackthis log that is of concern.


Best Regards,
Mesich


0

Response Number 30
Name: Greg Pluta
Date: June 16, 2004 at 19:47:48 Pacific
Reply:

OK so jboy, what files did you tell me to delete again? My head is all mixed up.


0

Response Number 31
Name: Greg Pluta
Date: June 16, 2004 at 19:51:23 Pacific
Reply:

Thanks everybody for all your help. jboy and Mesich, you guys were really helpful. I would be nowhere without you guys. Just one last question. I still need help fixing my ActiveX problem. So Mesich, when you have the time, can you help me fix that problem? Thanks again everyone.


0

Response Number 32
Name: jboy
Date: June 16, 2004 at 20:08:46 Pacific
Reply:

Glad we could be of assistance.

Your ActiveX Control settings aren't necessarily a problem, they just prevent you from accessing certain online services such as that AV site. You'll likely get it sorted eventually; meanwhile, keep your PC-Cillin up to date to guard against viruses, and look into Ad-aware and Spybot S&D for other threats.


We have nothing against ideas. We're against people spreading them. - General Augusto Pinochet of Chile


0

Response Number 33
Name: DAVEINCAPS
Date: June 16, 2004 at 20:21:08 Pacific
Reply:

From the IE toolbar go to TOOLS--INTERNET OPTIONS--SECURITY. If you lower the security level you shouldn't get that message.

After the virus scan it would be a good idea to raise the level again to what it was before the scan.


0

Response Number 34
Name: Greg Pluta
Date: June 16, 2004 at 20:26:08 Pacific
Reply:

Doesn't work. When I change the level to low, I press OK. Then when I checked the level again it was back as medium.


0

Response Number 35
Name: DAVEINCAPS
Date: June 16, 2004 at 20:26:37 Pacific
Reply:

Sorry Mesich, I see you covered that in #9 above. One of these days I'll actually start reading the posts instead of relying on my vast psychic abilities.


0

Response Number 36
Name: DAVEINCAPS
Date: June 16, 2004 at 20:30:55 Pacific
Reply:

On mine, I lowered it to LOW and hit apply and OK and it held that setting.

You may need to check the custom levels as Mesich mentions in #9.


0

Response Number 37
Name: Greg Pluta
Date: June 16, 2004 at 21:48:14 Pacific
Reply:

Sorry, I misunderstood. I got it now. But even on low the scan still does not work. Thank you for your help, DAVEINCAPS.


0

Response Number 38
Name: DAVEINCAPS
Date: June 16, 2004 at 22:02:39 Pacific
Reply:

I thought that would have done it. Maybe you need to open a new IE window or even reboot after making the change.


0

Response Number 39
Name: Greg Pluta
Date: June 16, 2004 at 22:23:18 Pacific
Reply:

I misunderstood before. Thank you very much. But the scan still does not work, but that's OK because I think I'm all good. Thanks again. And Mesich and jboy, I am forever in your debt. If I need more help I will post back here knowing that I will find great information.


0

Response Number 40
Name: Greg Pluta
Date: June 17, 2004 at 08:31:13 Pacific
Reply:

OK, I rebooted my system and went on the internet and guess what? CWS was back. I ran CWShredder and got rid of it. Now I wanna know how to keep it from getting back on my system. I know it gives me two links but I need instruction on what to do.
Thanks.


0

Response Number 41
Name: Greg Pluta
Date: June 17, 2004 at 08:44:39 Pacific
Reply:

I have yet another problem. My security settings are all screwed up. Can someone please post what each level is supposed to be?


0
