wizir01
asked on
Start button is not clickable; empty window appears on bottom of screen.
I signed up for this site last night and followed instructions in several posts. In short:
Some porn appeared on Thursday night. I ran Spybot and cleaned out some stuff. PC stopped responding on Friday afternoon. I rebooted in safe mode on Sat night. I ran Norton and found nothing. I found this site and found dpi and pcsvc. I tried to delete them. I then ran trend housecall and it cleared up some other stuff. I ran cwshredder; it found 3 things and advised me to update Windows 98 with security patches from Microsoft, which I did. I rebooted, but I still have some issues.
1) Start button is not clickable.
2) A small window appears on bottom of screen.
I ran hijack this and found the following; please help.
C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPTSKMGR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPDARC.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\MY DOWNLOADS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dsl"); (C:\Program Files\Netscape\Users\User1\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\PROGRA~1\POPUPP~1\POPLIB.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRAM FILES\LYCOS\IEAGENT\CSIE.DLL
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\PROGRAM FILES\2WIRE\2PORTALMON.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [KRUXBOILV] C:\WINDOWS\KRUXBOILV.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [O95WPP4XR.EXE] C:\WINDOWS\TEMP\O95WPP4XR.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Tohe] C:\WINDOWS\Application Data\baet.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: HP Digital Imaging Monitor.lnk = c:\WINDOWS\Application Data\Microsoft\Installer\{CE4F8FFB-4063-4247-9F14-ECE61AFEFA25}\NewShortcut1.A6CC6977_F7B4_4C0B_9510_BCD847D4BDB2.exe
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: RealGuide (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: PopupPopper Control Panel (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .dr: C:\PROGRA~1\INTERN~1\PLUGINS\npDRDW.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .MTD: C:\PROGRA~1\INTERN~1\Plugins\npmusicn.dll
O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} (CoDetectDigitalRiver Class) - http://ebot.digitalriver.com/v2.0-doc/dlwizard/wizard3.0.3.5.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E09F6B38-3A0D-11D3-B5E7-0008C7BF61F2} (DetectMN) - http://www.musicnotes.com/download/npmusicn.cab
O16 - DPF: {DBB2DE32-61F1-4F7F-BEB8-A37F5BC24EE2} (MozillaPluginHostCtrl Class) - http://www.musicnotes.com/download/adaptor.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/27cb69d3288dd6e3db04/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37889.3209490741
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/mail/ac4sbc.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdq/downloads/sysinfo.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
ASKER
Well, I rebooted after I published my question, as I had deleted a couple things using hijack this. The start button is now clickable and the window on the bottom is gone.
But I followed your instructions and checked startup. I found baet.exe and bxxs5.dll (BookedSpace), which turns out to be adware and removed it from startup. (I used these instructions: http://www.kephyr.com/spywarescanner/library/bookedspace/index.phtml )
I ran sfc.exe but didn't find anything.
Thanks for your help; I didn't know about msconfig. I'll check everything in there to make sure it belongs.
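One way to triage the O4 autostart lines of a HijackThis log like the one in the question, as an added example that is not part of the original thread: it extracts the file each Run value actually loads (including the DLL behind a rundll32 wrapper) and flags entries by location. The three location rules and all function names are assumptions made for this example; a flag is a reason to look closer, not a verdict.

```python
import re

# O4 lines copied from the log in the question (page-inserted spaces removed).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [O95WPP4XR.EXE] C:\WINDOWS\TEMP\O95WPP4XR.EXE
O4 - HKCU\..\Run: [Tohe] C:\WINDOWS\Application Data\baet.exe
"""

O4_RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run\w*: \[(.+?)\] (.+)$", re.M)
RUNDLL = re.compile(r"^rundll32(?:\.exe)?\s+(.+?),", re.I)

def target_of(command):
    """Return (file actually loaded, True if it is a DLL run through rundll32)."""
    m = RUNDLL.match(command)
    if m:
        return m.group(1).strip('"'), True
    if command.startswith('"'):
        return command[1:].split('"', 1)[0], False
    # Unquoted command: cut after the extension so paths containing spaces stay whole.
    m = re.match(r"(.+?\.(?:exe|com|bat|scr))\b", command, re.I)
    return (m.group(1) if m else command), False

def reasons(target, via_rundll):
    """Location heuristics assumed for this example: leads to check, not verdicts."""
    folder = target.upper().rpartition("\\")[0]  # "" when no path is given
    checks = [
        (folder.endswith("\\TEMP"), "runs from a TEMP directory"),
        (folder.endswith("\\APPLICATION DATA"), "sits directly in Application Data"),
        (via_rundll and folder and not folder.endswith("\\SYSTEM"),
         "rundll32 loads a DLL from outside the SYSTEM directory"),
    ]
    return [text for hit, text in checks if hit]

def triage(log_text):
    """List (hive, value name, target, reasons) for flagged O4 Run/RunServices entries."""
    flagged = []
    for hive, name, command in O4_RUN.findall(log_text):  # Startup shortcuts not covered
        target, via_rundll = target_of(command.strip())
        why = reasons(target, via_rundll)
        if why:
            flagged.append((hive, name, target, why))
    return flagged

if __name__ == "__main__":
    for hive, name, target, why in triage(SAMPLE_LOG):
        print(f"{hive} [{name}] {target}: {'; '.join(why)}")
```

On the sample lines it flags the bxxs5, O95WPP4XR.EXE and Tohe values and leaves the system entries alone.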
Great. Post back if your issue is solved.
ASKER
One other notable point that may prove useful to others: When I googled baet.exe, I didn't find anything on the internet. So I checked the properties of the file. It was downloaded the day that my problems began. It pointed to a company called PSD Tools, LLC. I found these instructions http://securityresponse.symantec.com/avcenter/venc/data/adware.buddylinks.html on Symantec's site, but I couldn't find the program on my PC. In any case, I removed baet.exe from my startup and deleted it from my PC.
Thanks for giving feedback. Sure it would be useful for others.
If you have a Windows key on your keyboard, press Windows key + R to get the Run box.
Type "sfc.exe" and press "Enter". This is used to check for corrupt system files.
After that, if the problem does not get solved,
check for a corrupt registry. In the Run box, type scanreg /restore