Google Answers Logo
View Question
 
Q: Internet keeps disconnecting, password disappears and SVCHOS1AT file appears ( Answered 5 out of 5 stars,   0 Comments )
Question  
Subject: Internet keeps disconnecting, password disappears and SVCHOS1AT file appears
Category: Computers > Internet
Asked by: 1arsenalfc-ga
List Price: $10.00
Posted: 21 Aug 2005 12:55 PDT
Expires: 20 Sep 2005 12:55 PDT
Question ID: 558423
I am running on windows 98, using broadband with a Speedtouch modem
and my connection to the Internet periodically disconnects. When I go
to log back in, Speedtouch is no longer shown on the Dial up
Connection box. So I go to desktop, open Speedtouch Connections and
the password is not there. After entering the password it then
sometimes connects and other times does not until I have reset my
machine. If I do control/alt/delete a file/program called SVCHOS1AT
sometimes appears at the bottom of the list after the system
disconnects, also occasionally a pop-up box appears referring to this
file/program, so it seems to me that my problem is to do with this
file/program. I have tried following the instructions on ID number
538639 that sounds like a similar problem to mine. I have run
HijackThis and the log is as follows but I do not know what to do
next:

Logfile of HijackThis v1.99.1
Scan saved at 19:22:22, on 21/08/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE
C:\WINAMP.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\COMM.EXE
C:\PROGRAM FILES\TRUST\12522 AMI MOUSE 250S WIRELESS\1.0\LWBWHEEL.EXE
C:\PROGRAM FILES\SPEEDTOUCH\DR SPEEDTOUCH\DRST.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
C:\OPLIMIT\OCRAWARE.EXE
C:\OPLIMIT\OCRAWR32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\COMM.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\WINWORD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\C189ABC1\HIJACKTHIS[1].EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://searchbar.findthewebsiteyouneed.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.tiscali.co.uk/broadband
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by BT Internet
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D}
- C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL
O2 - BHO: Yahoo! Companion BHO -
{02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM
FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
- C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} -
C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL
O2 - BHO: MyWebSearch Search Assistant BHO -
{00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\PROGRAM
FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL
O2 - BHO: (no name) - {5A5B6916-ED71-4531-8018-E792DD44156E} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion -
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM
FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_1.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - HKLM\..\Run: [JVM0.14] C:\WINAMP.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program
Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Timer] C:\WINDOWS\comm.exe /i
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Trust\12522 AMI MOUSE
250S WIRELESS\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [SvcH0st] C:\WINDOWS\shch.exe /i
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr
SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program
Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program
Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search -
http://bar.mywebsearch.com/menusearch.html?p=ZNxmk311AXGB
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links -
{c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) -
http://www5.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control)
- http://housecall60.trendmicro.com/housecall/xscan60.cab

Hope you can help

Regards

Alan Bridle
Answer  
Subject: Re: Internet keeps disconnecting, password disappears and SVCHOS1AT file appears
Answered By: sublime1-ga on 21 Aug 2005 16:15 PDT
Rated:5 out of 5 stars
 
alan...

As for SVCHOS1AT, do the following:

Run HiJackThis (HJT) and click 'Open the Misc Tools Section',
then click 'Open Process manager'.

Next, locate and click on:

C:\WINDOWS\svchos1at.exe

Make sure that only that item is highlighted, then click
'Kill process'. Then click "Refresh", check again, and 
repeat this step if it remains. If it won't delete, see
the instructions later on how to use HJT to delete it on
reboot.

Next, close HJT and read the following. There's a step
to take before using it to delete the nasty entries:

The following entries should be removed, subject to your
own judgment with regards to my comments (some of the 
files appear in odd locations, and you should check to
see if there are duplicates in the locations I suggest):


Running Processes:


C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE
The first of many MyWebSearch entries. You should
try to uninstall this program first, which may do
a better job of removal than checking the entries
in Hijack This. See this page about removing the 
program, then re-run HJT to remove the rest of the
following entries:
http://www.mac-net.com/445088.page


C:\WINAMP.EXE
Should normally be located in C:\program files\winamp\
The odd location plus a startup call later on make this
suspicious.


C:\WINDOWS\SYSTEM\QTTASK.EXE is normally located in 
c:\program files\quicktime\
If you have a duplicate there, you should remove this one,
as well as the startup call for it later.


C:\WINDOWS\COMM.EXE
Trojan - see this page on bleepingcomputer.com:
http://www.bleepingcomputer.com/startups/comm.exe-10822.html


C:\WINDOWS\DESKTOP\WINWORD.EXE
Odd location, but not called for on startup, so maybe safe.
Normally in C:\Program Files\Microsoft Office\Office\winword.exe



Registry entries:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://searchbar.findthewebsiteyouneed.com/
Do you know and trust this website? If not, check and remove.
Otherwise, could be safe.


R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D}
- C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL
Should be removed along with everything in:
C:\PROGRAM FILES\MYWEBSEARCH\
Use uninstall, as given above, then check this entry if it 
remains afterward.


O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} -
C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL
O2 - BHO: MyWebSearch Search Assistant BHO -
{00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\PROGRAM
FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL
O2 - BHO: (no name) - {5A5B6916-ED71-4531-8018-E792DD44156E} - 
(no file)
All related to MyWebSearch - as above.


O4 - HKLM\..\Run: [JVM0.14] C:\WINAMP.EXE
As noted above - suspicious location, and suspicious to have 
this in Windows startup.


O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE"
 -atboottime
As noted above - suspicious location, but possibly safe. This
file may have a different location in Windows 98. It's not a
necessary startup entry anyway.


O4 - HKLM\..\Run: [Timer] C:\WINDOWS\comm.exe /i
As noted above - trojan
If you have trouble deleting this file using HJT or Windows
Explorer, use HJT to remove it on reboot:

Run HiJackThis (HJT) and click 'Open the Misc Tools Section',
then click 'Delete a file on reboot...'. It may help to have
hidden files and folders displayed when you navigate to find
this file. To do this:

- Open My Computer.
- Select the View menu and click Folder Options.
- Select the View Tab.
- In the Hidden files section select Show all files.
- Click OK.


O4 - HKCU\..\Run: [MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
More MyWebSearch.


O8 - Extra context menu item: &Search -
http://bar.mywebsearch.com/menusearch.html?p=ZNxmk311AXGB
Ditto.


O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
Junk.


Make sure you have all other programs closed when you run
HJT to delete the entries above.

Use HJT to select any files you were unable to uninstall or
remove manually, and mark them for 'delete on reboot'.

Reboot and, again, making sure all other programs are closed,
run HJT again and post another log here for a checkup.


Please do not rate this answer until you are satisfied that  
the answer cannot be improved upon by way of a dialog  
established through the "Request for Clarification" process. 
 
A user's guide on this topic is on skermit-ga's site, here: 
http://www.christopherwu.net/google_answers/answer_guide.html#how_clarify 
 
sublime1-ga


Additional information may be found from an exploration of
the links resulting from the Google searches outlined below.

Searches done, via Google:

comm.exe
://www.google.com/search?q=comm.exe

mywebsearch
://www.google.com/search?q=mywebsearch

SVCHOS1AT
://www.google.com/search?q=SVCHOS1AT

Request for Answer Clarification by 1arsenalfc-ga on 23 Aug 2005 11:03 PDT
Brilliant, I've done everything you suggested and it's no longer
disconnecting, very many thanks. You mentioned a couple of files in
the wrong location (winamp and qttask), I've checked for duplicates
and there are none, these files only exist in these places - should I
do anything or leave them where they are.

One thing is that the opening of emails within Outlook 2000 has
suddenly gone very, very slow, 27 seconds to open an email
irrespective of the size, sending and receiving emails does not seem
to be affected - could this be associated with what I've done or is
this likely to be something copmpletely unrelated? What should I do?

Many thanks again for your help, the updated log, as requested, is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 18:58:37, on 23/08/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINAMP.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\TRUST\12522 AMI MOUSE 250S WIRELESS\1.0\LWBWHEEL.EXE
C:\PROGRAM FILES\SPEEDTOUCH\DR SPEEDTOUCH\DRST.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
C:\OPLIMIT\OCRAWARE.EXE
C:\OPLIMIT\OCRAWR32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
C:\WINDOWS\MSAGENT\AGENTSVR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\AX0FEDA5\HIJACKTHIS[1].EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.tiscali.co.uk/broadband
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by BT Internet
O2 - BHO: Yahoo! Companion BHO -
{02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM
FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
- C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion -
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM
FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_1.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [JVM0.14] C:\WINAMP.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program
Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Trust\12522 AMI MOUSE
250S WIRELESS\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [SvcH0st] C:\WINDOWS\shch.exe /i
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr
SpeedTouch\drst.exe" -b
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program
Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links -
{c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) -
http://www5.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control)
- http://housecall60.trendmicro.com/housecall/xscan60.cab

Clarification of Answer by sublime1-ga on 23 Aug 2005 14:19 PDT
alan...

I'm glad to hear of your progress, but there's still some
work to do.

As for qttask and winamp, I would say qttask is likely safe,
as the way the entry is written looks legitimate. Winamp is
questionable. Only you can say if you downloaded and installed
this popular media player, and set it up to run when Windows
starts.

Winamp's home page is here:
http://www.winamp.com/

If this media player is familiar to you, and you set it up 
start with Windows, and it does, that's fine, but if the
program is unfamiliar, and you don't have a media player
set up to load with Windows, I would get rid of it. The 
location of this file should NOT be the Windows directory
if it was installed normally.

Another way to check the WINAMP executable is to right-click
on it and select Properties. If it's a true Windows executable
program, the window should show a Version tab with the company
as Nullsoft.

Of course, if it's a virus-related file, you could also check
it with a virus scan. I don't believe you've mentioned using
one so far, though your HJT log indicates you've used the 
Trend Micro scanner, but here are some recommendations:

Free online & downloadable virus scans:

AntiVir:
http://www.free-av.com/

BitDefender:
http://www.bitdefender.com/scan/licence.php

Computer Associates:
http://www3.ca.com/virusinfo/virusscan.aspx

Panda:
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Trend Micro:
http://housecall.trendmicro.com/housecall/start_corp.asp

Trend Micro and AntiVir are known to pick up on things which
are sometimes missed by others. I use AntiVir, which is 
especially useful in flagging and preventing attempted hidden
downloads of viruses and other malware from malicious sites.
AntiVir needs to be downloaded. Trend Micro works online.


The WINAMP file is especially suspicious because you have a 
second malicious file loading which sometimes poses as 
WinAmpAgent (though, in this case it's posing as SvcH0st:
O4 - HKLM\..\Run: [SvcH0st] C:\WINDOWS\shch.exe /i

See IamNotaGeek about the trojan associated with this file:
http://startup.iamnotageek.com/srch-shch.exe.html

More on the Troj/Bdoor-EB virus on this Sophos page:
http://www.sophos.com/virusinfo/analyses/trojbdooreb.html

Use HJT to stop this process and remove it on reboot.


The WINAMP file is all the more suspicious because of the
registry entry which calls for it:
O4 - HKLM\..\Run: [JVM0.14] C:\WINAMP.EXE

Note the name JVM0.14 instead of WinAmp, and see this page
on IamNotaGeek:
http://startup.iamnotageek.com/srch-JVM0.14.html


Finally, the following two entries look to be harmless, but
unnecessary, and can be checked for removal:

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links -
{c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


It's possible that Outlook will function more normally
when you get these fixes applied, but Outlook is its
own can of worms, so then again, it may not.

Let me know...

sublime1-ga

Request for Answer Clarification by 1arsenalfc-ga on 24 Aug 2005 09:42 PDT
I have deleted winamp and qttask since I don't ever use a media player
and I don't know how these files got onto my computer, perhaps I
downloaded these without realising.

I attach another log, I think this has now resolved my problem apart
from Outlook still being very slow opening emails but as you say this
is another can of worms.

Thank you very much for all your help.

Logfile of HijackThis v1.99.1
Scan saved at 17:39:13, on 24/08/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\PROGRAM FILES\TRUST\12522 AMI MOUSE 250S WIRELESS\1.0\LWBWHEEL.EXE
C:\PROGRAM FILES\SPEEDTOUCH\DR SPEEDTOUCH\DRST.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
C:\OPLIMIT\OCRAWARE.EXE
C:\OPLIMIT\OCRAWR32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
C:\WINDOWS\MSAGENT\AGENTSVR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\AX0FEDA5\HIJACKTHIS[1].EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.tiscali.co.uk/broadband
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by BT Internet
O2 - BHO: Yahoo! Companion BHO -
{02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM
FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
- C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion -
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM
FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_1.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program
Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Trust\12522 AMI MOUSE
250S WIRELESS\1.0\lwbwheel.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr
SpeedTouch\drst.exe" -b
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program
Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) -
http://www5.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control)
- http://housecall60.trendmicro.com/housecall/xscan60.cab

Clarification of Answer by sublime1-ga on 24 Aug 2005 11:00 PDT
alan...

You look good to go! And you've said your connection is back
to normal and steady, so it seems your problems are over, with
the exception of Outlook, which seems unrelated. As far as I
can see, you're clean as a whistle.

sublime1-ga
1arsenalfc-ga rated this answer:5 out of 5 stars
Excellent, first class service

Comments  
There are no comments at this time.

Important Disclaimer: Answers and comments provided on Google Answers are general information, and are not intended to substitute for informed professional medical, psychiatric, psychological, tax, legal, investment, accounting, or other professional advice. Google does not endorse, and expressly disclaims liability for any product, manufacturer, distributor, service or service provider mentioned or any opinion expressed in answers or comments. Please read carefully the Google Answers Terms of Service.

If you feel that you have found inappropriate content, please let us know by emailing us at answers-support@google.com with the question ID listed above. Thank you.
Search Google Answers for
Google Answers  


Google Home - Answers FAQ - Terms of Service - Privacy Policy