bizchris2002
Trooper

 Joined: Dec 16, 2003 Posts: 12 Location: USA
Posted: Tue Dec 16, 2003 5:54 am Post subject: Virus check?
Hi folks,
I'm getting slowness whenever I try to access most audio or video files; it just started about a week ago. Could you please take a look at the log below from HijackThis and let me know if anything looks suspicious, or could be killing performance? I'm on a Win98 OS, 500 MHz, 256 RAM, defragged, temp files cleaned. Thanks! --Chris
Logfile of HijackThis v1.97.7
Scan saved at 9:44:21 PM, on 12/15/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\KMAESTRO\KMAESTRO.EXE
C:\MMAESTRO\BWHEEL35.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yyep.com/search/search05.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchdot.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.50links.com/cd/index9b.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdot.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;sas.r2.attbi.com;<local>
O1 - Hosts: 66.40.16.234 auto.search.msn.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {08351226-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE026.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [FireTalk Internet Detector] C:\PROGRA~1\FIRETALK\InternetDetector.exe -noprompt
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [ELSAChipGuard] C:\WINDOWS\ELSAUTIL\elsavect.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [KeyMaestro] C:\KMAESTRO\KMaestro.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\MMaestro\BWheel35.exe
O4 - HKLM\..\Run: [SAUpdate] "C:\Program Files\Comcast\BBClient\Programs\SAUpdate.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Comcast\BBClient\Programs\RegCon.exe"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: SideStep (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Help (HKCU)
O9 - Extra button: Support (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/vet_install_popup.pl?1&04.00.07.02&http://www.active-studio.com/i3d/avatars/fox/
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} (SideStep IE Inst) - http://download.sidestep.com/get/k00719/sb026.cab
O16 - DPF: {88D8E8B7-A33B-4417-A385-8373484D43ED} (InstallHelper Class) - http://survey.prod.there.com/qualsurvey/ThereInstallHelper.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/wdriver/ddc/shockwave/wtinst.cab
bizchris2002
Trooper

 Joined: Dec 16, 2003 Posts: 12 Location: USA
Posted: Tue Dec 16, 2003 5:59 am Post subject:
Here's relevant startup info in case you need it:
Listing of startup folders:
Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Norton Auto-Protect = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
FireTalk Internet Detector = C:\PROGRA~1\FIRETALK\InternetDetector.exe -noprompt
mdac_runonce = C:\WINDOWS\SYSTEM\runonce.exe
ELSAChipGuard = C:\WINDOWS\ELSAUTIL\elsavect.exe
LexmarkPrinTray = PrinTray.exe
QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
KeyMaestro = C:\KMAESTRO\KMaestro.exe
LWBMOUSE = C:\MMaestro\BWheel35.exe
SAUpdate = "C:\Program Files\Comcast\BBClient\Programs\SAUpdate.exe"
BJCFD = C:\Program Files\BroadJump\Client Foundation\CFD.exe
SAClient = "C:\Program Files\Comcast\BBClient\Programs\RegCon.exe"
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
LVComs = C:\WINDOWS\SYSTEM\LVComS.exe
wcmdmgr = C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
winmodem = WINMODEM.101\wmexe.exe
Machine Debug Manager = C:\WINDOWS\SYSTEM\MDM.EXE
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[KeyMaestro]
FirstRun =
LastCDplay = "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:3 /device:AudioCD "%L"
RepeatFlag =
PowerEnable =
BTCplayEnable =
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv
--------------------------------------------------
C:\WINDOWS\WININIT.BAK listing:
(Created 13/12/2003, 9:24:50)
[Rename]
NUL = C:\WINDOWS\downlo~1\ymsgrins.exe
[rename]
NUL = C:\PROGRA~1\VIEWPO~1\VIEWPO~1\DOWNLO~1\AXMETA~1\EXEC.EXE
NUL = C:\PROGRA~1\VIEWPO~1\VIEWPO~1\AXMETA~1.DLL
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE026.DLL - {08351226-6472-43BD-8A40-D9221FF1C4CE}
CalamityJane
Security Expert Microsoft MVP
 Joined: Oct 05, 2002 Posts: 4004
Posted: Tue Dec 16, 2003 4:21 pm Post subject:
Hi bizchris2002
I don't spot any virus infection there; however, it appears you have or have had some spyware/hijacker on there. The following entries you can fix with HJT. Go offline and close all browsers and windows. Scan with HiJackThis and put an x next to these items, then press *fix checked*:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yyep.com/search/search05.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchdot.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.50links.com/cd/index9b.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdot.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchdot.net
O1 - Hosts: 66.40.16.234 auto.search.msn.com
This item you can fix if it was not installed intentionally or a program you are using:
Sidestep description
http://217.115.153.73/parasite/SideStep.html
If you would like to remove it you should first try in Add/Remove programs in your control panel and afterwards run HiJackThis to *fix* any of the following if any remain:
O2 - BHO: (no name) - {08351226-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE026.DLL
O9 - Extra button: SideStep (HKLM)
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} (SideStep IE Inst) - http://download.sidestep.com/get/k00719/sb026.cab
Reboot your PC after fixing with HJT and if you don't already have the following free Antispyware scanner please download, update and then scan with Spybot Search and Destroy.
Download Spybot Search and Destroy
http://www.safer-networking.org/
After installing, first press Online, and search for, put a check mark at, and install all updates.
Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all items in red (they will already be checked for you).
You have an awful lot of unnecessary programs running at startup. These can be found with recommendations on which ones are safe to disable at:
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm
http://www.sysinfo.org/startuplist.php
I'm not sure I may have caught everything that needed fixing, so please reboot your PC when you are done cleaning and post a new HiJackThis log in case someone else has any other ideas for you.
Just for reference, here are some free online AV scanners you may want to bookmark, in case you suspect you might have a virus:
Panda's Active Scan
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com
RAV Antivirus Online Scan
http://www.ravantivirus.com/scan/
eTrust AV web scanner (Computer Associates)
http://www3.ca.com/virusinfo/virusscan.aspx
You really should have a resident Antivirus Program at the least and there are several free or low cost AV's available.
AVG by Grisoft has a free edition:
http://www.grisoft.com/us/us_dwnl_free.php
_________________
Microsoft MVP/Windows Security 2003-2008
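The triage described in the post above, as an added example that is not part of the original thread and not HijackThis's own code: it flags R0/R1 browser settings that point outside an expected set of hosts and O1 hosts-file overrides, then reports which findings are still present in a follow-up log. The `EXPECTED_HOSTS` allowlist and the function names are assumptions of this example; the two sample logs are excerpts of lines posted in this thread.

```python
import re
from urllib.parse import urlsplit

# Hosts treated as expected for IE start/search settings. This allowlist is an
# assumption of the example; set it to the vendor/ISP defaults you trust.
EXPECTED_HOSTS = ("microsoft.com", "msn.com")

# A HijackThis item line looks like "<section> - <body>", e.g. "R1 - ..." or "O16 - ...".
LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")

def parse_log(text):
    """Return (section, body) pairs for every HijackThis item line."""
    items = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            items.append((m.group(1), m.group(2)))
    return items

def _host_ok(host):
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in EXPECTED_HOSTS)

def triage(items):
    """Flag browser-setting redirects (R0/R1) and hosts-file overrides (O1)."""
    findings = []
    for section, body in items:
        if section in ("R0", "R1"):
            key, sep, value = body.partition(" = ")
            value = value.strip()
            # Only URL-valued settings are checked; titles and proxy lists are skipped.
            if sep and value.lower().startswith(("http://", "https://")):
                host = urlsplit(value).hostname or ""
                if not _host_ok(host):
                    findings.append((section, key, host))
        elif section == "O1":
            # "Hosts: <ip> <name>" pins a name to an IP, bypassing DNS.
            m = re.match(r"Hosts:\s+(\S+)\s+(\S+)", body)
            if m and m.group(1) != "127.0.0.1":
                findings.append((section, m.group(2), m.group(1)))
    return findings

def still_present(before, after):
    """Findings from the first log that show up again in the follow-up log."""
    after_set = set(triage(parse_log(after)))
    return [f for f in triage(parse_log(before)) if f in after_set]

# Excerpt of the first log posted in the thread.
BEFORE = r"""Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yyep.com/search/search05.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchdot.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.50links.com/cd/index9b.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O1 - Hosts: 66.40.16.234 auto.search.msn.com
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
"""

# Excerpt of the follow-up log posted after the fixes.
AFTER = r"""Logfile of HijackThis v1.97.7
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.50links.com/cd/index9b.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
"""

if __name__ == "__main__":
    for finding in triage(parse_log(BEFORE)):
        print("flagged:", finding)
    for finding in still_present(BEFORE, AFTER):
        print("still present after fix:", finding)
```

Comparing a before and after log this way shows at a glance whether a fixed entry was re-written by something still running at startup.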
bizchris2002
Trooper

 Joined: Dec 16, 2003 Posts: 12 Location: USA
Posted: Wed Dec 17, 2003 3:22 am Post subject:
Thanks very much, CalamityJane. I did a ton to clean things up, but it still dies upon trying to open a .wav file. I'll post the updated HijackThis in the following post. In the meantime, these didn't show up in the two startup links you suggested:
Code:
Norton Auto-Protect = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
FireTalk Internet Detector = C:\PROGRA~1\FIRETALK\InternetDetector.exe -noprompt
ELSAChipGuard = C:\WINDOWS\ELSAUTIL\elsavect.exe
LexmarkPrinTray = PrinTray.exe (the Lexmark is old, but still need PrinTray?)
SAUpdate = "C:\Program Files\Comcast\BBClient\Programs\SAUpdate.exe"
BJCFD = C:\Program Files\BroadJump\Client Foundation\CFD.exe
SAClient = "C:\Program Files\Comcast\BBClient\Programs\RegCon.exe"
Some of these paths don't even exist - for example, C:\Program Files\BroadJump and C:\Program Files\Comcast both don't exist. If I want them to not autostart when I boot up, how can I stop that in Win98? The site also suggests deleting some entries with "Starter", but I don't know what that is. Fill me in?
I think the kicker for what's causing my audio/video issues MIGHT be this one that's autostarting:
LVComs = C:\WINDOWS\SYSTEM\LVComS.exe
Code:
"Driver for Logitech’s QuickCam Home cameras. It allows the camera to be accessed by NetMeeting, Windows Movie Maker, and the QuickCam software.
Recommendation :
Leave alone if you use a Logitech QuickCam camera."
Since the QuickCam may have been what started this whole performance problem, I've since unplugged it and re-plugged in our HP printer/scanner via USB - but maybe this autostart is still making it so my audio/video files are tied into it somehow?
Also, is this something I need to worry about?
Code:
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[KeyMaestro]
FirstRun =
LastCDplay = "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:3 /device:AudioCD "%L"
Cleaned up HijackThis and Startup, coming up - but so far I'm afraid audio/video will still hang, as I don't seem to have found the fix yet. More troubleshooting tips, please? Thanks -- Chris
bizchris2002
Trooper

 Joined: Dec 16, 2003 Posts: 12 Location: USA
Posted: Wed Dec 17, 2003 3:40 am Post subject:
Here's the new HijackThis log:
Code:
Logfile of HijackThis v1.97.7
Scan saved at 7:30:54 PM, on 12/16/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\KMAESTRO\KMAESTRO.EXE
C:\MMAESTRO\BWHEEL35.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.50links.com/cd/index9b.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;sas.r2.attbi.com;<local>
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {08351226-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE026.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [FireTalk Internet Detector] C:\PROGRA~1\FIRETALK\InternetDetector.exe -noprompt
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [ELSAChipGuard] C:\WINDOWS\ELSAUTIL\elsavect.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [KeyMaestro] C:\KMAESTRO\KMaestro.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\MMaestro\BWheel35.exe
O4 - HKLM\..\Run: [SAUpdate] "C:\Program Files\Comcast\BBClient\Programs\SAUpdate.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Comcast\BBClient\Programs\RegCon.exe"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Help (HKCU)
O9 - Extra button: Support (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/vet_install_popup.pl?1&04.00.07.02&http://www.active-studio.com/i3d/avatars/fox/
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.sidestep.com/get/k00719/sb026.cab
O16 - DPF: {88D8E8B7-A33B-4417-A385-8373484D43ED} (InstallHelper Class) - http://survey.prod.there.com/qualsurvey/ThereInstallHelper.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/wdriver/ddc/shockwave/wtinst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
And the startup list - but I uninstalled QuickTime in the meantime - why's QTTask.exe still starting??
Code:
Listing of startup folders:
Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Norton Auto-Protect = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
FireTalk Internet Detector = C:\PROGRA~1\FIRETALK\InternetDetector.exe -noprompt
mdac_runonce = C:\WINDOWS\SYSTEM\runonce.exe
ELSAChipGuard = C:\WINDOWS\ELSAUTIL\elsavect.exe
LexmarkPrinTray = PrinTray.exe
QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
KeyMaestro = C:\KMAESTRO\KMaestro.exe
LWBMOUSE = C:\MMaestro\BWheel35.exe
SAUpdate = "C:\Program Files\Comcast\BBClient\Programs\SAUpdate.exe"
BJCFD = C:\Program Files\BroadJump\Client Foundation\CFD.exe
SAClient = "C:\Program Files\Comcast\BBClient\Programs\RegCon.exe"
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
LVComs = C:\WINDOWS\SYSTEM\LVComS.exe
wcmdmgr = C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
winmodem = WINMODEM.101\wmexe.exe
Machine Debug Manager = C:\WINDOWS\SYSTEM\MDM.EXE
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[KeyMaestro]
FirstRun =
LastCDplay = "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:3 /device:AudioCD "%L"
RepeatFlag =
PowerEnable =
BTCplayEnable =
Thanks in advance for any further troubleshooting help! -- Chris
CalamityJane
Security Expert Microsoft MVP
 Joined: Oct 05, 2002 Posts: 4004
Posted: Wed Dec 17, 2003 7:08 pm Post subject:
Hi Chris,
Sorry, I missed seeing your reply until now.
Actually, I'm more knowledgeable about malware than a tweak expert and don't have any answers for you regarding your video/audio problems or the performance issues, but many in here are.
I use MSCONFIG in Start>run to uncheck the items I do not want starting up if I cannot find a way to do it in the program (like Quicktime), but the others may have some better ideas of things to try.
_________________
Microsoft MVP/Windows Security 2003-2008