Possible BIOS virus

Only for programmers and BIOS gurus with technical questions.
joeclem111
New visitors - please read the rules.
Posts: 11
Joined: Mon May 16, 2005 4:55 am

Hi, I am a computer consultant but with no experience of what is in the BIOS (program-wise). I have a PC which is infected. No anti-virus software can detect it. No malware or hijack software can detect it. The motherboard is an ASROCK with the K7S41_1.20 BIOS on it. The BIOS memory is 2MB, but the BIOS file is obviously a lot less, so there is plenty of room for a virus to hide. I have good reason to believe that this infection flashes itself into the BIOS, from where it is always in memory and also not detectable (nothing looks there for virus infections). Does anyone have any experience of this? I have all the flash upgrade files for my BIOS, so is there a way I can clean the BIOS and then re-flash the BIOS content back into a clean memory? Is there a program where I can fill the BIOS with zeros and then replace the proper contents? Any advice would be appreciated. Thanks.
Help me and I will help you (if I can).
Denniss
BIOS Guru
Posts: 3153
Joined: Thu Mar 21, 2002 8:16 pm
Location: Near Hannover (CEBIT) Germany
Contact:

A small error: Flashrom is 2MBit = 256KByte or 1MBit = 128KByte in size. It perfectly matches the Bios file size.

Please explain why you think your PC is infected and what's the infection?
joeclem111
New visitors - please read the rules.
Posts: 11
Joined: Mon May 16, 2005 4:55 am

I am running a 2.8 GHz, 512 MB, 60 GB self-built PC running WIN98. I have built and sold over 2000 over the years 1994-2002. Last year I got a warning that something was trying to write to my boot sector. My AVG didn't see it. I did the Trend online scan, nothing. I prepared a floppy clean disk and allowed the write. I immediately shut down and rebooted on the floppy and cleaned the boot strap. After that I was beset with all kinds of problems. The bug behaved like the old original JS_PLAY virus. It would turn the screen off. In the middle of an e-mail my typing became invisible. It would run processing loops to slow the system down. It eats up memory. I use RAMidle pro and even when showing 300 MB free RAM, I can try to use a program and I get the error "insufficient memory to run this program. Try shutting down another program". I built this PC last September and it ran perfectly. This April I reintroduced some master documents from a back-up CD taken from the old PC (I know I shouldn't have). The problems started all over again. NOTHING can find the bug, all scans are clear. It seems to be very stealthy. If using regedit, on a search, it will give a critical error blue screen and stop the search. I used a-squared as a background check. The bug disabled it by renaming the exe and dll files to .exe.tmp etc. This is some bug. Any clues? I thought it might be in the BIOS because I built a spare disc on this PC. The job wasn't easy as all manner of things went wrong, suggestive of the infection still being there. This is me laying MY software which I have done many times before without trouble. Before I built the disc I low-level re-formatted it so it had to be clean. I have done a lot of security work since 2001 and have now retired early. I do know my way round but this bug has got me BUGGED. Thanks for your interest in my probs.
Help me and I will help you (if I can).
Denniss
BIOS Guru
Posts: 3153
Joined: Thu Mar 21, 2002 8:16 pm
Location: Near Hannover (CEBIT) Germany
Contact:

Looks more like Hardware/Software error especially if using 512 or more MB of RAM with Win98/Win98SE.
If still using Win98/Win98SE open system.ini with text editor and search the [VCACHE] section.
Enter a new line containing:
MaxFileCache=512000
That cures the 512MB Bug

If still buggy try another antivirus prog and use a background scanner. Use Spybot S&D and Ad-Aware SE to check for Spyware stuff.
Use memtest86 or similar programs to check memory.
joeclem111
New visitors - please read the rules.
Posts: 11
Joined: Mon May 16, 2005 4:55 am

Thanks for the VCACHE, that's one I didn't know. Already use Ad-Aware. Spybot wouldn't run on the infected system. Will look for the memtest prog and try it. Will get back with the results, probably tomorrow. Thanks again.
Help me and I will help you (if I can).
joeclem111
New visitors - please read the rules.
Posts: 11
Joined: Mon May 16, 2005 4:55 am

Hello again, memtest86 = 100% pass.
Help me and I will help you (if I can).
Denniss
BIOS Guru
Posts: 3153
Joined: Thu Mar 21, 2002 8:16 pm
Location: Near Hannover (CEBIT) Germany
Contact:

Boot up into Safe-Mode and Spybot should be able to run
joeclem111
New visitors - please read the rules.
Posts: 11
Joined: Mon May 16, 2005 4:55 am

Ran Spybot, it found a couple of things and killed them. System on that disc is still bad. It won't load Zone Alarm, I get "NOT VERIFIED" messages on some of the components. Re-installed and it is still the same. The bug has also interfered with the update mechanism on my AVG anti-virus and the IncrediMail package just sprints through the e-mail accounts without connecting. This bug has interfered with e-mail before. Also, on boot up, it tells me I have bad sectors on the drive and goes into ScanDisk, the extended version. Getting well fed up with this. I am using a spare hard drive to keep in contact.
Is there a program that I can download that would take a record of ALL processes as they load at boot up? It would be best if it gave the path to the file as well. This would show me anything that boots that is not shown by hijackthis etc.
Help me and I will help you (if I can).
Denniss
BIOS Guru
Posts: 3153
Joined: Thu Mar 21, 2002 8:16 pm
Location: Near Hannover (CEBIT) Germany
Contact:

Is it possible to post a HijackThis logfile using a standard boot on your infected machine?

Have you tried to disable System Restore to prevent this from recreating deleted but archived stuff?
joeclem111
New visitors - please read the rules.
Posts: 11
Joined: Mon May 16, 2005 4:55 am

Hi, here is the HijackThis log you wanted:

Logfile of HijackThis v1.99.1
Scan saved at 11:09:28, on 18/05/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\CREATIVE\AUDIO\PROGRAM\CTMIX32.EXE
C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FTCTRL32.EXE
C:\PROGRAM FILES\FAXTALK NETONHOLD\FTNOHMGR.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\RAM IDLE\RAM_98.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\RTEGPRS.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 5 PROFESSIONAL\POPUPSTOPPER.EXE
C:\PROGRAM FILES\A2\A2GUARD.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET T SERIES 9X\BIN\HPOSTR05.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FAPIEXE.EXE
C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.2\CM_CAMERA.EXE
C:\PROGRAM FILES\SOFTISSIMO\COLLINS INTERNET-LINKED DICTIONARY\EXE\L-EXPRESS.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\SOFTISSIMO\COLLINS INTERNET-LINKED DICTIONARY\EXE\LEXIBASE.EXE
C:\PROGRAM FILES\INCREDIMAIL\BIN\IMAPP.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET T SERIES 9X\BIN\HPOVDX05.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\A2\A2UPD.EXE
C:\HIJACK\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Audio\PROGRAM\CTMIX32.EXE /t
O4 - HKLM\..\Run: [CallControl 4.5] C:\Program Files\FaxTalk Communicator\FTCtrl32.exe /autoload
O4 - HKLM\..\Run: [NetOnHold] C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle\RAM_98.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [RTEGPRS] "C:\WINDOWS\RTEGPRS.EXE" tray
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\PROGRAM FILES\3B SOFTWARE\WINDOWS REGISTRY REPAIR PRO\REGISTRYREPAIRPRO.EXE 4
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 5 PROFESSIONAL\POPUPSTOPPER.EXE"
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: HP OfficeJet T Series Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet T Series 9x\Bin\HPOstr05.exe
O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
O4 - Startup: Lexibase Express.lnk = C:\Program Files\Softissimo\Collins Internet-Linked Dictionary\exe\L-Express.exe

All processes are known to me and expected. I did run a prog called noadware that tried to suggest I had a bug called backdoor.gwg and it would only fix it if I bought the software. On investigation it was reporting the scanregw process as the bug. Scanregw is a Microsoft program. Let me know what you think. As regards System Restore, run through the procedure please and I will do it. Thanks.
Help me and I will help you (if I can).
Denniss
BIOS Guru
Posts: 3153
Joined: Thu Mar 21, 2002 8:16 pm
Location: Near Hannover (CEBIT) Germany
Contact:

Sorry - I forgot Win98 has no system restore.

Some things to suggest:
Clear IE caches and try to use Firefox/Mozilla - maybe IE is/was infected with some stuff.
Remove Ramidle - it usually helps null/nada/zero freeing up RAM
To speed up Win98 edit system.ini again and add a line in [386Enh]:
ConservativeSwapfileUsage=1
This will force Win98 to use system RAM first instead of using the swap file from the start. Set the swap file to a fixed 512MB by setting min/max to 512MB.

Are you sure there's not a hardware problem of any kind involved?
Such as too high CPU/HDD temp or PSU voltages out of line?

Did the HJT log stop at the O4 section?
-> Usually there's a little more behind O4
joeclem111
New visitors - please read the rules.
Posts: 11
Joined: Mon May 16, 2005 4:55 am

I am certain there are no hardware probs (I built this system and have hardware experience from 8086 through 286, IBM Micro Channel Architecture, 386, 486 etc. etc.). HJT did stop at O4. I would be a bit scared to be without RAMidle as I have seen some weird things happening regarding memory usage (on boot up I have only 120 MB left and use RAMidle to free up 112 MB). I think we are dealing with a dose of about:blank infection here. I have just been cleaning up in safe mode. On re-boot and running HJT, I have 2 more entries for "local page =" which is a reference to blank.htm (the file is NOT on my system). I cleared all the files in system backup so no restores could take place. Something on this system is loading "blank" references into the registry on boot up. I did use regedit in safe mode to clean all blank references except the ones that relate to CD writing. If I try to use regedit in normal Windows mode, the infection gives me a critical error blue screen and will not allow a registry search. Slowly but surely it is getting narrowed down. My mind is certain that it is a malware infection AND that it is an about:blank problem. What say you?
Help me and I will help you (if I can).
joeclem111
New visitors - please read the rules.
Posts: 11
Joined: Mon May 16, 2005 4:55 am

Ha! Just did a search of the registry in full Windows mode. Searched for "local page" and got no result BUT the search ran to the end without failing. Here is the HJT log. NOTE the R0 entries. The first one for main page, Tiscali, is correct. The other main page and the 2 local pages where there is no entry (it is BLANK) is where I think the problem is. I just need to identify what program is doing this. Also, whilst in safe mode I did a virus scan. It found nothing BUT it reported that shell32.dll had changed. I am also getting Zone Alarm disabled. Every time I re-install it, on the next boot I get various of the Zone Labs master programs fail to verify. Any ideas?

Logfile of HijackThis v1.99.1
Scan saved at 20:51:56, on 18/05/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\CREATIVE\AUDIO\PROGRAM\CTMIX32.EXE
C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FTCTRL32.EXE
C:\PROGRAM FILES\FAXTALK NETONHOLD\FTNOHMGR.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\RAM IDLE\RAM_98.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\RTEGPRS.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\3B SOFTWARE\WINDOWS REGISTRY REPAIR PRO\REGISTRYREPAIRPRO.EXE
C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 5 PROFESSIONAL\POPUPSTOPPER.EXE
C:\PROGRAM FILES\A2\A2GUARD.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET T SERIES 9X\BIN\HPOSTR05.EXE
C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.2\CM_CAMERA.EXE
C:\PROGRAM FILES\FAXTALK COMMUNICATOR\FAPIEXE.EXE
C:\PROGRAM FILES\SOFTISSIMO\COLLINS INTERNET-LINKED DICTIONARY\EXE\L-EXPRESS.EXE
C:\PROGRAM FILES\SOFTISSIMO\COLLINS INTERNET-LINKED DICTIONARY\EXE\LEXIBASE.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET T SERIES 9X\BIN\HPOVDX05.EXE
C:\PROGRAM FILES\INCREDIMAIL\BIN\IMAPP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\HPOHID05.EXE
C:\PROGRAM FILES\A2\A2UPD.EXE
C:\PROGRAM FILES\INCREDIMAIL\BIN\INCMAIL.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACK\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Audio\PROGRAM\CTMIX32.EXE /t
O4 - HKLM\..\Run: [CallControl 4.5] C:\Program Files\FaxTalk Communicator\FTCtrl32.exe /autoload
O4 - HKLM\..\Run: [NetOnHold] C:\Program Files\FaxTalk NetOnHold\Ftnohmgr.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle\RAM_98.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [RTEGPRS] "C:\WINDOWS\RTEGPRS.EXE" tray
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\PROGRAM FILES\3B SOFTWARE\WINDOWS REGISTRY REPAIR PRO\REGISTRYREPAIRPRO.EXE 4
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 5 PROFESSIONAL\POPUPSTOPPER.EXE"
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: HP OfficeJet T Series Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet T Series 9x\Bin\HPOstr05.exe
O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
O4 - Startup: Lexibase Express.lnk = C:\Program Files\Softissimo\Collins Internet-Linked Dictionary\exe\L-Express.exe
Help me and I will help you (if I can).
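A checker for the HijackThis log format posted above, added here as an example and not code from the poster or from HijackThis itself: it parses the Running processes, R0 and O4 lines, flags R0 entries whose value is blank (the symptom in the log above) and O4 autoruns whose file has an odd extension or does not appear in the process list. The sample log is constructed from a few lines in the thread's format, and its `update.exe.tmp` line is a made-up stand-in for the renaming described earlier, not a line from the real logs.

```python
import ntpath
import re

# Constructed sample in the HijackThis v1.99.1 line format seen in the thread;
# the ".exe.tmp" autorun is a made-up stand-in for the renaming the poster
# described, not a line from the real logs.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\A2\A2GUARD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [Updater] C:\WINDOWS\TEMP\update.exe.tmp
"""

R0_RE = re.compile(r"^R0 - (?P<key>.+?)\s*=\s*(?P<value>.*)$")
O4_RE = re.compile(r"^O4 - (?P<where>\S+):\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
# HJT prints long paths with spaces unquoted, so an unquoted command line is
# cut at the first executable-looking extension rather than at whitespace.
EXT_RE = re.compile(r"^(?P<path>.*?\.(?:exe\.tmp|exe|dll|com|scr|tsk))(?:\s|$)", re.I)

def executable_path(cmd):
    """Program path from an O4 command line, arguments stripped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXT_RE.match(cmd)
    return m.group("path") if m else cmd.split()[0]

def parse_hjt(text):
    """Split a log into (running process paths, R0 (key, value), O4 (where, name, path))."""
    procs, r0, o4, in_procs = [], [], [], False
    for line in (ln.strip() for ln in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs:
            in_procs = bool(line)        # a blank line ends the process list
            if line:
                procs.append(line)
        elif m := R0_RE.match(line):
            r0.append((m["key"], m["value"].strip()))
        elif m := O4_RE.match(line):
            o4.append((m["where"], m["name"], executable_path(m["cmd"])))
    return procs, r0, o4

def findings(text):
    """(kind, detail) pairs worth a second look; an empty list means nothing odd."""
    procs, r0, o4 = parse_hjt(text)
    running = {ntpath.basename(p).lower() for p in procs}   # Windows-style paths
    out = []
    for key, value in r0:
        if value == "":     # blanked Start/Local Page: the symptom in the thread
            out.append(("blank-r0", key))
    for where, name, path in o4:
        base = ntpath.basename(path).lower()
        if not base.endswith((".exe", ".dll", ".com", ".scr")):
            out.append(("odd-extension", f"{name}: {path}"))
        if base not in running:   # registered to start but not running: disabled,
            out.append(("autorun-not-running", f"{name}: {path}"))  # renamed or exited
    return out
```

An autorun that is not running is only informational on its own (scanregw.exe exits after its check), but combined with a renamed or odd-extension file it is the pattern the poster described for a-squared.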
joeclem111
New visitors - please read the rules.
Posts: 11
Joined: Mon May 16, 2005 4:55 am

Just tried to fix those 3 entries with HijackThis. I have Spybot TeaTimer running in the background. The fix for the first entry generated a Spybot warning "New data = blank.htm", and I refused the change. The second fix generated the same. The third fix generated a Spybot warning "New data = about:blank". THAT is confirmation that we are dealing with the about:blank infection. Finally serious progress. Just need to find the file now.
Help me and I will help you (if I can).
Denniss
BIOS Guru
Posts: 3153
Joined: Thu Mar 21, 2002 8:16 pm
Location: Near Hannover (CEBIT) Germany
Contact:

Tweak the VCACHE setting again and set it to 128000 (Bytes) and you'll see lots of available free memory. By default Win9x uses lots of free memory within VCACHE (HDD cache) but acts dynamically and releases RAM if needed.

The about:blank or blank.htm is the default IE start page (but it's possible to hijack this start page, redirecting it to something else). Fixing R0 entries with HJT reinstalls the default IE start pages, see the HJT help.
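The system.ini edits Denniss describes in this thread (MaxFileCache under [VCACHE], ConservativeSwapfileUsage under [386Enh]), as an added example that is not the thread's own code: a small helper that sets one key in one section of a Windows-style .ini file, updating the key if it already exists and creating the section if it is missing, so running it twice (as when changing 512000 to 128000) does not leave duplicate lines. The SAMPLE_INI content is constructed.

```python
import re

# Constructed stand-in for a Win98 C:\WINDOWS\SYSTEM.INI (a few sections only).
SAMPLE_INI = """[boot]
shell=Explorer.exe

[386Enh]
device=*vpowerd

[vcache]
MinFileCache=0
"""

SECTION_RE = re.compile(r"^\s*\[(.+?)\]\s*$")

def set_ini_value(text, section, key, value):
    """Return text with key=value set in [section].

    An existing key is replaced in place, a missing key is appended to the end
    of its section, and a missing section is created at the end of the file.
    Names are matched case-insensitively, as Windows does; other lines are kept.
    """
    out, in_target, seen, done = [], False, False, False
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            if in_target and not done:
                # Leaving the target section without having found the key:
                # insert it before any blank lines that precede the next header.
                blanks = []
                while out and not out[-1].strip():
                    blanks.append(out.pop())
                out.append(f"{key}={value}")
                out.extend(blanks)
                done = True
            in_target = m.group(1).lower() == section.lower()
            seen = seen or in_target
        elif in_target and not done and "=" in line:
            if line.split("=", 1)[0].strip().lower() == key.lower():
                line = f"{key}={value}"       # update existing key in place
                done = True
        out.append(line)
    if not done:
        if not seen:
            out += ["", f"[{section}]"]      # section absent: create it at the end
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"
```

Keep a copy of the original system.ini before writing the result back; Win98 reads the file at boot and a damaged one can stop Windows loading.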