AnswerPool.com forum, Security Issues: EXE
Gold Enthusiast posted:
Do I need to be concerned about:

portS.EXE

internal.EXE

?

DD
 
Posts: 1033 | Location: The River | Registered: 07-04-02
Bronze Enthusiast posted:
If they are in c:\windows, then yes, they are likely to be trojans.

Go to http://www.spychecker.com/program/hijackthis.html and download 'Hijack This!'.

Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+E), double clicking on C:, then right clicking and selecting New | Folder, and naming it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and use "Fix checked", it will create a backup file of its modifications to use if a restore is necessary. Please delete the old copy so it can't be used.

Launch Hijack This, press Scan, and then press Save Log.

This will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.

Open that file.
Go to Edit | Select All.
Now click Edit | Copy to copy it.

Do not change anything just yet.
Come back to the forum, right click and paste its contents here.
 
Posts: 306 | Location: UK | Registered: 04-07-04
Gold Enthusiast posted:
quote:
Originally posted by putasolutions:
If they are in c:\windows, then yes, they are likely to be trojans.

Go to http://www.spychecker.com/program/hijackthis.html, and download 'Hijack This!'.

Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+E), double clicking on C:, then right clicking and selecting New | Folder, and naming it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and use "Fix checked", it will create a backup file of its modifications to use if a restore is necessary. Please delete the old copy so it can't be used.

Launch Hijack This, press _Scan_, and then press _Save Log_.

This will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.

Open that file.
Go to _Edit | Select All_.
Now click _Edit | Copy_ to copy it.

Do not change anything just yet.
Come back to the forum, right click and _paste_ its contents here.


Logfile of HijackThis v1.97.7
Scan saved at 07:07:31 a.m., on 4/06/2004
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\DR SOLOMON'S\ANTI-VIRUS TOOLKIT\WGFE95.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\CMMPU.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
C:\PROGRAM FILES\BABYLON TRANSLATOR\BABYLON.EXE
C:\PROGRAM FILES\DR SOLOMON'S\ANTI-VIRUS TOOLKIT\TK_SCHEN.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.guate.net.gt:8080
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [Microsoft WebServer] C:\Archivos de programa\WebSvr\Sistema\svctrl /init
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [WinGuard] C:\Program Files\Dr Solomon's\Anti-Virus Toolkit\wgfe95.exe
O4 - HKLM\..\RunServices: [Microsoft WebServer] C:\Archivos de programa\WebSvr\Sistema\inetsw95.exe -w3svc
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [RealJukeboxSystray] "C:\PROGRAM FILES\REAL\REALJUKEBOX\tsystray.exe"
O4 - HKCU\..\Run: [Babylon Translator] C:\PROGRAM FILES\BABYLON TRANSLATOR\BABYLON.EXE
O4 - Startup: Dr Solomon's Scheduler.lnk = C:\Program Files\Dr Solomon's\Anti-Virus Toolkit\tk_schen.exe
O4 - Startup: Luther.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: Win32 Classes - file://C:\WINDOWS\Java\classes\win32ie4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?1065991281440
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = guate.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = guate.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 200.12.63.2,200.12.63.10


I had unchecked portS from this list several days ago and I forgot to recheck it before running HJT. That is why it does not appear on the list. It is listed this way:

portS C:\WINDOWS\SYSTEM\portS.exe

I have been dealing with a problem that includes: modulice (modF) (popup); pup.exe; over.exe; totempole; werule; www.achtungachtung.com; x.EXE; y.EXE; suchost; suchostp; and who knows what other modifications that I haven't found yet. I have learned things about my computer that I didn't even know existed a week ago. I am getting a little psychotic about anything that looks the least bit strange and I am worried that I will get carried away and delete something from the Registry that I shouldn't.

DD
 
Posts: 1033 | Location: The River | Registered: 07-04-02
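A small triage script for the HijackThis log format shown in the post above, added here as an example; it is not code from the thread, from AnswerPool or from the HijackThis project. It parses the "Running processes" block and the R/F/O entries, applies the rule the earlier reply gave (an autostart item or process whose file sits directly in c:\windows or c:\windows\system deserves a look), and pulls out the proxy and DNS settings that browser hijackers typically change. The sample log is a constructed excerpt modelled on the one posted above, the allow list is an assumption (only internat.exe is vouched for in the thread; the other names are standard Windows 98 components), and treating a bare file name as living in the Windows directory is an assumption about how such names are resolved.

```python
"""Triage helper for HijackThis 1.9x logs (added example, not part of the thread or of HijackThis)."""
import ntpath
import re

# Constructed excerpt modelled on the log posted in the thread; not the full log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 07:07:31 a.m., on 4/06/2004
Platform: Windows 98 Gold (Win9x 4.10.1998)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\CMMPU.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.guate.net.gt:8080
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\RunServices: [WinGuard] C:\Program Files\Dr Solomon's\Anti-Virus Toolkit\wgfe95.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 200.12.63.2,200.12.63.10
"""

# Assumed allow list: internat.exe is confirmed legitimate in the thread; the rest are
# standard Windows 98 components. Extend with care; an empty set flags everything.
KNOWN_GOOD = {"kernel32.dll", "explorer.exe", "internat.exe", "scanregw.exe"}

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
PROGRAM_RE = re.compile(r"(.*?\.(?:exe|dll|ocx|com))(?=\s|$)", re.IGNORECASE)


def parse_hjt_log(text):
    """Return (processes, entries): running-process paths and (code, detail) tuples."""
    processes, entries, in_processes = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:
                in_processes = False  # a blank line ends the process block
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def executable_of(detail):
    """Best-effort extraction of the program path from an O4, F1 or O2 detail string."""
    if detail.startswith("Startup:"):          # "Name.lnk = path"
        target = detail.split("=", 1)[1].strip()
    elif "] " in detail:                        # "[Name] command args"
        target = detail.split("] ", 1)[1].strip()
    elif "run=" in detail:                      # "win.ini: run=path"
        target = detail.split("run=", 1)[1].strip()
    elif " - " in detail:                       # "(name) - {CLSID} - path"
        target = detail.rsplit(" - ", 1)[1].strip()
    else:
        return None
    if target.startswith('"'):                  # quoted path, possibly with spaces
        return target[1:].split('"', 1)[0]
    m = PROGRAM_RE.match(target)                # keep spaces inside unquoted "Program Files" paths
    return m.group(1) if m else target.split()[0]


def lives_in_windows_dir(path):
    """True for files directly in the Windows or System folder, or for bare names."""
    p = path.lower()
    if "\\" not in p:
        return True  # assumption: a bare name resolves through the system PATH
    return ntpath.dirname(p) in ("c:\\windows", "c:\\windows\\system")


def triage(text, known_good=KNOWN_GOOD):
    """List (code, basename, path) for items in the Windows folder that are not on the allow list."""
    processes, entries = parse_hjt_log(text)
    flagged = []
    for code, detail in entries:
        if code not in ("O4", "F1", "O2"):
            continue
        path = executable_of(detail)
        if path and lives_in_windows_dir(path) and ntpath.basename(path).lower() not in known_good:
            flagged.append((code, ntpath.basename(path).lower(), path))
    for proc in processes:
        if lives_in_windows_dir(proc) and ntpath.basename(proc).lower() not in known_good:
            flagged.append(("PROC", ntpath.basename(proc).lower(), proc))
    return flagged


def network_settings(text):
    """Collect proxy (R1) and DNS (O17) values, which hijackers commonly change, for manual review."""
    _, entries = parse_hjt_log(text)
    found = {}
    for code, detail in entries:
        if code in ("R0", "R1", "O17") and "=" in detail:
            key, value = detail.rsplit("=", 1)
            key = key.rstrip().rsplit(",", 1)[-1].rsplit(":", 1)[-1].strip()
            if key in ("ProxyServer", "NameServer", "Start Page", "Search Bar"):
                found[key] = value.strip()
    return found


if __name__ == "__main__":
    for code, name, path in triage(SAMPLE_LOG):
        print(f"{code:5} {name:15} {path}")
    print(network_settings(SAMPLE_LOG))
```

The script only points at entries that need a human decision; it does not remove anything. A flagged item is "in the Windows folder and not on the allow list", which is exactly the rule of thumb the reply gave, so a harmless Windows component will be flagged until it is added to the allow list, and a malicious file placed under Program Files will not be flagged by this rule at all.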
Bronze Enthusiast posted:
I understand your concern.

Click on Start | Settings | Control Panel

Open Add/Remove Programs

Select Twain-tech and click on Add/Remove

In the absence of an entry in ADD/REMOVE PROGRAMS, use the following steps to unregister and delete the program.


To permanently disable the software, click Start | Run and type the following command, which unregisters the software:

regsvr32 /u c:\windows\twaintec.dll

To completely remove the software: reboot and then Find and Delete the file mxtarget.dll.

Now close all windows, restart Hijack This and put a check mark against the following:


O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

And click Fix checked.

Internat.exe loads the different input locales, and is a legitimate file.
 
Posts: 306 | Location: UK | Registered: 04-07-04
Gold Enthusiast posted:
To permanently disable the software, click Start | Run and type the following command, which unregisters the software:

regsvr32 /u c:\windows\twaintec.dll ACCOMPLISHED

To completely remove the software: reboot and then Find and Delete the file mxtarget.dll.
Could not find mxtarget.dll anyplace. The closest and most suspect item is the following in Temporary Internet Files.

http://promos.hotbar.com/promos/promodll.dll?GetPromo&El=hotbar%5felement%3bst%3b&SG=&RAND=41620&partner=fastutility&/p.gif

The properties for this item are as follows:
Type: Gif Image
Location: C:\WINDOWS\Temporary Internet Files\NPJ50MUL
Size: 1.05KB
MS-DOS name: PROMOD 1.GIF
Created: Thursday, June 3, 2004 07:39:40 p.m.
Modified: Thursday, June 3, 2004 07:39:42 p.m.
Archive


DD
 
Posts: 1033 | Location: The River | Registered: 07-04-02
Bronze Enthusiast posted:
It's not always there, so don't worry about not finding it.
 
Posts: 306 | Location: UK | Registered: 04-07-04
Gold Enthusiast posted:
Thank you. Hopefully all is taken care of now.
DD
 
Posts: 1033 | Location: The River | Registered: 07-04-02
Platinum Enthusiast posted:
To piggyback on this thread, I just got around to d/l HJT. I have a 9K file (in the folder as instructed). The problem is it will not open but tries to run the program again. Any ideas what gives on this?

I should add that I could not copy the list to paste here for help. Just kept getting this box asking if I wanted to run the dang thing.

98SE and IE6 Thanks.
 
Posts: 2216 | Location: central fl. | Registered: 06-03-02
Bronze Enthusiast posted:
Ok, you've unzipped it?

To its own folder?

Hijack This is about 156kb, so I suggest that you re-download it.
 
Posts: 306 | Location: UK | Registered: 04-07-04
Platinum Enthusiast posted:
I have since read that it used to be a zip file and now self installs. I got the self install that is 156k. The 9K file I referred to is a log file list similar to what others are posting. It does not allow me to copy that list to post here, instead bringing up a box asking if I want to open or save. Nothing brings the list back up in a text format to copy, though.
 
Posts: 2216 | Location: central fl. | Registered: 06-03-02
Bronze Enthusiast posted:
Choose the Open option and it may ask you which program you wish to use to open it; choose Notepad.

When Notepad opens, click Edit | Select All.
Then click Edit | Copy.

Paste the contents into a new thread; this prevents confusion for yourself and anyone else who has posted a Hijack This log.
 
Posts: 306 | Location: UK | Registered: 04-07-04
Platinum Enthusiast posted:
I know you love HJT, but it doesn't like me. I have downloaded the program several times now using both zipped and non-zipped sources.

I get the 157k file, it runs, and I get the list like what others have been posting. TRYING to open the log file always brings up the box asking if I want to open or save. Clicking either open or save simply brings up the same open or save box again. I can't copy the list directly from the run since there is no edit function on there.

I did scan the downloads with Norton also so they are clean. Is there a list of results that is always safe to delete? Anyhow thanks again but I give up on it.
 
Posts: 2216 | Location: central fl. | Registered: 06-03-02
© 2002-2008 AnswerPool.com