Internet keeps disconnecting, password disappears and SVCHOS1AT file appears
I am running on Windows 98, using broadband with a Speedtouch modem and my connection to the Internet periodically disconnects. When I go to log back in, Speedtouch is no longer shown on the Dial up Connection box. So I go to desktop, open Speedtouch Connections and the password is not there. After entering the password it then sometimes connects and other times does not until I have reset my machine. If I do control/alt/delete a file/program called SVCHOS1AT sometimes appears at the bottom of the list after the system disconnects, also occasionally a pop-up box appears referring to this file/program, so it seems to me that my problem is to do with this file/program. I have tried following the instructions on ID number 538639 that sounds like a similar problem to mine. I have run HijackThis and the log is as follows but I do not know what to do next:

Logfile of HijackThis v1.99.1
Scan saved at 19:22:22, on 21/08/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE
C:\WINAMP.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\COMM.EXE
C:\PROGRAM FILES\TRUST\12522 AMI MOUSE 250S WIRELESS\1.0\LWBWHEEL.EXE
C:\PROGRAM FILES\SPEEDTOUCH\DR SPEEDTOUCH\DRST.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
C:\OPLIMIT\OCRAWARE.EXE
C:\OPLIMIT\OCRAWR32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\COMM.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\WINWORD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\C189ABC1\HIJACKTHIS[1].EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Internet
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL
O2 - BHO: (no name) - {5A5B6916-ED71-4531-8018-E792DD44156E} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_1.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - HKLM\..\Run: [JVM0.14] C:\WINAMP.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Timer] C:\WINDOWS\comm.exe /i
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Trust\12522 AMI MOUSE 250S WIRELESS\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [SvcH0st] C:\WINDOWS\shch.exe /i
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk311AXGB
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

Hope you can help

Regards
Alan Bridle
Answer:
alan...

As for SVCHOS1AT, do the following:

Run HiJackThis (HJT) and click 'Open the Misc Tools Section', then click 'Open Process manager'. Next, locate and click on:

C:\WINDOWS\svchos1at.exe

Make sure that only that item is highlighted, then click 'Kill process'. Then click "Refresh", check again, and repeat this step if it remains. If it won't delete, see the instructions later on how to use HJT to delete it on reboot.

Next, close HJT and read the following. There's a step to take before using it to delete the nasty entries:

The following entries should be removed, subject to your own judgment with regards to my comments (some of the files appear in odd locations, and you should check to see if there are duplicates in the locations I suggest):

Running Processes:

C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE
The first of many MyWebSearch entries. You should try to uninstall this program first, which may do a better job of removal than checking the entries in Hijack This. See this page about removing the program, then re-run HJT to remove the rest of the following entries:
http://www.mac-net.com/445088.page

C:\WINAMP.EXE
Should normally be located in C:\program files\winamp\
The odd location plus a startup call later on make this suspicious.

C:\WINDOWS\SYSTEM\QTTASK.EXE
is normally located in c:\program files\quicktime\
If you have a duplicate there, you should remove this one, as well as the startup call for it later.

C:\WINDOWS\COMM.EXE
Trojan - see this page on bleepingcomputer.com:
http://www.bleepingcomputer.com/startups/comm.exe-10822.html

C:\WINDOWS\DESKTOP\WINWORD.EXE
Odd location, but not called for on startup, so maybe safe. Normally in C:\Program Files\Microsoft Office\Office\winword.exe

Registry entries:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com/
Do you know and trust this website? If not, check and remove. Otherwise, could be safe.

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL
Should be removed along with everything in: C:\PROGRAM FILES\MYWEBSEARCH\
Use uninstall, as given above, then check this entry if it remains afterward.

O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL
O2 - BHO: (no name) - {5A5B6916-ED71-4531-8018-E792DD44156E} - (no file)
All related to MyWebSearch - as above.

O4 - HKLM\..\Run: [JVM0.14] C:\WINAMP.EXE
As noted above - suspicious location, and suspicious to have this in Windows startup.

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
As noted above - suspicious location, but possibly safe. This file may have a different location in Windows 98. It's not a necessary startup entry anyway.

O4 - HKLM\..\Run: [Timer] C:\WINDOWS\comm.exe /i
As noted above - trojan
If you have trouble deleting this file using HJT or Windows Explorer, use HJT to remove it on reboot:
Run HiJackThis (HJT) and click 'Open the Misc Tools Section', then click 'Delete a file on reboot...'. It may help to have hidden files and folders displayed when you navigate to find this file. To do this:
- Open My Computer.
- Select the View menu and click Folder Options.
- Select the View Tab.
- In the Hidden files section select Show all files.
- Click OK.

O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
More MyWebSearch.

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk311AXGB
Ditto.

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
Junk.

Make sure you have all other programs closed when you run HJT to delete the entries above. Use HJT to select any files you were unable to uninstall or remove manually, and mark them for 'delete on reboot'.

Reboot and, again, making sure all other programs are closed, run HJT again and post another log here for a checkup.

Please do not rate this answer until you are satisfied that the answer cannot be improved upon by way of a dialog established through the "Request for Clarification" process. A user's guide on this topic is on skermit-ga's site, here:
http://www.christopherwu.net/google_answers/answer_guide.html#how_clarify

sublime1-ga

Additional information may be found from an exploration of the links resulting from the Google searches outlined below.

Searches done, via Google:

comm.exe
://www.google.com/search?q=comm.exe

mywebsearch
://www.google.com/search?q=mywebsearch

SVCHOS1AT
://www.google.com/search?q=SVCHOS1AT
1arsenalfc-ga at Google Answers Visit the source
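
The location check the answer applies by eye can be scripted. The following is an added example, not part of the original question or answer: it parses a HijackThis log, finds known programs running outside the install directory the answer names for them, and notes whether an O4 Run entry also starts them. The function names and verdict strings are assumptions made for this sketch; the sample lines are excerpted from the log in the question, and a verdict is only a prompt for manual review.

```python
import re
from pathlib import PureWindowsPath

# Usual install directories, as stated in the answer above.
EXPECTED_DIR = {
    "winamp.exe": r"c:\program files\winamp",
    "qttask.exe": r"c:\program files\quicktime",
    "winword.exe": r"c:\program files\microsoft office\office",
}
# Registry autostart line: "O4 - HKLM\..\Run: [Name] command line"
O4_RE = re.compile(r"^O4 - \S+\\(?:Run|RunServices): \[[^\]]*\] (.+)$")

def exe_path(cmd):
    """Pull the executable path out of a Run command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)(?=\s|$)", cmd, re.I)
    return m.group(1) if m else cmd

def odd_location(path):
    """True if a known program sits outside its usual directory."""
    p = PureWindowsPath(path)
    expected = EXPECTED_DIR.get(p.name.lower())
    return expected is not None and str(p.parent).lower() != expected

def triage(log_text):
    """Return {lower-cased path: verdict} for known programs in odd locations."""
    processes, autostarts, in_processes = [], set(), False
    for line in map(str.strip, log_text.splitlines()):
        if line == "Running processes:":
            in_processes = True
        elif m := O4_RE.match(line):
            autostarts.add(exe_path(m.group(1)).lower())
        elif in_processes and re.match(r"[A-Za-z]:\\", line):
            processes.append(line.lower())
    verdicts = {}
    for path in processes + sorted(autostarts):
        if odd_location(path) and path not in verdicts:
            verdicts[path] = ("odd location + autostart" if path in autostarts
                              else "odd location, no Run entry")
    return verdicts

# Lines excerpted from the HijackThis log posted in the question.
SAMPLE = r"""Running processes:
C:\WINAMP.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\DESKTOP\WINWORD.EXE
O4 - HKLM\..\Run: [JVM0.14] C:\WINAMP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime"""
print(triage(SAMPLE))
```
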