Please help...ads, computer freezing, system lag. HijackThis/Aida info inside!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by MinnieMcG, May 17, 2004.

  1. MinnieMcG

    MinnieMcG Private E-2

    Hello, MajorGeeks!

    If anyone has a spare moment, I'd really appreciate somebody taking a look at my HijackThis log/Aida info and seeing what, if any, problems I have. My computer's been even slower than usual lately, and it's been displaying web page errors/ads (and I have an ad blocker already, which makes me think these are spyware). I've run AdAware, Spybot S&D, Peper Removal and CWShredder, and though they've caught a lot of cookies and extraneous problems, I'm still getting the ads and the lag/errors.

    Here's my HijackThis log from today:

    [[BEGIN LOG]]

    Logfile of HijackThis v1.97.7
    Scan saved at 3:33:02 PM, on 5/17/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\INTRIGUE LEARNING\PCBODYGUARD.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\SCANJET\PRECISIONSCAN\HPPPT.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\AIM95\AIM.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\TEMP\1K1RM4T.EXE
    C:\WINDOWS\SYSTEM\WINOA386.MOD
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    R3 - URLSearchHook: TvmBho Class - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\TV MEDIA\TvmBho.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\TV MEDIA\TvmBho.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [freesurfer] C:\PROGRAM FILES\FREE SURFER\fs20.exe
    O4 - HKLM\..\Run: [PCBG] C:\PROGRAM FILES\INTRIGUE LEARNING\pcbodyguard.exe /start
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [TV Media] C:\TV MEDIA\TVM.EXE
    O4 - HKLM\..\Run: [1k1rm4t] C:\WINDOWS\TEMP\1K1RM4T.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Internet Washer Pro] C:\PROGRAM FILES\INTERNET WASHER PRO\IW.exe min
    O4 - HKCU\..\Run: [TV Media] C:\TV MEDIA\TVM.EXE
    O4 - Startup: HP Parallel Port Test.lnk = C:\SCANJET\PrecisionScan\hpppt.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: &Check Spelling - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLCHECK.HTM
    O8 - Extra context menu item: &ieSpell Options - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLOPTION.HTM
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
    O9 - Extra button: Free Surfer (HKLM)
    O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
    O9 - Extra 'Tools' menuitem: SmartWhois (HKLM)
    O9 - Extra button: SmartWhois (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

    [[END LOG]]

    Also, here's my sysinfo, from the AIDA32 program I downloaded from the MajorGeeks website:

    [[BEGIN SYSINFO]]

    Computer:
    Operating System Microsoft Windows 98 SE
    OS Service Pack None
    Internet Explorer 6.0.2800.1106 (IE 6.0 SP1)
    Computer Name KOS_1 (WINDOWS 98 USER)
    User Name Windows 98 User
    Motherboard:
    CPU Type Intel Pentium II, 400 MHz (4 x 100)
    Motherboard Name Acer V66M
    Motherboard Chipset Intel 82440BX/ZX
    System Memory 64 MB (PC100 SDRAM)
    BIOS Type Acer (04/01/98)
    Communication Port Communications Port (COM1)
    Communication Port Communications Port (COM2)
    Communication Port Printer Port (LPT1)
    Display:
    Video Adapter RAGE PRO TURBO AGP 2X (English) (DirectX) (8 MB)
    3D Accelerator ATI 3D-Rage Pro
    Monitor CTX VL700, MS700, PL7 Series, 17-Group 69KHz/160Hz
    Multimedia:
    Audio Adapter ESS Technology ES1938/ES1941/ES1946 Solo-1(E) Sound Card
    Storage:
    Floppy Drive GENERIC NEC FLOPPY DISK
    Disk Drive GENERIC IDE DISK TYPE02
    Optical Drive ATAPI CD-ROM DRIVE-32X (32x CD-ROM)
    Optical Drive IDE-CD R/RW 4x4x24 (4x/4x/24x CD-RW)
    Partitions:
    C: (FAT32) 8197 MB (977 MB free)
    Input:
    Keyboard Standard 101/102-Key or Microsoft Natural Keyboard
    Mouse PS/2 Compatible Mouse Port
    Network:
    Primary IP Address 192.168.1.101
    Primary MAC Address 00-20-35-B1-4E-22
    Network Adapter AMD PCNET Family Ethernet Adapter (192.168.1.101)
    Peripherals:
    Printer HP LaserJet 4L
    USB Device Camera

    [[END SYSINFO]]

    I hope this is everything you need. Please let me know if there's any other information I can give you that would help make a diagnosis. Thank you for any help you can give me!

    Minnie
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MG's Minnie,

    You should delete this file:

    C:\WINDOWS\TEMP\1K1RM4T.EXE

    Not sure what it is but nothing that is required for your system should be running from windows\temp. You may need to boot in safe mode to delete this file.

    Also, have HijackThis fix the following:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    O4 - HKLM\..\Run: [1k1rm4t] C:\WINDOWS\TEMP\1K1RM4T.EXE

    Not sure what the following line is for but it should be under suspicion:

    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab
     
  3. alanc

    alanc MajorGeek

    Ya missed one there Chas, that TV Media crap has got to go...

    Minnie, fix these lines in HijackThis:
    R3 - URLSearchHook: TvmBho Class - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\TV MEDIA\TvmBho.dll
    O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\TV MEDIA\TvmBho.dll
    O4 - HKCU\..\Run: [TV Media] C:\TV MEDIA\TVM.EXE


    Then reboot to Safe Mode, set your Folder Options to Show hidden files, delete this folder:
    C:\TV MEDIA

    And delete all the files in C:\WINDOWS\TEMP
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks for picking me up Alan! I must have had my speed reading glasses on! :eek:
     
  5. MinnieMcG

    MinnieMcG Private E-2

    I did everything you both advised, but I honestly can't tell you if they helped or not because of the...(dum dum dum)...

    MASSIVE SPYWARE EXPLOSION 2004. Coming to a computer near...me.

    I walked away from my computer with only the AdAware program and the MajorGeeks website open. After dinner, I came back, and all of a sudden I had a new toolbar (the USearch one?) and two new links on my desktop. I ran AdAware again, on a system that was just cleaned, and came up with 192 new ad problems, most of them files and folders! I have no idea what happened--nobody used my computer (at least, nobody will 'fess up to it). I cleaned with AdAware, deleted about 200 new things in Safe Mode that I knew were adware programs/files, and now I have this:

    Logfile of HijackThis v1.97.7
    Scan saved at 9:46:53 PM, on 5/17/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\FREE SURFER\FS20.EXE
    C:\PROGRAM FILES\INTRIGUE LEARNING\PCBODYGUARD.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\IEHOST.EXE
    C:\WINDOWS\SYSTEM\DP-HIM.EXE
    C:\WINDOWS\SYSTEM\FM2AP32.EXE
    C:\WINDOWS\SYSTEM32\PCS\PCSVC.EXE
    C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
    C:\PROGRAM FILES\COMMON FILES\UPDMGR\UPDMGR.EXE
    C:\PROGRAM FILES\AIM95\AIM.EXE
    C:\WINDOWS\APPLICATION DATA\WMCO.EXE
    C:\SCANJET\PRECISIONSCAN\HPPPT.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\ELQ0.EXE
    C:\WINDOWS\SYSTEM\DBHB2.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    R3 - URLSearchHook: (no name) - {4FC95EDD-4796-4966-9049-29649C80111D}_ - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\PROGRAM FILES\SYSAI\APROPOSPLUGIN.DLL
    O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [freesurfer] C:\PROGRAM FILES\FREE SURFER\fs20.exe
    O4 - HKLM\..\Run: [PCBG] C:\PROGRAM FILES\INTRIGUE LEARNING\pcbodyguard.exe /start
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\SYSTEM\IEHost.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-HIM.EXE
    O4 - HKLM\..\Run: [4RM#M7848F7#RJ] C:\WINDOWS\SYSTEM\LsxI52.exe
    O4 - HKLM\..\Run: [qE4S36P] FM2AP32.EXE
    O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Internet Washer Pro] C:\PROGRAM FILES\INTERNET WASHER PRO\IW.exe min
    O4 - HKCU\..\Run: [Tds] C:\WINDOWS\Application Data\wmco.exe
    O4 - HKCU\..\Run: [WINT] C:\WINDOWS\SYSTEM\wcpsu.exe
    O4 - Startup: HP Parallel Port Test.lnk = C:\SCANJET\PrecisionScan\hpppt.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: &Check Spelling - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLCHECK.HTM
    O8 - Extra context menu item: &ieSpell Options - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLOPTION.HTM
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
    O9 - Extra button: Free Surfer (HKLM)
    O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
    O9 - Extra 'Tools' menuitem: SmartWhois (HKLM)
    O9 - Extra button: SmartWhois (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    [[END LOG]]

    The Searchhook things keep returning even after I've fixed them, and some of the O4 files look really suspicious (I'm just an amateur speaking, though!) Any thoughts? It was literally like all the spyware in the world just exploded on my desktop. Absolutely bizarre. I'm wondering if I have a virus or something that is replicating this crap every time I delete.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Wow! This gives new meaning to all hell breaking loose.

    Please close all open apps and IE, run HJT and put a checkmark next to the below lines, then click on "fix checked" :

    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    R3 - URLSearchHook: (no name) - {4FC95EDD-4796-4966-9049-29649C80111D}_ - (no file)
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\PROGRAM FILES\SYSAI\APROPOSPLUGIN.DLL
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\SYSTEM\IEHost.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-HIM.EXE
    O4 - HKLM\..\Run: [4RM#M7848F7#RJ] C:\WINDOWS\SYSTEM\LsxI52.exe
    O4 - HKLM\..\Run: [qE4S36P] FM2AP32.EXE
    O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
    O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)

    Now reboot your computer into safe mode, and remove the following files and folders, if still present:

    C:\WINDOWS\System32\IEHost.exe
    C:\WINDOWS\System32\dp-him.exe
    C:\WINDOWS\SYSTEM\LsxI52.exe
    \FM2AP32.EXE
    c:\Program Files\AutoUpdate\AutoUpdate.exe

    In order to see all these files you should make sure you have enabled Windows Explorer to Show hidden files and folders and also do not Hide file extensions for known file types.

    You may want to give this program a run too, Trojan Remover 6.2.3: http://www.majorgeeks.com/download903.html
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Oops, I missed a few in my previous post. But before doing any of these, first run CWShredder, available here: http://www.majorgeeks.com/download4086.html
    Then add the below 3 items to the previous post of things to remove with HijackThis and to delete after rebooting to safe mode:

    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
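
    An added example (my own code, not from this thread and not part of HijackThis): a small Python checker that applies the triage heuristics chaslang uses in posts #2 and #6/#7, flagging anything running or autostarting from WINDOWS\TEMP, R3 URLSearchHooks with "(no file)", O2 BHOs with "(file missing)", and O4 entries that name a bare file with no path. Extending the temp-directory rule to Application Data and grouping entries by CLSID are my own assumptions; the sample log lines are copied from the logs posted above.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\TEMP\1K1RM4T.EXE
C:\WINDOWS\APPLICATION DATA\WMCO.EXE
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: TvmBho Class - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\TV MEDIA\TvmBho.dll
O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\TV MEDIA\TvmBho.dll
O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [1k1rm4t] C:\WINDOWS\TEMP\1K1RM4T.EXE
O4 - HKLM\..\Run: [qE4S36P] FM2AP32.EXE
O4 - HKCU\..\Run: [Tds] C:\WINDOWS\Application Data\wmco.exe
"""

# Directories nothing required by the system should run from. WINDOWS\TEMP is the
# rule stated in the thread; adding Application Data is my own extension (assumption).
SUSPICIOUS_DIRS = ("\\WINDOWS\\TEMP\\", "\\APPLICATION DATA\\")

CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<target>.*)$")


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def _in_suspicious_dir(path: str) -> bool:
    upper = path.upper()
    return any(d in upper for d in SUSPICIOUS_DIRS)


def _o4_target_path(target: str) -> str:
    # Targets may be quoted and carry arguments: "C:\...\QTTASK.EXE" -atboottime
    m = re.match(r'^"?(.*?\.(?:exe|dll|com))"?', target, re.I)
    return m.group(1) if m else target


def analyze(log_text: str) -> list:
    """Apply the thread's triage heuristics to a HijackThis log and return the hits."""
    findings = []
    in_procs = False
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        if line == "Running processes:":
            in_procs = True
            continue
        if re.match(r"^[RO]\d+ - ", line):
            in_procs = False  # the first R/O entry ends the process list
        if in_procs:
            if _in_suspicious_dir(line):
                findings.append(Finding(line, "process running from a temp/profile directory"))
            continue
        m = O4_RUN_RE.match(line)
        if m:
            path = _o4_target_path(m["target"])
            if _in_suspicious_dir(path):
                findings.append(Finding(line, "autostart points into a temp/profile directory"))
            elif "\\" not in path:
                findings.append(Finding(line, "autostart names a bare file; verify where it lives"))
        elif line.startswith("R3 - URLSearchHook") and line.endswith("(no file)"):
            findings.append(Finding(line, "orphaned URLSearchHook (no backing file)"))
        elif line.startswith("O2 - BHO") and line.endswith("(file missing)"):
            findings.append(Finding(line, "BHO whose DLL is missing"))
    return findings


def shared_clsids(log_text: str) -> dict:
    """CLSIDs appearing in more than one entry (one component hooked as both R3 and O2)."""
    by_clsid = {}
    for line in log_text.splitlines():
        for clsid in CLSID_RE.findall(line):
            by_clsid.setdefault(clsid.upper(), []).append(line.strip())
    return {c: lines for c, lines in by_clsid.items() if len(lines) > 1}
```

    Entries that share a CLSID belong to one component (TV Media's hook and BHO above), so they should be checked and fixed together rather than one at a time.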
     
  8. alanc

    alanc MajorGeek

    Minnie, you really need to be running a firewall and a good anti-virus, especially with AIM sitting there open.

    Check out these sections here:
    http://www.majorgeeks.com/downloads29.html (Anti-Virus)
    http://www.majorgeeks.com/downloads34.html (Firewall)

    ZoneAlarm is a good free firewall and Avast is a great free AV.
     
  9. MinnieMcG

    MinnieMcG Private E-2

    Alanc and Chaslang,

    Thank you both for your EXCELLENT help. I've spent about an hour going through my system, and after some scanning, fixing, deleting and installing, everything finally looks clean. I went through all the steps you gave me, and I did a file search on every single extension on the list to find files hiding anywhere else (there were replicas in the All Users folder, plus some duplicates in the System and System32 folders). Avast and ZoneAlarm are now on my system and running well. There's no lag, no hijacking, no random ads--everything looks fantastic. I've put in one more HijackThis log in case there's anything I've forgotten to delete. There are two more R3 objects that won't fix or delete, even though I've tried several times, but they don't seem to be affecting anything. Thank you again for everything!

    Minnie

    [[BEGIN LOG]]
    Logfile of HijackThis v1.97.7
    Scan saved at 6:43:24 PM, on 5/18/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\FREE SURFER\FS20.EXE
    C:\PROGRAM FILES\INTRIGUE LEARNING\PCBODYGUARD.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\AIM95\AIM.EXE
    C:\SCANJET\PRECISIONSCAN\HPPPT.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    R3 - URLSearchHook: (no name) - {4FC95EDD-4796-4966-9049-29649C80111D}_ - (no file)
    O4 - HKLM\..\Run: [freesurfer] C:\PROGRAM FILES\FREE SURFER\fs20.exe
    O4 - HKLM\..\Run: [PCBG] C:\PROGRAM FILES\INTRIGUE LEARNING\pcbodyguard.exe /start
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Internet Washer Pro] C:\PROGRAM FILES\INTERNET WASHER PRO\IW.exe min
    O4 - Startup: HP Parallel Port Test.lnk = C:\SCANJET\PrecisionScan\hpppt.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: &Check Spelling - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLCHECK.HTM
    O8 - Extra context menu item: &ieSpell Options - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLOPTION.HTM
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
    O9 - Extra button: Free Surfer (HKLM)
    O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
    O9 - Extra 'Tools' menuitem: SmartWhois (HKLM)
    O9 - Extra button: SmartWhois (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    [[END LOG]]
     
  10. alanc

    alanc MajorGeek

    Making good progress Minnie, good job! :)

    That's odd that those R3 lines won't allow you to fix them, see if you can in Safe Mode (tap F8 while booting).

    Regarding this:
    O4 - HKCU\..\Run: [Internet Washer Pro] C:\PROGRAM FILES\INTERNET WASHER PRO\IW.exe min

    If Internet Washer Pro is something you installed knowingly and want to keep, then that's up to you, but it's considered spyware and a resource hog.

    If not, look for it in Control Panel >Add/Remove and uninstall it, then fix that line in HJT if it's still there.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I agree, Alan! Minnie has made great progress here. I also agree with regards to Internet Washer. And yes, for those difficult-to-remove R3 lines, try as Alan suggests to fix them with HijackThis while running in Safe Mode.
     
