Continued probs with WindowsXP

Discussion in 'Malware Help (A Specialist Will Reply)' started by TidaGuy, Jul 13, 2005.

  1. TidaGuy

    TidaGuy Private E-2

    I've been in this forum before with similar problems with my Windows98 system, and through the guidance of many, and a step-by-step thread, I've since been able to have a computer that runs brilliantly now. However, my fiancée's computer isn't having the same fortune. I've downloaded and used all the tools necessary to rid the system of viruses, trojans, spyware, etc... and although the system is running a little better now, it's definitely nowhere NEAR optimal. She was given this computer by her father, who told her to immediately install anti-virus protection... 8 months later, hadn't been done yet. Needless to say... ready.... over FOUR HUNDRED trojans found, and almost as many spyware. With that in mind, I scanned the system with HJThis and found many unrecognizable entries. I viewed the lists described in the HJThis tutorial, but almost nothing in my scan was listed in either of them. She does have PeoplePC as her IP which might explain a little. Bottom line, I need to post the HJThis log here in a BIG way and will await approval to do so.

    WindowsXP Version 2002
    COMPAQ
    AMD-K6 3D Processor
    533 MHz
    120 MB ram
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. TidaGuy

    TidaGuy Private E-2

    Thanks for the info... I'll have to re-scan with HJThis and post the log tomorrow late afternoon. Looking forward to resolving this computer train wreck. The darn thing had more trojans in it than the USC stadium...
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    LOL!

    Will be awaiting results!
     
  5. TidaGuy

    TidaGuy Private E-2

    Here's the scan log in all its glory...

    Please keep in mind a couple of things: first, nobody validated ANY of the Trusted Zones in the scan... if it's safe to remove them, let's do so. Secondly, I tried a few days ago to delete or "fix" the AdstatServ.exe program (acknowledged in the reference list as adware), but it wouldn't delete... not sure if HJThis fixed it or not.
     

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your Operating System and Internet Explorer versions are WAY out of date and represent a major security risk. After we fix your current problems, you must get updated. You need to install Service Pack 2 for security purposes.


    Please look in Add or Remove Programs for the following and Uninstall them if found:

    AdStatus Service

    Now please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir2.dll?s=consumericon&c=2C01&lc=0409
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

    O2 - BHO: Class - {2B86B621-D1DC-1979-E5BC-338CC5E8A0CD} - C:\WINDOWS\atlkc.dll
    O2 - BHO: Class - {381BBFBF-75F7-FA50-1A44-BAA75ADBF02A} - C:\WINDOWS\system32\sysjn.dll
    O2 - BHO: Class - {551461B1-5C38-24A7-3B81-7F0347BA8044} - C:\WINDOWS\d3ao32.dll
    O2 - BHO: Class - {5E5BCC20-3714-13E6-A800-5A0B8A51992C} - C:\WINDOWS\system32\javaxe32.dll (file missing)
    O2 - BHO: Class - {D1F99B4F-B224-52EE-A763-382898300C69} - C:\WINDOWS\system32\winyo.dll (file missing)
    O2 - BHO: Class - {F6BF5152-744A-9568-35D0-475B9C0FE7CF} - C:\WINDOWS\crdi32.dll (file missing)
    O2 - BHO: Class - {FABE0E4B-31BD-F3E9-72B8-A4A70532BF43} - C:\WINDOWS\system32\iesm32.dll

    O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.05p.com (HKLM)
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.blazefind.com (HKLM)
    O15 - Trusted Zone: *.clickspring.net (HKLM)
    O15 - Trusted Zone: *.flingstone.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.mt-download.com (HKLM)
    O15 - Trusted Zone: *.my-internet.info (HKLM)
    O15 - Trusted Zone: *.searchbarcash.com (HKLM)
    O15 - Trusted Zone: *.searchmiracle.com (HKLM)
    O15 - Trusted Zone: *.slotch.com (HKLM)
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: 206.161.124.130 (HKLM)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\Program Files\AdStatus Service <-- Delete this whole folder if it exists!

    C:\WINDOWS\WEB\related.htm

    C:\WINDOWS\atlkc.dll

    C:\WINDOWS\d3ao32.dll

    C:\WINDOWS\System\blank.htm

    C:\WINDOWS\System32\sysjn.dll

    C:\WINDOWS\System32\iesm32.dll

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
     
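The fix list above is organised by HijackThis section (R0/R1 browser pages, O2 BHOs, O4 autostarts, O15 Trusted Zones). As an added example that is not part of the thread, this small Python triage script parses lines in that log format and assigns each section the kind of review the post applies; the sample lines are constructed from entries quoted in the post, and the EXPECTED_HOSTS allowlist is an assumption a reviewer would fill in for the machine at hand.

```python
import re

# Constructed sample in HijackThis 1.99.1 log layout; the thread's attached
# logs are not on the page, so entries are copied from the post above.
SAMPLE_LOG = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\SearchURL,(Default) = about:blank
O2 - BHO: Class - {5E5BCC20-3714-13E6-A800-5A0B8A51992C} - C:\\WINDOWS\\system32\\javaxe32.dll (file missing)
O2 - BHO: Class - {FABE0E4B-31BD-F3E9-72B8-A4A70532BF43} - C:\\WINDOWS\\system32\\iesm32.dll
O4 - HKLM\\..\\Run: [AdStatus Service] C:\\Program Files\\AdStatus Service\\AdStatServ.exe
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
"""

# Assumed allowlist: hosts the user set on purpose (the ISP portal here).
EXPECTED_HOSTS = {"home.peoplepc.com"}

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")

def classify(line):
    """Return (section, severity, reason) for one HJT log line, or None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R0", "R1"):          # IE start page, search page, search URL
        url = body.split(" = ", 1)[-1]
        host = re.match(r"https?://([^/]+)", url)
        if url == "about:blank" or not host or host.group(1) in EXPECTED_HOSTS:
            return (sec, "info", "default or expected browser page")
        return (sec, "high", "unexpected start/search page: " + host.group(1))
    if sec == "O2":                  # Browser Helper Objects loaded into IE
        if body.endswith("(file missing)"):
            return (sec, "medium", "orphaned BHO registration, safe to fix")
        return (sec, "high", "BHO loaded from " + body.rsplit(" - ", 1)[-1])
    if sec == "O4":                  # autostart Run entries; verify each program
        name = re.search(r"\[(.+?)\]", body)
        return (sec, "medium", "autostart: " + (name.group(1) if name else body))
    if sec == "O15":                 # Trusted Zone sites bypass IE's Internet-zone limits
        return (sec, "high", "Trusted Zone entry: fix unless you added it yourself")
    return (sec, "info", "section not classified")

def review(log):
    """Classify every entry; returns a list of (section, severity, reason, raw)."""
    return [c + (raw,) for raw in log.splitlines() if (c := classify(raw))]

if __name__ == "__main__":
    for sec, sev, why, raw in review(SAMPLE_LOG):
        print(f"{sev:6} {sec:4} {why}")
```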
  7. TidaGuy

    TidaGuy Private E-2

    Thanks for analyzing the scan... I'll get over there and get to work on it tomorrow (Friday) as soon as possible and post the new HJT scan as well.
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You must do my fixes in a timely manner or else this will be difficult to remove.
     
  9. TidaGuy

    TidaGuy Private E-2

    Alright... I'm going to try from this point on to post on her computer to eliminate the transferring of files from one computer to another.

    As for the HJlog, this is the log after the fixes you recommended. As you'll notice, a few TRUSTED sites still remain. I tried to fix this a second time, but to no avail. I also scanned as suggested in Safe Mode with SpyBot and Adware and SB found Admilli, which I deleted/fixed. I'm also going to mention that in the StartUp list, there were several questionable entries. A few examples were WinLogon (9 total) with command lines such as "crypt322.dll", "WINotify.dll", and "wlnotify.dll" to name a few. I have them unchecked, but they remain questionable.

    Also, the People PC Online homepage continues to show "The page cannot be displayed" when I log in, prompting me to click on the Internet Explorer icon in desktop to actually sign in.
     

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file iefix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)
    Double-click on the iefix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!


    After you complete the above, you MUST surf in to Windows Updates and get updated. You need to install Service Pack 2 for all the latest security updates and patches. Without this critical update you will continue to have problems.

    Once you have installed SP2 reboot and attach a fresh HJT log.
     
  11. TidaGuy

    TidaGuy Private E-2

    Well done! The remaining 2 or 3 TRUSTED ZONE entries have been successfully obliterated, as this latest log will show. The system still lags quite a bit, but I think it's due in large part to a number of programs that I can get rid of to free up disk space... BUT, fatal exceptions and things of that nature are virtually gone now. I'm still having a hard time figuring out why the PeoplePC home page shows "the page cannot be displayed" when I try to log in via the PPC icon in desktop, however. I'd contact their customer support, but they "conveniently" charge per minute (no doubt to compensate for their low per-month provider rate). Any suggestions would help greatly.

    Also, I downloaded the SP2 and am now currently up-to-date. Can't thank you enough for all you've done thus far... very much appreciated.
     

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean, are you having any further issues?
     
  13. TidaGuy

    TidaGuy Private E-2

    Thanks for your help! Again, the only issues that remain are a still-prominent lagging problem with the computer. I'll try to resolve this by uninstalling unused programs, etc. And again, just the People PC homepage issue I mentioned earlier, but I'll continue to figure that one out... knowing it's more than likely not a hijack or virus issue makes it more optimistic to resolve.

    This forum.. actually the entire site, is unbelievably helpful and my appreciation to you and everyone behind the entire operation. If I have any more issues I'll be sure to post them here.
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! If you still have the lagging problem after removing some programs then let me know and we will try a few more things.
     
