Please Help: Hijack This Log

Discussion in 'Malware Help (A Specialist Will Reply)' started by Mari, Jan 29, 2006.

  1. Mari

    Mari Private E-2

    Hello,
    After following all the READ & RUN ME FIRST steps, I've fixed everything I can. Bitdefender found nothing, but Panda Active found a few things. Attaching the requested logs. Please help, Mari
     

    Attached Files:

  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I believe there is a problem with your HJT log, try it again. Also, I need the Bit Defender log as well.
     
  3. Mari

    Mari Private E-2

    Don't have a Bitdefender log, since it didn't find anything... sorry, guess I know even less than not much! Should I run it again and send it?
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  5. Mari

    Mari Private E-2

    OK, will do. Thank You!
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Attach the log once completed along with a fresh HJT log.
     
  7. Mari

    Mari Private E-2

    After running Spy Sweeper, computer froze but thankfully after saving the log. When I shut down and restarted got a message saying Spy Sweeper had been damaged and needs to be reinstalled. Should I uninstall?
     

    Attached Files:

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add/Remove Programs for the following and uninstall them if found:

    Hotbar

    Spy Sweeper


    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ms101.mysearch.com/sa/srchlft.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

    O4 - HKLM\..\Run: [DJRegFix] regedit /s c:\hp\djregfix.reg
    O4 - HKLM\..\Run: [Hotbar] C:\PROGRAM FILES\HOTBAR\BIN\4.3.6.0\HBINST.EXE /Upgrade

    O14 - IERESET.INF: SEARCH_PAGE_URL=
    O14 - IERESET.INF: START_PAGE_URL=

    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} - http://207.188.25.44/11169b6deba53513d201/netzip/RdxIE.cab
    O16 - DPF: {C54A28A1-5EBF-11D5-9F0E-00A0C99A7357} (SpeedCtl Class) - http://iweb.intertainer.com/eod/downloads/SpeedTest.dll
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab

    Again, make sure ALL browser windows are closed when you click FIX.

    Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

    C:\Program Files\Hotbar Delete this whole folder if it exists!

    Next, run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.

    Note: Remember to get all updates before doing the scans.


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    • Temporary Files
    • Temporary Internet Files
    • Recycle Bin
    And Click OK.


    After you complete the above, REBOOT and proceed with the rest of this fix...

    FINAL STEP

    Reset Web Settings & Default Security Settings:

    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    After you complete the above, reboot and let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
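    The HijackThis entries above follow a fixed line format (R0/R1 for IE start and search values, O4 for Run keys, O16 for ActiveX downloads). As an added example that is not part of this thread or of HijackThis itself, here is a small Python triage script that parses such lines and flags the patterns the expert acted on: IE values pointing at a host outside an assumed allow-list, Run entries that launch script files or belong to Hotbar, and ActiveX CABs fetched from a raw IP address. The allow-list and the flag rules are assumptions chosen for illustration; the sample log is constructed from entries quoted in the thread.

```python
import re
from urllib.parse import urlparse
# Constructed sample: HijackThis lines quoted in this thread, one per entry type.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O4 - HKLM\..\Run: [Hotbar] C:\PROGRAM FILES\HOTBAR\BIN\4.3.6.0\HBINST.EXE /Upgrade
O4 - HKLM\..\Run: [HPStart] c:\hp\hpcoach\hpstart.wsf
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} - http://207.188.25.44/11169b6deba53513d201/netzip/RdxIE.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - http://www.installengine.com/engine/isetup.cab
"""
ENTRY_RE = re.compile(r"^(?P<type>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

TRUSTED_HOSTS = {"www.majorgeeks.com"}  # hypothetical allow-list of chosen home/search hosts
SCRIPT_EXTS = (".wsf", ".vbs", ".js", ".hta")   # file types run by Windows Script Host

def parse_entry(line):
    """Split 'R1 - HKCU\\...' into (type, body); None for headers and blank lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("type"), m.group("body")) if m else None

def review_entry(etype, body):
    """Return the reasons one entry deserves a closer look (empty list if none)."""
    reasons = []
    if etype in ("R0", "R1"):
        # IE start/search values: a URL on an unfamiliar host is a hijack indicator.
        host = urlparse(body.partition(" = ")[2].strip()).hostname
        if host and host not in TRUSTED_HOSTS:
            reasons.append(f"IE start/search value points to untrusted host {host}")
    elif etype == "O4":
        m = RUN_RE.match(body)
        if m:
            exe = m.group("cmd").lower().split(" /")[0].strip()  # drop command switches
            if exe.endswith(SCRIPT_EXTS):
                reasons.append(f"autorun [{m.group('name')}] launches a script via WSH")
            if "hotbar" in exe:
                reasons.append(f"autorun [{m.group('name')}] belongs to Hotbar adware")
    elif etype == "O16":
        # DPF: ActiveX download; a raw-IP source has no accountable domain owner.
        host = urlparse(body.rsplit(" - ", 1)[-1].strip()).hostname or ""
        if IPV4_RE.match(host):
            reasons.append(f"ActiveX CAB fetched from raw IP {host}")
    return reasons

def triage(log_text):
    """Return [(type, reason, original line)] for every flagged entry."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        for reason in review_entry(*parsed) if parsed else ():
            findings.append((parsed[0], reason, line.strip()))
    return findings
```

Running `triage(SAMPLE_LOG)` flags the mysearch R1 value, both O4 entries and the raw-IP O16 line, while the about:blank and installengine.com lines pass; a flag is a prompt to look closer, not a verdict.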
     
  9. Mari

    Mari Private E-2

    Everything you recommended went pretty well. Some of the HijackThis entries were stubborn, especially the first four on the list (the "mysearch" and "about: blank" entries).
    O4 - HKLM\..\Run: (DJRegFix) regedit /s c:\hp\djregfix.reg was not there to be removed.

    O14 - IERESET.INF: SEARCH_PAGE_URL= will not stay removed.
    O14 - IERESET.INF: START_PAGE_URL= will not stay removed.

    Found no Hotbar hidden program files.
    Ad-Aware SE & Spybot S&D scans were both clean.
    And the other adjustments went well.

    It's running better, but still slow... sometimes the mouse/cursor moves smoothly and sometimes it's very slow and jerky. Super slow to load at startup.

    I have McAfee Virus Scan and just downloaded the Outpost Firewall. Is it a good idea to keep CounterSpy running on active status for the time being or not?

    Thank you so much!
    Mari
     

    Attached Files:

  10. Mari

    Mari Private E-2

    Almost forgot to mention, as it's loading at startup I get a McAfee alert:
    "Suspicious Script Has Been Detected"
    "The file C:\HP\HPCoach\hpstart.wsf contains suspicious scripting activity and has been stopped"
    This comes up every time I reboot in either safe or normal mode.
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download the attached file, save to your desktop. Leave it for now as we will run it in a few seconds.

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = %SEARCH_PAGE_URL%

    O4 - HKLM\..\Run: [HPStart] c:\hp\hpcoach\hpstart.wsf

    O14 - IERESET.INF: SEARCH_PAGE_URL=
    O14 - IERESET.INF: START_PAGE_URL=

    Again, make sure ALL browser windows are closed when you click FIX.

    Locate your download, extract the contents, locate the extracted file. Right click and choose "Install".

    After you complete the above, reboot and let me know how things are running.
     

    Attached Files:

  12. Mari

    Mari Private E-2

    OK, startup is a little better & running better too. It's still going through slow places (for no reason that's apparent to me), but right this minute it's running really well!
    Those two IERESET entries have not disappeared yet.
    I'm seeing real improvement here!
    Thank you!
     

    Attached Files:

  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Those entries aren't really a threat, are you having any current problems?
     
  14. Mari

    Mari Private E-2

    No! Currently it's all good!
    Do you think the machine is clean?
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yeah, everything looks good.

    If you're not having any current problems, see this article on How to Protect yourself from malware!

    Surf Safely!:)
     
  16. Mari

    Mari Private E-2

    A Million Thanks, Oh Great & Benevolent Malware Fighting Freak!
    YOU ROCK! :D
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Glad I was able to help! :):D
     
  18. Mari

    Mari Private E-2

    Hello again oh Great & Powerful Malware Fighting Freak,

    Things went south after we signed off the other day. The system is extremely slow at startup, it freezes and when it spontaneously disconnects from the internet I have to physically disconnect the line to break the phone connection! I did an online Kaspersky scan which it completed but froze and would not save the report. The little information it produced was that it found 1 virus and 2 suspicious objects:
    C:\WINDOWS\All... ...nt1.zip/wcmdmgr.exe
    C:\WINDOWS\All... ...ry\WildTangent1.zip
    I'm attaching a WinPFind report (scanned in safe mode, is that ok?) in the hopes that that will help.
    Thank you,
    Mari
     

    Attached Files:

  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Attach a current HJT log and we will go from there.
     
  20. Mari

    Mari Private E-2

    OK. Thanks.
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You didn't attach anything?
     
  22. Mari

    Mari Private E-2

    Here it is...
     

    Attached Files:

  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do you use Net Zero?
     
  24. Mari

    Mari Private E-2

    No, a local service that's part of Cisco called maxNetwork.
     
  25. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Reason I ask is there is something that's been bugging me but now I can remove it.
     
  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Please download HOSTER and then follow the below steps.
    • Unzip HOSTER to a convenient folder such as C:\Hoster

    • Run Hoster.exe, click Restore Original Hosts and then click OK.

    • Click the X to exit the program.

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL

    Again, make sure ALL browser windows are closed when you click FIX.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\system\nzdd.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system\BDEADMIN.CPL into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, proceed with the below steps...

    Next, run CCleaner to clean up cookies and temp files.

    After you complete this fix, reboot a few times and let me know how things are running.
     
    Last edited: Feb 3, 2006
  27. Mari

    Mari Private E-2

    Should all of this be done in normal mode?
     
  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yeah that's fine!
     
  29. Mari

    Mari Private E-2

    I rebooted in safe mode at first and got a McAfee alert saying that "C:\PCHEALTHHELPCTR\BINARIES\HELPCTR.EXE is trying to write suspicious script". After blocking the script I couldn't access anything.

    After rebooting in normal mode, but before attempting to open Ccleaner, I got an error message from Windows Registry Checker: "Windows encountered an error accessing the registry. Windows will repair the registry & restart your computer." "OK"

    If I click OK will the changes disappear? Will the bad things come back?
    To click or not to click, that is the question...
     
  30. Mari

    Mari Private E-2

    Pardon, meant to say first that I followed all the instructions and everything went smoothly with Hoster & KillBox. I hadn't got your message about normal mode yet and I've been leapfrogging between computers on different floors of the building. So I thought after the procedures rebooting in safe mode to use Ccleaner was ok.
    Did I screw up?
     
  31. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I would disable McAfee when running fixes but if you completed them with no problem it should be ok.

    I'm not sure what McAfee notified about that script. I would just allow it and see what happens.

    Are things running ok?
     
  32. Mari

    Mari Private E-2

    Not sure yet, please see post #29 re: Windows Registry Checker.
    What do you think?
     
  33. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Not sure why that came up, does it still come up on boot?

    One thing I should mention is that you have McAfee and Norton installed. NSW includes the AV so I would try to uninstall one of the AV's to avoid having conflicts.
     
  34. Mari

    Mari Private E-2

    Don't know yet.

    When I opted out of Windows without clicking OK to the registry checker I think it restored the system to where it was before the fixes. "Invalid disc, insert system disc and press any key." is the message even though there was not a disc in the drive at the time.
    I had loaded Hoster & KillBox from a floppy since it had been downloaded on another computer. When rebooting after the fixes I forgot it was still in the drive and received this message, so I removed it and restarted, no biggie...(?)
    Now it won't boot up so I'm running a Norton rescue disc.
    I only have McAfee AV, the Norton is just a utilities program which comes in handy sometimes.
     
  35. PhilliePhan

    PhilliePhan Guest

    You guys should revisit those items deleted in post #26. Most were legit. The registry error may be coming as a result of deleting VMMHIBER.W9X
    (Hopefully you still have the backups ;))

    'Course, I could be wrong - Not too familiar with Windows ME.

    PP :)
     
  36. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I'm not sure what's going on but NSW has NAV with it unless you just have the Norton Utilities pack in which case this is ok. Having this and McAfee will slow you system down a lot.

    What error do you get on boot?
     
  37. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The file "VMMHIBER.W9X" is part of Hibernation I believe but it appeared as an infection per the WinPfind log I think it was. They were displayed in the HOSTS file.
     
  38. PhilliePhan

    PhilliePhan Guest

    I think that is an error - I've seen similar with ME machines and PFind. May be a safe bet to go back and double-check.

    'Course you could be right and they are bad - Safer bet would've been to submit them to Jotti for analysis before deleting them . . . .


    PP :)
     
  39. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I read many other cases where they were bad. Thanks for the tips!
     
  40. Mari

    Mari Private E-2

    "Invalid system disc Please insert valid system disc and press any key"

    The Norton (utilities) rescue disc found nothing wrong with either drive A or C.
    But still getting the same message whether rebooting Ctrl/Alt/Delete or manually. Attempted to use the emergency start disc generated by the OS; embarrassingly enough I'm no good with DOS, so I'm getting nowhere.
     
  41. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Is there a disc in any drive during boot?

    Can you get into Safe Mode?
     
  42. Mari

    Mari Private E-2

    I've tried booting with and without disc in the drive, to no avail.
    I could probably get into safe mode if I knew what command to type with the emergency start disc.
     
  43. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do you know how to do a re-install over your current install without formatting?

    If so, I would go ahead and do this because apparently something is wrong with the boot. Personally this is why I hate WinME.
     
  44. Mari

    Mari Private E-2

    Ya' know, I've heard lots of folks bad-mouthin' WinME and I've never understood it until NOW!
    Can't do a re-install until the CD-Rom drive is replaced.
    Maybe I better call my local geek...
     
  45. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your CD-ROM isn't working?

    If your CD drive isn't working that would be the best thing because there isn't much we can do online without the drive.
     
  46. PhilliePhan

    PhilliePhan Guest

    Certainly not!
    Others may read this and think those are bad and go ahead and delete them.
    I think most are OK.
    For example, for an ME system, C:\Windows\user.dat stores user-specific registry info.

    You guys might try a System Restore and have another go at it, if you still have a valid restore point . . . . .

    PP :)
     
  47. Mari

    Mari Private E-2

    Yes, it's a CD-Rom/rw drive that's toasted due to overuse.
    Thinking of replacing it myself, but since I've never done more hardware work than add memory it's a little intimidating.
    Guess it's time to get it done!
     
  48. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's not hard at all, just unplug three things, unscrew and replace. Hook it up just like it was.
     
  49. Mari

    Mari Private E-2

    That really does sound easy.
    I'll go get a new one and post you back when it's installed.
    Thanks,
    Mari
     
  50. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you have any problems, just let me know! :)
     
