Spyware & Trojans are dragging my laptop down...

Discussion in 'Malware Help (A Specialist Will Reply)' started by stojk7, Aug 14, 2005.

  1. stojk7

    stojk7 Private E-2

    I have a Sony Vaio which is over 5 years old, running Windows 98 SE. I had a whole bunch of spyware on my PC, and was able to wipe out some of it. My laptop is functioning pretty well w/ Firefox, but is slow overall. I still have a process hijacking my IE homepage every time I boot up. Not that I ever want to use that piece of junk program again, but I know there's still plenty wrong. It's trying to change it to http://www.microsoft.com/isapi/redir.dll?prd=iepver=6ar=msnhome

    What I've done...

    From the MajorGeeks site: I installed and ran all of the following suggestions. Each process completed unless otherwise noted.

    Ad-Aware SE w/ Ad-Aware VX2 Cleaner Plug-In
    CCleaner
    Spybot
    SpywareBlaster
    McAfee AVERT Stinger
    CWShredder
    Kill2me
    about:Buster
    HSRemove - unable to use (not for Win 98)

    Bitdefender
    RavAntivirus - unable to run (site not allowing downloads)

    TrojanScan
    TrendMicro Virus Scan
    a-squared
    Avast!
    ADS Spy - unable to run

    Additional processes I ran: SpywareGuard, Webroot Spy Sweeper, Registry Mechanic (free version - limited fixes), Trend Micro Spyware

    The following are spyware/malware that were found (and which I deleted) by various programs.

    Adaware SE found:
    MRU List (13 objects)
    Alexa (8 objects)
    PromulGate (1 object)

    Spybot S&D found:
    Alexa Related
    Myway.MyBar

    TrojanScan found:
    Adware.Look2Me.ag (11 objects)
    Adware.MediaTickets.p (1 object)

    Trend Micro Spyware found:
    PurityScan (1 object)
    Sharman Networks LTD - old Kazaa files (52 objects)
    BHOT_IBISLLC (1 object)
    Effective-i Inc (1 object)
    2020Search.com (1 object)
    ADW_ABETTERINTERNET_VX2 (1 object)


    I still have some "junk" listed in my MSCONFIG file. I've unchecked those that I know don't need to be there. I'm not sure if I have to allow those to boot up on start up to get a proper HijackThis file or not, and I'm hoping you can help me with the next steps.

    Thanks in advance for your help!
     
  2. stojk7

    stojk7 Private E-2

    Hi there, thanks for the quick reply. I allowed all programs to start up and then ran HijackThis; the log is attached. If you need any other info from me, please just let me know. Thanks!

  3. stojk7

    stojk7 Private E-2

    I was doing some digging around today, and I think I have the Peper Trojan, among several other issues. I ran my HJT file on Help2Go Detective and Hijack This Analysis, and Help2Go listed this entry ->
    O4 - HKLM\..\Run: [4496QZW3E9RJPS] C:\WINDOWS\SYSTEM\Rydo74k.exe
    as a possible Peper Trojan. I found this post from MajorGeeks to delete the Peper Trojan -> http://forum.majorgeeks.com/showthread.php?t=69332&highlight=peper, I'd just like to verify that's still the best way before doing anything.

    After searching for my other entries through TonyK's BHO & Toolbar List and Pacman's Startup List, I think these are the other entries I need to get rid of:
    O4 - HKCU\..\Run: [BPCAdVision] C:\Program Files\bepaid.com\AdVision Control\AdVision.exe
    O4 - HKCU\..\Run: [Smos] C:\Program Files\erpc\rsoh.exe (already was deleted with one of the spyware programs I used, but still appears in MSCONFIG)
    O4 - HKLM\..\Run: [xzsuqb] c:\windows\system\xzsuqb.exe
    O4 - HKLM\..\Run: [JBMSystrayUtility] UsbJbm.exe
    O4 - HKLM\..\Run: [SBWatchDog.EXE] C:\WINDOWS\SYSTEM\SBUtils\SBWatchDog.EXE /l
    O4 - HKLM\..\Run: [Ccl.exe] C:\WINDOWS\TEMP\CCL.EXE
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-K13W13.EXE
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

    There very well may be other issues, I'm just trying to help do a little legwork too. Thanks for your help.
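    The O2/O4/O16 entries listed in this post are the kind a helper reads by eye. Below is an added example, not part of the thread and not code from HijackThis or MajorGeeks: a small Python triage script that parses lines in that log format and flags the three patterns visible in this thread, namely registrations with no file behind them, autostarts launched from a TEMP directory, and Run value names that look machine-generated. The sample log is constructed from the entries quoted above; the regexes, the vowel-ratio heuristic and its threshold are my own assumptions. A flag means "look closer", not "malicious": an orphaned CLSID can just as well be a leftover from an uninstalled legitimate program.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread).

Parses O2 (Browser Helper Objects), O4 (Run keys) and O16 (Downloaded Program
Files) entries and applies a few heuristics a forum helper applies by eye.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample log constructed from the entries quoted in the thread above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [4496QZW3E9RJPS] C:\WINDOWS\SYSTEM\Rydo74k.exe
O4 - HKCU\..\Run: [BPCAdVision] C:\Program Files\bepaid.com\AdVision Control\AdVision.exe
O4 - HKLM\..\Run: [xzsuqb] c:\windows\system\xzsuqb.exe
O4 - HKLM\..\Run: [SBWatchDog.EXE] C:\WINDOWS\SYSTEM\SBUtils\SBWatchDog.EXE /l
O4 - HKLM\..\Run: [Ccl.exe] C:\WINDOWS\TEMP\CCL.EXE
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} -
"""

# Regexes for the three entry types (assumed from the line shapes in the thread).
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<target>.*)$')
O16_RE = re.compile(r'^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\}) -\s*(?P<target>.*)$')

VOWELS = set("aeiouAEIOU")


@dataclass
class Entry:
    kind: str                      # "O2", "O4" or "O16"
    name: str                      # BHO name or Run value name ("" for O16)
    target: str                    # path/command line; "(no file)" or "" when orphaned
    clsid: Optional[str] = None
    hive: Optional[str] = None     # HKLM / HKCU for O4 entries
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a recognised O2/O4/O16 line, else None."""
    line = line.rstrip("\r\n")
    m = O2_RE.match(line)
    if m:
        return Entry("O2", m["name"], m["target"], clsid=m["clsid"])
    m = O4_RE.match(line)
    if m:
        return Entry("O4", m["name"], m["target"], hive=m["hive"])
    m = O16_RE.match(line)
    if m:
        return Entry("O16", "", m["target"], clsid=m["clsid"])
    return None


def looks_generated(name: str) -> bool:
    """Cheap entropy proxy: Run value names with almost no vowels (e.g.
    4496QZW3E9RJPS) tend to be machine-generated. Heuristic threshold (0.2)
    is an assumption; short names are skipped to avoid noise like 'Ccl'."""
    stem = name.rsplit(".", 1)[0]
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 5:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.2


def executable_path(target: str) -> str:
    """Strip trailing switches: 'C:\\X\\Y.EXE /l' -> 'C:\\X\\Y.EXE'.
    Paths in these logs are unquoted and may contain spaces, so only ' /' splits."""
    return target.split(" /", 1)[0].strip()


def triage(entry: Entry) -> Entry:
    """Attach review flags to an entry; a flag means 'look closer', not 'malicious'."""
    tgt = entry.target.strip()
    if entry.kind in ("O2", "O16") and tgt in ("", "(no file)"):
        entry.flags.append("orphaned registration: CLSID registered but no file on disk "
                           "(may be a leftover of an uninstalled product; confirm before deleting)")
    if entry.kind == "O4":
        if re.search(r"\\temp\\", executable_path(tgt), re.IGNORECASE):
            entry.flags.append("autostart launched from a TEMP directory")
        if looks_generated(entry.name):
            entry.flags.append("machine-generated-looking Run value name")
    return entry


def triage_log(text: str) -> List[Entry]:
    """Parse every recognised line in a log and triage it, preserving order."""
    return [triage(e) for e in map(parse_line, text.splitlines()) if e is not None]


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        status = "; ".join(e.flags) if e.flags else "nothing flagged"
        print(f"{e.kind:<3} {(e.name or e.clsid):<40} -> {status}")
```

    Run as a script it prints one line per entry. Of the seven sample lines, the two orphaned CLSIDs, the TEMP autostart and the two vowel-poor Run names come back flagged, while BPCAdVision and SBWatchDog.EXE do not; the vowel heuristic is deliberately crude and is there to rank what to look at first, not to decide anything.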
     
  4. stojk7

    stojk7 Private E-2

    Thanks for the reply - I followed those steps as much as I could, but still have the redirect hijack going on when I rebooted.

    Advision wasn't in my Add/Remove, so I couldn't do that.

    I had HJT fix all the lines you posted. However, none of the following were in the folders you mentioned, so I couldn't delete them.

    C:\WINDOWS\TEMP\CCL.EXE <-- delete file
    C:\WINDOWS\SYSTEM\DP-K13W13.EXE <-- delete file
    C:\WINDOWS\SYSTEM\Rydo74k.exe <-- delete file
    c:\windows\system\xzsuqb.exe <-- delete file
    C:\Program Files\bepaid.com\AdVision Control\AdVision.exe <-- delete whole folder

    I was able to delete this folder:
    C:\Program Files\erpc\rsoh.exe <-- delete whole erpc folder

    I ran CCleaner, and my new HJT log is attached. I noticed I have a Rnaapp process running each time I boot my computer. I connect via wireless cable modem, so I'm not sure if that's a problem there.
     

    Attached Files:

    • HJT.txt (5.6 KB)
  5. stojk7

    stojk7 Private E-2

    I followed those steps, and I hate to say it, but the redirect hijack is still there, and for some reason my system has slowed to a crawl! Whatever junk I have on here isn't going away easily. I've deleted this file -> O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file) several times, and it just keeps coming back. I've attached the latest log file below.

    Thanks again for your help!

  6. stojk7

    stojk7 Private E-2

    These 2 jackass files just won't go away!
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} -

    I deleted them again through HJT - and they show up once I reboot.

    I ran Hoster without a problem, but couldn't run Ewido on my 98SE PC - it said it had to be 2000 or higher to run...

    The good news is my system is running much better - still a little slow, but I wiped out some of the start up processes (including a bunch of spyware fighter programs) that were slowing things down. The redirect hijack (http://www.microsoft.com/isapi/redir.dll?prd=iepver=6ar=msnhome) also seems to have gone away.

    That Rnaapp file still comes on during the startup process, and I can't find a reason for that to happen. I'm not sure if that's tied in to those 2 entries I can't get rid of.

    I've attached the latest HJT log, hopefully there's something as an alternative to Ewido that I can use to get rid of those 2 persistent entries.

    Thanks again for your help!

  7. PhilliePhan

    PhilliePhan Guest

    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file) -- This belongs to Spyware Doctor - Not malicious. It is their "Site Guard." You must've uninstalled it at some point in time.

    You should disable SpyBot's Tea Timer as it might be preventing removal of the reg key. Then, for good measure, boot to safe mode and try to remove it and that O16 entry.

    PP :)
     
  8. stojk7

    stojk7 Private E-2

    Hi guys,
    I'm not getting an error message for Rnaapp when I start up, I just see it as a running process. From what I've read, it has to do with dial-up networking but can be used as a worm/malware process. It seems to disappear after a while once the start-up is done.

    I already tried to delete those two files in safe mode, and each time it shows them as deleted. Then I reboot and they're back - that just seems suspicious to me...

    The Rnaapp.exe file is in my C:\Windows\System folder - I'm not sure if it's legit or not. Do you think I should delete it?
     
  9. PhilliePhan

    PhilliePhan Guest

    Navigate to it, RightClick it and get its Properties and Version info. Let us know what you find.

    Also, if you are uneasy about deleting it, try RightClicking it and renaming it to Rnaapp.bad - That will stop it from running and, if it turns out to be needed, you can just change it back.

    PP :)
     
  10. stojk7

    stojk7 Private E-2

    Thanks, PP -

    It looks legit, but I renamed it anyway as I don't have a need for it.

    File Version: 4.10.2222
    Description: Dial-Up Networking Application
    Copyright: Copyright (C) Microsoft Corp. 1992-1996

    I'll try rebooting in safe mode again and wipe out those 2 entries. I'll post back when I do that - thanks!
     
