wskesler
asked on
HijackThis Log
I've cleaned a lot of spyware, adware, and viruses from a PC running Win 98. It still freezes temporarily or runs slow sometimes.
Here's the HJT log. Can someone look through it and tell me what looks like a potential problem in it?
Logfile of HijackThis v1.99.1
Scan saved at 12:32:40 PM, on 04/20/2006
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\PROGRAM FILES\MICROSOFT BROADBAND NETWORKING\MSBNTRAY.EXE
C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.2\CM_CAMERA.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT BROADBAND NETWORKING\IPHLPSVR.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGW.EXE
C:\HJT\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {16053E0E-8AE3-FE17-C1AF-F98ADEA7FA9C} - C:\WINDOWS\SYSTEM\KTR.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\PROGRAM FILES\COX\APPLICATIONS\APP\AUTHBHO.DLL (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 2.0\AOLTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Windows Plug and Play Service 32 BIT] WINMANAGER32.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Windows Plug and Play Service 32 BIT] WINMANAGER32.EXE
O4 - HKLM\..\RunServices: [CurtainsSysSvc] c:\program files\cox\applications\app\AuthSL.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 2.0\AOLTB.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: MSN - {E19D474D-B5FD-11D2-AE0E-00C04FAEA83F} - C:\PROGRA~1\ONLINE~1\MSN50\OCX\MSNFORIE.DLL (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {FFFF0001-0001-101A-A3C9-08002B2F49FB} - http://download.energy-factor.com/plug/dscert_652.exe
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I've scanned the PC multiple times with updated Spybot and Ad-Aware SE. Also installed, updated, and ran AVG antivirus. All found lots of stuff that I deleted. Not sure about some of the entries found in the HJT log, as this is a friend's teenager's PC (explains all the garbage).
Ewido doesn't support Win 98, but I did just now load and run Avast... it found about 15 more things that it removed. I'm worried about what it couldn't repair, though...
File Name: C:\\Windows\System.Dat
Malware Name: Win32:Volage-G (wrm)
Also, AVG scans find and can seem to remove a problem with C:\Windows\System\iniwin32.dll
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
For the files that could not be fixed by AV programs, boot into DOS mode, then rename the offending files, then boot in normal windows mode and re-run the scan. That should fix those.
ASKER
Thx for all the help so far. Did most of what was recommended, and all of the scans that I run now come up clean. When I start the PC, I can open and close Excel, Word, etc. multiple times with no problem. Once I open Internet Explorer (which works fine), close it, and try again to open another application the PC just freezes, though.
ASKER
Thanks for all the help. I split up points based on recommendations that progressively solved the problems. Thanks again.
http://hijackthis.de/logfiles/cac5f1e789d405034a83fd82231373dc.html
Remove the "Nasty" entries and also the "Possibly Nasty" entries that you don't recognize
---
Harish
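
A rough local counterpart to automated log review, as an added example that is not part of the original thread: it parses HijackThis entry lines and lists the ones worth checking by hand. The heuristics and the `STOCK_BARE` allowlist are assumptions, and a flagged entry is a prompt for manual review, not a verdict.

```python
import re

# Lines copied from the log above (spaces introduced by page wrapping removed).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {16053E0E-8AE3-FE17-C1AF-F98ADEA7FA9C} - C:\WINDOWS\SYSTEM\KTR.DLL (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [Windows Plug and Play Service 32 BIT] WINMANAGER32.EXE
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {FFFF0001-0001-101A-A3C9-08002B2F49FB} - http://download.energy-factor.com/plug/dscert_652.exe
"""

ENTRY = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
AUTORUN = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(.+?)\] (.+)$")
# Assumption: bare-name autoruns that ship with Windows 98; adjust per system.
STOCK_BARE = {"systray.exe", "rundll32.exe"}


def triage(log_text):
    """Return (section, reason) pairs for entries that merit manual review."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header, process list or blank line
        section, body = m.groups()
        if "(file missing)" in body:
            findings.append((section, "registry entry points at a missing file"))
        run = AUTORUN.match(body) if section == "O4" else None
        if run and "\\" not in run.group(2):
            # Command has no directory component, so the search path decides what runs.
            exe = run.group(2).split()[0].lower()
            if exe not in STOCK_BARE:
                findings.append((section, "autorun without a path: " + exe))
        if section == "O15":
            findings.append((section, "site placed in the IE Trusted Zone"))
        if section == "O16" and body.lower().endswith(".exe"):
            findings.append((section, "ActiveX codebase is a direct .exe download"))
    return findings


if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(section, "-", reason)
```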