help wanted on very sick computer


  • This topic is locked
13 replies to this topic

#1 disaster


Posted 24 November 2004 - 06:56 AM

I am having a lot of trouble with my Windows 98 based PC. Programmes are very slow to run and the browser keeps getting redirected. System resource is only about 30% free.

I have run Adaware and Spybot but when I reboot the same problems remain. I have tried to run an online virus scan from Pandasoftware but it crashed. I am also finding it very difficult to update Adaware and spybot as it tends to get stuck.

Any help would be very much appreciated. I enclose the Hijackthis log



Logfile of HijackThis v1.98.2
Scan saved at 21:03:14, on 23/11/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\APPYP32.EXE
C:\WINDOWS\MSHE32.EXE
C:\WINDOWS\SYSTEM\JAVAYP32.EXE
C:\WINDOWS\SYSTEM\APIOL32.EXE
C:\WINDOWS\APPCJ32.EXE
C:\WINDOWS\SYSTEM\SDKID32.EXE
C:\WINDOWS\NETXS32.EXE
C:\WINDOWS\IECN32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\MSJA.EXE
C:\WINDOWS\CRKU32.EXE
C:\WINDOWS\NETBB32.EXE
C:\WINDOWS\SYSDL.EXE
C:\WINDOWS\SYSTEM\APPWC32.EXE
C:\WINDOWS\SYSTEM\JAVAIG32.EXE
C:\WINDOWS\SYSTEM\D3IF.EXE
C:\WINDOWS\SYSTEM\NTEJ.EXE
C:\WINDOWS\SYSTEM\WINJC32.EXE
C:\WINDOWS\SYSTEM\D3YM.EXE
C:\WINDOWS\APIOK.EXE
C:\WINDOWS\SYSTEM\IPXR.EXE
C:\WINDOWS\D3YQ.EXE
C:\WINDOWS\SYSDD32.EXE
C:\WINDOWS\D3SK32.EXE
C:\WINDOWS\IEKH32.EXE
C:\WINDOWS\MFCNH32.EXE
C:\WINDOWS\CRGM.EXE
C:\WINDOWS\SYSTEM\SYSXZ32.EXE
C:\WINDOWS\ATLDK32.EXE
C:\WINDOWS\WINYF.EXE
C:\WINDOWS\SYSTEM\SDKCR32.EXE
C:\WINDOWS\SYSTEM\JAVAMK32.EXE
C:\WINDOWS\SYSTEM\JAVAKJ32.EXE
C:\WINDOWS\NETAY32.EXE
C:\WINDOWS\D3NM32.EXE
C:\WINDOWS\MFCVT.EXE
C:\WINDOWS\ATLFZ.EXE
C:\WINDOWS\MSGY32.EXE
C:\WINDOWS\SYSTEM\IPYN.EXE
C:\WINDOWS\NTNQ.EXE
C:\WINDOWS\SYSTEM\SYSKB.EXE
C:\WINDOWS\IEUD32.EXE
C:\WINDOWS\SYSTEM\IPTZ.EXE
C:\WINDOWS\SYSTEM\MSHQ.EXE
C:\WINDOWS\SYSTEM\NTMX32.EXE
C:\WINDOWS\SYSTEM\MFCBT.EXE
C:\WINDOWS\SYSTEM\CRXD32.EXE
C:\WINDOWS\NTBA.EXE
C:\WINDOWS\ADDMC32.EXE
C:\WINDOWS\APICP.EXE
C:\WINDOWS\ATLOP.EXE
C:\WINDOWS\SYSTEM\IEKJ.EXE
C:\WINDOWS\SYSTEM\APPWD.EXE
C:\WINDOWS\SYSTEM\NTRH32.EXE
C:\WINDOWS\ESSSPK.EXE
C:\WINDOWS\SYSTEM\MFCKM.EXE
C:\WINDOWS\CRKQ.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\D3BA.EXE
C:\WINDOWS\SYSTEM\MSFM.EXE
C:\WINDOWS\ADDPO32.EXE
C:\WINDOWS\SYSTEM\WINOD.EXE
C:\WINDOWS\D3QG.EXE
C:\WINDOWS\ADDAY.EXE
C:\WINDOWS\NETPC.EXE
C:\WINDOWS\SYSTEM\MSND32.EXE
C:\WINDOWS\SYSTEM\SYSFY.EXE
C:\WINDOWS\SYSTEM\JAVAAT32.EXE
C:\WINDOWS\D3SA32.EXE
C:\WINDOWS\SYSTEM\ADDYW.EXE
C:\WINDOWS\SYSTEM\APPBH32.EXE
C:\WINDOWS\ATLQZ32.EXE
C:\WINDOWS\JAVAVS32.EXE
C:\WINDOWS\IPPT32.EXE
C:\WINDOWS\D3XI.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\APIKY32.EXE
C:\WINDOWS\ADDHA.EXE
C:\WINDOWS\MFCVG32.EXE
C:\WINDOWS\MFCQM32.EXE
C:\WINDOWS\JAVAYJ32.EXE
C:\WINDOWS\SYSTEM\APIRZ.EXE
C:\WINDOWS\MSHB32.EXE
C:\WINDOWS\SYSNV32.EXE
C:\WINDOWS\SYSTEM\NETYM.EXE
C:\WINDOWS\SYSTEM\NTEM.EXE
C:\WINDOWS\APPXX32.EXE
C:\WINDOWS\SYSTEM\SDKGO32.EXE
C:\WINDOWS\SYSTEM\NETCQ32.EXE
C:\WINDOWS\SYSUY32.EXE
C:\WINDOWS\SYSTEM\JAVAJS32.EXE
C:\WINDOWS\SYSTEM\JAVAPT.EXE
C:\WINDOWS\IEDR32.EXE
C:\WINDOWS\ATLTM.EXE
C:\WINDOWS\SYSTEM\SYSMN.EXE
C:\WINDOWS\SYSAS32.EXE
C:\WINDOWS\SYSTEM\MSSC.EXE
C:\WINDOWS\IEUE.EXE
C:\WINDOWS\APIWG.EXE
C:\WINDOWS\NETEX32.EXE
C:\WINDOWS\SYSTEM\IPRK32.EXE
C:\WINDOWS\APPOM32.EXE
C:\WINDOWS\MSFB.EXE
C:\WINDOWS\NETZL.EXE
C:\WINDOWS\SYSTEM\SYSPA32.EXE
C:\WINDOWS\SYSTEM\MSSB32.EXE
C:\WINDOWS\IEAC32.EXE
C:\WINDOWS\SDKPV32.EXE
C:\WINDOWS\SYSTEM\IPLZ.EXE
C:\WINDOWS\SYSTEM\IPMT.EXE
C:\WINDOWS\APICX.EXE
C:\WINDOWS\IPNE32.EXE
C:\WINDOWS\SYSTEM\JAVAYH32.EXE
C:\WINDOWS\MFCWJ.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\xorvv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\xorvv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\xorvv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\xorvv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\xorvv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\xorvv.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\xorvv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R3 - Default URLSearchHook is missing
F1 - win.ini: load=essspk.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {5BA426C5-FB02-68E6-5AAF-4FD3DFFBFCED} - C:\WINDOWS\SYSTEM\JAVAIK.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [JAVAYP32.EXE] C:\WINDOWS\SYSTEM\JAVAYP32.EXE
O4 - HKLM\..\RunServices: [NETXS32.EXE] C:\WINDOWS\NETXS32.EXE
O4 - HKLM\..\RunServices: [APPYP32.EXE] C:\WINDOWS\APPYP32.EXE
O4 - HKLM\..\RunServices: [MSHE32.EXE] C:\WINDOWS\MSHE32.EXE
O4 - HKLM\..\RunServices: [SDKID32.EXE] C:\WINDOWS\SYSTEM\SDKID32.EXE
O4 - HKLM\..\RunServices: [MSJA.EXE] C:\WINDOWS\SYSTEM\MSJA.EXE
O4 - HKLM\..\RunServices: [APIOL32.EXE] C:\WINDOWS\SYSTEM\APIOL32.EXE
O4 - HKLM\..\RunServices: [IECN32.EXE] C:\WINDOWS\IECN32.EXE
O4 - HKLM\..\RunServices: [APPCJ32.EXE] C:\WINDOWS\APPCJ32.EXE
O4 - HKLM\..\RunServices: [SYSDL.EXE] C:\WINDOWS\SYSDL.EXE
O4 - HKLM\..\RunServices: [CRKU32.EXE] C:\WINDOWS\CRKU32.EXE
O4 - HKLM\..\RunServices: [APPWC32.EXE] C:\WINDOWS\SYSTEM\APPWC32.EXE
O4 - HKLM\..\RunServices: [NETBB32.EXE] C:\WINDOWS\NETBB32.EXE
O4 - HKLM\..\RunServices: [JAVAIG32.EXE] C:\WINDOWS\SYSTEM\JAVAIG32.EXE
O4 - HKLM\..\RunServices: [D3IF.EXE] C:\WINDOWS\SYSTEM\D3IF.EXE
O4 - HKLM\..\RunServices: [NTEJ.EXE] C:\WINDOWS\SYSTEM\NTEJ.EXE
O4 - HKLM\..\RunServices: [D3YM.EXE] C:\WINDOWS\SYSTEM\D3YM.EXE
O4 - HKLM\..\RunServices: [WINJC32.EXE] C:\WINDOWS\SYSTEM\WINJC32.EXE
O4 - HKLM\..\RunServices: [IPXR.EXE] C:\WINDOWS\SYSTEM\IPXR.EXE
O4 - HKLM\..\RunServices: [APIOK.EXE] C:\WINDOWS\APIOK.EXE
O4 - HKLM\..\RunServices: [D3YQ.EXE] C:\WINDOWS\D3YQ.EXE
O4 - HKLM\..\RunServices: [SYSDD32.EXE] C:\WINDOWS\SYSDD32.EXE
O4 - HKLM\..\RunServices: [D3SK32.EXE] C:\WINDOWS\D3SK32.EXE
O4 - HKLM\..\RunServices: [IEKH32.EXE] C:\WINDOWS\IEKH32.EXE
O4 - HKLM\..\RunServices: [CRGM.EXE] C:\WINDOWS\CRGM.EXE
O4 - HKLM\..\RunServices: [MFCNH32.EXE] C:\WINDOWS\MFCNH32.EXE
O4 - HKLM\..\RunServices: [SYSXZ32.EXE] C:\WINDOWS\SYSTEM\SYSXZ32.EXE
O4 - HKLM\..\RunServices: [WINYF.EXE] C:\WINDOWS\WINYF.EXE
O4 - HKLM\..\RunServices: [ATLDK32.EXE] C:\WINDOWS\ATLDK32.EXE
O4 - HKLM\..\RunServices: [JAVAMK32.EXE] C:\WINDOWS\SYSTEM\JAVAMK32.EXE
O4 - HKLM\..\RunServices: [SDKCR32.EXE] C:\WINDOWS\SYSTEM\SDKCR32.EXE
O4 - HKLM\..\RunServices: [JAVAKJ32.EXE] C:\WINDOWS\SYSTEM\JAVAKJ32.EXE
O4 - HKLM\..\RunServices: [NETAY32.EXE] C:\WINDOWS\NETAY32.EXE
O4 - HKLM\..\RunServices: [D3NM32.EXE] C:\WINDOWS\D3NM32.EXE
O4 - HKLM\..\RunServices: [MFCVT.EXE] C:\WINDOWS\MFCVT.EXE
O4 - HKLM\..\RunServices: [MSGY32.EXE] C:\WINDOWS\MSGY32.EXE
O4 - HKLM\..\RunServices: [ATLFZ.EXE] C:\WINDOWS\ATLFZ.EXE
O4 - HKLM\..\RunServices: [NTNQ.EXE] C:\WINDOWS\NTNQ.EXE
O4 - HKLM\..\RunServices: [IPYN.EXE] C:\WINDOWS\SYSTEM\IPYN.EXE
O4 - HKLM\..\RunServices: [IEUD32.EXE] C:\WINDOWS\IEUD32.EXE
O4 - HKLM\..\RunServices: [SYSKB.EXE] C:\WINDOWS\SYSTEM\SYSKB.EXE
O4 - HKLM\..\RunServices: [NTMX32.EXE] C:\WINDOWS\SYSTEM\NTMX32.EXE
O4 - HKLM\..\RunServices: [MSHQ.EXE] C:\WINDOWS\SYSTEM\MSHQ.EXE
O4 - HKLM\..\RunServices: [IPTZ.EXE] C:\WINDOWS\SYSTEM\IPTZ.EXE
O4 - HKLM\..\RunServices: [CRXD32.EXE] C:\WINDOWS\SYSTEM\CRXD32.EXE
O4 - HKLM\..\RunServices: [MFCBT.EXE] C:\WINDOWS\SYSTEM\MFCBT.EXE
O4 - HKLM\..\RunServices: [NTBA.EXE] C:\WINDOWS\NTBA.EXE
O4 - HKLM\..\RunServices: [APICP.EXE] C:\WINDOWS\APICP.EXE
O4 - HKLM\..\RunServices: [ADDMC32.EXE] C:\WINDOWS\ADDMC32.EXE
O4 - HKLM\..\RunServices: [ATLOP.EXE] C:\WINDOWS\ATLOP.EXE
O4 - HKLM\..\RunServices: [APPWD.EXE] C:\WINDOWS\SYSTEM\APPWD.EXE
O4 - HKLM\..\RunServices: [IEKJ.EXE] C:\WINDOWS\SYSTEM\IEKJ.EXE
O4 - HKLM\..\RunServices: [MFCKM.EXE] C:\WINDOWS\SYSTEM\MFCKM.EXE
O4 - HKLM\..\RunServices: [NTRH32.EXE] C:\WINDOWS\SYSTEM\NTRH32.EXE
O4 - HKLM\..\RunServices: [CRKQ.EXE] C:\WINDOWS\CRKQ.EXE
O4 - HKLM\..\RunServices: [MSFM.EXE] C:\WINDOWS\SYSTEM\MSFM.EXE
O4 - HKLM\..\RunServices: [D3BA.EXE] C:\WINDOWS\SYSTEM\D3BA.EXE
O4 - HKLM\..\RunServices: [ADDPO32.EXE] C:\WINDOWS\ADDPO32.EXE
O4 - HKLM\..\RunServices: [WINOD.EXE] C:\WINDOWS\SYSTEM\WINOD.EXE
O4 - HKLM\..\RunServices: [D3QG.EXE] C:\WINDOWS\D3QG.EXE
O4 - HKLM\..\RunServices: [ADDAY.EXE] C:\WINDOWS\ADDAY.EXE
O4 - HKLM\..\RunServices: [SYSFY.EXE] C:\WINDOWS\SYSTEM\SYSFY.EXE
O4 - HKLM\..\RunServices: [NETPC.EXE] C:\WINDOWS\NETPC.EXE
O4 - HKLM\..\RunServices: [MSND32.EXE] C:\WINDOWS\SYSTEM\MSND32.EXE
O4 - HKLM\..\RunServices: [JAVAAT32.EXE] C:\WINDOWS\SYSTEM\JAVAAT32.EXE
O4 - HKLM\..\RunServices: [D3SA32.EXE] C:\WINDOWS\D3SA32.EXE
O4 - HKLM\..\RunServices: [ADDYW.EXE] C:\WINDOWS\SYSTEM\ADDYW.EXE
O4 - HKLM\..\RunServices: [ATLQZ32.EXE] C:\WINDOWS\ATLQZ32.EXE
O4 - HKLM\..\RunServices: [APPBH32.EXE] C:\WINDOWS\SYSTEM\APPBH32.EXE
O4 - HKLM\..\RunServices: [JAVAVS32.EXE] C:\WINDOWS\JAVAVS32.EXE
O4 - HKLM\..\RunServices: [IPPT32.EXE] C:\WINDOWS\IPPT32.EXE
O4 - HKLM\..\RunServices: [D3XI.EXE] C:\WINDOWS\D3XI.EXE
O4 - HKLM\..\RunServices: [APIKY32.EXE] C:\WINDOWS\APIKY32.EXE
O4 - HKLM\..\RunServices: [ADDHA.EXE] C:\WINDOWS\ADDHA.EXE
O4 - HKLM\..\RunServices: [MFCVG32.EXE] C:\WINDOWS\MFCVG32.EXE
O4 - HKLM\..\RunServices: [MFCQM32.EXE] C:\WINDOWS\MFCQM32.EXE
O4 - HKLM\..\RunServices: [JAVAYJ32.EXE] C:\WINDOWS\JAVAYJ32.EXE
O4 - HKLM\..\RunServices: [APIRZ.EXE] C:\WINDOWS\SYSTEM\APIRZ.EXE
O4 - HKLM\..\RunServices: [NTEM.EXE] C:\WINDOWS\SYSTEM\NTEM.EXE
O4 - HKLM\..\RunServices: [NETYM.EXE] C:\WINDOWS\SYSTEM\NETYM.EXE
O4 - HKLM\..\RunServices: [APPXX32.EXE] C:\WINDOWS\APPXX32.EXE
O4 - HKLM\..\RunServices: [SYSNV32.EXE] C:\WINDOWS\SYSNV32.EXE
O4 - HKLM\..\RunServices: [MSHB32.EXE] C:\WINDOWS\MSHB32.EXE
O4 - HKLM\..\RunServices: [SDKGO32.EXE] C:\WINDOWS\SYSTEM\SDKGO32.EXE
O4 - HKLM\..\RunServices: [NETCQ32.EXE] C:\WINDOWS\SYSTEM\NETCQ32.EXE
O4 - HKLM\..\RunServices: [SYSUY32.EXE] C:\WINDOWS\SYSUY32.EXE
O4 - HKLM\..\RunServices: [JAVAJS32.EXE] C:\WINDOWS\SYSTEM\JAVAJS32.EXE
O4 - HKLM\..\RunServices: [IEDR32.EXE] C:\WINDOWS\IEDR32.EXE
O4 - HKLM\..\RunServices: [JAVAPT.EXE] C:\WINDOWS\SYSTEM\JAVAPT.EXE
O4 - HKLM\..\RunServices: [SYSAS32.EXE] C:\WINDOWS\SYSAS32.EXE
O4 - HKLM\..\RunServices: [SYSMN.EXE] C:\WINDOWS\SYSTEM\SYSMN.EXE
O4 - HKLM\..\RunServices: [ATLTM.EXE] C:\WINDOWS\ATLTM.EXE
O4 - HKLM\..\RunServices: [MSSC.EXE] C:\WINDOWS\SYSTEM\MSSC.EXE
O4 - HKLM\..\RunServices: [IEUE.EXE] C:\WINDOWS\IEUE.EXE
O4 - HKLM\..\RunServices: [IPRK32.EXE] C:\WINDOWS\SYSTEM\IPRK32.EXE
O4 - HKLM\..\RunServices: [NETEX32.EXE] C:\WINDOWS\NETEX32.EXE
O4 - HKLM\..\RunServices: [APIWG.EXE] C:\WINDOWS\APIWG.EXE
O4 - HKLM\..\RunServices: [SYSPA32.EXE] C:\WINDOWS\SYSTEM\SYSPA32.EXE
O4 - HKLM\..\RunServices: [APPOM32.EXE] C:\WINDOWS\APPOM32.EXE
O4 - HKLM\..\RunServices: [MSFB.EXE] C:\WINDOWS\MSFB.EXE
O4 - HKLM\..\RunServices: [NETZL.EXE] C:\WINDOWS\NETZL.EXE
O4 - HKLM\..\RunServices: [MSSB32.EXE] C:\WINDOWS\SYSTEM\MSSB32.EXE
O4 - HKLM\..\RunServices: [SDKPV32.EXE] C:\WINDOWS\SDKPV32.EXE
O4 - HKLM\..\RunServices: [IPLZ.EXE] C:\WINDOWS\SYSTEM\IPLZ.EXE
O4 - HKLM\..\RunServices: [IEAC32.EXE] C:\WINDOWS\IEAC32.EXE
O4 - HKLM\..\RunServices: [IPMT.EXE] C:\WINDOWS\SYSTEM\IPMT.EXE
O4 - HKLM\..\RunServices: [APICX.EXE] C:\WINDOWS\APICX.EXE
O4 - HKLM\..\RunServices: [JAVAYH32.EXE] C:\WINDOWS\SYSTEM\JAVAYH32.EXE
O4 - HKLM\..\RunServices: [IPNE32.EXE] C:\WINDOWS\IPNE32.EXE
O4 - HKLM\..\RunServices: [MFCWJ.EXE] C:\WINDOWS\MFCWJ.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.scoobidoo.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = ntu.ac.uk
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 152.71.0.1,152.71.0.2



#2 phawgg


Posted 24 November 2004 - 02:45 PM

I am having a lot of trouble with my Windows 98 based PC

Yes, you have a sick puppy there, disaster. I'll get started checking on it and it'll likely occupy us 24 hours. Hang in there. :flowers:
Regarding the HijackThis: C:\WINDOWS\TEMP\HIJACKTHIS.EXE should look like this: C:\MY DOCUMENTS\HJT\HIJACKTHIS.EXE or C:\HJT\HIJACKTHIS.EXE on your log. In either of these ways the program will save backups automatically to its permanent folder and we may need them.
Please make a new folder and either move the existing file to it, or download the HijackThis once again and have the new folder ready to extract the .zip folder into it.

I have tried to run an online virus scan from Pandasoftware but it crashed.

Let that go for the moment. We can concentrate on the hijack problem.

I am also finding it very difficult to update Adaware and spybot as it tends to get stuck.

These two represent an important part of fixing the problem. We can work around them being out-dated, but it's best not to. How long ago did you update them?
MSIE: Internet Explorer v6.00 (6.00.2600.0000) = the version of your Internet Explorer. Newest Version is: 6.00.2800.1106, so an update is available which generally means better security patches. Windows Updates should be done regularly. If possible, you could visit windowsupdate.com and check into the matter while we determine the steps required to get rid of the hijack and related problems. :thumbsup:

Edited by phawgg, 24 November 2004 - 03:32 PM.

patiently patrolling, plenty of persistent pests n' problems ...

#3 phawgg


Posted 24 November 2004 - 04:29 PM

a couple more questions for you, disaster:
  • http://www.freeserve.com/ Is this your chosen start page?
  • Domain = ntu.ac.uk Does this and the entry below look like your chosen ISP's? (dialup or cable?)
  • NameServer = 152.71.0.1,152.71.0.2
Please consider answering these and the other questions with a new log. Especially if you've made progress in the updating areas mentioned. It will help somewhat as we consider the best possible fix procedure. Thanks. :thumbsup:
patiently patrolling, plenty of persistent pests n' problems ...

#4 disaster


Posted 25 November 2004 - 03:54 PM

I have moved hijackthis.exe to C:\hijackthis.

Unfortunately my computer is getting even sicker. I managed to update spybot to the latest signature and ran it. It took so long I left it running overnight. I then told it to fix the identified problems. They included

coolwebsearch
powerscan
istbar
vx2
DyFuCA
Sidefind
BarginBu..
and a couple of others

Unfortunately on reboot the problems still remain. I can no longer run adaware and I cannot delete it to allow a reinstall. I have tried running CWShredder but it claims the system is OK.

The long download needed to install the update of internet explorer v6 is over 12Mb (service pack 1) and the computer is likely to crash so I haven't done it. Would it be better to install Firefox instead - and if so should I migrate my bookmarks to Firefox, or will this corrupt Firefox as well?

http://www.freeserve.com is my home page. This should automatically redirect to http://www.wanadoo.co.uk/ as they have bought out freeserve.

ntu.ac.uk is not my chosen ISP. This is a legitimate site that I do use though. I have no idea if Nameserver=152.71.0.1,152.71.0.2 is correct. I have so little system memory left that I am having problems posting my latest hijackthis log. I will try and post it in a new message. If I can't do this I will post it to you using my work computer tomorrow.

#5 phawgg


Posted 25 November 2004 - 05:10 PM

I have moved hijackthis.exe to C:\hijackthis.

very good

I have tried running CWShredder but it claims the system is OK.

possibly because spybot got that which it identifies. CWS is always changing, unfortunately.

The long download needed to install the update of internet explorer v6 is over 12Mb (service pack 1) and the computer is likely to crash so I haven't done it.

np, do it when we are finished fixin' the PC.

Would it be better to install Firefox instead

Yes & no. Better to install, yes, I recommend using firefox predominately. Instead? No, you'll need IE on occasion.

and if so should I migrate my bookmarks to Firefox, or will this corrupt Firefox as well?

You can migrate them. Why not wait 'til we finish.

For now, try this: Download peper remover to your desktop (it's very small) 1 - 2 - 3 - 4.
It may help, more needs to be done. It's a holiday & I'm pressed for time, sorry.
patiently patrolling, plenty of persistent pests n' problems ...

#6 phawgg


Posted 25 November 2004 - 05:31 PM

This is not a complete fix, but it might help you. If it is the peper trojan, we need to do more. The following may help the immediate problems with downloading, etc.

After running the peper remover Set your PC to: show hidden files.
This time Start-->MyComputer-->Tools-->Options-->View Tab-->Show Hidden Files & Folders (system-wide)

Reboot your computer into Safe Mode by tapping F8 until the screen appears where you can use the up arrow to choose safe mode. Hit enter.

Open your C:\HJT folder and double-click the icon. Close everything except HijackThis, nothing else on your desktop.

Run Hijackthis: click Scan, and put a checkmark next to each of the following objects.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\xorvv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\xorvv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\xorvv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\xorvv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\xorvv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\xorvv.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\xorvv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {5BA426C5-FB02-68E6-5AAF-4FD3DFFBFCED} - C:\WINDOWS\SYSTEM\JAVAIK.DLL

O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.scoobidoo.com

When you're sure that files marked for deletion are correct, click the Fix button and exit HJT.

THESE SHOULD NOT BE DELETED
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
F1 - win.ini: load=essspk.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = ntu.ac.uk
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 152.71.0.1,152.71.0.2



While still in safe mode Search for, locate and delete these files or folders (Do not be concerned if they do not exist, the previous steps may have eliminated them.) Do not delete main folders like C:\WINDOWS or C:\WINDOWS\SYSTEM. We're looking for individual files, unless otherwise noted. The best way to find them is to use: Start-->Search-->select "all files & folders"-->select "more advanced options"-->checkmark: "search system folders", "search hidden files & folders", "search sub-folders". As the case may be, you can also simply navigate to the folders where these files reside, and delete them from there, one at a time. Right-click the individual file & choose "delete". note: there are over a hundred like these, so this may only get us started, but it shouldn't hurt to begin with those listed below.

C:\WINDOWS\SYSTEM\JAVAIK.DLL<--this file
C:\WINDOWS\system\xorvv.dll<--this file

Extract CWShredder 1.59.1, open folder & choose to extract to your desktop. "Finish". Open the folder and double-click on the cwshredder.exe. Select Fix.

Reboot at least once, perhaps a couple of times to be sure it worked.

Extract AboutBuster 4.0, open folder & choose to extract to your desktop. "Finish". Open the folder and double-click on aboutBuster icon. Start it and press the OK button. Then hit the update button and a new screen will appear. On that screen press the Check for Updates button. If it says it found an update, press Download Updates. If it doesn't it will automatically tell you that it could not find an update and exit. (This program is updated often so you should always use the built in update feature before you scan with it.)

To scan your machine, press the Start button and then press OK. The program should start scanning. Scan 1. Scan 2. When it is done, press the exit button and reboot. Once rebooted run About:Buster one more time.

Run AdAware, press the "Start" button, uncheck "Scan for negligible risk entries", select "Perform full system scan" and press "Next". Let AdAware remove anything it finds. (do this even if you couldn't update it, please)

Run System Security Suite. (All windows and browsers closed) To clean out Temp and Temporary Internet Files, In the "Items to Clear" tab click:
1. Internet Explorer (left pane): Cookies & Temporary files
2. My Computer (right pane): Temporary files & Recycle Bin
Click the "Clear Selected Items" button. Close.

You may choose to move the programs on your desktop to a permanent folder or simply delete them, perhaps when you're certain the PC is clean.
Run HijackThis again and post the new log as a reply to this post.

Edited by phawgg, 25 November 2004 - 05:33 PM.

patiently patrolling, plenty of persistent pests n' problems ...
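
Added example (not part of the original thread or any poster's tooling): a small Python triage pass over a HijackThis log that surfaces the entry types post #6 marks for fixing, plus the run of RunServices values named after their own executable that fills the posted log. The heuristics and the names `parse` and `triage` are assumptions made for illustration from what is visible in this log only; the sample is a trimmed subset of the log posted above.

```python
import ntpath
import re

# Subset of the HijackThis v1.98.2 log posted in this thread (trimmed for the example).
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\APPYP32.EXE
C:\WINDOWS\SYSTEM\JAVAYP32.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\xorvv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {5BA426C5-FB02-68E6-5AAF-4FD3DFFBFCED} - C:\WINDOWS\SYSTEM\JAVAIK.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [JAVAYP32.EXE] C:\WINDOWS\SYSTEM\JAVAYP32.EXE
O4 - HKLM\..\RunServices: [APPYP32.EXE] C:\WINDOWS\APPYP32.EXE
O4 - HKLM\..\RunServices: [NETXS32.EXE] C:\WINDOWS\NETXS32.EXE
O15 - Trusted Zone: *.searchmiracle.com
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")                       # "O4 - ..."
AUTORUN = re.compile(r"^HK\w+\\\.\.\\([^:]+): \[([^\]]+)\] (.+)$")   # key, value name, command
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")       # name, CLSID, file
RES_URL = re.compile(r"= res://(.+?\.dll)/", re.I)                   # page served from inside a DLL
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system"}                  # Win9x layout used in the log


def parse(log_text):
    """Split a log into running-process paths and (code, body) entries."""
    processes, entries, in_procs = [], [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries


def triage(log_text):
    """Group entries worth a human look; this flags, it does not decide."""
    processes, entries = parse(log_text)
    running = {p.lower() for p in processes}
    found = {"self_named_autorun": [], "res_search_hijack": [],
             "unnamed_bho": [], "trusted_zone": []}
    for code, body in entries:
        if code == "O4":
            m = AUTORUN.match(body)
            if not m:
                continue
            key, name, cmd = m.groups()
            # Assumed heuristic: the value is named after its own executable
            # and that file sits directly in the Windows or SYSTEM directory.
            if (ntpath.basename(cmd).lower() == name.lower()
                    and ntpath.dirname(cmd).lower() in SYSTEM_DIRS):
                found["self_named_autorun"].append(
                    {"key": key, "path": cmd, "running": cmd.lower() in running})
        elif code in ("R0", "R1"):
            m = RES_URL.search(body)
            if m:  # IE search/start page pointing at a res:// resource in a DLL
                found["res_search_hijack"].append(m.group(1))
        elif code == "O2":
            m = BHO.match(body)
            # Assumed heuristic: helper object with no product name, loaded
            # from the Windows or SYSTEM directory.
            if (m and m.group(1).strip().lower() == "class"
                    and ntpath.dirname(m.group(3)).lower() in SYSTEM_DIRS):
                found["unnamed_bho"].append(m.group(3))
        elif code == "O15":
            found["trusted_zone"].append(body.split(":", 1)[1].strip())
    return found


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(f"{category}: {len(items)}")
        for item in items:
            print("   ", item)
```

Entries such as `[Machine Debug Manager]` and `[SystemTray]` pass through unflagged because their value names differ from the file they launch; anything flagged still needs a person to confirm it before it is fixed in HijackThis.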

#7 disaster


Posted 29 November 2004 - 12:31 PM

Unfortunately the computer is still very slow. I booted into safe mode and ran hijack this to delete the following

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\xorvv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\xorvv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\xorvv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\xorvv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\xorvv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\xorvv.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\xorvv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing

O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.scoobidoo.com

I could not find

O2 - BHO: Class - {5BA426C5-FB02-68E6-5AAF-4FD3DFFBFCED} - C:\WINDOWS\SYSTEM\JAVAIK.DLL

Instead there was another file that started the same
O2 - BHO: Class - {
then had a series of numbers and letters and finished with
C:\WINDOWS\SYSTEM\MSFS32.DLL

I deleted this instead

I also removed the files

C:\WINDOWS\SYSTEM\JAVAIK.DLL
C:\WINDOWS\system\xorvv.dll
C:\WINDOWS\SYSTEM\MSFS32.DLL

from the computer.

However on reboot on normal mode it showed no improvement
I have rebooted in safe mode a couple of times. Each time a different
O2 - BHO: Class - {
file appears in the hijack this log. I can no longer run adaware. I have run spybot in safe mode. It took 9 1/2 hours to run. It found

IE plugin
file located at C\windows\sytb.dll
coolWWWsearch.control
file located at C\windows\system\msto32.dll
coolWWW.featinstaller
file located at C\windows\system\grgmm.dll
DSO exploit
file located at HKEY_USER\DEFAULT\software\microsoft\windows

I then got spybot to remove these files and when I checked they had gone from the computer.

Unfortunately when I rebooted into safe mode I have still got numerous problems. I only have about 15% free system resource so it is very difficult to download from the web.

Latest hijackthis log

Logfile of HijackThis v1.98.2
Scan saved at 10:31:19, on 27/11/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\APPYP32.EXE
C:\WINDOWS\SYSTEM\SDKID32.EXE
C:\WINDOWS\NETXS32.EXE
C:\WINDOWS\SYSTEM\MSJA.EXE
C:\WINDOWS\MSHE32.EXE
C:\WINDOWS\SYSTEM\APIOL32.EXE
C:\WINDOWS\SYSTEM\JAVAYP32.EXE
C:\WINDOWS\IECN32.EXE
C:\WINDOWS\APPCJ32.EXE
C:\WINDOWS\SYSDL.EXE
C:\WINDOWS\CRKU32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\NETBB32.EXE
C:\WINDOWS\SYSTEM\JAVAIG32.EXE
C:\WINDOWS\SYSTEM\APPWC32.EXE
C:\WINDOWS\SYSTEM\D3IF.EXE
C:\WINDOWS\SYSTEM\NTEJ.EXE
C:\WINDOWS\SYSTEM\D3YM.EXE
C:\WINDOWS\SYSTEM\WINJC32.EXE
C:\WINDOWS\APIOK.EXE
C:\WINDOWS\D3YQ.EXE
C:\WINDOWS\SYSTEM\IPXR.EXE
C:\WINDOWS\SYSDD32.EXE
C:\WINDOWS\D3SK32.EXE
C:\WINDOWS\CRGM.EXE
C:\WINDOWS\IEKH32.EXE
C:\WINDOWS\MFCNH32.EXE
C:\WINDOWS\WINYF.EXE
C:\WINDOWS\SYSTEM\SYSXZ32.EXE
C:\WINDOWS\ATLDK32.EXE
C:\WINDOWS\SYSTEM\SDKCR32.EXE
C:\WINDOWS\SYSTEM\JAVAMK32.EXE
C:\WINDOWS\D3NM32.EXE
C:\WINDOWS\SYSTEM\JAVAKJ32.EXE
C:\WINDOWS\MFCVT.EXE
C:\WINDOWS\NETAY32.EXE
C:\WINDOWS\MSGY32.EXE
C:\WINDOWS\ATLFZ.EXE
C:\WINDOWS\SYSTEM\IPYN.EXE
C:\WINDOWS\NTNQ.EXE
C:\WINDOWS\SYSTEM\SYSKB.EXE
C:\WINDOWS\IEUD32.EXE
C:\WINDOWS\SYSTEM\NTMX32.EXE
C:\WINDOWS\SYSTEM\MSHQ.EXE
C:\WINDOWS\SYSTEM\IPTZ.EXE
C:\WINDOWS\SYSTEM\CRXD32.EXE
C:\WINDOWS\SYSTEM\MFCBT.EXE
C:\WINDOWS\NTBA.EXE
C:\WINDOWS\APICP.EXE
C:\WINDOWS\ADDMC32.EXE
C:\WINDOWS\ATLOP.EXE
C:\WINDOWS\ESSSPK.EXE
C:\WINDOWS\SYSTEM\APPWD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IEKJ.EXE
C:\WINDOWS\SYSTEM\MFCKM.EXE
C:\WINDOWS\CRKQ.EXE
C:\WINDOWS\SYSTEM\D3BA.EXE
C:\WINDOWS\SYSTEM\NTRH32.EXE
C:\WINDOWS\SYSTEM\MSFM.EXE
C:\WINDOWS\SYSTEM\WINOD.EXE
C:\WINDOWS\D3QG.EXE
C:\WINDOWS\ADDPO32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SYSFY.EXE
C:\WINDOWS\ADDAY.EXE
C:\WINDOWS\NETPC.EXE
C:\WINDOWS\SYSTEM\MSND32.EXE
C:\WINDOWS\SYSTEM\JAVAAT32.EXE
C:\WINDOWS\D3SA32.EXE
C:\WINDOWS\SYSTEM\ADDYW.EXE
C:\WINDOWS\ATLQZ32.EXE
C:\WINDOWS\SYSTEM\APPBH32.EXE
C:\WINDOWS\JAVAVS32.EXE
C:\WINDOWS\IPPT32.EXE
C:\WINDOWS\D3XI.EXE
C:\WINDOWS\MFCVG32.EXE
C:\WINDOWS\ADDHA.EXE
C:\WINDOWS\MFCQM32.EXE
C:\WINDOWS\APIKY32.EXE
C:\WINDOWS\JAVAYJ32.EXE
C:\WINDOWS\SYSTEM\NTEM.EXE
C:\WINDOWS\MSHB32.EXE
C:\WINDOWS\SYSTEM\NETYM.EXE
C:\WINDOWS\SYSTEM\APIRZ.EXE
C:\WINDOWS\APPXX32.EXE
C:\WINDOWS\SYSNV32.EXE
C:\WINDOWS\SYSTEM\SDKGO32.EXE
C:\WINDOWS\SYSUY32.EXE
C:\WINDOWS\SYSTEM\NETCQ32.EXE
C:\WINDOWS\SYSTEM\JAVAJS32.EXE
C:\WINDOWS\IEDR32.EXE
C:\WINDOWS\SYSTEM\JAVAPT.EXE
C:\WINDOWS\ATLTM.EXE
C:\WINDOWS\SYSTEM\SYSMN.EXE
C:\WINDOWS\SYSAS32.EXE
C:\WINDOWS\IEUE.EXE
C:\WINDOWS\SYSTEM\MSSC.EXE
C:\WINDOWS\SYSTEM\IPRK32.EXE
C:\WINDOWS\NETEX32.EXE
C:\WINDOWS\SYSTEM\SYSPA32.EXE
C:\WINDOWS\APIWG.EXE
C:\WINDOWS\APPOM32.EXE
C:\WINDOWS\MSFB.EXE
C:\WINDOWS\SYSTEM\MSSB32.EXE
C:\WINDOWS\NETZL.EXE
C:\WINDOWS\SDKPV32.EXE
C:\WINDOWS\SYSTEM\IPLZ.EXE
C:\WINDOWS\IEAC32.EXE
C:\WINDOWS\SYSTEM\IPMT.EXE
C:\WINDOWS\APICX.EXE
C:\WINDOWS\SYSTEM\JAVAYH32.EXE
C:\WINDOWS\IPNE32.EXE
C:\WINDOWS\MFCWJ.EXE
C:\WINDOWS\SYSTEM\JAVASJ.EXE
C:\WINDOWS\WINSY32.EXE
C:\WINDOWS\SYSTEM\MFCUV.EXE
C:\WINDOWS\CRWB32.EXE
C:\WINDOWS\IECR.EXE
C:\WINDOWS\MSFG.EXE
C:\WINDOWS\SDKVZ.EXE
C:\WINDOWS\ATLDU.EXE
C:\WINDOWS\APIAD32.EXE
C:\WINDOWS\MFCYB.EXE
C:\WINDOWS\MSPX32.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R3 - Default URLSearchHook is missing
F1 - win.ini: load=essspk.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {AB9DB4E2-75EB-16A7-E1F0-71015153AF1C} - C:\WINDOWS\APPEN.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [JAVAYP32.EXE] C:\WINDOWS\SYSTEM\JAVAYP32.EXE
O4 - HKLM\..\RunServices: [NETXS32.EXE] C:\WINDOWS\NETXS32.EXE
O4 - HKLM\..\RunServices: [APPYP32.EXE] C:\WINDOWS\APPYP32.EXE
O4 - HKLM\..\RunServices: [MSHE32.EXE] C:\WINDOWS\MSHE32.EXE
O4 - HKLM\..\RunServices: [SDKID32.EXE] C:\WINDOWS\SYSTEM\SDKID32.EXE
O4 - HKLM\..\RunServices: [MSJA.EXE] C:\WINDOWS\SYSTEM\MSJA.EXE
O4 - HKLM\..\RunServices: [APIOL32.EXE] C:\WINDOWS\SYSTEM\APIOL32.EXE
O4 - HKLM\..\RunServices: [IECN32.EXE] C:\WINDOWS\IECN32.EXE
O4 - HKLM\..\RunServices: [APPCJ32.EXE] C:\WINDOWS\APPCJ32.EXE
O4 - HKLM\..\RunServices: [SYSDL.EXE] C:\WINDOWS\SYSDL.EXE
O4 - HKLM\..\RunServices: [CRKU32.EXE] C:\WINDOWS\CRKU32.EXE
O4 - HKLM\..\RunServices: [APPWC32.EXE] C:\WINDOWS\SYSTEM\APPWC32.EXE
O4 - HKLM\..\RunServices: [NETBB32.EXE] C:\WINDOWS\NETBB32.EXE
O4 - HKLM\..\RunServices: [JAVAIG32.EXE] C:\WINDOWS\SYSTEM\JAVAIG32.EXE
O4 - HKLM\..\RunServices: [D3IF.EXE] C:\WINDOWS\SYSTEM\D3IF.EXE
O4 - HKLM\..\RunServices: [NTEJ.EXE] C:\WINDOWS\SYSTEM\NTEJ.EXE
O4 - HKLM\..\RunServices: [D3YM.EXE] C:\WINDOWS\SYSTEM\D3YM.EXE
O4 - HKLM\..\RunServices: [WINJC32.EXE] C:\WINDOWS\SYSTEM\WINJC32.EXE
O4 - HKLM\..\RunServices: [IPXR.EXE] C:\WINDOWS\SYSTEM\IPXR.EXE
O4 - HKLM\..\RunServices: [APIOK.EXE] C:\WINDOWS\APIOK.EXE
O4 - HKLM\..\RunServices: [D3YQ.EXE] C:\WINDOWS\D3YQ.EXE
O4 - HKLM\..\RunServices: [SYSDD32.EXE] C:\WINDOWS\SYSDD32.EXE
O4 - HKLM\..\RunServices: [D3SK32.EXE] C:\WINDOWS\D3SK32.EXE
O4 - HKLM\..\RunServices: [IEKH32.EXE] C:\WINDOWS\IEKH32.EXE
O4 - HKLM\..\RunServices: [CRGM.EXE] C:\WINDOWS\CRGM.EXE
O4 - HKLM\..\RunServices: [MFCNH32.EXE] C:\WINDOWS\MFCNH32.EXE
O4 - HKLM\..\RunServices: [SYSXZ32.EXE] C:\WINDOWS\SYSTEM\SYSXZ32.EXE
O4 - HKLM\..\RunServices: [WINYF.EXE] C:\WINDOWS\WINYF.EXE
O4 - HKLM\..\RunServices: [ATLDK32.EXE] C:\WINDOWS\ATLDK32.EXE
O4 - HKLM\..\RunServices: [JAVAMK32.EXE] C:\WINDOWS\SYSTEM\JAVAMK32.EXE
O4 - HKLM\..\RunServices: [SDKCR32.EXE] C:\WINDOWS\SYSTEM\SDKCR32.EXE
O4 - HKLM\..\RunServices: [JAVAKJ32.EXE] C:\WINDOWS\SYSTEM\JAVAKJ32.EXE
O4 - HKLM\..\RunServices: [NETAY32.EXE] C:\WINDOWS\NETAY32.EXE
O4 - HKLM\..\RunServices: [D3NM32.EXE] C:\WINDOWS\D3NM32.EXE
O4 - HKLM\..\RunServices: [MFCVT.EXE] C:\WINDOWS\MFCVT.EXE
O4 - HKLM\..\RunServices: [MSGY32.EXE] C:\WINDOWS\MSGY32.EXE
O4 - HKLM\..\RunServices: [ATLFZ.EXE] C:\WINDOWS\ATLFZ.EXE
O4 - HKLM\..\RunServices: [NTNQ.EXE] C:\WINDOWS\NTNQ.EXE
O4 - HKLM\..\RunServices: [IPYN.EXE] C:\WINDOWS\SYSTEM\IPYN.EXE
O4 - HKLM\..\RunServices: [IEUD32.EXE] C:\WINDOWS\IEUD32.EXE
O4 - HKLM\..\RunServices: [SYSKB.EXE] C:\WINDOWS\SYSTEM\SYSKB.EXE
O4 - HKLM\..\RunServices: [NTMX32.EXE] C:\WINDOWS\SYSTEM\NTMX32.EXE
O4 - HKLM\..\RunServices: [MSHQ.EXE] C:\WINDOWS\SYSTEM\MSHQ.EXE
O4 - HKLM\..\RunServices: [IPTZ.EXE] C:\WINDOWS\SYSTEM\IPTZ.EXE
O4 - HKLM\..\RunServices: [CRXD32.EXE] C:\WINDOWS\SYSTEM\CRXD32.EXE
O4 - HKLM\..\RunServices: [MFCBT.EXE] C:\WINDOWS\SYSTEM\MFCBT.EXE
O4 - HKLM\..\RunServices: [NTBA.EXE] C:\WINDOWS\NTBA.EXE
O4 - HKLM\..\RunServices: [APICP.EXE] C:\WINDOWS\APICP.EXE
O4 - HKLM\..\RunServices: [ADDMC32.EXE] C:\WINDOWS\ADDMC32.EXE
O4 - HKLM\..\RunServices: [ATLOP.EXE] C:\WINDOWS\ATLOP.EXE
O4 - HKLM\..\RunServices: [APPWD.EXE] C:\WINDOWS\SYSTEM\APPWD.EXE
O4 - HKLM\..\RunServices: [IEKJ.EXE] C:\WINDOWS\SYSTEM\IEKJ.EXE
O4 - HKLM\..\RunServices: [MFCKM.EXE] C:\WINDOWS\SYSTEM\MFCKM.EXE
O4 - HKLM\..\RunServices: [NTRH32.EXE] C:\WINDOWS\SYSTEM\NTRH32.EXE
O4 - HKLM\..\RunServices: [CRKQ.EXE] C:\WINDOWS\CRKQ.EXE
O4 - HKLM\..\RunServices: [MSFM.EXE] C:\WINDOWS\SYSTEM\MSFM.EXE
O4 - HKLM\..\RunServices: [D3BA.EXE] C:\WINDOWS\SYSTEM\D3BA.EXE
O4 - HKLM\..\RunServices: [ADDPO32.EXE] C:\WINDOWS\ADDPO32.EXE
O4 - HKLM\..\RunServices: [WINOD.EXE] C:\WINDOWS\SYSTEM\WINOD.EXE
O4 - HKLM\..\RunServices: [D3QG.EXE] C:\WINDOWS\D3QG.EXE
O4 - HKLM\..\RunServices: [ADDAY.EXE] C:\WINDOWS\ADDAY.EXE
O4 - HKLM\..\RunServices: [SYSFY.EXE] C:\WINDOWS\SYSTEM\SYSFY.EXE
O4 - HKLM\..\RunServices: [NETPC.EXE] C:\WINDOWS\NETPC.EXE
O4 - HKLM\..\RunServices: [MSND32.EXE] C:\WINDOWS\SYSTEM\MSND32.EXE
O4 - HKLM\..\RunServices: [JAVAAT32.EXE] C:\WINDOWS\SYSTEM\JAVAAT32.EXE
O4 - HKLM\..\RunServices: [D3SA32.EXE] C:\WINDOWS\D3SA32.EXE
O4 - HKLM\..\RunServices: [ADDYW.EXE] C:\WINDOWS\SYSTEM\ADDYW.EXE
O4 - HKLM\..\RunServices: [ATLQZ32.EXE] C:\WINDOWS\ATLQZ32.EXE
O4 - HKLM\..\RunServices: [APPBH32.EXE] C:\WINDOWS\SYSTEM\APPBH32.EXE
O4 - HKLM\..\RunServices: [JAVAVS32.EXE] C:\WINDOWS\JAVAVS32.EXE
O4 - HKLM\..\RunServices: [IPPT32.EXE] C:\WINDOWS\IPPT32.EXE
O4 - HKLM\..\RunServices: [D3XI.EXE] C:\WINDOWS\D3XI.EXE
O4 - HKLM\..\RunServices: [APIKY32.EXE] C:\WINDOWS\APIKY32.EXE
O4 - HKLM\..\RunServices: [ADDHA.EXE] C:\WINDOWS\ADDHA.EXE
O4 - HKLM\..\RunServices: [MFCVG32.EXE] C:\WINDOWS\MFCVG32.EXE
O4 - HKLM\..\RunServices: [MFCQM32.EXE] C:\WINDOWS\MFCQM32.EXE
O4 - HKLM\..\RunServices: [JAVAYJ32.EXE] C:\WINDOWS\JAVAYJ32.EXE
O4 - HKLM\..\RunServices: [APIRZ.EXE] C:\WINDOWS\SYSTEM\APIRZ.EXE
O4 - HKLM\..\RunServices: [NTEM.EXE] C:\WINDOWS\SYSTEM\NTEM.EXE
O4 - HKLM\..\RunServices: [NETYM.EXE] C:\WINDOWS\SYSTEM\NETYM.EXE
O4 - HKLM\..\RunServices: [APPXX32.EXE] C:\WINDOWS\APPXX32.EXE
O4 - HKLM\..\RunServices: [SYSNV32.EXE] C:\WINDOWS\SYSNV32.EXE
O4 - HKLM\..\RunServices: [MSHB32.EXE] C:\WINDOWS\MSHB32.EXE
O4 - HKLM\..\RunServices: [SDKGO32.EXE] C:\WINDOWS\SYSTEM\SDKGO32.EXE
O4 - HKLM\..\RunServices: [NETCQ32.EXE] C:\WINDOWS\SYSTEM\NETCQ32.EXE
O4 - HKLM\..\RunServices: [SYSUY32.EXE] C:\WINDOWS\SYSUY32.EXE
O4 - HKLM\..\RunServices: [JAVAJS32.EXE] C:\WINDOWS\SYSTEM\JAVAJS32.EXE
O4 - HKLM\..\RunServices: [IEDR32.EXE] C:\WINDOWS\IEDR32.EXE
O4 - HKLM\..\RunServices: [JAVAPT.EXE] C:\WINDOWS\SYSTEM\JAVAPT.EXE
O4 - HKLM\..\RunServices: [SYSAS32.EXE] C:\WINDOWS\SYSAS32.EXE
O4 - HKLM\..\RunServices: [SYSMN.EXE] C:\WINDOWS\SYSTEM\SYSMN.EXE
O4 - HKLM\..\RunServices: [ATLTM.EXE] C:\WINDOWS\ATLTM.EXE
O4 - HKLM\..\RunServices: [MSSC.EXE] C:\WINDOWS\SYSTEM\MSSC.EXE
O4 - HKLM\..\RunServices: [IEUE.EXE] C:\WINDOWS\IEUE.EXE
O4 - HKLM\..\RunServices: [IPRK32.EXE] C:\WINDOWS\SYSTEM\IPRK32.EXE
O4 - HKLM\..\RunServices: [NETEX32.EXE] C:\WINDOWS\NETEX32.EXE
O4 - HKLM\..\RunServices: [APIWG.EXE] C:\WINDOWS\APIWG.EXE
O4 - HKLM\..\RunServices: [SYSPA32.EXE] C:\WINDOWS\SYSTEM\SYSPA32.EXE
O4 - HKLM\..\RunServices: [APPOM32.EXE] C:\WINDOWS\APPOM32.EXE
O4 - HKLM\..\RunServices: [MSFB.EXE] C:\WINDOWS\MSFB.EXE
O4 - HKLM\..\RunServices: [NETZL.EXE] C:\WINDOWS\NETZL.EXE
O4 - HKLM\..\RunServices: [MSSB32.EXE] C:\WINDOWS\SYSTEM\MSSB32.EXE
O4 - HKLM\..\RunServices: [SDKPV32.EXE] C:\WINDOWS\SDKPV32.EXE
O4 - HKLM\..\RunServices: [IPLZ.EXE] C:\WINDOWS\SYSTEM\IPLZ.EXE
O4 - HKLM\..\RunServices: [IEAC32.EXE] C:\WINDOWS\IEAC32.EXE
O4 - HKLM\..\RunServices: [IPMT.EXE] C:\WINDOWS\SYSTEM\IPMT.EXE
O4 - HKLM\..\RunServices: [APICX.EXE] C:\WINDOWS\APICX.EXE
O4 - HKLM\..\RunServices: [JAVAYH32.EXE] C:\WINDOWS\SYSTEM\JAVAYH32.EXE
O4 - HKLM\..\RunServices: [IPNE32.EXE] C:\WINDOWS\IPNE32.EXE
O4 - HKLM\..\RunServices: [MFCWJ.EXE] C:\WINDOWS\MFCWJ.EXE
O4 - HKLM\..\RunServices: [WINSY32.EXE] C:\WINDOWS\WINSY32.EXE
O4 - HKLM\..\RunServices: [JAVASJ.EXE] C:\WINDOWS\SYSTEM\JAVASJ.EXE
O4 - HKLM\..\RunServices: [MFCUV.EXE] C:\WINDOWS\SYSTEM\MFCUV.EXE
O4 - HKLM\..\RunServices: [CRWB32.EXE] C:\WINDOWS\CRWB32.EXE
O4 - HKLM\..\RunServices: [IECR.EXE] C:\WINDOWS\IECR.EXE
O4 - HKLM\..\RunServices: [MSFG.EXE] C:\WINDOWS\MSFG.EXE
O4 - HKLM\..\RunServices: [SDKVZ.EXE] C:\WINDOWS\SDKVZ.EXE
O4 - HKLM\..\RunServices: [MFCYB.EXE] C:\WINDOWS\MFCYB.EXE
O4 - HKLM\..\RunServices: [APIAD32.EXE] C:\WINDOWS\APIAD32.EXE
O4 - HKLM\..\RunServices: [ATLDU.EXE] C:\WINDOWS\ATLDU.EXE
O4 - HKLM\..\RunServices: [MSPX32.EXE] C:\WINDOWS\MSPX32.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = ntu.ac.uk
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 152.71.0.1,152.71.0.2

This is the HijackThis log I got in safe mode before I ran Spybot and before rebooting into normal mode. By this I mean the HJT log above comes after this one.

Logfile of HijackThis v1.98.2
Scan saved at 23:55:15, on 26/11/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R3 - Default URLSearchHook is missing
F1 - win.ini: load=essspk.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {3D1230B7-697D-58C5-27D9-0B4D4B7DCC48} - C:\WINDOWS\SYSTEM\NTSB32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [JAVAYP32.EXE] C:\WINDOWS\SYSTEM\JAVAYP32.EXE
O4 - HKLM\..\RunServices: [NETXS32.EXE] C:\WINDOWS\NETXS32.EXE
O4 - HKLM\..\RunServices: [APPYP32.EXE] C:\WINDOWS\APPYP32.EXE
O4 - HKLM\..\RunServices: [MSHE32.EXE] C:\WINDOWS\MSHE32.EXE
O4 - HKLM\..\RunServices: [SDKID32.EXE] C:\WINDOWS\SYSTEM\SDKID32.EXE
O4 - HKLM\..\RunServices: [MSJA.EXE] C:\WINDOWS\SYSTEM\MSJA.EXE
O4 - HKLM\..\RunServices: [APIOL32.EXE] C:\WINDOWS\SYSTEM\APIOL32.EXE
O4 - HKLM\..\RunServices: [IECN32.EXE] C:\WINDOWS\IECN32.EXE
O4 - HKLM\..\RunServices: [APPCJ32.EXE] C:\WINDOWS\APPCJ32.EXE
O4 - HKLM\..\RunServices: [SYSDL.EXE] C:\WINDOWS\SYSDL.EXE
O4 - HKLM\..\RunServices: [CRKU32.EXE] C:\WINDOWS\CRKU32.EXE
O4 - HKLM\..\RunServices: [APPWC32.EXE] C:\WINDOWS\SYSTEM\APPWC32.EXE
O4 - HKLM\..\RunServices: [NETBB32.EXE] C:\WINDOWS\NETBB32.EXE
O4 - HKLM\..\RunServices: [JAVAIG32.EXE] C:\WINDOWS\SYSTEM\JAVAIG32.EXE
O4 - HKLM\..\RunServices: [D3IF.EXE] C:\WINDOWS\SYSTEM\D3IF.EXE
O4 - HKLM\..\RunServices: [NTEJ.EXE] C:\WINDOWS\SYSTEM\NTEJ.EXE
O4 - HKLM\..\RunServices: [D3YM.EXE] C:\WINDOWS\SYSTEM\D3YM.EXE
O4 - HKLM\..\RunServices: [WINJC32.EXE] C:\WINDOWS\SYSTEM\WINJC32.EXE
O4 - HKLM\..\RunServices: [IPXR.EXE] C:\WINDOWS\SYSTEM\IPXR.EXE
O4 - HKLM\..\RunServices: [APIOK.EXE] C:\WINDOWS\APIOK.EXE
O4 - HKLM\..\RunServices: [D3YQ.EXE] C:\WINDOWS\D3YQ.EXE
O4 - HKLM\..\RunServices: [SYSDD32.EXE] C:\WINDOWS\SYSDD32.EXE
O4 - HKLM\..\RunServices: [D3SK32.EXE] C:\WINDOWS\D3SK32.EXE
O4 - HKLM\..\RunServices: [IEKH32.EXE] C:\WINDOWS\IEKH32.EXE
O4 - HKLM\..\RunServices: [CRGM.EXE] C:\WINDOWS\CRGM.EXE
O4 - HKLM\..\RunServices: [MFCNH32.EXE] C:\WINDOWS\MFCNH32.EXE
O4 - HKLM\..\RunServices: [SYSXZ32.EXE] C:\WINDOWS\SYSTEM\SYSXZ32.EXE
O4 - HKLM\..\RunServices: [WINYF.EXE] C:\WINDOWS\WINYF.EXE
O4 - HKLM\..\RunServices: [ATLDK32.EXE] C:\WINDOWS\ATLDK32.EXE
O4 - HKLM\..\RunServices: [JAVAMK32.EXE] C:\WINDOWS\SYSTEM\JAVAMK32.EXE
O4 - HKLM\..\RunServices: [SDKCR32.EXE] C:\WINDOWS\SYSTEM\SDKCR32.EXE
O4 - HKLM\..\RunServices: [JAVAKJ32.EXE] C:\WINDOWS\SYSTEM\JAVAKJ32.EXE
O4 - HKLM\..\RunServices: [NETAY32.EXE] C:\WINDOWS\NETAY32.EXE
O4 - HKLM\..\RunServices: [D3NM32.EXE] C:\WINDOWS\D3NM32.EXE
O4 - HKLM\..\RunServices: [MFCVT.EXE] C:\WINDOWS\MFCVT.EXE
O4 - HKLM\..\RunServices: [MSGY32.EXE] C:\WINDOWS\MSGY32.EXE
O4 - HKLM\..\RunServices: [ATLFZ.EXE] C:\WINDOWS\ATLFZ.EXE
O4 - HKLM\..\RunServices: [NTNQ.EXE] C:\WINDOWS\NTNQ.EXE
O4 - HKLM\..\RunServices: [IPYN.EXE] C:\WINDOWS\SYSTEM\IPYN.EXE
O4 - HKLM\..\RunServices: [IEUD32.EXE] C:\WINDOWS\IEUD32.EXE
O4 - HKLM\..\RunServices: [SYSKB.EXE] C:\WINDOWS\SYSTEM\SYSKB.EXE
O4 - HKLM\..\RunServices: [NTMX32.EXE] C:\WINDOWS\SYSTEM\NTMX32.EXE
O4 - HKLM\..\RunServices: [MSHQ.EXE] C:\WINDOWS\SYSTEM\MSHQ.EXE
O4 - HKLM\..\RunServices: [IPTZ.EXE] C:\WINDOWS\SYSTEM\IPTZ.EXE
O4 - HKLM\..\RunServices: [CRXD32.EXE] C:\WINDOWS\SYSTEM\CRXD32.EXE
O4 - HKLM\..\RunServices: [MFCBT.EXE] C:\WINDOWS\SYSTEM\MFCBT.EXE
O4 - HKLM\..\RunServices: [NTBA.EXE] C:\WINDOWS\NTBA.EXE
O4 - HKLM\..\RunServices: [APICP.EXE] C:\WINDOWS\APICP.EXE
O4 - HKLM\..\RunServices: [ADDMC32.EXE] C:\WINDOWS\ADDMC32.EXE
O4 - HKLM\..\RunServices: [ATLOP.EXE] C:\WINDOWS\ATLOP.EXE
O4 - HKLM\..\RunServices: [APPWD.EXE] C:\WINDOWS\SYSTEM\APPWD.EXE
O4 - HKLM\..\RunServices: [IEKJ.EXE] C:\WINDOWS\SYSTEM\IEKJ.EXE
O4 - HKLM\..\RunServices: [MFCKM.EXE] C:\WINDOWS\SYSTEM\MFCKM.EXE
O4 - HKLM\..\RunServices: [NTRH32.EXE] C:\WINDOWS\SYSTEM\NTRH32.EXE
O4 - HKLM\..\RunServices: [CRKQ.EXE] C:\WINDOWS\CRKQ.EXE
O4 - HKLM\..\RunServices: [MSFM.EXE] C:\WINDOWS\SYSTEM\MSFM.EXE
O4 - HKLM\..\RunServices: [D3BA.EXE] C:\WINDOWS\SYSTEM\D3BA.EXE
O4 - HKLM\..\RunServices: [ADDPO32.EXE] C:\WINDOWS\ADDPO32.EXE
O4 - HKLM\..\RunServices: [WINOD.EXE] C:\WINDOWS\SYSTEM\WINOD.EXE
O4 - HKLM\..\RunServices: [D3QG.EXE] C:\WINDOWS\D3QG.EXE
O4 - HKLM\..\RunServices: [ADDAY.EXE] C:\WINDOWS\ADDAY.EXE
O4 - HKLM\..\RunServices: [SYSFY.EXE] C:\WINDOWS\SYSTEM\SYSFY.EXE
O4 - HKLM\..\RunServices: [NETPC.EXE] C:\WINDOWS\NETPC.EXE
O4 - HKLM\..\RunServices: [MSND32.EXE] C:\WINDOWS\SYSTEM\MSND32.EXE
O4 - HKLM\..\RunServices: [JAVAAT32.EXE] C:\WINDOWS\SYSTEM\JAVAAT32.EXE
O4 - HKLM\..\RunServices: [D3SA32.EXE] C:\WINDOWS\D3SA32.EXE
O4 - HKLM\..\RunServices: [ADDYW.EXE] C:\WINDOWS\SYSTEM\ADDYW.EXE
O4 - HKLM\..\RunServices: [ATLQZ32.EXE] C:\WINDOWS\ATLQZ32.EXE
O4 - HKLM\..\RunServices: [APPBH32.EXE] C:\WINDOWS\SYSTEM\APPBH32.EXE
O4 - HKLM\..\RunServices: [JAVAVS32.EXE] C:\WINDOWS\JAVAVS32.EXE
O4 - HKLM\..\RunServices: [IPPT32.EXE] C:\WINDOWS\IPPT32.EXE
O4 - HKLM\..\RunServices: [D3XI.EXE] C:\WINDOWS\D3XI.EXE
O4 - HKLM\..\RunServices: [APIKY32.EXE] C:\WINDOWS\APIKY32.EXE
O4 - HKLM\..\RunServices: [ADDHA.EXE] C:\WINDOWS\ADDHA.EXE
O4 - HKLM\..\RunServices: [MFCVG32.EXE] C:\WINDOWS\MFCVG32.EXE
O4 - HKLM\..\RunServices: [MFCQM32.EXE] C:\WINDOWS\MFCQM32.EXE
O4 - HKLM\..\RunServices: [JAVAYJ32.EXE] C:\WINDOWS\JAVAYJ32.EXE
O4 - HKLM\..\RunServices: [APIRZ.EXE] C:\WINDOWS\SYSTEM\APIRZ.EXE
O4 - HKLM\..\RunServices: [NTEM.EXE] C:\WINDOWS\SYSTEM\NTEM.EXE
O4 - HKLM\..\RunServices: [NETYM.EXE] C:\WINDOWS\SYSTEM\NETYM.EXE
O4 - HKLM\..\RunServices: [APPXX32.EXE] C:\WINDOWS\APPXX32.EXE
O4 - HKLM\..\RunServices: [SYSNV32.EXE] C:\WINDOWS\SYSNV32.EXE
O4 - HKLM\..\RunServices: [MSHB32.EXE] C:\WINDOWS\MSHB32.EXE
O4 - HKLM\..\RunServices: [SDKGO32.EXE] C:\WINDOWS\SYSTEM\SDKGO32.EXE
O4 - HKLM\..\RunServices: [NETCQ32.EXE] C:\WINDOWS\SYSTEM\NETCQ32.EXE
O4 - HKLM\..\RunServices: [SYSUY32.EXE] C:\WINDOWS\SYSUY32.EXE
O4 - HKLM\..\RunServices: [JAVAJS32.EXE] C:\WINDOWS\SYSTEM\JAVAJS32.EXE
O4 - HKLM\..\RunServices: [IEDR32.EXE] C:\WINDOWS\IEDR32.EXE
O4 - HKLM\..\RunServices: [JAVAPT.EXE] C:\WINDOWS\SYSTEM\JAVAPT.EXE
O4 - HKLM\..\RunServices: [SYSAS32.EXE] C:\WINDOWS\SYSAS32.EXE
O4 - HKLM\..\RunServices: [SYSMN.EXE] C:\WINDOWS\SYSTEM\SYSMN.EXE
O4 - HKLM\..\RunServices: [ATLTM.EXE] C:\WINDOWS\ATLTM.EXE
O4 - HKLM\..\RunServices: [MSSC.EXE] C:\WINDOWS\SYSTEM\MSSC.EXE
O4 - HKLM\..\RunServices: [IEUE.EXE] C:\WINDOWS\IEUE.EXE
O4 - HKLM\..\RunServices: [IPRK32.EXE] C:\WINDOWS\SYSTEM\IPRK32.EXE
O4 - HKLM\..\RunServices: [NETEX32.EXE] C:\WINDOWS\NETEX32.EXE
O4 - HKLM\..\RunServices: [APIWG.EXE] C:\WINDOWS\APIWG.EXE
O4 - HKLM\..\RunServices: [SYSPA32.EXE] C:\WINDOWS\SYSTEM\SYSPA32.EXE
O4 - HKLM\..\RunServices: [APPOM32.EXE] C:\WINDOWS\APPOM32.EXE
O4 - HKLM\..\RunServices: [MSFB.EXE] C:\WINDOWS\MSFB.EXE
O4 - HKLM\..\RunServices: [NETZL.EXE] C:\WINDOWS\NETZL.EXE
O4 - HKLM\..\RunServices: [MSSB32.EXE] C:\WINDOWS\SYSTEM\MSSB32.EXE
O4 - HKLM\..\RunServices: [SDKPV32.EXE] C:\WINDOWS\SDKPV32.EXE
O4 - HKLM\..\RunServices: [IPLZ.EXE] C:\WINDOWS\SYSTEM\IPLZ.EXE
O4 - HKLM\..\RunServices: [IEAC32.EXE] C:\WINDOWS\IEAC32.EXE
O4 - HKLM\..\RunServices: [IPMT.EXE] C:\WINDOWS\SYSTEM\IPMT.EXE
O4 - HKLM\..\RunServices: [APICX.EXE] C:\WINDOWS\APICX.EXE
O4 - HKLM\..\RunServices: [JAVAYH32.EXE] C:\WINDOWS\SYSTEM\JAVAYH32.EXE
O4 - HKLM\..\RunServices: [IPNE32.EXE] C:\WINDOWS\IPNE32.EXE
O4 - HKLM\..\RunServices: [MFCWJ.EXE] C:\WINDOWS\MFCWJ.EXE
O4 - HKLM\..\RunServices: [WINSY32.EXE] C:\WINDOWS\WINSY32.EXE
O4 - HKLM\..\RunServices: [JAVASJ.EXE] C:\WINDOWS\SYSTEM\JAVASJ.EXE
O4 - HKLM\..\RunServices: [MFCUV.EXE] C:\WINDOWS\SYSTEM\MFCUV.EXE
O4 - HKLM\..\RunServices: [CRWB32.EXE] C:\WINDOWS\CRWB32.EXE
O4 - HKLM\..\RunServices: [IECR.EXE] C:\WINDOWS\IECR.EXE
O4 - HKLM\..\RunServices: [MSFG.EXE] C:\WINDOWS\MSFG.EXE
O4 - HKLM\..\RunServices: [SDKVZ.EXE] C:\WINDOWS\SDKVZ.EXE
O4 - HKLM\..\RunServices: [MFCYB.EXE] C:\WINDOWS\MFCYB.EXE
O4 - HKLM\..\RunServices: [APIAD32.EXE] C:\WINDOWS\APIAD32.EXE
O4 - HKLM\..\RunServices: [ATLDU.EXE] C:\WINDOWS\ATLDU.EXE
O4 - HKLM\..\RunServices: [MSPX32.EXE] C:\WINDOWS\MSPX32.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = ntu.ac.uk
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 152.71.0.1,152.71.0.2

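The Safe Mode log in the post above lists only five running processes, yet the same RunServices entries are still registered, so the autostart section says more about persistence than the process list does. As an added example (not part of the original post and not HijackThis code), this Python sketch parses such a log and flags O4 entries that fit the naming pattern visible in this thread. The regular expressions, the function names and the shortened sample log are assumptions constructed from the lines shown here, and a match is a triage hint, not a verdict.

```python
import ntpath
import re

# Constructed sample: a shortened Safe Mode log built from lines in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

F1 - win.ini: load=essspk.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [JAVAYP32.EXE] C:\WINDOWS\SYSTEM\JAVAYP32.EXE
O4 - HKLM\..\RunServices: [NETXS32.EXE] C:\WINDOWS\NETXS32.EXE
O4 - HKLM\..\RunServices: [D3IF.EXE] C:\WINDOWS\SYSTEM\D3IF.EXE
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = ntu.ac.uk
"""

# "O4 - HKLM\..\RunServices: [value name] command line"
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)

# Heuristic (assumption): a system-sounding prefix, two letters, optional "32".
# The prefixes are the ones that appear in the logs in this thread.
RANDOM_NAME_RE = re.compile(
    r"^(ADD|API|APP|ATL|CR|D3|IE|IP|JAVA|MFC|MS|NET|NT|SDK|SYS|WIN)"
    r"[A-Z]{2}(32)?\.EXE$"
)

# Folders the flagged files sit in directly, per the logs.
DROP_DIRS = {r"C:\WINDOWS", r"C:\WINDOWS\SYSTEM"}


def parse_log(text):
    """Return (running process paths, O4 autostart entries) from a log."""
    running, autostarts, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # a blank line ends the process list
                in_procs = False
            else:
                running.append(line.upper())
            continue
        match = O4_RE.match(line)
        if match:
            autostarts.append(match.groupdict())
    return running, autostarts


def triage(text):
    """Flag autostarts that match all three traits seen in this thread:
    value name equals the file name, file sits directly in a Windows
    folder, and the file name fits the prefix + two letters pattern."""
    running, autostarts = parse_log(text)
    running_set = set(running)
    findings = []
    for entry in autostarts:
        cmd = entry["cmd"].upper()
        folder, exe = ntpath.split(cmd)
        if (
            entry["name"].upper() == exe
            and folder in DROP_DIRS
            and RANDOM_NAME_RE.match(exe)
        ):
            findings.append(
                {"key": entry["key"], "path": cmd, "running": cmd in running_set}
            )
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        state = "running" if finding["running"] else "registered, not running"
        print(f'{finding["key"]}: {finding["path"]} ({state})')
```

Entries with a descriptive value name or no full path, such as `[SchedulingAgent] mstask.exe`, fall outside all three traits and are left for manual review rather than flagged.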
#8 phawgg


Posted 29 November 2004 - 07:22 PM

I was hoping that the AboutBuster or peper remover might sorta chip away at the volume of files some, disaster. CWShredder targets some, too. Ad-Aware gets several that Spybot doesn't often enough, as well. We can do this, though:

Set your PC to: show hidden files.
This time Start-->MyComputer-->Tools-->Options-->View Tab-->Show Hidden Files & Folders (system-wide)

Reboot your computer into Safe Mode by tapping F8 until the screen appears where you can use the up arrow to choose safe mode. Hit enter.

Open your C:\HJT folder and double-click the icon. Close everything except HijackThis, nothing else on your desktop.

Run Hijackthis: click Scan, and put a checkmark next to each of the following objects.

O4 - HKLM\..\RunServices: [ADDAY.EXE] C:\WINDOWS\ADDAY.EXE
O4 - HKLM\..\RunServices: [ADDHA.EXE] C:\WINDOWS\ADDHA.EXE
O4 - HKLM\..\RunServices: [ADDMC32.EXE] C:\WINDOWS\ADDMC32.EXE
O4 - HKLM\..\RunServices: [ADDPO32.EXE] C:\WINDOWS\ADDPO32.EXE
O4 - HKLM\..\RunServices: [ADDYW.EXE] C:\WINDOWS\SYSTEM\ADDYW.EXE
O4 - HKLM\..\RunServices: [APIAD32.EXE] C:\WINDOWS\APIAD32.EXE
O4 - HKLM\..\RunServices: [APICP.EXE] C:\WINDOWS\APICP.EXE
O4 - HKLM\..\RunServices: [APICX.EXE] C:\WINDOWS\APICX.EXE
O4 - HKLM\..\RunServices: [APIKY32.EXE] C:\WINDOWS\APIKY32.EXE
O4 - HKLM\..\RunServices: [APIOK.EXE] C:\WINDOWS\APIOK.EXE
O4 - HKLM\..\RunServices: [APIOL32.EXE] C:\WINDOWS\SYSTEM\APIOL32.EXE
O4 - HKLM\..\RunServices: [APIRZ.EXE] C:\WINDOWS\SYSTEM\APIRZ.EXE
O4 - HKLM\..\RunServices: [APIWG.EXE] C:\WINDOWS\APIWG.EXE
O4 - HKLM\..\RunServices: [APPBH32.EXE] C:\WINDOWS\SYSTEM\APPBH32.EXE
O4 - HKLM\..\RunServices: [APPCJ32.EXE] C:\WINDOWS\APPCJ32.EXE
O4 - HKLM\..\RunServices: [APPOM32.EXE] C:\WINDOWS\APPOM32.EXE
O4 - HKLM\..\RunServices: [APPWC32.EXE] C:\WINDOWS\SYSTEM\APPWC32.EXE
O4 - HKLM\..\RunServices: [APPWD.EXE] C:\WINDOWS\SYSTEM\APPWD.EXE
O4 - HKLM\..\RunServices: [APPXX32.EXE] C:\WINDOWS\APPXX32.EXE
O4 - HKLM\..\RunServices: [APPYP32.EXE] C:\WINDOWS\APPYP32.EXE
O4 - HKLM\..\RunServices: [ATLDK32.EXE] C:\WINDOWS\ATLDK32.EXE
O4 - HKLM\..\RunServices: [ATLDU.EXE] C:\WINDOWS\ATLDU.EXE
O4 - HKLM\..\RunServices: [ATLFZ.EXE] C:\WINDOWS\ATLFZ.EXE
O4 - HKLM\..\RunServices: [ATLOP.EXE] C:\WINDOWS\ATLOP.EXE
O4 - HKLM\..\RunServices: [ATLQZ32.EXE] C:\WINDOWS\ATLQZ32.EXE
O4 - HKLM\..\RunServices: [ATLTM.EXE] C:\WINDOWS\ATLTM.EXE
O4 - HKLM\..\RunServices: [CRGM.EXE] C:\WINDOWS\CRGM.EXE
O4 - HKLM\..\RunServices: [CRKQ.EXE] C:\WINDOWS\CRKQ.EXE
O4 - HKLM\..\RunServices: [CRKU32.EXE] C:\WINDOWS\CRKU32.EXE
O4 - HKLM\..\RunServices: [CRWB32.EXE] C:\WINDOWS\CRWB32.EXE
O4 - HKLM\..\RunServices: [CRXD32.EXE] C:\WINDOWS\SYSTEM\CRXD32.EXE
O4 - HKLM\..\RunServices: [D3BA.EXE] C:\WINDOWS\SYSTEM\D3BA.EXE
O4 - HKLM\..\RunServices: [D3IF.EXE] C:\WINDOWS\SYSTEM\D3IF.EXE
O4 - HKLM\..\RunServices: [D3NM32.EXE] C:\WINDOWS\D3NM32.EXE
O4 - HKLM\..\RunServices: [D3QG.EXE] C:\WINDOWS\D3QG.EXE
O4 - HKLM\..\RunServices: [D3SA32.EXE] C:\WINDOWS\D3SA32.EXE
O4 - HKLM\..\RunServices: [D3SK32.EXE] C:\WINDOWS\D3SK32.EXE
O4 - HKLM\..\RunServices: [D3XI.EXE] C:\WINDOWS\D3XI.EXE
O4 - HKLM\..\RunServices: [D3YM.EXE] C:\WINDOWS\SYSTEM\D3YM.EXE
O4 - HKLM\..\RunServices: [D3YQ.EXE] C:\WINDOWS\D3YQ.EXE
O4 - HKLM\..\RunServices: [IEAC32.EXE] C:\WINDOWS\IEAC32.EXE
O4 - HKLM\..\RunServices: [IECN32.EXE] C:\WINDOWS\IECN32.EXE
O4 - HKLM\..\RunServices: [IECR.EXE] C:\WINDOWS\IECR.EXE
O4 - HKLM\..\RunServices: [IEDR32.EXE] C:\WINDOWS\IEDR32.EXE
O4 - HKLM\..\RunServices: [IEKH32.EXE] C:\WINDOWS\IEKH32.EXE
O4 - HKLM\..\RunServices: [IEKJ.EXE] C:\WINDOWS\SYSTEM\IEKJ.EXE
O4 - HKLM\..\RunServices: [IEUD32.EXE] C:\WINDOWS\IEUD32.EXE
O4 - HKLM\..\RunServices: [IEUE.EXE] C:\WINDOWS\IEUE.EXE
O4 - HKLM\..\RunServices: [IPLZ.EXE] C:\WINDOWS\SYSTEM\IPLZ.EXE
O4 - HKLM\..\RunServices: [IPMT.EXE] C:\WINDOWS\SYSTEM\IPMT.EXE
O4 - HKLM\..\RunServices: [IPNE32.EXE] C:\WINDOWS\IPNE32.EXE
O4 - HKLM\..\RunServices: [IPPT32.EXE] C:\WINDOWS\IPPT32.EXE
O4 - HKLM\..\RunServices: [IPRK32.EXE] C:\WINDOWS\SYSTEM\IPRK32.EXE
O4 - HKLM\..\RunServices: [IPTZ.EXE] C:\WINDOWS\SYSTEM\IPTZ.EXE
O4 - HKLM\..\RunServices: [IPXR.EXE] C:\WINDOWS\SYSTEM\IPXR.EXE
O4 - HKLM\..\RunServices: [IPYN.EXE] C:\WINDOWS\SYSTEM\IPYN.EXE
O4 - HKLM\..\RunServices: [JAVAIG32.EXE] C:\WINDOWS\SYSTEM\JAVAIG32.EXE
O4 - HKLM\..\RunServices: [JAVAYP32.EXE] C:\WINDOWS\SYSTEM\JAVAYP32.EXE
O4 - HKLM\..\RunServices: [JAVASJ.EXE] C:\WINDOWS\SYSTEM\JAVASJ.EXE
O4 - HKLM\..\RunServices: [JAVAVS32.EXE] C:\WINDOWS\JAVAVS32.EXE

O4 - HKLM\..\RunServices: [MFCNH32.EXE] C:\WINDOWS\MFCNH32.EXE
O4 - HKLM\..\RunServices: [MFCQM32.EXE] C:\WINDOWS\MFCQM32.EXE

O4 - HKLM\..\RunServices: [MFCVG32.EXE] C:\WINDOWS\MFCVG32.EXE
O4 - HKLM\..\RunServices: [MFCVT.EXE] C:\WINDOWS\MFCVT.EXE
O4 - HKLM\..\RunServices: [MFCWJ.EXE] C:\WINDOWS\MFCWJ.EXE

O4 - HKLM\..\RunServices: [MSFB.EXE] C:\WINDOWS\MSFB.EXE
O4 - HKLM\..\RunServices: [MSFG.EXE] C:\WINDOWS\MSFG.EXE
O4 - HKLM\..\RunServices: [MSFM.EXE] C:\WINDOWS\SYSTEM\MSFM.EXE
O4 - HKLM\..\RunServices: [MSGY32.EXE] C:\WINDOWS\MSGY32.EXE
O4 - HKLM\..\RunServices: [MSHB32.EXE] C:\WINDOWS\MSHB32.EXE
O4 - HKLM\..\RunServices: [MSHE32.EXE] C:\WINDOWS\MSHE32.EXE
O4 - HKLM\..\RunServices: [MSHQ.EXE] C:\WINDOWS\SYSTEM\MSHQ.EXE
O4 - HKLM\..\RunServices: [MSJA.EXE] C:\WINDOWS\SYSTEM\MSJA.EXE
O4 - HKLM\..\RunServices: [MSND32.EXE] C:\WINDOWS\SYSTEM\MSND32.EXE
O4 - HKLM\..\RunServices: [MSPX32.EXE] C:\WINDOWS\MSPX32.EXE
O4 - HKLM\..\RunServices: [MSSB32.EXE] C:\WINDOWS\SYSTEM\MSSB32.EXE
O4 - HKLM\..\RunServices: [MSSC.EXE] C:\WINDOWS\SYSTEM\MSSC.EXE
O4 - HKLM\..\RunServices: [NETAY32.EXE] C:\WINDOWS\NETAY32.EXE
O4 - HKLM\..\RunServices: [NETBB32.EXE] C:\WINDOWS\NETBB32.EXE

O4 - HKLM\..\RunServices: [NETEX32.EXE] C:\WINDOWS\NETEX32.EXE
O4 - HKLM\..\RunServices: [NETPC.EXE] C:\WINDOWS\NETPC.EXE
O4 - HKLM\..\RunServices: [NETXS32.EXE] C:\WINDOWS\NETXS32.EXE

O4 - HKLM\..\RunServices: [NETZL.EXE] C:\WINDOWS\NETZL.EXE
O4 - HKLM\..\RunServices: [NTBA.EXE] C:\WINDOWS\NTBA.EXE
O4 - HKLM\..\RunServices: [NTNQ.EXE] C:\WINDOWS\NTNQ.EXE
O4 - HKLM\..\RunServices: [SDKPV32.EXE] C:\WINDOWS\SDKPV32.EXE
O4 - HKLM\..\RunServices: [SDKVZ.EXE] C:\WINDOWS\SDKVZ.EXE
O4 - HKLM\..\RunServices: [SYSAS32.EXE] C:\WINDOWS\SYSAS32.EXE
O4 - HKLM\..\RunServices: [SYSDD32.EXE] C:\WINDOWS\SYSDD32.EXE
O4 - HKLM\..\RunServices: [SYSDL.EXE] C:\WINDOWS\SYSDL.EXE
O4 - HKLM\..\RunServices: [SYSNV32.EXE] C:\WINDOWS\SYSNV32.EXE
O4 - HKLM\..\RunServices: [ADDYW.EXE] C:\WINDOWS\SYSTEM\ADDYW.EXE
O4 - HKLM\..\RunServices: [APIOL32.EXE] C:\WINDOWS\SYSTEM\APIOL32.EXE
O4 - HKLM\..\RunServices: [APIRZ.EXE] C:\WINDOWS\SYSTEM\APIRZ.EXE
O4 - HKLM\..\RunServices: [APPBH32.EXE] C:\WINDOWS\SYSTEM\APPBH32.EXE
O4 - HKLM\..\RunServices: [APPWC32.EXE] C:\WINDOWS\SYSTEM\APPWC32.EXE
O4 - HKLM\..\RunServices: [APPWD.EXE] C:\WINDOWS\SYSTEM\APPWD.EXE
O4 - HKLM\..\RunServices: [CRXD32.EXE] C:\WINDOWS\SYSTEM\CRXD32.EXE
O4 - HKLM\..\RunServices: [D3BA.EXE] C:\WINDOWS\SYSTEM\D3BA.EXE
O4 - HKLM\..\RunServices: [D3IF.EXE] C:\WINDOWS\SYSTEM\D3IF.EXE
O4 - HKLM\..\RunServices: [D3YM.EXE] C:\WINDOWS\SYSTEM\D3YM.EXE
O4 - HKLM\..\RunServices: [IEKJ.EXE] C:\WINDOWS\SYSTEM\IEKJ.EXE
O4 - HKLM\..\RunServices: [IPLZ.EXE] C:\WINDOWS\SYSTEM\IPLZ.EXE
O4 - HKLM\..\RunServices: [IPMT.EXE] C:\WINDOWS\SYSTEM\IPMT.EXE
O4 - HKLM\..\RunServices: [IPRK32.EXE] C:\WINDOWS\SYSTEM\IPRK32.EXE
O4 - HKLM\..\RunServices: [IPTZ.EXE] C:\WINDOWS\SYSTEM\IPTZ.EXE
O4 - HKLM\..\RunServices: [IPXR.EXE] C:\WINDOWS\SYSTEM\IPXR.EXE
O4 - HKLM\..\RunServices: [IPYN.EXE] C:\WINDOWS\SYSTEM\IPYN.EXE
O4 - HKLM\..\RunServices: [JAVAAT32.EXE] C:\WINDOWS\SYSTEM\JAVAAT32.EXE

O4 - HKLM\..\RunServices: [JAVAJS32.EXE] C:\WINDOWS\SYSTEM\JAVAJS32.EXE
O4 - HKLM\..\RunServices: [JAVAKJ32.EXE] C:\WINDOWS\SYSTEM\JAVAKJ32.EXE
O4 - HKLM\..\RunServices: [JAVAMK32.EXE] C:\WINDOWS\SYSTEM\JAVAMK32.EXE
O4 - HKLM\..\RunServices: [JAVAPT.EXE] C:\WINDOWS\SYSTEM\JAVAPT.EXE

O4 - HKLM\..\RunServices: [JAVAYH32.EXE] C:\WINDOWS\SYSTEM\JAVAYH32.EXE

O4 - HKLM\..\RunServices: [JAVAYJ32.EXE] C:\WINDOWS\JAVAYJ32.EXE

O4 - HKLM\..\RunServices: [MFCBT.EXE] C:\WINDOWS\SYSTEM\MFCBT.EXE
O4 - HKLM\..\RunServices: [MFCKM.EXE] C:\WINDOWS\SYSTEM\MFCKM.EXE
O4 - HKLM\..\RunServices: [MSFB.EXE] C:\WINDOWS\MSFB.EXE
O4 - HKLM\..\RunServices: [MSFG.EXE] C:\WINDOWS\MSFG.EXE
O4 - HKLM\..\RunServices: [MSFM.EXE] C:\WINDOWS\SYSTEM\MSFM.EXE

O4 - HKLM\..\RunServices: [MSHQ.EXE] C:\WINDOWS\SYSTEM\MSHQ.EXE
O4 - HKLM\..\RunServices: [MSJA.EXE] C:\WINDOWS\SYSTEM\MSJA.EXE
O4 - HKLM\..\RunServices: [MSND32.EXE] C:\WINDOWS\SYSTEM\MSND32.EXE
O4 - HKLM\..\RunServices: [MSSB32.EXE] C:\WINDOWS\SYSTEM\MSSB32.EXE
O4 - HKLM\..\RunServices: [MSSC.EXE] C:\WINDOWS\SYSTEM\MSSC.EXE
O4 - HKLM\..\RunServices: [NETCQ32.EXE] C:\WINDOWS\SYSTEM\NETCQ32.EXE
O4 - HKLM\..\RunServices: [NETYM.EXE] C:\WINDOWS\SYSTEM\NETYM.EXE
O4 - HKLM\..\RunServices: [NTEJ.EXE] C:\WINDOWS\SYSTEM\NTEJ.EXE
O4 - HKLM\..\RunServices: [NTEM.EXE] C:\WINDOWS\SYSTEM\NTEM.EXE
O4 - HKLM\..\RunServices: [NTMX32.EXE] C:\WINDOWS\SYSTEM\NTMX32.EXE
O4 - HKLM\..\RunServices: [NTRH32.EXE] C:\WINDOWS\SYSTEM\NTRH32.EXE
O4 - HKLM\..\RunServices: [SDKCR32.EXE] C:\WINDOWS\SYSTEM\SDKCR32.EXE
O4 - HKLM\..\RunServices: [SDKGO32.EXE] C:\WINDOWS\SYSTEM\SDKGO32.EXE
O4 - HKLM\..\RunServices: [SDKID32.EXE] C:\WINDOWS\SYSTEM\SDKID32.EXE
O4 - HKLM\..\RunServices: [SYSFY.EXE] C:\WINDOWS\SYSTEM\SYSFY.EXE
O4 - HKLM\..\RunServices: [SYSKB.EXE] C:\WINDOWS\SYSTEM\SYSKB.EXE
O4 - HKLM\..\RunServices: [SYSMN.EXE] C:\WINDOWS\SYSTEM\SYSMN.EXE
O4 - HKLM\..\RunServices: [SYSPA32.EXE] C:\WINDOWS\SYSTEM\SYSPA32.EXE
O4 - HKLM\..\RunServices: [SYSXZ32.EXE] C:\WINDOWS\SYSTEM\SYSXZ32.EXE
O4 - HKLM\..\RunServices: [WINJC32.EXE] C:\WINDOWS\SYSTEM\WINJC32.EXE
O4 - HKLM\..\RunServices: [WINOD.EXE] C:\WINDOWS\SYSTEM\WINOD.EXE
O4 - HKLM\..\RunServices: [SYSUY32.EXE] C:\WINDOWS\SYSUY32.EXE
O4 - HKLM\..\RunServices: [WINSY32.EXE] C:\WINDOWS\WINSY32.EXE
O4 - HKLM\..\RunServices: [WINYF.EXE] C:\WINDOWS\WINYF.EXE

When you're sure that files marked for deletion are correct, click the Fix button and exit HJT. Instead of doing it all at once, you might choose to do 20 at a time, also. Please refer to the list in this thread of files not to delete also. Better copy this entire thread. Look to the top of the browser window and choose File-->Save Page As: (save box opens) file name: instructions. save as type: Web Page, HTML only. Or copy/paste to a notepad.

Search for, locate and delete these files or folders (Do not be concerned if they do not exist, previous steps may have eliminated them.) Do not delete main folders like C:\WINDOWS or C:\WINDOWS\SYSTEM. We're looking for individual files, unless otherwise noted. The best way to find them is to use: Start-->Search-->select "all files & folders"-->select "more advanced options"-->check search "system folders", "hidden files & folders", "sub-folders". In your case navigation to the folders involved, opening them and selecting the bad files-->right click to delete might be the best way to go.
Delete

C:\WINDOWS\ADDAY.EXE
C:\WINDOWS\ADDHA.EXE
C:\WINDOWS\ADDMC32.EXE
C:\WINDOWS\ADDPO32.EXE
C:\WINDOWS\APIAD32.EXE
C:\WINDOWS\APICP.EXE
C:\WINDOWS\APICX.EXE
C:\WINDOWS\APIKY32.EXE
C:\WINDOWS\APIOK.EXE
C:\WINDOWS\APIWG.EXE

Delete Temp Files
To clean out your temp files use: Start-->Run-->type in: %temp% and press the ok button. This should open up the temp directory that your machine uses. Please delete all files and folders found in the temp folder. If you get an error when deleting a file, skip that file and delete all the others. Doing this in Safe Mode you should be able to delete all the files. This step replaces the use of System Security Suite, if you didn't download it.

Reboot your computer to go back to normal mode.

Run CWShredder 1.59.1, open folder & choose to extract to your desktop. "Finish". Open the folder and double-click on cwshredder.exe. Select Fix.

If you haven't already, extract AboutBuster 4.0, open folder & choose to extract to your desktop. "Finish". Open the folder and double-click on the AboutBuster icon. Start it and press the OK button. Then hit the update button and a new screen will appear. On that screen press the Check for Updates button. If it says it found an update, press Download Updates. If it doesn't, it will automatically tell you that it could not find an update and exit. (This program is updated often so you should always use the built in update feature before you scan with it.) It's likely a very small update, easily downloaded, but if you must, run without updating.

To scan your machine, press the Start button and then press OK. The program should start scanning. Scan 1. Scan 2. When it is done, press the exit button and reboot. Once rebooted run About:Buster one more time.

Reboot at least once, perhaps a couple of times to be sure it worked.

Try again to run AdAware, press the "Start" button, uncheck "Scan for negligible risk entries", select "Perform full system scan" and press "Next". Let AdAware remove anything it finds.

Delete Temporary Internet Files
Now I want you to Start-->Internet Explorer-->Tools-->Internet Options-->General tab-->Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, but when it is done your Temporary Internet Files will be deleted.
Empty the recycle bin.
OR
Run System Security Suite. (All windows and browsers closed) To clean out Temp and Temporary Internet Files, In the "Items to Clear" tab click:
1. Internet Explorer (left pane): Cookies & Temporary files
2. My Computer (right pane): Temporary files & Recycle Bin
Click the "Clear Selected Items" button. Close.

Run HijackThis again and post the new log as a reply to this post.
A couple questions:
Have you ever used a registry cleaning program?
Have you defragmented your hard drive recently?
patiently patrolling, plenty of persistent pests n' problems ...

#9 disaster

Posted 01 December 2004 - 06:34 AM

I have used hijackthis to remove all the files you indicated

However when I was deleting the files from the computer with windows explorer I did not delete

C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSGSRV32.EXE

As these were not hidden files, unlike all the others. What should I do with these?

I also deleted all the temp files and internet temp files

On rebooting back to normal mode the system free resources was 97%. I then connected to the internet and tried to run peperemover. It got stuck. Similarly AboutBuster 4.0 loaded, but got stuck when I ran it. Unfortunately whilst I was connected to the internet my home page got changed to About:Blank again.

I then closed down and rebooted in safe mode. On running hijackthis I had about 10 extra lines that ended in zhgiv.dll and appeared to be connected with About:blank. I got HJT to delete them all.

HJT log on reboot in normal mode

Logfile of HijackThis v1.98.2
Scan saved at 20:15:31, on 30/11/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\CRSJ32.EXE
C:\WINDOWS\ESSSPK.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R3 - Default URLSearchHook is missing
F1 - win.ini: load=essspk.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {5589C2FB-CD1A-52E4-4F6C-D27D6ED99BEC} - C:\WINDOWS\SDKIQ.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [MFCUV.EXE] C:\WINDOWS\SYSTEM\MFCUV.EXE
O4 - HKLM\..\RunServices: [MFCYB.EXE] C:\WINDOWS\MFCYB.EXE
O4 - HKLM\..\RunServices: [CRSJ32.EXE] C:\WINDOWS\CRSJ32.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = ntu.ac.uk
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 152.71.0.1,152.71.0.2

I keep on getting an extra 02 BHO line, that when I delete it, another appears.
eg
O2 - BHO: Class - {5589C2FB-CD1A-52E4-4F6C-D27D6ED99BEC} - C:\WINDOWS\SDKIQ.DLL

I then ran spybot overnight it found

1 DSO exploit
4 CooWWWsearch.Featinstaller
1 winpup

Unfortunately it froze so I could not delete them and a reboot was the only way to get the computer working again.

On normal reboot I was finally able to run Adaware 1.05 (79 days since update). It found
150 critical objects
3 registry keys changed
7 registry values changed
140 files identified

coolwebsearch 147 objects
VX2 1 object
Istbar 2 objects

For the first time I was allowed to delete these items with Adaware

Latest HJT log

Logfile of HijackThis v1.98.2
Scan saved at 07:39:22, on 01/12/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\CRSJ32.EXE
C:\WINDOWS\ESSSPK.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R3 - Default URLSearchHook is missing
F1 - win.ini: load=essspk.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {5589C2FB-CD1A-52E4-4F6C-D27D6ED99BEC} - C:\WINDOWS\SDKIQ.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [MFCUV.EXE] C:\WINDOWS\SYSTEM\MFCUV.EXE
O4 - HKLM\..\RunServices: [MFCYB.EXE] C:\WINDOWS\MFCYB.EXE
O4 - HKLM\..\RunServices: [CRSJ32.EXE] C:\WINDOWS\CRSJ32.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = ntu.ac.uk
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 152.71.0.1,152.71.0.2

CWShredder 1.59.1 does not find anything

Have you ever used a registry cleaning program? No
Have you defragmented your hard drive recently? I tried to a few weeks ago but it got stuck.

#10 phawgg

Posted 01 December 2004 - 07:56 PM

I'm not sure I can answer all your questions, disaster.
[quote]I have tried to run an online virus scan from Pandasoftware but it crashed.[/quote][quote]the update of internet explorer v6 is over 12Mb (service pack 1) and the computer is likely to crash so I haven't done it.[/quote] Try again later, both of these.[quote]CWShredder claims the system is OK.[/quote] I think from its standpoint, it is now.
[quote]I have moved hijackthis.exe to C:hijackthis[/quote] I see it is back to the desktop, though.
You are running HJT from your desktop. It will be easiest to delete the present one and just to follow these steps in order:
start-->My Computer-->C:\ local disk-->File-->Folder-->New-->name it HJT.
Then Download HijackThis 1.98.2 from here. Save to desktop
Next, click or double click the .zip folder.
Extract all files-->ExtractionWizard opens-->next-->browse-->My Computer-->(C:)-->HJT-->OK-->next-->finish. Then close the windows.
That'll put hijackthis.exe in a permanent folder so it can make backups when we use it. Those backups might be needed.
When you are ready to post again, find that folder and Open the icon file (184KB Application)
click Scan-->Save Log-->name it hijackthis 1-->save as: all files-->in: My Documents. Notepad should be visible now.
Choose Edit-->select all-->right-click Copy.

[quote]However when I was deleting the files from the computer with windows explorer I did not delete:
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\MSGSRV32.EXE As these were not hidden files, unlike all the others. What should I do with these?[/quote] Keep these files. They should not have been on the latest deletion list I provided. Information from a good source below:

C:\WINDOWS\SYSTEM\MDM.EXE: Used by developers for debugging. Those who have encountered it have unchecked it with no degradation in performance. May cause your computer to "hang" if you have MS Visual Studio installed and this disabled because it appears to take over error handling - hence the U recommendation. about this at microsoft

C:\WINDOWS\SYSTEM\MPREXE.exe: System Required (absolutely required by Windows system) WIN32 Network Service Interface Process. MPREXE.exe enables the computer to have multiple clients/protocols for networks. There are some problems with it sometimes though. Note - why some people have it listed in start-up programs I don't know but I was asked to include it here. It automatically runs in the background. NOTE : sometimes it will appear in start-ups if you have a virus

C:\WINDOWS\SYSTEM\MSGSRV32.EXE: System Required (absolutely required by Windows system) Windows 32-bit VxD Message Server. For more information on its function and why it's needed, see here. Note - why some people have it listed in start-up programs I don't know but I was asked to include it here. It automatically runs in the background. about this at microsoft:

[quote]the system free resources was 97%.[/quote] An improvement.
[quote]I then connected to the internet and tried to run peperemover. It got stuck[/quote] Not sure how or why this happened. Do not run it again, it's for one particular infection I do not see now.
[quote]AboutBuster 4.0 loaded, but got stuck when I ran it. Unfortunately whilst I was connected to the internet my home page got changed to About:Blank again.[/quote] AboutBuster is a program that is used to help clean up the CWS infection called Home Search Assistant. It should only be used if your hijackthis log has entries that look like res://random.dll/sp.html#2131 or something similar. Those log entries are gone now so it must have done the job.
[quote]I then closed down and rebooted in safe mode. On running hijackthis I had about 10 extra lines that ended in zhgiv.dll and appeared to be connected with About:blank. I got HJT to delete them all.[/quote] Appearances can be deceiving sometimes. Hold off on any further deletions other than the ones recommended.
[quote]I was finally able to run Adaware 1.05 (79 days since update). It found 150 critical objects: coolwebsearch (147 objects) VX2 (1 object) Istbar (2 objects)[/quote] This too is very good, with the many updates currently available it is likely to find more.
[quote]Have you ever used a registry cleaning program? No.[/quote] I'll check further on this for you while we continue.
[quote]Have you defragmented your hard drive recently? I tried to a few weeks ago but it got stuck[/quote] This might explain general slowdown of PC performance, and you will need to continue to try and accomplish this.
[quote]I keep on getting an extra 02 BHO line, that when I delete it, another appears. (eg) O2 - BHO: Class - {5589C2FB-CD1A-52E4-4F6C-D27D6ED99BEC} - C:\WINDOWS\SDKIQ.DLL[/quote] Let's try this:

Set your PC to: show hidden files.
This time Start-->MyComputer-->Tools-->Options-->View Tab-->Show Hidden Files & Folders (system-wide)

Reboot your computer into Safe Mode by tapping F8 until the screen appears where you can use the up arrow to choose safe mode. Hit enter.

Open your C:\HJT folder and double-click the icon. Close everything except HijackThis, nothing else on your desktop.

Run Hijackthis: click Scan, and put a checkmark next to each of the following objects.

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {5589C2FB-CD1A-52E4-4F6C-D27D6ED99BEC} - C:\WINDOWS\SDKIQ.DLL
O4 - HKLM\..\RunServices: [MFCUV.EXE] C:\WINDOWS\SYSTEM\MFCUV.EXE
O4 - HKLM\..\RunServices: [MFCYB.EXE] C:\WINDOWS\MFCYB.EXE
O4 - HKLM\..\RunServices: [CRSJ32.EXE] C:\WINDOWS\CRSJ32.EXE

When you're sure that files marked for deletion are correct, click the Fix button and exit HJT.

Search for, locate and delete these files or folders (Do not be concerned if they do not exist, previous steps may have eliminated them.) Do not delete main folders like C:\WINDOWS or C:\WINDOWS\SYSTEM. We're looking for individual files, unless otherwise noted. The best way to find them is to use: Start-->Search-->select "all files & folders"-->select "more advanced options"-->check search "system folders", "hidden files & folders", "sub-folders". Navigation to the folders involved, opening them and selecting the bad files-->right click to delete can also be done.
Delete
C:\WINDOWS\SDKIQ.DLL
C:\WINDOWS\SYSTEM\MFCUV.EXE
C:\WINDOWS\MFCYB.EXE
C:\WINDOWS\CRSJ32.EXE

Delete Temp Files
To clean out your temp files use: Start-->Run-->type in: %temp% and press the ok button. This should open up the temp directory that your machine uses. Please delete all files and folders found in the temp folder. If you get an error when deleting a file, skip that file and delete all the others. Doing this in Safe Mode you should be able to delete all the files.

Reboot your computer to go back to normal mode.

Try again to update and Run AdAware, press the "Start" button, uncheck "Scan for negligible risk entries", select "Perform full system scan" and press "Next". Let AdAware remove anything it finds.

Delete Temporary Internet Files
Now I want you to Start-->Internet Explorer-->Tools-->Internet Options-->General tab-->Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, but when it is done your Temporary Internet Files will be deleted.
Empty the recycle bin.

Run HijackThis again and post the new log as a reply to this post.
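The pattern shared by the entries selected for fixing in the post above, written out as an added example (not part of the original thread and not HijackThis's own logic): it parses O2 and O4 lines and flags the three shapes seen in this thread's logs. The rule names, `SYSTEM_DIRS` and `triage` are assumptions made for illustration; the sample lines are copied from the logs posted in the thread.

```python
import re
from ntpath import basename, dirname  # Windows path rules on any host OS

# Lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {5589C2FB-CD1A-52E4-4F6C-D27D6ED99BEC} - C:\WINDOWS\SDKIQ.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [MFCUV.EXE] C:\WINDOWS\SYSTEM\MFCUV.EXE
O4 - HKLM\..\RunServices: [MFCYB.EXE] C:\WINDOWS\MFCYB.EXE
O4 - HKLM\..\RunServices: [CRSJ32.EXE] C:\WINDOWS\CRSJ32.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
"""

# Assumption: only files sitting directly in these Win9x directories are of interest.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system"}

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$"
)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)


def in_system_dir(path):
    """True when the file lives directly in one of SYSTEM_DIRS."""
    return dirname(path.strip('"')).lower() in SYSTEM_DIRS


def triage(log_text):
    """Return (rule, line) pairs for log lines worth a closer look.

    Heuristics (assumptions drawn from this thread, not a general verdict):
      orphan-bho          BHO registered but its file is gone: "(no file)"
      nameless-bho        BHO whose only label is "Class", DLL in a system dir
      self-named-autorun  Run/RunServices value named exactly after its own
                          executable, which sits in a system dir
    """
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            if m["target"] == "(no file)":
                findings.append(("orphan-bho", line))
            elif m["name"] == "Class" and in_system_dir(m["target"]):
                findings.append(("nameless-bho", line))
            continue
        m = O4_RE.match(line)
        if m and in_system_dir(m["cmd"]):
            exe = basename(m["cmd"].strip('"'))
            if m["name"].lower() == exe.lower():
                findings.append(("self-named-autorun", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:20} {line}")
```

A flagged line is a prompt to look the file up before fixing anything; legitimate entries such as `[SchedulingAgent] mstask.exe` and the Adobe BHO pass through unflagged.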

#11 disaster

Posted 02 December 2004 - 05:59 PM

I have removed
SDKIQ
MFCYB
CRSJ32

with HJT and deleted the .dll files from the computer

I could not find MFCUV in the HJT log and the associated .dll file is not on my system

I have also cleaned out temp files and temporary internet files. I downloaded the latest update for adaware and ran it. It did not find anything.

I have also installed spywareblaster and spyware guard and have downloaded the latest updates.

Finally I have used a virus detection programme (Etrust Innoculate IT) to scan my system. It found 15 files infected with the win 32/winshow.dll 56320 trojan. I got it to fix the files.

My latest HJT log
Logfile of HijackThis v1.98.2
Scan saved at 22:47:15, on 02/12/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\CA\ETRUST\INOCULATEIT\INOTASK.EXE
C:\PROGRAM FILES\CA\ETRUST\INOCULATEIT\INORT9X.EXE
C:\PROGRAM FILES\CA\ETRUST\INOCULATEIT\INORPC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\ESSSPK.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\CA\ETRUST\INOCULATEIT\REALMON.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:\\www.wanadoo.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http:\\www.wanadoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
F1 - win.ini: load=essspk.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [InoTask] C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O4 - HKLM\..\RunServices: [InoRT] C:\Program Files\CA\eTrust\InoculateIT\InoRT9x.exe
O4 - HKLM\..\RunServices: [InoRPC] C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = ntu.ac.uk
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 152.71.0.1,152.71.0.2

#12 phawgg

Posted 02 December 2004 - 11:19 PM

disaster, your log is clean! There is only one entry that is an orphan, or not functional.
You can simply run HJT per previous instructions and delete it:
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
It could be the result of something done on install. You might need to uninstall/reinstall SpywareGuard to fix it. Try that after you run HJT one more time.

Next, you should disable & re-enable your System Restore to set a new restore point. This ensures that there are no infected files found in a restore point left over from what we have just cleaned. Additional information & instructions are here.

Some other steps to be taken are:

1. Use secure Internet Explorer settings
  • Open IE and check tools-->internet options-->security-->click internet icon-->(default is medium). Click custom and check that these settings are:
  • Download unsigned ActiveX controls - prompt
  • Initialize and script ActiveX controls not marked as safe - disable
  • Installation of desktop items - prompt
  • Launching programs and files in IFRAME - prompt
  • Navigate sub-frames across different domains - prompt
2. Use AntiVirus Software & Update Frequently. It's best to use only one. I see you have Etrust Innoculate IT. Good.
  • An excellent free program is AVG, if you need an option. This program can be set to automatically scan & either auto-update or you may choose to do that yourself. Virus definition updates with this program occur frequently, which is very good.
3. Use a Firewall, but use only one. If you install your own, disable the built-in winXP firewall.
  • Excellent free programs available include:
  • Sygate
  • Kerio
  • (others are also available)
  • Choose one (if you do not already use a firewall). Keep your Firewall up & monitor its configurations
  • (fully understanding its operation may require some thought & a little practice, but it helps greatly to have it installed and functioning)
4. Use Microsoft Windows Updates Frequently
  • SP2 is the most recent Service Pack available.
  • It provides all the updates issued since Windows XP was first released, including SP1 and all updates added to it
  • More updates have already been to it, so to remain current in regards to security issues in particular, you should consider installing it.
  • Information is more readily available now that involves any possible conflicts with your present software.
  • You can read up on that information here.
5. Use Spybot S&D & Update
  • Install and use this program with its TeaTimer option.
  • This will provide realtime spyware & hijacker protection on your computer alongside your virus protection.
  • You should also scan your computer with this program on a regular basis, just as you would an antivirus software.
  • Check for updates when you do. A tutorial is available here.
6. Use SpywareBlaster & Update
  • Install and use this program
  • Adding a large list of sites/programs into your Browser settings, it protects you from running or downloading known malicious programs.
  • You may customize it if required to accommodate your individual needs, and updates are also frequently issued with new definitions added
  • Make it a habit to run and update on a regular basis.
7. Use Ad-Aware & Update
  • Install, configure and use this program with the others.
  • It is very well thought of in its effectiveness, it complements the actions of the others.
  • It provides for additional plug-in specialty tools as well as an upgrade if you choose them.
  • Updates are frequent, so I suggest that you do both that and run the program regularly.
8. Use an alternative Browser Frequently. You may use several if you like.
  • Consider using Firefox as an alternative to IE for fundamental security reasons.
  • You can have both easily. Doing so will provide you with several benefits and options.
  • Other alternative browsers are also available at no charge
  • They do not have inherent vulnerabilities to the extent that IE does.
  • They are not subject to the same attention by malware creators as IE, which is much more commonly used.
All of these recommendations will provide a valuable service to you, and no conflicts exist when operating them together on your PC [winXP]
Please enact them for your own sake and that of the Internet itself.

9. Use BleepingComputer Tutorials & Resources Frequently. "and check for updates...:thumbsup:"
  • While cleaning your PC important tutorials were offered to explain what was being done.
  • Urgency to accomplish the task may have compromised your full understanding of what all was involved.
  • There is always room for improvement when using a personal computer.
  • Resources are available here and improving all the time. Some that deal with these recommendations & other topics include:
Tutorials available for more in-depth considerations.
Switching from Internet Explorer to Firefox
Four Simple Steps for removing Spyware, Hijackers, Viruses, and other Malware
Simple and easy ways to keep your computer safe and secure on the Internet
Using Spybot - Search & Destroy to remove Spyware from Your Computer
Using Ad-Aware SE to remove Spyware & Hijackers from Your Computer
Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware
Guide to Windows XP Recovery Features
Steps to take when connecting a new computer to the Internet

#13 disaster

Posted 08 December 2004 - 06:10 AM

Thanks for all your help phawgg

My computer seems to be behaving itself now

#14 phawgg

Posted 31 December 2004 - 06:56 PM

Closed. The topics in this thread appear to have been resolved.

If referring to this thread you may:
Right-click Posted. Choose Copy Link Location. Paste with comments to a New Topic.

You may also contact a HJT Team Member, and reference the link location address. Happy New Year. :thumbsup: :flowers: