HijackThis log on WindowsME, no Windows Update

Discussion in 'Malware and Virus Removal Archive' started by shammie, 2004/09/02.

Thread Status:
Not open for further replies.
  1. 2004/09/02
    shammie

    shammie Well-Known Member Thread Starter

    Joined:
    2004/05/29
    Messages:
    195
    Likes Received:
    0
    Please help. I'm helping a friend with computer problems. Here is the HijackThis log.
    thanks --shammie
    Logfile of HijackThis v1.98.0
    Scan saved at 4:39:01 PM, on 9/2/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\NTGH.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\IEDP32.EXE
    C:\WINDOWS\TEMP\S.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\SYSTEMIE.EXE
    C:\WINDOWS\SYSTEM32\PCS\PCSVC.EXE
    C:\WINDOWS\TEMP\B.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\WINDOWS\SYSTEM\HCCPMESH.EXE
    C:\WINDOWS\SYSTEM\PRINTRAY.EXE
    C:\WINDOWS\SYSTEM\HLPUPG.EXE
    C:\PROGRAM FILES\WEB OFFER\WO.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\VYK0.EXE
    C:\WINDOWS\SYSTEM\DOVB.EXE
    C:\WINDOWS\TEMP\TD_0003.DIR\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gmvsr.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gmvsr.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\gmvsr.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gmvsr.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gmvsr.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\gmvsr.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\gmvsr.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {66BEFA4A-DA6F-C681-9F03-A12F8ECDE056} - C:\WINDOWS\SYSTEM\MFCWS.DLL
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [IEDP32.EXE] C:\WINDOWS\IEDP32.EXE
    O4 - HKLM\..\Run: C:\WINDOWS\TEMP\S.EXE
    O4 - HKLM\..\Run: [49CCN@T2XA5GAM] C:\WINDOWS\SYSTEM\Dkp0g.exe
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: C:\WINDOWS\TEMP\B.EXE
    O4 - HKLM\..\Run: [virnkfb] C:\WINDOWS\SYSTEM\zpfujj.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [r83R36X] HCCPMESH.EXE
    O4 - HKLM\..\Run: [CompaqPrinTray] PrinTray.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [NTGH.EXE] C:\WINDOWS\SYSTEM\NTGH.EXE
    O4 - HKCU\..\Run: [azs5RWbmQ] HLPUPG.EXE
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O4 - HKCU\..\Run: [Spyware Begone] C:\FREESCAN\FREESCAN.EXE -FastScan
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...27c293f863e8:8b5b4fff0cd3ceb2d022384e480b9c0d
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
    O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL
    O21 - SSODL: systemie - {AE479BDE-0499-4A02-A015-9AADB6EA29B9} - systemie.dll (file missing)
     
  2. 2004/09/02
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Hi shammie. You need to do some of the usual stuff here
    - get the latest HJT version
    - put HJT in a folder other than temp
    - get, update, run Ad-aware and Spybot
    - empty all the temp folders
    - disk cleanup

    After that it will be reasonable to start working on the various types of malware still on the PC after the above so that would be a good time to post a new HJT log with the new version.
     
    Newt,
    #2

  4. 2004/09/02
    shammie

    shammie Well-Known Member Thread Starter

    Joined:
    2004/05/29
    Messages:
    195
    Likes Received:
    0
    Ok. I have run Ad-aware and Spybot and cleaned the disk. I could not get an update for HijackThis (downloaded a new one). Here is a copy of the log. Thanks.
    Logfile of HijackThis v1.98.2
    Scan saved at 5:58:10 PM, on 9/2/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\NTGH.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\IEDP32.EXE
    C:\WINDOWS\TEMP\S.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\SYSTEMIE.EXE
    C:\WINDOWS\TEMP\B.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\WINDOWS\SYSTEM\PRINTRAY.EXE
    C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE
    C:\WINDOWS\SYSTEM\MMFASF.EXE
    C:\WINDOWS\SYSTEM\MNMBVM50.EXE
    C:\PROGRAM FILES\WEB OFFER\WO.EXE
    C:\WINDOWS\SYSTEM\VYK0.EXE
    C:\WINDOWS\SYSTEM\QEM6HC08.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gmvsr.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gmvsr.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\gmvsr.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gmvsr.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gmvsr.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\gmvsr.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\gmvsr.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {66BEFA4A-DA6F-C681-9F03-A12F8ECDE056} - C:\WINDOWS\SYSTEM\MFCWS.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [IEDP32.EXE] C:\WINDOWS\IEDP32.EXE
    O4 - HKLM\..\Run: C:\WINDOWS\TEMP\S.EXE
    O4 - HKLM\..\Run: [49CCN@T2XA5GAM] C:\WINDOWS\SYSTEM\Ezg1q5.exe
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: C:\WINDOWS\TEMP\B.EXE
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [CompaqPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe "
    O4 - HKLM\..\Run: [r83R36X] MMFASF.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [NTGH.EXE] C:\WINDOWS\SYSTEM\NTGH.EXE
    O4 - HKCU\..\Run: [azs5RWbmQ] MNMBVM50.EXE
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O4 - HKCU\..\Run: [Spyware Begone] C:\FREESCAN\FREESCAN.EXE -FastScan
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...27c293f863e8:8b5b4fff0cd3ceb2d022384e480b9c0d
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
    O21 - SSODL: systemie - {AE479BDE-0499-4A02-A015-9AADB6EA29B9} - systemie.dll (file missing)
     
  5. 2004/09/02
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Thanks. Looks better - or maybe worse - but at least better to work with. This PC has really been eaten alive by malware. I looked back at some of your earlier threads and want to say "good on you" for helping so many folks who have spyware problems. Gotta be a relief for them to have clean systems. But moving right along.

    Download CWShredder (quicklinks) but don't do anything with it for now. You will need it later.

    Open Hijackthis and run a scan. Check all the following for removal and then remove them.
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gmvsr.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gmvsr.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\gmvsr.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gmvsr.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gmvsr.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\gmvsr.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\gmvsr.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {66BEFA4A-DA6F-C681-9F03-A12F8ECDE056} - C:\WINDOWS\SYSTEM\MFCWS.DLL
    O4 - HKLM\..\Run: [IEDP32.EXE] C:\WINDOWS\IEDP32.EXE
    O4 - HKLM\..\Run: C:\WINDOWS\TEMP\S.EXE
    O4 - HKLM\..\Run: [49CCN@T2XA5GAM] C:\WINDOWS\SYSTEM\Ezg1q5.exe
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [ B ] C:\WINDOWS\TEMP\B.EXE
    O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe "
    O4 - HKLM\..\Run: [r83R36X] MMFASF.EXE
    O4 - HKLM\..\RunServices: [NTGH.EXE] C:\WINDOWS\SYSTEM\NTGH.EXE
    O4 - HKCU\..\Run: [azs5RWbmQ] MNMBVM50.EXE
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...022384e480b9c0d
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
    O21 - SSODL: systemie - {AE479BDE-0499-4A02-A015-9AADB6EA29B9} - systemie.dll (file missing)
    (note: several of those O16 entries may be fine but this system is so badly eaten up and O16 items are always safe to remove since they will be rebuilt on the next visit to a site that needs them that I'd like to just make them go away)

    Not sure about this application. Doesn't seem to be real effective but some of the security gurus are more up to date so let them suggest.
    O4 - HKCU\..\Run: [Spyware Begone] C:\FREESCAN\FREESCAN.EXE -FastScan

    Turn off system restore.

    Go to add/remove programs and if the following are there uninstall them if possible:
    AUTOUPDATE
    WEB OFFER

    Boot to safe mode.

    The following are either known baddies or else files that don't search up as being associated with any program which normally indicates virus or spyware payload dropped on the PC. Delete all of these.
    C:\WINDOWS\SYSTEM\NTGH.EXE
    C:\WINDOWS\IEDP32.EXE
    C:\WINDOWS\TEMP\S.EXE (exe in a temp folder - always a bad sign)
    C:\WINDOWS\SYSTEM\SYSTEMIE.EXE (part of TROJ_SISIE.A)
    C:\WINDOWS\TEMP\B.EXE
    C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE (Adware.Envolo and used to update other adware)
    - remove the entire folder
    C:\WINDOWS\SYSTEM\MMFASF.EXE
    C:\WINDOWS\SYSTEM\MNMBVM50.EXE
    C:\PROGRAM FILES\WEB OFFER\WO.EXE (Web Offer is adware)
    - remove the entire folder
    C:\WINDOWS\SYSTEM\VYK0.EXE
    C:\WINDOWS\SYSTEM\QEM6HC08.EXE

    Close all other folders & programs then run CWShredder.

    Boot back to normal mode and run Hijackthis again and post the log. There was so much junk I may easily have missed some or there may be a well hidden critter that continues to cause problems.

    I'd also suggest while you are working with this PC that you download Spywareblaster, update it, and let it immunize all it can. Over 3000 bad things it's blocking now. With that and the immunize feature on Spybot, the PC will have quite a bit of extra protection and hopefully won't get so badly infested.
     
    Newt,
    #4
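
Comparing the O4 lines of the first two logs in this thread shows three Run values that keep their value name while the file they launch changes between scans, alongside the unnamed autoruns started from the TEMP folder. The Python sketch below is an added example, not part of the original thread or of HijackThis; the sample lines are copied from the two logs above, and the function names are hypothetical.

```python
import re

# Sample input: O4 lines copied from the v1.98.0 and v1.98.2 logs in this thread.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: C:\WINDOWS\TEMP\S.EXE
O4 - HKLM\..\Run: [49CCN@T2XA5GAM] C:\WINDOWS\SYSTEM\Dkp0g.exe
O4 - HKLM\..\Run: C:\WINDOWS\TEMP\B.EXE
O4 - HKLM\..\Run: [r83R36X] HCCPMESH.EXE
O4 - HKLM\..\RunServices: [NTGH.EXE] C:\WINDOWS\SYSTEM\NTGH.EXE
O4 - HKCU\..\Run: [azs5RWbmQ] HLPUPG.EXE
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: C:\WINDOWS\TEMP\S.EXE
O4 - HKLM\..\Run: [49CCN@T2XA5GAM] C:\WINDOWS\SYSTEM\Ezg1q5.exe
O4 - HKLM\..\Run: C:\WINDOWS\TEMP\B.EXE
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe "
O4 - HKLM\..\Run: [r83R36X] MMFASF.EXE
O4 - HKLM\..\RunServices: [NTGH.EXE] C:\WINDOWS\SYSTEM\NTGH.EXE
O4 - HKCU\..\Run: [azs5RWbmQ] MNMBVM50.EXE
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
"""

# "O4 - <hive>\..\<key>: [<value name>] <command>"; the bracketed name is optional
# because HijackThis prints nothing there when the registry value has an empty name.
O4_RE = re.compile(r"^O4 - (HK(?:LM|CU)\\\.\.\\\w+): (?:\[([^\]]*)\] )?(.+)$")


def parse_o4(log_text):
    """Return a list of (registry_key, value_name_or_None, command) tuples."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2), m.group(3).strip()))
    return entries


def renamed_targets(before, after):
    """Named autoruns present in both scans whose command changed.

    Returns (value_name, old_command, new_command) in the order of the later log.
    """
    old = {(key, name): cmd for key, name, cmd in before if name}
    changes = []
    for key, name, cmd in after:
        if name and (key, name) in old and old[(key, name)].lower() != cmd.lower():
            changes.append((name, old[(key, name)], cmd))
    return changes


def temp_autoruns(entries):
    """Commands launched from a TEMP folder at startup."""
    return [cmd for _, _, cmd in entries if "\\temp\\" in cmd.lower()]


if __name__ == "__main__":
    before, after = parse_o4(LOG_BEFORE), parse_o4(LOG_AFTER)
    for name, old_cmd, new_cmd in renamed_targets(before, after):
        print(f"value [{name}] changed target: {old_cmd} -> {new_cmd}")
    for cmd in temp_autoruns(after):
        print(f"autorun from TEMP: {cmd}")
```

Matching on the registry value name rather than the file name is what makes the changing executables visible as one persistent entry across scans.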
  6. 2004/09/02
    shammie

    shammie Well-Known Member Thread Starter

    Joined:
    2004/05/29
    Messages:
    195
    Likes Received:
    0
    Newt, thanks for your help. I will get back to the computer in the morning, and post a new HijackThis log then. I appreciate all you guys.
     
  7. 2004/09/02
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    That PC has a peper infection. Download the following fix, saving it to your desktop, then double click to open. Then click 'Find and Fix' and reboot if prompted.

    http://downloads.subratam.org/PeperFix.exe

    Reboot again when finished. You will most likely have this entry to fix with HJT afterwards.
    O4 - HKLM\..\Run: [49CCN@T2XA5GAM] C:\WINDOWS\SYSTEM\Ezg1q5.exe

    It also has a nasty CoolWebSearch infection. CWShredder may get rid of it if run in safe mode, but most likely will need AboutBuster. After running the peperfix and fixing the items Newt has pointed out, these entries may return in a HJT scan.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gmvsr.dll/sp.html#96676
    O2 - BHO: Class - {66BEFA4A-DA6F-C681-9F03-A12F8ECDE056} - C:\WINDOWS\SYSTEM\MFCWS.DLL
    and maybe one of those oddball run entries

    If so, Run HijackThis again and place a check beside each of the following items. Once done click the fix checked button.

    O2 - BHO: Class - {66BEFA4A-DA6F-C681-9F03-A12F8ECDE056} - C:\WINDOWS\SYSTEM\MFCWS.DLL

    the oddball run entry



    Download AboutBuster from one of the following locations.


    http://www.atribune.org/downloads/AboutBuster.zip

    http://tools.zerosrealm.com/AboutBuster.zip

    http://www.downloads.subratam.org/AboutBuster.zip


    First unzip all files from the zip folder to a folder or your desktop. Double click AboutBuster.exe and click ok, then update. A new screen should popup. On that screen click Check for Updates. If it says it found an update click Download Updates. If it doesn't, it will automatically tell you and exit.
    Close ALL Internet Explorer windows. This is a very important step!!
    Click start and then Ok. The program should start scanning. Wait for it to finish (may take a while), then hit exit and reboot.

    Once rebooted run About:Buster once more to make sure everything is ok.

    Reboot and run another HijackThis scan and post the log.
     
  8. 2004/09/03
    shammie

    shammie Well-Known Member Thread Starter

    Joined:
    2004/05/29
    Messages:
    195
    Likes Received:
    0
    I have run AboutBuster (took ~6 hrs) and CWShredder, and fixed the HijackThis entries. On boot up this message comes up: "spool32 has caused an error in mmsystem.dll. spool32 will now close". Any help? Also the colors and size of web pages are not right. Here is the new HijackThis log. Thanks

    Logfile of HijackThis v1.98.2
    Scan saved at 5:38:43 PM, on 9/3/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\NTGH.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\WINDOWS\SYSTEM\PRINTRAY.EXE
    C:\WINDOWS\SYSTEM\IEHOST.EXE
    C:\PROGRAM FILES\VVSN\VVSN.EXE
    C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\SearchBar.htm
    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\PROGRAM FILES\TV MEDIA\TVMBHO.DLL
    O2 - BHO: Class - {8F846BCB-86F7-DC69-9065-9E2F710F27C3} - C:\WINDOWS\SYSTEM\D3LY32.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\Tvm.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [CompaqPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\SYSTEM\IEHost.exe
    O4 - HKLM\..\Run: [VVSN] C:\PROGRAM FILES\VVSN\VVSN.EXE
    O4 - HKLM\..\Run: [Dpi] C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [NTGH.EXE] C:\WINDOWS\SYSTEM\NTGH.EXE
    O4 - HKCU\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\Tvm.exe
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
     
  9. 2004/09/03
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Check this link for the error message.
    http://support.microsoft.com/?kbid=138835

    First uninstall TV Media in add/remove programs.

    Disable system restore.

    See this link for removal of Delfin Media Viewer. Might want to make note of it all for use in safe mode.
    http://www.pestpatrol.com/pestinfo/d/delfin_media_viewer.asp

    Reboot and fix the following if present.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\SearchBar.htm
    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\PROGRAM FILES\TV MEDIA\TVMBHO.DLL
    O2 - BHO: Class - {8F846BCB-86F7-DC69-9065-9E2F710F27C3} - C:\WINDOWS\SYSTEM\D3LY32.DLL
    O4 - HKLM\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\Tvm.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\SYSTEM\IEHost.exe
    O4 - HKLM\..\Run: [VVSN] C:\PROGRAM FILES\VVSN\VVSN.EXE
    O4 - HKLM\..\Run: [Dpi] C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
    O4 - HKLM\..\RunServices: [NTGH.EXE] C:\WINDOWS\SYSTEM\NTGH.EXE
    O4 - HKCU\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\Tvm.exe
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE


    Reboot to safe mode.

    Search for and delete this file if found.
    savei-syncm-whseinst.exe

    Open C:\Program Files and delete the folders TV MEDIA, Delfin and VVSN if present.
    Open C:\Program Files\Common Files and delete the folder DPI.
    Open C:\WINDOWS\system and delete the files SearchBar.htm, IEHost.exe and NTGH.EXE if present.
    Open C:\Temp if present, select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Reboot.

    Back in Windows, you can re-enable system restore. Then visit Windows Update. Accept all critical updates.
    Reboot and go back to Windows Update until there are no more criticals offered.

    Scan the PC with RAV. Check the box to autoclean. If any files are infected and uncleanable, click the report button then copy and paste it here, along with a new HijackThis log.
     
  10. 2004/09/03
    shammie

    shammie Well-Known Member Thread Starter

    Joined:
    2004/05/29
    Messages:
    195
    Likes Received:
    0
    I fixed the HijackThis entries; can't find TV Media, savei-syncm-whseinst.exe, SearchBar.htm, IEHost.exe and NTGH.EXE. Deleted the DPI file, and for RAV here is a copy of the report. Also, Windows Update will not install; current Windows version is 5.50.4134
    Statistics

    Scanned files: 18020
    Scanned directories: 1220
    Scanned archives: 2260
    Size of the scanned files: 3032783504
    Packed files: 602
    Known viruses found: 38
    Virus bodies: 22
    Suspicious files: 1

    Disinfected files: 0
    Deleted files: 0
    Renamed files: 0
    Copied files: 0
    I/O errors: 0
    Warnings: 0
    Corrupted files: 0
    New files: 137464
    Mail files: 72




    Found viruses
    File: c:\_Restore\TEMP\TOPMINS1.0
    Virus: Trojan:Win32/Revop.C Status: Infected

    File: c:\_Restore\TEMP\WUPDSNFF.0
    Virus: TrojanDownloader:Win32/Agent.AB Status: Infected

    File: c:\_Restore\TEMP\WUPDSNFF.1
    Virus: TrojanDownloader:Win32/Agent.AB Status: Infected

    File: c:\_Restore\TEMP\EQTZ6W9.0
    Virus: Backdoor:Win32/VB.UV Status: Infected

    File: c:\_Restore\TEMP\DKP0G.0
    Virus: Backdoor:Win32/VB.UV Status: Infected

    File: c:\_Restore\TEMP\EZG1Q5.0
    Virus: Backdoor:Win32/VB.UV Status: Infected

    File: c:\WINDOWS\scvhost.exe
    Virus: Trojan:Win32/StartPage.AI Status: Infected

    File: c:\WINDOWS\counter3
    Virus: TrojanDownloader:Win32/Krepper.D.dam#2 Status: Infected

    File: c:\WINDOWS\pxtkft.dat
    Virus: TrojanDownloader:Win32/Agent.BC.dam#2 Status: Infected

    File: c:\WINDOWS\n_gxlypb.dat
    Virus: Trojan:Win32/WebSearch.B Status: Infected

    File: c:\WINDOWS\n_hawubi.dat
    Virus: TrojanDownloader:Win32/Agent.BQ Status: Infected

    File: c:\WINDOWS\mfczs32.exe
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: c:\WINDOWS\n_ambuwa.dat
    Virus: Trojan:Win32/WebSearch.B Status: Infected

    File: c:\WINDOWS\ipfn32.exe
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: c:\WINDOWS\n_zxsban.dat
    Virus: TrojanDownloader:Win32/Agent Status: Infected

    File: c:\WINDOWS\n_uktsdw.dat
    Virus: Trojan:Win32/WebSearch.B Status: Infected

    File: c:\WINDOWS\ipzm32.exe
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: c:\WINDOWS\SYSTEM\sysie.dll
    Virus: Trojan:Win32/Spy.Sisie.C Status: Infected

    File: c:\WINDOWS\SYSTEM\q8k0fsv0.exe
    Virus: TrojanDropper:Win32/Vldial Status: Infected

    File: c:\WINDOWS\SYSTEM\apidn32.exe
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: c:\WINDOWS\SYSTEM\crmp.exe
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: c:\WINDOWS\SYSTEM\netgo.exe
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: c:\WINDOWS\SYSTEM\ntgh.exe
    Virus: Trojan:Win32/Agent.BQ Status: Infected

    File: c:\WINDOWS\SYSTEM\ShellExt\d.EXE->(UPXW)
    Virus: Tool:pornDialer.EF Status: Infected

    File: c:\WINDOWS\SYSTEM\services\MSXMIDI.EXE
    Virus: TrojanDownloader:Win32/Small.KR Status: Infected

    File: c:\WINDOWS\SYSTEM\services\losve.exe
    Virus: Trojan:Win32/Dialer.CE Status: Suspicious

    File: c:\WINDOWS\TEMP\16541838912
    Virus: TrojanDownloader:Win32/Agent.AL Status: Infected

    File: c:\WINDOWS\TEMP\16541234091
    Virus: TrojanDownloader:Win32/Agent.AL Status: Infected

    File: c:\WINDOWS\Downloaded Program Files\tl7000.dll
    Virus: TrojanProxy/Win32.Sobit Status: Infected

    File: c:\WINDOWS\Downloaded Program Files\jao.dll
    Virus: Trojan:Win32/Spy.Briss.H Status: Infected

    File: c:\WINDOWS\Downloaded Program Files\olehelp.exe
    Virus: Trojan:Win32/StartPage.IT Status: Infected

    File: c:\WINDOWS\Downloaded Program Files\CONFLICT.1\jao.dll
    Virus: Trojan:Win32/Spy.Briss.H Status: Infected

    File: c:\My Documents\hijackthis\backups\backup-20040903-101435-591.dll
    Virus: TrojanDownloader:Win32/Briss.A Status: Infected

    File: c:\Program Files\Common Files\svchost.exe
    Virus: Trojan:Win32/StartPage.AAJ Status: Infected

    File: c:\Program Files\WindUpdates\WinKA.exe
    Virus: Trojan:Win32/KeepAlive.A Status: Infected

    File: c:\!PeperFix\Eqtz6w9.exe
    Virus: Backdoor:Win32/VB.UV Status: Infected

    File: c:\!PeperFix\Dkp0g.exe
    Virus: Backdoor:Win32/VB.UV Status: Infected

    File: c:\!PeperFix\Ezg1q5.exe
    Virus: Backdoor:Win32/VB.UV Status: Infected

    File: c:\Symantec\ni0akyhbbc.exe
    Virus: Trojan:Win32/StartPage.EB Status: Infected


    also here is a new hijack log:

    Logfile of HijackThis v1.98.2
    Scan saved at 9:00:46 PM, on 9/3/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\NTGH.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\PRINTRAY.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsbbs.com/forumdisplay.php?f=18
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {8F846BCB-86F7-DC69-9065-9E2F710F27C3} - C:\WINDOWS\SYSTEM\D3LY32.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [CompaqPrinTray] PrinTray.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [NTGH.EXE] C:\WINDOWS\SYSTEM\NTGH.EXE
    O4 - Startup: Resume Windows Update Installation.lnk = C:\WINDOWS\Windows Update Setup Files\ie6setup.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe (file missing)
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

    Thank you :)
     
  11. 2004/09/03
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You still need to disable system restore. Some of those infected files are stored there.

    Scan again and fix these with HJT.

    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {8F846BCB-86F7-DC69-9065-9E2F710F27C3} - C:\WINDOWS\SYSTEM\D3LY32.DLL
    O4 - HKLM\..\RunServices: [NTGH.EXE] C:\WINDOWS\SYSTEM\NTGH.EXE


    Reboot to safe mode. Make sure you show hidden files and folders, including system files and extensions.

    Delete all of the files found by RAV in the

    C:\Windows directory

    scvhost.exe
    counter3
    pxtkft.dat
    n_gxlypb.dat
    n_hawubi.dat
    mfczs32.exe
    n_ambuwa.dat
    ipfn32.exe
    n_zxsban.dat
    n_uktsdw.dat
    ipzm32.exe


    c:\WINDOWS\SYSTEM

    sysie.dll
    q8k0fsv0.exe
    apidn32.exe
    crmp.exe
    netgo.exe
    ntgh.exe


    c:\WINDOWS\SYSTEM\ShellExt

    d.EXE

    c:\WINDOWS\SYSTEM\services <<<<<< check the contents of this folder... if only these files, you can probably delete the whole folder

    MSXMIDI.EXE
    losve.exe


    c:\WINDOWS\Downloaded Program Files

    tl7000.dll
    jao.dll
    olehelp.exe
    CONFLICT.1 <<<< FOLDER

    c:\Program Files\Common Files

    svchost.exe

    c:\Program Files

    WindUpdates <<<< FOLDER

    c:\

    !PeperFix <<<< FOLDER

    c:\Symantec <<<< I have a gut feeling this entire folder is junk. Norton keeps its vaulted files elsewhere. See what all is in it before deleting.

    c:\My Documents\hijackthis\backups

    backup-20040903-101435-591.dll


    C:\Windows\Temp.....select all and delete.

    Look again for IEHost.exe in C:\Windows\System and TV Media folder in Program Files.


    Empty the recycle bin. Reboot and run the scans again.

    The update installation is set to run at startup. Hopefully it will complete and ask you to reboot. If it doesn't complete the installation, you may have to try again after this PC is all cleaned up.
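
The RAV report earlier in the thread mixes three kinds of hits: copies held in the System Restore store (`c:\_Restore`), copies kept by the cleanup tools themselves, and files in live system locations. The Python sketch below is an added example, not part of the original thread or of RAV; it parses a few records copied from that report and sorts them into those buckets. The bucket names and function names are hypothetical, and treating `c:\!PeperFix` as a tool-created backup folder is an assumption.

```python
import re
from collections import defaultdict

# Sample input: six records copied from the RAV report posted in this thread.
REPORT = r"""
File: c:\_Restore\TEMP\EZG1Q5.0
Virus: Backdoor:Win32/VB.UV Status: Infected

File: c:\WINDOWS\SYSTEM\ntgh.exe
Virus: Trojan:Win32/Agent.BQ Status: Infected

File: c:\WINDOWS\SYSTEM\ShellExt\d.EXE->(UPXW)
Virus: Tool:pornDialer.EF Status: Infected

File: c:\WINDOWS\SYSTEM\services\losve.exe
Virus: Trojan:Win32/Dialer.CE Status: Suspicious

File: c:\My Documents\hijackthis\backups\backup-20040903-101435-591.dll
Virus: TrojanDownloader:Win32/Briss.A Status: Infected

File: c:\!PeperFix\Ezg1q5.exe
Virus: Backdoor:Win32/VB.UV Status: Infected
"""

# Each finding is a "File:" line followed by a "Virus: <name> Status: <status>" line.
RECORD_RE = re.compile(
    r"File:\s*(?P<path>.+?)\s*\n\s*Virus:\s*(?P<name>.+?)\s+Status:\s*(?P<status>\w+)"
)


def parse_report(text):
    """Return one dict per finding with path, detection name and status."""
    findings = []
    for m in RECORD_RE.finditer(text):
        # Drop the unpacker suffix the scanner appends, e.g. "->(UPXW)".
        path = m.group("path").split("->")[0]
        findings.append(
            {"path": path, "name": m.group("name"), "status": m.group("status")}
        )
    return findings


def classify(path):
    """Bucket a path by where the copy lives (bucket names are hypothetical)."""
    p = path.lower()
    if p.startswith("c:\\_restore\\"):
        return "system_restore"   # goes away when System Restore is disabled
    if p.startswith("c:\\!peperfix\\") or "\\hijackthis\\backups\\" in p:
        return "tool_backup"      # assumption: copies set aside by the fix tools
    return "live"                 # needs manual deletion in safe mode


def group_findings(findings):
    """Map bucket name -> list of paths, preserving report order."""
    buckets = defaultdict(list)
    for f in findings:
        buckets[classify(f["path"])].append(f["path"])
    return dict(buckets)


if __name__ == "__main__":
    for bucket, paths in group_findings(parse_report(REPORT)).items():
        print(bucket)
        for p in paths:
            print("   ", p)
```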
     
  12. 2004/09/04
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
  13. 2004/09/04
    shammie

    shammie Well-Known Member Thread Starter

    Joined:
    2004/05/29
    Messages:
    195
    Likes Received:
    0
    Thanks for all your help. I think that everything is finally deleted: RAV shows no virus, Ad-Aware clean, Spybot clean. I still cannot install Windows Update, and Internet Explorer colors are bad; it's hard to read, looks like the colors when in safe mode. Here is the new HijackThis log:

    Logfile of HijackThis v1.98.2
    Scan saved at 12:05:23 PM, on 9/4/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\PRINTRAY.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsbbs.com/forumdisplay.php?f=18
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [CompaqPrinTray] PrinTray.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - Startup: Resume Windows Update Installation.lnk = C:\WINDOWS\Windows Update Setup Files\ie6setup.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe (file missing)
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
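
A log like the one above can be triaged mechanically before reading it line by line. The following is an added example, not part of the original post and not HijackThis's own code: it parses the log format and flags orphaned "(file missing)" entries, Startup-folder shortcuts, and processes running from a temp directory. The function names and the three heuristics are assumptions chosen for illustration; the sample lines are copied from the log above.

```python
import re

# Sample input: lines copied from the HijackThis v1.98.2 log in the post above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Platform: Windows ME (Win9x 4.90.3000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsbbs.com/forumdisplay.php?f=18
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - Startup: Resume Windows Update Installation.lnk = C:\WINDOWS\Windows Update Setup Files\ie6setup.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe (file missing)
"""

# An entry line is a section code (R0, O4, O16, ...) followed by " - " and the body.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

def parse_log(text):
    """Split a HijackThis log into running processes and (code, body) entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False          # the first entry line ends the process list
            entries.append((m.group(1), m.group(2)))
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def triage(text):
    """Return (code, reason, detail) tuples for items worth a manual look."""
    processes, entries = parse_log(text)
    findings = []
    for path in processes:
        # Heuristic (assumption): executables rarely belong in a temp directory.
        if "\\TEMP\\" in path.upper():
            findings.append(("PROC", "process running from a temp directory", path))
    for code, body in entries:
        if body.endswith("(file missing)"):
            findings.append((code, "orphaned entry, target file missing", body))
        elif code == "O4" and body.startswith("Startup:"):
            findings.append((code, "Startup-folder shortcut, confirm the target", body))
    return findings
```

A flagged item is a prompt to look, not a verdict; the Startup shortcut here is the pending IE update discussed in the replies that follow.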
     
  14. 2004/09/04
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    I can see an attempt was made to update IE. What you may need to do to access windows update is add the site to the Trusted Zone of IE. Go to Internet Options, click on Security tab, then click on Trusted, then click on the Sites button. Uncheck the box about HTTPS, and Add *.windowsupdate.com, as it appears here. Let the Security Level of Trusted be at the default Low setting.
     
  15. 2004/09/04
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    The lnk extension on this entry, O4 - Startup: Resume Windows Update Installation.lnk = C:\WINDOWS\Windows Update Setup Files\ie6setup.exe, makes it appear there is now a shortcut for resuming the update installation. Is there? If so, double click to start.
     
  16. 2004/09/04
    shammie

    shammie Well-Known Member Thread Starter

    Joined:
    2004/05/29
    Messages:
    195
    Likes Received:
    0
    :confused: :confused: :confused:
    No good, ie6setup will not install. Any ideas as to why?

    Thanks for your help. :rolleyes: :) :)
     
  17. 2004/09/04
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Did you try going to C:\WINDOWS\Windows Update Setup Files and double clicking the ie6setup.exe file? If it still won't install after that, delete the file, fix that registry entry with HJT, empty recycle bin and reboot. Then go back to windows update and try the download again.
     
  18. 2004/09/04
    shammie

    shammie Well-Known Member Thread Starter

    Joined:
    2004/05/29
    Messages:
    195
    Likes Received:
    0
    I did a very bad thing. Ran eTrust; it said there was a virus in the HijackThis backup file.
    I deleted the folder, and now Windows will not start. It is a pale color and says that my ActiveX settings will not allow almost everything (can't use Start, My Computer, My Documents, etc.). Please help :mad: :confused: :confused: :confused: Thank you
     
  19. 2004/09/04
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Deleting that folder should not have had any adverse effect on the operating system, but is it still in the recycle bin? If so, restore it and reboot. Are you sure something else wasn't deleted/altered? Try doing a system restore. There should have been a new restore point made when you turned it back on.
     
  20. 2004/09/05
    shammie

    shammie Well-Known Member Thread Starter

    Joined:
    2004/05/29
    Messages:
    195
    Likes Received:
    0
    no activex controls/can't adjust security settings

    I can't figure out what happened. Everything was clean and I was trying to run Windows Update. System shut down and came back to a weird colored screen with only the My Documents, My Computer, Recycle Bin, and Internet Explorer shortcuts on the desktop. The My Documents file says it is not there (found it in the fonts file in safe mode, can I move it back?). When Internet Explorer is opened this message appears: "your current security settings prohibit running activex controls on this page. As a result, the page may not display correctly". When I try to change settings under Tools - Internet Options - Security, the page is blank: there are no web content zones, and the slider is all the way up (highest level, but no levels listed). When I try to move the slider I get one of the following 2 messages: "explorer has caused an error in inetcpl.cpl (or in kernel32.dll) explorer will now close". In safe mode I have run Ad-Aware, Spybot, CWShredder, and AboutBuster; all check clean. The system restore has been disabled; it took several attempts to enable it, but it will not run. Nothing runs in normal mode except that I can open Internet Explorer. When I open My Computer nothing shows up; I have checked to allow to show all files. I'm at my wits' end. I appreciate all your help more than you can know. Any ideas what is going on? Thanks again :confused: :confused: :confused: :confused:
     
    Last edited: 2004/09/06
  21. 2004/09/06
    shammie

    shammie Well-Known Member Thread Starter

    Joined:
    2004/05/29
    Messages:
    195
    Likes Received:
    0
    Dave, thank you. I cannot run system restore (opens but blank). To your ?'s

    1) I deleted downloaded program files to thats where viruses hidden but would not display any files. Then ran eTrust scan; it showed winshow virus, tried to fix but couldn't. It showed 1 file to be in HJT backup file so I deleted the whole file. Then system shut down. Hasn't worked since.

    2) After HJT deletion system came back up with the following: My Documents, My Computer, Recycle Bin, Internet Explorer, and shortcuts to Cox high speed internet user guide and 2 Cox high speed internet browsers. When I click on My Docs I get "The My Documents folder could not be found. Right click the My Documents icon, click properties, and then check that the path to your target folder location is correct". Nothing is listed under target. When I try to "restore default": "windows is unable to move your documents to the new location because it is a subfolder of the previous location. you can still access the documents in the previous location". My doc file is listed under C: drive and everything is in there and openable. Cannot delete or rename the one on the desktop, and cannot move the good one to desktop, or merge with desktop.

    I have found a new profile file that was created yesterday. Its contents are profiles/default users/application data/microsoft/html help/hh.dat. Could this be the problem? Safe to delete?

    Also, out of safe mode nothing except for Internet Explorer works. It opens, then says security settings prohibit... can't view most pages or run scans. Home page has been set to ??G. Cannot find docs and settings file.
    Thanks again--Shammie
     