
Need to reinstall IE [HijackThis log]

Discussion in 'Malware and Virus Removal Archive' started by msbooch, 2005/05/11.

Thread Status:
Not open for further replies.
  1. 2005/05/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I'm a bit baffled now. Did you use the Trend Micro link I posted above? It requires no ActiveX (well, it's not supposed to) :confused:
     
  2. 2005/05/20
    msbooch

    msbooch Inactive Thread Starter

    Joined:
    2002/01/09
    Messages:
    155
    Likes Received:
    0
    I tried again and this time it hung up around 39% loading and never went on.
     

  4. 2005/05/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please try Panda ActiveScan. Make sure all scan options are selected and choose to scan the whole PC. If this doesn't work, we'll just do it manually and be done with it. ;)
     
  5. 2005/05/21
    msbooch

    msbooch Inactive Thread Starter

    Joined:
    2002/01/09
    Messages:
    155
    Likes Received:
    0
    NADA. I checked ActiveX and enabled everything. Rebooted system.
    Tried Panda again and it said there was an error in downloading. Rebooted again and same message. SOOOOOOOOO!
    I ran MWAV last evening and here is just some of the info I took from the listing re viruses. There were 90 lines out of many more not a virus. Not sure if this helps at all as long as I can't seem to get things to run that use ActiveX.
    ***************
    File C:\WINDOWS\iupldaifnhv.exe infected by "Backdoor.Win32.Agobot.ro" Virus! Action Taken: No Action Taken.
    File C:\WINDOWS\Helper101.dll infected by "Trojan-Clicker.Win32.Delf.r" Virus! Action Taken: No Action Taken.
    File C:\WINDOWS\SYSTEM\dist001.exe infected by "Trojan-Downloader.Win32.VB.eu" Virus! Action Taken: No Action Taken.
    File C:\WINDOWS\SYSTEM\N0.exe infected by "Trojan-Downloader.Win32.Small.rg" Virus! Action Taken: No Action Taken.
    .File C:\WINDOWS\SYSTEM\GSM3-0511.exe infected by "Trojan.Win32.Registrator.b" Virus! Action Taken: No Action Taken.
    File C:\WINDOWS\SYSTEM\elitezpz32.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.
    File C:\WINDOWS\SYSTEM\temperror32.dat infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.
    File C:\WINDOWS\SYSTEM\main.exe infected by "Trojan-Downloader.Win32.Agent.hw" Virus! Action Taken: No Action Taken.
    File C:\WINDOWS\SYSTEM\exp.exe infected by "Trojan-Downloader.Win32.Small.abd" Virus! Action Taken: No Action Taken.
    File C:\WINDOWS\SYSTEM\wintask.exe infected by "Trojan-Downloader.Win32.Small.abd" Virus! Action Taken: No Action Taken.
    File C:\WINDOWS\SYSTEM\installer_MARKETING18.exe infected by "Trojan-Dropper.Win32.Agent.hl" Virus! Action Taken: No Action Taken.
    File C:\WINDOWS\SYSTEM\wrapperouter.exe infected by "Trojan-Dropper.Win32.Agent.hl" Virus! Action Taken: No Action Taken.
    File C:\WINDOWS\SYSTEM\cxtpls_loader.exe infected by "Trojan-Downloader.Win32.Apropo.ab" Virus! Action Taken: No Action Taken.
    File C:\WINDOWS\SYSTEM\dist001.exe infected by "Trojan-Downloader.Win32.VB.eu" Virus! Action Taken: No Action Taken.
    File C:\WINDOWS\SYSTEM\N0.exe infected by "Trojan-Downloader.Win32.Small.rg" Virus! Action Taken: No Action Taken.
    File C:\WINDOWS\SYSTEM\GSM3-0511.exe infected by "Trojan.Win32.Registrator.b" Virus! Action Taken: No Action Taken.
    File C:\WINDOWS\SYSTEM\Cache\installer_MARKETING17.exe infected by "Trojan-Downloader.Win32.Adload.a" Virus! Action Taken: No Action Taken.
    File C:\WINDOWS\SYSTEM\Cache\dist006.exe infected by "Trojan-Downloader.Win32.VB.eu" Virus! Action Taken: No Action Taken.
    File C:\WINDOWS\SYSTEM\Cache\AUNIcons.exe infected by "Trojan-Downloader.Win32.Agent.jq" Virus! Action Taken: No Action Taken.
    File C:\WINDOWS\SYSTEM\Cache\cxtpls_loader.exe infected by "Trojan-Downloader.Win32.Apropo.ab" Virus! Action Taken: No Action Taken.
    File C:\WINDOWS\SYSTEM\Cache\wrapperouter.exe tagged as "not-a-virus:AdWare.VirtualBouncer.c ". Action Taken: No Action Taken.
    File C:\WINDOWS\SYSTEM\Cache\HelperInstall.exe infected by "Trojan-Dropper.Win32.Delf.z" Virus! Action Taken: No Action Taken.
    File C:\WINDOWS\SYSTEM\Cache\optimize.exe infected by "Trojan-Downloader.Win32.Dyfuca.dx" Virus! Action Taken: No Action Taken.
    File C:\WINDOWS\SYSTEM\elitezpz32.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.
    File C:\WINDOWS\SYSTEM\temperror32.dat infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.
    File C:\WINDOWS\SYSTEM\main.exe infected by "Trojan-Downloader.Win32.Agent.hw" Virus! Action Taken: No Action Taken.
    File C:\WINDOWS\SYSTEM\exp.exe infected by "Trojan-Downloader.Win32.Small.abd" Virus! Action Taken: No Action Taken.
    File C:\WINDOWS\SYSTEM\wintask.exe infected by "Trojan-Downloader.Win32.Small.abd" Virus! Action Taken: No Action Taken.
    File C:\WINDOWS\SYSTEM\installer_MARKETING18.exe infected by "Trojan-Dropper.Win32.Agent.hl" Virus! Action Taken: No Action Taken.
    File C:\WINDOWS\SYSTEM\wrapperouter.exe infected by "Trojan-Dropper.Win32.Agent.hl" Virus! Action Taken: No Action Taken.
    File C:\WINDOWS\SYSTEM\cxtpls_loader.exe infected by "Trojan-Downloader.Win32.Apropo.ab" Virus! Action Taken: No Action Taken.
    File C:\WINDOWS\iupldaifnhv.exe infected by "Backdoor.Win32.Agobot.ro" Virus! Action Taken: No Action Taken.
    File C:\WINDOWS\Helper101.dll infected by "Trojan-Clicker.Win32.Delf.r" Virus! Action Taken: No Action Taken.
    File C:\Program Files\Windows Media Player\wmplayer.exe infected by "Trojan-Downloader.Win32.Small.apm" Virus!
     
  6. 2005/05/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Shucks! :(

    Please post a new HijackThis log also. It's going to take me some time to get things written up for you. I hope to have something posted this afternoon/evening. Hang in there! ;)
     
  7. 2005/05/21
    msbooch

    msbooch Inactive Thread Starter

    Joined:
    2002/01/09
    Messages:
    155
    Likes Received:
    0
    Here it is! :(
    Logfile of HijackThis v1.99.1
    Scan saved at 11:35:29 AM, on 5/21/05
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\LOGITECH\MOUSE\SYSTEM\EM_EXEC.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
    C:\WINDOWS\SYSTEM\USBMONIT.EXE
    C:\WINDOWS\ptsnoop.exe
    C:\PROGRAM FILES\COMMON FILES\SOFT602\PDFSAVER.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
    C:\WINDOWS\ALL USERS\START MENU\PROGRAMS\STARTUP\YACSMON.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\WMCONNECTA\WWM.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\NEW-EXE\BLOCK-ADS\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.angelfire.com/ms2/xstlion/MYOPERAHOTLISTSEPT04.HTML
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [EM_EXEC] c:\logitech\mouse\system\em_exec.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
    O4 - HKLM\..\Run: [USBMonit.exe] "C:\WINDOWS\SYSTEM\USBMonit.exe "
    O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
    O4 - HKLM\..\Run: [602PC SUITE PDF Saver] "C:\Program Files\Common Files\soft602\pdfSaver.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe "
    O4 - HKLM\..\Run: [LexStart] lexstart.exe
    O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Lexmark\Lexmark Photo Center\MemoryCardManager.exe -startup
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: YacsMon.exe
    O9 - Extra button: Blink - {DB02A810-984C-11d3-84DC-006008593AC7} - C:\WINDOWS\SYSTEM\BLINKNAV.DLL
    O9 - Extra button: MaxManager - {34490430-8ADB-11d3-9A5E-005004D2F1FC} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
    O9 - Extra 'Tools' menuitem: &MaxManager - {34490430-8ADB-11d3-9A5E-005004D2F1FC} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} (MapQuest) - http://cdn.mapquest.com/mqtoolbar/mqgold1.cab
     
  8. 2005/05/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please download the delfiles.zip attached to this post. Save it to your desktop. If it saves as attachment.php, right click and rename to delfiles.zip. Now right click the zip and extract the delfiles.bat file to your desktop.

    If you'd like to see what files are being deleted, right click and choose edit. You can compare the list with the first MWAV log you posted here. ;)

    Reboot to safe mode. Double click the file to run it. If prompted for anything to be deleted, type Y and hit enter.

    Reboot back into Windows and run a registry cleaner. This will clean out all of those entries found by MWAV, and may improve your computer's performance. I recommend RegSeeker. I've found it to be quite safe. Open and click 'clean registry'. When the scan completes, make sure the backup box is checked, click select all, then select all again. Now right click within the results and choose delete. Minimize the window and do a quick check of your installed programs for functionality. Make sure your control panel options work also. If everything seems to be OK, run RegSeeker again the same way. Repeat until it finds nothing else. Should you encounter a problem, just click the backups button, select the proper backup, right click and open in regedit.

    Scan C:\Program Files\Windows Media Player\wmplayer.exe with this online malware scanner and let me know the results. We may need to replace that file.

    Reboot when done and do another MWAV scan, then post the results.
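
The comparison suggested in the post above (deletion list against the first MWAV log, then a rescan) can be done mechanically. This is an added example, not part of the original posts and not the contents of delfiles.bat; the function names are hypothetical and the sample lines are copied from the MWAV excerpts quoted in this thread.

```python
import re

# Sample lines copied from the MWAV excerpts quoted in this thread.
FIRST_SCAN = r'''
File C:\WINDOWS\iupldaifnhv.exe infected by "Backdoor.Win32.Agobot.ro" Virus! Action Taken: No Action Taken.
.File C:\WINDOWS\SYSTEM\GSM3-0511.exe infected by "Trojan.Win32.Registrator.b" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\Cache\wrapperouter.exe tagged as "not-a-virus:AdWare.VirtualBouncer.c ". Action Taken: No Action Taken.
File C:\WINDOWS\iupldaifnhv.exe infected by "Backdoor.Win32.Agobot.ro" Virus! Action Taken: No Action Taken.
File C:\Program Files\Windows Media Player\wmplayer.exe infected by "Trojan-Downloader.Win32.Small.apm" Virus!
'''
SECOND_SCAN = r'''
Object "Quicken Spyware/Adware" found in File System! Action Taken: No Action Taken.
File C:\WINDOWS\COMMAND\EBD\EBD.CAB tagged as not-a-virus:Tool.DOS.Restart. No Action Taken.
File C:\Program Files\Windows Media Player\wmplayer.exe infected by "Trojan-Downloader.Win32.Small.apm" Virus! Action Taken: No Action Taken.
'''

# Matches: File <path> infected by "<name>" Virus!   and   File <path> tagged as ["]<name>["].
# Leading non-word characters (a stray "." from copy/paste) are tolerated.
LINE_RE = re.compile(
    r'^\W*File (?P<path>.+?) (?:infected by|tagged as) "?(?P<name>[^"]+?)\s*"?'
    r'(?: Virus!|\.)(?:\s|$)')

def parse_mwav(text):
    """Return {lowercased path: (path, detection)}; repeated lines collapse to one."""
    findings = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # "Object ..." and "Entry ..." lines are not file findings
            findings.setdefault(m['path'].lower(), (m['path'], m['name']))
    return findings

def triage(findings):
    """Split findings into malware detections and 'not-a-virus' (adware/tool) tags."""
    malware, low = [], []
    for path, name in findings.values():
        (low if name.startswith('not-a-virus:') else malware).append((path, name))
    return malware, low

def remaining(before, after):
    """Paths flagged in the first scan that are still flagged after cleanup."""
    return [before[key][0] for key in before if key in after]
```

Paths are compared case-insensitively because Windows file names are; a path returned by `remaining` is one the cleanup did not remove or that was re-created.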
     
  9. 2005/05/22
    msbooch

    msbooch Inactive Thread Starter

    Joined:
    2002/01/09
    Messages:
    155
    Likes Received:
    0
    Here are the results from the Scan of media player
    File: wmplayer.exe
    Status: INFECTED/MALWARE
    MD5 4f7f8862e94076e8dc1eaf0601a37af1
    Packers detected: -
    Scanner results
    AntiVir Found nothing
    Avast Found nothing
    AVG Antivirus Found Downloader.Small.33.F
    BitDefender Found Trojan.Downloader.Small.APM
    ClamAV Found Trojan.Downloader.Small-371
    Dr.Web Found Trojan.DownLoader.2174
    F-Prot Antivirus Found W32/Downloader.AZG
    Fortinet Found W32/Small.APM-tr
    Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Small.apm
    mks_vir Found Trojan.Downloader.Small.Apm
    NOD32 Found nothing
    Norman Virus Control Found W32/DLoader.DYA
    VBA32 Found Trojan-Downloader.Win32.Small.apm

    ******************************
    Here are the results from MWAV
    Object "Quicken Spyware/Adware" found in File System! Action Taken: No Action Taken.
    Object "cws.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\cpbrkpie.ocx ". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object " ". Action Taken: No Action Taken.
    File C:\WINDOWS\COMMAND\EBD\EBD.CAB tagged as not-a-virus:Tool.DOS.Restart. No Action Taken.
    File C:\Program Files\Windows Media Player\wmplayer.exe infected by "Trojan-Downloader.Win32.Small.apm" Virus! Action Taken: No Action Taken.
    File C:\Program Files\Setup_2u.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Program Files\Photocopier\Photocopier.exe tagged as "not-a-virus:AdWare.TimeSinc ". Action Taken: No Action Taken.
    File C:\Program Files\Digital Postman\TSUNINSTALLER.EXE tagged as "not-a-virus:AdWare.TimeSink ". Action Taken: No Action Taken.
    File C:\Program Files\EXE-files\pspv12.zip tagged as not-a-virus:RiskWare.PSWTool.PassView.120. No Action Taken.
    File C:\Program Files\EXE-files\orgexp-XST2.1update.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Program Files\EXE-files\pspv\pspv.exe tagged as not-a-virus:RiskWare.PSWTool.PassView.120. No Action Taken.
    File C:\Program Files\EXE-files\PrintDeskTopSetup.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Program Files\EXE-files\XMAS-TREE.exe tagged as "not-a-virus:AdWare.Sidesearch.d ". Action Taken: No Action Taken.
    File C:\Program Files\FileSubmit\1 New Year 5\TBEZA127Q.exe tagged as "not-a-virus:AdWare.ToolBar.Quick.a ". Action Taken: No Action Taken.
    File C:\Program Files\FileSubmit\1 New Year 5\NNEZTA388.exe tagged as "not-a-virus:AdWare.NewDotNet ". Action Taken: No Action Taken.
    File C:\Program Files\pspv.zip tagged as not-a-virus:RiskWare.PSWTool.PassView.120. No Action Taken.
    File C:\Needles\Setup_2u.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\WIN98\WIN98_59.CAB tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\NEW-EXE\BLOCK-ADS\hijackthis\backups\backup-20050517-105006-210.dll tagged as "not-a-virus:AdWare.BookedSpace.e ". Action Taken: No Action Taken.
    File C:\NEW-EXE\BLOCK-ADS\hijackthis\backups\backup-20050517-105007-328.dll tagged as "not-a-virus:AdWare.Coupons ". Action Taken: No Action Taken.
     
  10. 2005/05/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    That looks great! Looks like RegSeeker did a good job too! :) I recommend you delete the following files, then empty the recycle bin.

    File C:\Program Files\EXE-files\XMAS-TREE.exe :AdWare.Sidesearch.d
    File C:\Program Files\FileSubmit\1 New Year 5\TBEZA127Q.exe :AdWare.ToolBar.Quick.a
    File C:\Program Files\FileSubmit\1 New Year 5\NNEZTA388.exe :AdWare.NewDotNet

    Is there anything else in that 1 New Year 5 folder? If not, just delete the folder.
    Delete the wmplayer.exe file, then download and re-install Media Player from MS.

    Any other problems with the PC now? You originally set out to re-install IE. Still wanting to do that, or feel you need to?

    I think a defrag at this time would be appropriate also.
     
  11. 2005/05/24
    msbooch

    msbooch Inactive Thread Starter

    Joined:
    2002/01/09
    Messages:
    155
    Likes Received:
    0
    I do believe my hard drive is looking good. It has been a long haul here. But with your guidance of software usage, deleting files, and so on, I am on my way to a brighter day of internet usage.
    I did run defrag as suggested. I am going to leave IE alone as all is well. I am looking to upgrade computers sometime this fall as well as ISP. Hopefully I can leave IE in the dust.
    Your patience and knowledge are greatly appreciated. Sure glad BBS forum is here for some place to ask questions. Too technical for me and others.
    Many, many thanks to you and all in the forum.
    Claire B :D :D :D :D :D :D
     
  12. 2005/05/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I'm very happy to have helped, Claire. :)
     