
Help With Hijackthis Log Please

Discussion in 'Malware and Virus Removal Archive' started by katy, 2005/10/02.

  1. 2005/10/02
    katy

    katy Inactive Thread Starter

    Joined:
    2004/09/03
    Messages:
    74
    Likes Received:
    0
    Attached is a HijackThis log from a Dell computer. I am attempting to clean it up. I find lots of malware on it with Norton, but it only removes and fixes "some" of them....leaves a long list still on the computer.....(the update subscription is just up on this scanner, so there may be an update missing...would this let it leave the malware?) I have also run Spybot and it finds files each and every time I run it. This was a public library computer. No telling what people have tried on it! It may just be due for a complete wipe and restore, but I would like your report on this HijackThis log.
    thanks so much
    Katy

    Logfile of HijackThis v1.99.1
    Scan saved at 4:17:27 PM, on 9/30/2005
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\DEVLDR16.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\ALOPU\BHBSUR.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\MEDIA GATEWAY\MEDIAGATEWAY.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\SETTCOMM.EXE
    C:\WINDOWS\SYSTEM\SHILE32.EXE
    C:\PROGRAM FILES\APRPS\CXTPLS.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TEMP\TD_0003.DIR\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ask.com/index.asp?origin=7019
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nemr.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ask.com/index.asp?origin=7019
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.ask.com/index.asp?origin=7019
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Nemr.net
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\PROGRAM FILES\APRPS\CXTPLS.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
    O4 - HKLM\..\Run: [efalub] C:\WINDOWS\efalub.exe
    O4 - HKLM\..\Run: [Okeuzvbc] C:\PROGRAM FILES\ALOPU\BHBSUR.EXE
    O4 - HKLM\..\Run: [qpifkbsh] C:\WINDOWS\qpifkbsh.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Media Gateway] C:\PROGRAM FILES\MEDIA GATEWAY\MEDIAGATEWAY.EXE
    O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
    O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe "
    O4 - HKLM\..\Run: [os8V36R] SHILE32.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe "
    O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe "
    O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
    O4 - HKCU\..\Run: [ZBr9RWd7P] SETTCOMM.EXE
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = more.net
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 150.199.1.10,150.199.8.1,150.199.178.1
     
    katy,
    #1
  2. 2005/10/02
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Hi Katy

    Before one of our HJT experts makes the request please move HJT to a folder on the hard drive, say C:\HijackThis and run it again. HJT should not be run from a temporary location or the desktop as it needs to create backup files, etc.

    BTW - I'm no expert on these logs, but there are a few nasties lurking in yours :)
     


  4. 2005/10/02
    katy

    katy Inactive Thread Starter

    Joined:
    2004/09/03
    Messages:
    74
    Likes Received:
    0
    I will do as you advise as soon as I can.....I don't have the computer in my possession......I didn't realize I should have saved HJT before running the scan. I will do that first of the week and post it back in this thread. This computer is for sale by the library, but I was attempting to see if it could be cleaned up a bit before making an offer on it. (I am doing this with their knowledge.) I figured there were nasties in it, but I am a long way from knowledgeable about it also. :confused:
    thanks
    Katy
     
    katy,
    #3
  5. 2005/10/03
    oshwyn5

    oshwyn5 Inactive

    Joined:
    2005/08/25
    Messages:
    736
    Likes Received:
    0
    Please make sure you have moved HijackThis to a permanent folder such as C:\Program Files\HijackThis\HijackThis.exe
    You will be deleting temp files and System Restore as a course of your repair, and this will delete HijackThis and its working files and backups if you do not move it now.



    You have a wintools infection and a Vx2 infection amongst others.


    Please go to Add/Remove Programs,
    locate MediaGateway, MediaPass, or Media Access and uninstall it.
    http://securityresponse.symantec.com/avcenter/venc/data/adware.mediapass.html
    has more information.

    Please download and install, but do not run,
    Ad-Aware Personal from Lavasoft.
    After installation, CHECK FOR UPDATES
    and get them.

    Next would you please download the VX2 plugin for Ad-Aware after you have updated
    http://www.lavasoftusa.com/software/plugins/vx2cleaner.shtml
    Restart your computer
    After Reboot Open Ad-Aware
    Go to "Plug-ins"
    Select the VX2 Cleaner plug-in and click "Run Plugin"
    If your computer isn't infected, click "Close".

    If your computer is infected

    Select "Clean System"
    Reboot your computer
    Scan your computer with Ad-Aware
    Set these additional options for a custom scan
    click the gear wheel at the top and check these options:

    General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal "

    Scanning > activate these: "Scan within archives ", "Scan active processes ", "Scan registry ", "Deep scan registry ", "Scan my IE Favorites for banned sites" and "Scan my Hosts file "

    Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning. "

    Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot. "

    Click "Proceed" to save your settings, then click "Start ", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next ". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue? ".
    RESTART your computer


    Boot to safe mode (How to boot to safe mode.)
    Run Hijackthis with all other windows closed . If you have broadband, disconnect the modem / ethernet cable.

    Please put a check by the following and choose fix
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\PROGRAM FILES\APRPS\CXTPLS.DLL
    O4 - HKLM\..\Run: [efalub] C:\WINDOWS\efalub.exe
    O4 - HKLM\..\Run: [Okeuzvbc] C:\PROGRAM FILES\ALOPU\BHBSUR.EXE
    O4 - HKLM\..\Run: [qpifkbsh] C:\WINDOWS\qpifkbsh.exe
    O4 - HKLM\..\Run: [Media Gateway] C:\PROGRAM FILES\MEDIA GATEWAY\MEDIAGATEWAY.EXE
    O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe "
    O4 - HKLM\..\Run: [os8V36R] SHILE32.EXE
    O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
    O4 - HKCU\..\Run: [ZBr9RWd7P] SETTCOMM.EXE



    Go to Control Panel / Folder Options / View (or double-click My Computer, then choose Tools / Folder Options)
    on the View tab, choose to show hidden and system files
    and uncheck "Hide file extensions for known file types".

    How to show hidden files


    Please delete these folders
    C:\PROGRAM FILES\APRPS
    C:\PROGRAM FILES\ALOPU
    C:\PROGRA~1\COMMON~1\WINTOOLS
    (C:\Program Files\Common Files\Wintools)
    c:\Program Files\AutoUpdate

    Delete these files
    C:\WINDOWS\efalub.exe

    You will have to do a search/ find files for this
    SHILE32.EXE
    and this
    SETTCOMM.EXE
    They are probably in C:\Windows or Windows\system
    Delete them when found.

    Delete your temp and temp internet files.
    Locate the temp folder with windows explorer and delete the contents, but not the folder.
    Go to IE, tools/ internet options/ general
    delete files/ delete all offline content.

    How to disable system restore
    Please reboot to make sure Windows works, disable System Restore, reboot, and re-enable it.

    Please run hijackthis again and post your new log.
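The post above turns a handful of flagged HijackThis O2/O4 lines into three lists: product folders to delete, single files to delete, and bare filenames to search for. Here is an added example (not from the thread or from HijackThis) that parses those line formats and derives the same three lists from the flagged entry names; the folder/file/search rule and the sample log are assumptions constructed from the lines quoted above.

```python
import re

# Constructed sample: the O2/O4 lines flagged in the post above, copied from the log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\PROGRAM FILES\APRPS\CXTPLS.DLL
O4 - HKLM\..\Run: [efalub] C:\WINDOWS\efalub.exe
O4 - HKLM\..\Run: [Okeuzvbc] C:\PROGRAM FILES\ALOPU\BHBSUR.EXE
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe "
O4 - HKLM\..\Run: [os8V36R] SHILE32.EXE
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKCU\..\Run: [ZBr9RWd7P] SETTCOMM.EXE
"""
# Entry names / CLSID the analyst marked for "fix" in HijackThis.
FLAGGED = {"{016235BE-59D4-4CEB-ADD5-E2378282A1D9}", "efalub", "Okeuzvbc",
           "AutoUpdater", "os8V36R", "WinTools", "ZBr9RWd7P"}

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
# First (optionally quoted) token ending in .exe/.dll; trailing arguments are dropped.
EXE_RE = re.compile(r'^"?\s*([^"]*?\.(?:exe|dll))\s*"?', re.IGNORECASE)

def parse_entries(log_text):
    """Yield (key, entry_name, image_path) for every O2 BHO and O4 registry Run line."""
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            exe = EXE_RE.match(command)
            yield (f"{hive}\\..\\{key}", name, exe.group(1) if exe else command.strip())
            continue
        m = O2_RE.match(line)
        if m:
            _, clsid, path = m.groups()
            yield ("BHO", clsid, path.strip())

def removal_plan(log_text, flagged):
    """Assumed rule: image under Program Files -> delete its folder; image under the
    Windows tree -> delete that file; bare filename -> search the disk for it first."""
    plan = {"folders": [], "files": [], "search": []}
    for _key, name, path in parse_entries(log_text):
        if name not in flagged:
            continue
        directory, _, filename = path.rpartition("\\")
        if not directory:
            bucket, item = "search", filename
        elif directory.upper().startswith("C:\\WINDOWS"):
            bucket, item = "files", path
        else:
            bucket, item = "folders", directory
        if item not in plan[bucket]:  # de-duplicate while keeping log order
            plan[bucket].append(item)
    return plan

if __name__ == "__main__":
    for bucket, items in removal_plan(SAMPLE_LOG, FLAGGED).items():
        print(bucket, items)
```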
     
  6. 2005/10/04
    katy

    katy Inactive Thread Starter

    Joined:
    2004/09/03
    Messages:
    74
    Likes Received:
    0
    thanks so much...I am printing out your instructions....when I get to the computer again I will try to carry them out and then post back. I have been really busy and have to be out of town next week. hopefully I can get to the computer before that. If not I will be back afterwards.
    thanks again.....this is one of the BEST places to find answers to all problems and questions!
    katy
     
    katy,
    #5
