
Need some help with another HJT log

Discussion in 'Malware and Virus Removal Archive' started by BillB, 2005/10/26.

  1. 2005/10/26
    BillB (Thread Starter; joined 2003/03/18, 750 messages)
    I had another friend drop off his PC at my house today with trouble getting on the internet. Spybot, Adaware and AVG all cleaned up some things but I think there's more. Here's the HJT log, if someone would take a look at it and let me know I would appreciate it.

    Logfile of HijackThis v1.99.1
    Scan saved at 5:27:18 PM, on 10/26/2005
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\ptsnoop.exe
    C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\UNLOAD\HPQCMON.EXE
    C:\HPGS2WND.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
    C:\HPGS2WNF.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\PROGRAM FILES\SONY\SONICSTAGE\SSAAD.EXE
    C:\PROGRAM FILES\WAYTECH\MAGIC KEYBOARD\MAGICKEY.EXE
    C:\PROGRAM FILES\INTUIT\QUICKBOOKS PRO\COMPONENTS\QBAGENT\QBDAGENT2001.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\TMP\SPYWARE_FIREWALL_ANTIVIRUS STUFF\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 2.0\AOLTB.DLL
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
    O2 - BHO: PBlockadeHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRAM FILES\OEMJI\TOOLBAR\POPUPBLOCKER\PBHELPER.DLL
    O2 - BHO: OemjiSearchPlus - {D240DC29-C093-4388-B71F-A7103C796B0C} - C:\PROGRAM FILES\OEMJI\OEMJISEARCHPLUS\OEMJIPLS.DLL (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 2.0\AOLTB.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
    O3 - Toolbar: Oemji - {804DB5C7-31E6-4885-850A-F1941B58A4C7} - C:\PROGRAM FILES\OEMJI\TOOLBAR\OEMJISRC.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 2.0\AOLTB.DLL
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\hpgs2wnd.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe "
    O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [xizsfwp] C:\WINDOWS\xizsfwp.exe
    O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
    O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\SONY\SONICS~1\SSAAD.EXE
    O4 - HKLM\..\Run: [SpySpotter] C:\PROGRAM FILES\SPYSPOTTER3\SPYSPOTTER.exe -startup
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
    O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
    O4 - Startup: Magic Keyboard.lnk = C:\Program Files\WAYTECH\Magic Keyboard\MAGICKEY.EXE
    O4 - Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 2.0\AOLTB.DLL
    O15 - Trusted Zone: *.sp2admin.biz
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.traffic2cash.biz
    O15 - Trusted Zone: *.admin2cash.biz
    O15 - Trusted Zone: *.private-iframe.biz
    O15 - Trusted Zone: *.private-dialer.biz
    O15 - Trusted Zone: *.bettersearch.biz
    O15 - Trusted Zone: *.crazywinnings.com
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
     
  2. 2005/10/26
    Newt (joined 2002/01/07, 10,974 messages)
    AOL is the worst issue on this PC to my mind but that's because I am a bit of a bigot. I normally ignore problems on any PC that is using it but I guess I'm feeling mellow this evening. :D

    O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

    Check file properties. Should be for a PCTel modem. Also, if the user doesn't have one the file/folder is not needed anyway and certainly not at startup.

    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)

    Baddie. VX2 (new stuff) adware/spyware. Removal instructions
    http://www.greatis.com/appdata/d/f/ffisearch.exe_Removal.htm
    and since it is often associated, check this next one too
    http://www.greatis.com/appdata/d/_/_sysdir__ffisearch.exe_Removal.htm

    O4 - HKLM\..\Run: [xizsfwp] C:\WINDOWS\xizsfwp.exe
    Baddie but the name seems to be random. Kill the entry. Remove any file by that name.

    O4 - HKLM\..\Run: [SpySpotter] C:\PROGRAM FILES\SPYSPOTTER3\SPYSPOTTER.exe -startup
    You read the link below and decide. I'd absolutely get rid of the startup option and the app itself as well. There are good, reliable, non-sleazoid spyware killers out there but this one isn't.
    http://castlecops.com/startuplist-5901.html

    O15 - Trusted Zone: *.sp2admin.biz
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.traffic2cash.biz
    O15 - Trusted Zone: *.admin2cash.biz
    O15 - Trusted Zone: *.private-iframe.biz
    O15 - Trusted Zone: *.private-dialer.biz
    O15 - Trusted Zone: *.bettersearch.biz
    O15 - Trusted Zone: *.crazywinnings.com
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)

    Either left over from a previous critter or possibly spawned by one you still have. HJT will remove them from the Trusted Zone if you check them and you certainly should.

    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.c...es/MsnPUpld.cab
    Get rid of this one on general principles. Any O16 entry will be rebuilt as needed while browsing and you can assume the new one is current and clean.

    After the above is done, I suggest a general cleanup/tweakup for the PC and since you work on the things for others, keep this for future use. Good for any 9X/ME system that starts having any sort of odd issues and about once a month just to keep things running well.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    General clean-up instructions for Win95/98/ME
    • Open a browser window and dump all TIF (temporary internet files) and cookies. Close.
    • Open windows explorer and
      .. delete the contents of all temp folders
      .. delete any files in c:\ with a name filennnn.chk (where nnnn is any number so file0001.chk, file1034.chk, etc)
    • verify that you have fewer than 500 files & folders directly under c:\. If you are close to that number, remove or move some files.
    • empty the recycle bin
    • boot to DOS
    • from the command prompt do the following
      .. scanreg /fix <ENTER> (press the ENTER key)
      .. scanreg /opt <ENTER>
      ****note that 95 does not have scanreg.exe but a copy from 98 or ME will run fine if you can get one
      .. scandisk c:\ /nosave /autofix /surface <ENTER>
      .. Win /D:M (forces a safe mode windows start)
    • Run another scandisk (start~programs~accessories~system tools) and check for a standard scan and to fix all errors found. The DOS scan couldn't check for long file name issues.
    • Run a defrag
    • Reboot to normal Windows.
     
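The checks in the reply above (sites in the Trusted Zone, the ProtocolDefaults lines, Run entries with random-looking names or no vendor path, a text/html filter with no file behind it, the O16 control) can be turned into a first-pass triage script that runs over an HJT log. This is an added example written for this page, not code from the thread or from HijackThis. The sample lines are copied from the posted log; the vendor-directory allowlist, the vowel-ratio threshold for "random-looking" names and the reason strings are assumptions for illustration, not an authoritative ruleset. It also flags two things the reply does not discuss: a Run value name padded with trailing whitespace, and a path under \system32\ on a Win9x platform, which uses \WINDOWS\SYSTEM and has no system32 directory by default.

```python
import re

# Sample input: lines copied from the HijackThis v1.99.1 log posted in this
# thread (a subset), plus the Platform line so the Win9x check has something to read.
SAMPLE_LOG = r"""
Platform: Windows 98 SE (Win9x 4.10.2222A)
O2 - BHO: OemjiSearchPlus - {D240DC29-C093-4388-B71F-A7103C796B0C} - C:\PROGRAM FILES\OEMJI\OEMJISEARCHPLUS\OEMJIPLS.DLL (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [xizsfwp] C:\WINDOWS\xizsfwp.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
"""

# O4 lines look like: O4 - HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Assumption: vendor software lives under Program Files, so the random-name
# heuristic is not applied there (keeps HP/AVG style names quiet).
VENDOR_DIRS = ("c:\\program files\\", "c:\\progra~1\\")
VOWELS = set("aeiouy")


def payload(line):
    """Text after the 'Oxx - Label: ' prefix of an HJT line."""
    return line.split(": ", 1)[1]


def exe_path(cmd):
    """Lowercased executable path from a Run value, with arguments dropped."""
    m = re.match(r'^"?(.*?\.exe)', cmd, re.IGNORECASE)
    return (m.group(1) if m else cmd).lower()


def looks_random(stem):
    """Crude 'random name' test: 5+ letters with fewer than 20% vowels (threshold assumed)."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 5:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.2


def dir_reason(path, win9x):
    """Why the directory part of an O4 path deserves a look, or None."""
    directory = path.rsplit("\\", 1)[0] if "\\" in path else ""
    if not directory:
        return "bare filename resolved via the search path, check its properties"
    if win9x and "\\system32\\" in path:
        return "path under \\system32\\, which Win9x does not have (it uses \\WINDOWS\\SYSTEM)"
    if directory.startswith("c:\\windows\\") and not directory.startswith(
            ("c:\\windows\\system", "c:\\windows\\command")):
        return "non-standard subdirectory under the Windows directory"
    return None


def triage(log_text):
    """Return (section, item, reason) findings for the lines worth acting on."""
    win9x = "Win9x" in log_text
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if line.startswith("O15 - Trusted Zone:"):
            findings.append(("O15", payload(line), "site in the IE Trusted Zone; remove unless the user added it"))
        elif line.startswith("O15 - ProtocolDefaults:"):
            findings.append(("O15", "http", "plain http mapped to Trusted Zone settings instead of Internet Zone"))
        elif line.startswith("O16 - DPF:"):
            findings.append(("O16", payload(line), "downloaded ActiveX control; safe to drop, re-fetched on demand"))
        elif line.startswith("O18 - Filter:") and line.endswith("(no file)"):
            findings.append(("O18", payload(line), "MIME filter registered but its DLL is gone"))
        elif line.startswith("O2 - BHO:") and line.endswith("(file missing)"):
            findings.append(("O2", payload(line), "BHO registered but its DLL is gone"))
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            if not m:
                continue
            name, path = m.group("name"), exe_path(m.group("cmd"))
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            reasons = []
            if name != name.strip():
                reasons.append("value name padded with whitespace")
            r = dir_reason(path, win9x)
            if r:
                reasons.append(r)
            if not path.startswith(VENDOR_DIRS) and looks_random(stem):
                reasons.append("random-looking executable name")
            if reasons:
                findings.append(("O4", name, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for section, item, reason in triage(SAMPLE_LOG):
        print(f"{section:<4}{item:<60}{reason}")
```

Run against the sample it reports every entry the reply above singled out (ffis, xizsfwp, the two PCTel modem names for a properties check, all the O15 lines, the O18 filter, the O16 control) and stays quiet on ScanRegistry, CamMonitor and the AVG entries. It is a pointer to what to look at, not a verdict: a flagged entry still needs the file properties or a lookup before it is removed.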

  4. 2005/10/26
    BillB
    Hi Newt,

    Thanks for taking a look at this for me (BTW, I feel the same way about AOL). I'll follow your instructions and post back with new log when I'm done.

    I just returned the other PC last night and got this one while at work today. When it rains it pours sometimes.
     
  5. 2005/10/26
    BillB
    Newt,

    I ran HJT and deleted these entries:

    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
    O4 - HKLM\..\Run: [xizsfwp] C:\WINDOWS\xizsfwp.exe
    O15 - Trusted Zone: *.sp2admin.biz
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.traffic2cash.biz
    O15 - Trusted Zone: *.admin2cash.biz
    O15 - Trusted Zone: *.private-iframe.biz
    O15 - Trusted Zone: *.private-dialer.biz
    O15 - Trusted Zone: *.bettersearch.biz
    O15 - Trusted Zone: *.crazywinnings.com
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool)

    I rebooted the PC and windows setup started to run. It asked for the key (which fortunately was on the side of the case), I tried to cancel out but it said that windows would shutdown if I canceled. I entered the key and it said to complete setup I needed to restart and I pressed 'finish'. When the PC restarted, it displayed the logon window, I clicked on cancel and I got the message 'this program has performed an illegal operation and will be shutdown'. The program is explorer, and in details it says that explorer caused an invalid page fault. It does the same thing in safe mode, so I can't get a desktop to load. I can only boot to a DOS prompt.

    Do you have any idea what might have happened or which entries that I deleted might have caused this?
     
  6. 2005/10/29
    BillB
    Newt,

    I tried the cleanup steps you recommended (at least the DOS ones) but it hasn't helped. Do you have any ideas how I can get this back to the desktop?
     
  7. 2005/10/29
    Newt
    I don't know for sure. It sounds like the GUI OS is at least partially trashed.

    Normally with that version you can install over the existing OS and it will behave the same way a repair install does in XP - put things back to working without data loss. Normally.

    After the infection and repair, it might trash the original OS and just replace with a new one sans any installed software.
     
  8. 2005/10/29
    BillB
    The PC is an Acer Veriton 7100, it has a recovery CD kit like the other OEMs. Right now I have the drive hooked up in my PC and I'm copying everything except the windows folder to my drive in a separate folder for backup. I'm going to put the drive back and run the recovery disk and see if it has a repair option. Hopefully it will and he won't have to reinstall all his software. The important thing right now is backing up the data files.
     
