Need some help with a browser hijacker

I'm trying to help a friend with his PC, which had a whole bunch of spyware and viruses on it. I've run Spybot and Adaware, installed and run AVG and cleaned up everything they found. There are two remaining problems that I haven't been able to get rid of;

1. The browser home page keeps reseting to www.windowws.cc/hp.htm and I can't get it to reset.

2. Outlook Express doesn't work any more. When you try to open it a message pops up saying 'Outlook Express could not be started because MSOERES.DLL could not be found. Outlook Express may not be installed correctly'. I have checked in the OE folder and the file is there.

I did a cleanup on the hard drive and ran scan disk and defrag. I'm posting the HJT log in hopes that someone will see something that will help the two remaining problems. I'm not sure the second one is related to the spyware/virus problems he had, he said it just stopped working a couple days ago.

Any help would be greatly appreciated.

Logfile of HijackThis v1.98.2
Scan saved at 5:19:03 PM, on 9/18/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PROMON.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\MINDSPRING\ACCESSRAMP\ARMON32.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\WEB OFFER\WO.EXE
C:\WINDOWS\SYSTEM\DR33VYLRXETR94.EXE
C:\PROGRAM FILES\WAYTECH\MAGIC KEYBOARD\MAGICKEY.EXE
C:\PROGRAM FILES\INTUIT\QUICKBOOKS PRO\COMPONENTS\QBAGENT\QBDAGENT2001.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\WAYTECH\MAGIC KEYBOARD\OSD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\EXTRACT2\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\5FBI3B~1.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [AccessRampMonitor] C:\PROGRA~1\MINDSP~1\AccessRamp\ARMon32.exe
O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe "
O4 - HKLM\..\Run: [Mmgsvc] C:\WINDOWS\mmgsvc.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [0m9x5m12ka] C:\SYMANTEC\LRP0915VJ4.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Mmgsvc] C:\WINDOWS\mmgsvc.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [romahere2] C:\WINDOWS\SYSTEM\DR33VYLRXETR94.EXE
O4 - Startup: Magic Keyboard.lnk = C:\Program Files\WAYTECH\Magic Keyboard\MAGICKEY.EXE
O4 - Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...a2f745d64562:c31e3730b38c174130e1e2729109a237
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1025960.exe
O16 - DPF: {68E53982-CCCE-48C2-89B9-C3C97638F9B4} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab

 

Not surprised you had trouble keeping things clean.

First comment is that after all the fixing is done, try add/remove programs and try to repair IE. That may well get OE working again.

Next - to fix the baddies (and as usual, items in green are legit but not needed at startup so 98 should run better with the green entries removed)

Run HJT, scan, and check to fix
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=9
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
(broken but was associated with TV Media spyware so needs to go)
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\5FBI3B~1.DLL
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
(legit item if running PCTel modem although not essential to run at startup. Otherwise, probably from a virus)
O4 - HKLM\..\Run: [AccessRampMonitor] C:\PROGRA~1\MINDSP~1\AccessRamp\ARMon32.exe
(Monitors your progress on the internet; hang-ups, connection speeds, internet congestion and traffic flow. Said to prevent some games from running also. Not essential)
O4 - HKLM\..\Run: [WinInit] Win86.exe
(TrojanDownloader.Win32.Small.pj)
O4 - HKLM\..\Run: [WinLogin] win32x.exe
(Worm_sdbot.)
O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe "
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...1e 2729109a237
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1025960.exe
O16 - DPF: {68E53982-CCCE-48C2-89B9-C3C97638F9B4} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab

Don't know about these and unless you are sure they are legit, I'd get rid of them. Check for entry removal with HJT and then delete the files. Also, with one strange .exe in that c:\symantec folder, I'd be interested in any other files you find there.
O4 - HKLM\..\Run: [Mmgsvc] C:\WINDOWS\mmgsvc.exe
O4 - HKLM\..\Run: [0m9x5m12ka] C:\SYMANTEC\LRP0915VJ4.EXE
O4 - HKCU\..\Run: [romahere2] C:\WINDOWS\SYSTEM\DR33VYLRXETR94.EXE

Boot to safe mode, set windows explorer to show all files (including hidden) then delete
C:\WINDOWS\SYSTEM\5FBI3B~1.DLL (or anything that starts that way since the full filename may be different)
Promon.exe
Win86.exe
win32x.exe
C:\PROGRAM FILES\WEB_REBATES (folder and contents)
C:\PROGRA~1\Web Offer (folder and contents)

Might be a real good idea after you reboot to normal mode to run an online AV scan too.

As usual, post a new HJT log when all the above is done so we can look for remaining traces or stubborn junk that came back.

 

Hi Newt,

Thanks for the reply. I will post back after completing the cleanup you suggested.

 

Newt,

Here's the new HJT log after the cleanups you suggested. I haven't tried an online AV scan yet as I want to be sure I have it as clean as possible otherwise first.

Thanks again,

Bill

 

Also

Download, then close all open windows and run CWShredder 1.59.1
http://www.net-integration.net/tools/hijackthis.html#cwshredder <<from there Click Fix, don't just scan. You have a CoolWebSearch component which it will remove.If you already have it, just download another copy and overwrite the old one..To ensure its the latest version.

Then restart the PC

When back scan and repost another Hijackthis Log

 

Oops, I forgot the HJT log. Here it is.

Logfile of HijackThis v1.98.2
Scan saved at 6:57:08 PM, on 9/18/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\WAYTECH\MAGIC KEYBOARD\MAGICKEY.EXE
C:\PROGRAM FILES\INTUIT\QUICKBOOKS PRO\COMPONENTS\QBAGENT\QBDAGENT2001.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\WAYTECH\MAGIC KEYBOARD\OSD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\EXTRACT2\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - Startup: Magic Keyboard.lnk = C:\Program Files\WAYTECH\Magic Keyboard\MAGICKEY.EXE
O4 - Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O15 - Trusted Zone: *.greg-search.com

 

All I see is this, do fix it

O15 - Trusted Zone: *.greg-search.com
==============================
I think you wil like IE 6 sp1, best go get it !!

 

Lonnie - was that thing in c:\symantec the coolweb piece?

 

Im not sure

The trusted site alone is enough for me to think its coolweb, then the R was an indication. plus those strange exe's that look like a viri/worm or trojan.

I think that symantec entry is actualy symatec, but one of its old program's,

 

Lonny and Newt,

Here is the latest HJT log. Something else that's kind of funny. When I run Spybot and Adaware, they both still flag entries for CoolWebSearch and something called Ezula. If I tell them to fix the problem and reboot, they still show up on the next run. Do you have any ideas on why that is happening?

HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 11:53:02 AM, on 9/19/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\WAYTECH\MAGIC KEYBOARD\MAGICKEY.EXE
C:\PROGRAM FILES\INTUIT\QUICKBOOKS PRO\COMPONENTS\QBAGENT\QBDAGENT2001.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\WAYTECH\MAGIC KEYBOARD\OSD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\EXTRACT2\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - Startup: Magic Keyboard.lnk = C:\Program Files\WAYTECH\Magic Keyboard\MAGICKEY.EXE
O4 - Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE

 

If Ezula was istalled at some point or still is try its uninstaller in addremove program,s.

I assume you have updated AVG and ran a full system scan ?
If it cannot handle a problem run it while in safe mode.
In addition to that get two free onlines, it takes awhile but is certainly worth the peace of mind.

Trend Micro-Free online Scan: http://housecall.trendmicro.com/
check all box's except [ ]auto clean !!, scan and if it cannot clean tell it to delete found files !!
BitDefender AntiVirus Free Scan, check all box's except [ ]auto clean !!,
then have it delete the file if it cannot clean/repair/cure it,
turn off any PopupBlockers before accessing the site:
http://www.bitdefender.com/scan/licence.php
If there are any problems Copy its report back here please.

Make sure SpyBot is indeed version 1.3 and updated, also ad-aware SE ver 1.04 and also updated ?
If your friend is fixing things with hijackthis without telling us have them stop, we need to see it all.

Post a new log if needed.

 

Lonny,

I have the PC here at my house doing the cleanup on it. I updated SpyBot and Adaware and ran scans with both first, then installed, updated and ran AVG. I also ran CWShredder which didn't find anything to fix. That's when I decided I better post the HJT log. I've been doing the cleanups that you and Newt have suggested, I decided to run SpyBot and Adaware again just to see if they found anything. When they did I was surprised, so I told them to fix the problems, rebooted and ran again. They still found the same things.

I'm trying to run an online virus scan with Housecall now, but it's via dialup and is very sloooooow. I didn't see Ezula in the Add/Remove programs list, so I don't know what to think about that.

I'll post back after the online AV scan with the results and a new HJT log if different from the last one posted.

Again, thanks very much for the help.

 

Lonny,

I ran the housecall scan and bitdefender, housecall found 10 infected files in the windows and windows\system folders which had to be deleted, and bitdefender found 13 files, all were deleted. This kind of makes me suspect of the free AVG, shouldn't it have found these same files? I have been recommending it to everyone in lieu of Mcafee and Norton because it is less overhead intensive than either of those. I'm beginning to wonder if I was wrong.

Let me know if you see anything else in the HJT logs. It seems that for the most part the system is clean, at least to me. I still need to get OE working again, I'm going to try the repair that Newt mentioned today to see if it works.

Thanks again,

Bill

P.S. - The IE repair didn't help OE. I'm wondering if an uninstall/reinstall is the answer?

 

If you got get IE6 with sp1 that should repair the problems for you.

I use avg and recommend it to, Norton in my mind is the worst offenor for not detecting some nasties.

an online once and awhile is in order whatever program you have onbourd.

 

Lonny and Newt,

I got OE fixed by uninstalling/reinstalling it. If you guys think the last HJT log looks good, I think the PC is ready to return. I can get online with it and the browser home page is fine, his email is working again also. Let me know what you think about the log and if more clean up is needed.

Lonny, thanks for the reply on AVG. I guess none of the AV programs catch everything.

Thanks again,

Bill

 

I suggest several visit's to windows update before you take it back

 

Lonny,

Thanks for the advice, I'll check it out before I return it. It seems to be running a lot smoother now, thanks to you and Newt. I really appreciate the help.

Would either of you mind taking a look at this other thread I have open and sharing your opinion of that HJT log?

http://www.windowsbbs.com/showthread.php?t=34864


Thanks again for the help.

Bill