
Strange programs running

Discussion in 'Security and Privacy' started by mrfixit62, 2004/02/26.

Thread Status:
Not open for further replies.
  1. 2004/02/26
    mrfixit62

    mrfixit62 Inactive Thread Starter

    Joined:
    2003/02/19
    Messages:
    6
    Likes Received:
    0
    Results of HiJackThis scan.

    Logfile of HijackThis v1.97.7
    Scan saved at 10:10:30 PM, on 2/26/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NAV\HOTKEY.EXE
    C:\PROGRAM FILES\REALVNC\WINVNC\WINVNC.EXE
    C:\WINDOWS\SYSTEM\EXSHOW95.EXE
    C:\WINDOWS\SYSTEM\EXSHOW.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
    C:\PROGRAM FILES\MYWAY\BAR\6.BIN\MWSOEMON.EXE
    C:\PROGRAM FILES\RRIM\AIM.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmyrequest.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmyrequest.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmyrequest.com/sp.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmyrequest.com/sp.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmyrequest.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Packard Bell
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = road runner
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://searchmyrequest.com/hp.php
    F1 - win.ini: run=C:\windows\options\systools\cyxid98.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWAY\BAR\6.BIN\MWSBAR.DLL
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\PROGRAM FILES\MYWAY\SEARCHAT\6.BIN\MWSSRCAS.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: SurferBar - {FF7FD490-34E7-4FA1-927A-F5799E6AAD7B} - C:\PROGRA~1\WIN32.DLL (file missing)
    O3 - Toolbar: My &Way Speedbar - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWAY\BAR\6.BIN\MWSBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [FontFix] c:\windows\options\systools\fntfix.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWAY\BAR\6.BIN\MWSOEMON.EXE
    O4 - HKLM\..\Run: [ga5f6o3380] C:\WINDOWS\WFPT7SA5WI.EXE
    O4 - HKLM\..\Run: [j2ak27x60u] C:\WINDOWS\4S4OKTDFNB.EXE
    O4 - HKLM\..\Run: [lxekrorer7] C:\WINDOWS\WFPT7SA5WI.EXE
    O4 - HKLM\..\Run: [bu8xxip27l] C:\WINDOWS\4S4OKTDFNB.EXE
    O4 - HKLM\..\Run: [8ez6l8hvze] C:\WINDOWS\WFPT7SA5WI.EXE
    O4 - HKLM\..\Run: [u9skdxmbxc] C:\WINDOWS\WFPT7SA5WI.EXE
    O4 - HKLM\..\Run: [vybiwtrj7g] C:\WINDOWS\4S4OKTDFNB.EXE
    O4 - HKLM\..\Run: [airydx6gds] C:\WINDOWS\4S4OKTDFNB.EXE
    O4 - HKLM\..\Run: [eu3uyofpyg] C:\WINDOWS\WFPT7SA5WI.EXE
    O4 - HKLM\..\Run: [hl85jbnb77] C:\WINDOWS\WFPT7SA5WI.EXE
    O4 - HKLM\..\Run: [3ox732m893] C:\WINDOWS\4S4OKTDFNB.EXE
    O4 - HKLM\..\Run: [ionmdrid22] C:\WINDOWS\4S4OKTDFNB.EXE
    O4 - HKLM\..\Run: [4474h71aao] C:\WINDOWS\WFPT7SA5WI.EXE
    O4 - HKLM\..\Run: [2g9ig9ymb6] C:\WINDOWS\4S4OKTDFNB.EXE
    O4 - HKLM\..\Run: [bfdih1wbim] C:\WINDOWS\4S4OKTDFNB.EXE
    O4 - HKLM\..\Run: [b7aytg5m02] C:\WINDOWS\WFPT7SA5WI.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [HOTKEY] C:\PROGRA~1\NAV\hotkey.exe /AUTO /BAR
    O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashserv.exe
    O4 - HKLM\..\RunServices: [WinVNC] "C:\PROGRAM FILES\REALVNC\WINVNC\WINVNC.EXE" -service
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\RRIM\aim.exe -cnetwait.odl
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: Dialpad US Java Applet - http://www.dialpad.com/applet/src/vscp.cab
    O16 - DPF: {387112EE-5396-11D2-9DB8-006008D19B33} (StartPageChanger Class) - http://www.nycap.rr.com/SetStart.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?1047430834390
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://us3.webex.com/client/latest/webex/ieatgpc.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://www116.coolsavings.com/download/cscmv5X.cab
     
  2. 2004/02/26
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    I edited your thread heading, it was borderline objectionable.
    Remove all R1 and R0 entries.
    Remove these.
    O3 - Toolbar: SurferBar - {FF7FD490-34E7-4FA1-927A-F5799E6AAD7B} - C:\PROGRA~1\WIN32.DLL (file missing)
    O3 - Toolbar: My &Way Speedbar - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWAY\BAR\6.BIN\MWSBAR.DLL
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWAY\BAR\6.BIN\MWSOEMON.EXE
    O4 - HKLM\..\Run: [ga5f6o3380] C:\WINDOWS\WFPT7SA5WI.EXE
    O4 - HKLM\..\Run: [j2ak27x60u] C:\WINDOWS\4S4OKTDFNB.EXE
    O4 - HKLM\..\Run: [lxekrorer7] C:\WINDOWS\WFPT7SA5WI.EXE
    O4 - HKLM\..\Run: [bu8xxip27l] C:\WINDOWS\4S4OKTDFNB.EXE
    O4 - HKLM\..\Run: [8ez6l8hvze] C:\WINDOWS\WFPT7SA5WI.EXE
    O4 - HKLM\..\Run: [u9skdxmbxc] C:\WINDOWS\WFPT7SA5WI.EXE
    O4 - HKLM\..\Run: [vybiwtrj7g] C:\WINDOWS\4S4OKTDFNB.EXE
    O4 - HKLM\..\Run: [airydx6gds] C:\WINDOWS\4S4OKTDFNB.EXE
    O4 - HKLM\..\Run: [eu3uyofpyg] C:\WINDOWS\WFPT7SA5WI.EXE
    O4 - HKLM\..\Run: [hl85jbnb77] C:\WINDOWS\WFPT7SA5WI.EXE
    O4 - HKLM\..\Run: [3ox732m893] C:\WINDOWS\4S4OKTDFNB.EXE
    O4 - HKLM\..\Run: [ionmdrid22] C:\WINDOWS\4S4OKTDFNB.EXE
    O4 - HKLM\..\Run: [4474h71aao] C:\WINDOWS\WFPT7SA5WI.EXE
    O4 - HKLM\..\Run: [2g9ig9ymb6] C:\WINDOWS\4S4OKTDFNB.EXE
    O4 - HKLM\..\Run: [bfdih1wbim] C:\WINDOWS\4S4OKTDFNB.EXE
    O4 - HKLM\..\Run: [b7aytg5m02] C:\WINDOWS\WFPT7SA5WI.EXE
    O16 - DPF: {387112EE-5396-11D2-9DB8-006008D19B33} (StartPageChanger Class) - http://www.nycap.rr.com/SetStart.dll
    O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://www116.coolsavings.com/download/cscmv5X.cab

    Visit housecall and trojan scan below. Get Spybot, update and then do the scan, remove all already checked off.
     
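The advice above boils down to three triage rules a responder applies when reading a HijackThis log: R0/R1 entries that point the browser at a domain the owner never chose, O4 Run entries whose value names and executable names are random strings sitting directly in C:\WINDOWS, and one executable registered under many Run values at once (the "replicated itself on startup" behaviour mrfixit62 describes later in the thread). The script below, added here as an example and not code from the thread, from HijackThis or from WindowsBBS, applies those rules to a constructed subset of the log lines posted above. The trusted-host list (the rr.com ISP portal visible in the Start Page line) and the randomness heuristic are assumptions for illustration, not part of the original posts.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: a subset of the lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmyrequest.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [ga5f6o3380] C:\WINDOWS\WFPT7SA5WI.EXE
O4 - HKLM\..\Run: [j2ak27x60u] C:\WINDOWS\4S4OKTDFNB.EXE
O4 - HKLM\..\Run: [lxekrorer7] C:\WINDOWS\WFPT7SA5WI.EXE
O4 - HKLM\..\Run: [bu8xxip27l] C:\WINDOWS\4S4OKTDFNB.EXE
O4 - HKLM\..\Run: [8ez6l8hvze] C:\WINDOWS\WFPT7SA5WI.EXE
O4 - HKLM\..\RunServices: [WinVNC] "C:\PROGRAM FILES\REALVNC\WINVNC\WINVNC.EXE" -service
"""

# Assumption: hosts the owner actually chose. rr.com is the ISP portal seen in the Start Page line.
TRUSTED_HOSTS = {"rr.com", "www.rr.com"}

# R0/R1 lines: "<code> - <registry key>,<value name> = <data>"
R_RE = re.compile(r"^(?P<code>R[01]) - (?P<key>[^,]+),(?P<value>[^=]+?)\s*=\s*(?P<data>.*)$")
# O4 lines: "O4 - <hive>\..\<Run key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First executable on a command line, quoted or not (an unquoted path may contain spaces).
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|com|bat|dll|scr|pif))\b', re.IGNORECASE)
# Heuristic (assumption): a digit with a letter somewhere after it, as in WFPT7SA5WI or ga5f6o3380.
# Legitimate names with a trailing numeric suffix (Aticwd32) do not match.
RANDOM_RE = re.compile(r"\d[A-Za-z0-9]*[A-Za-z]")


def looks_random(token):
    """True for alphanumeric tokens of 8+ characters with letters following digits."""
    return len(token) >= 8 and token.isalnum() and RANDOM_RE.search(token) is not None


def exe_from_cmd(cmd):
    """Return the executable path from an O4 command line, or None if none is found."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else None


def triage(log_text, trusted_hosts=TRUSTED_HOSTS):
    """Apply the three triage rules; returns a list of (category, detail) tuples."""
    findings = []
    targets = defaultdict(list)  # lower-cased exe path -> Run value names registering it
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_RE.match(line)
        if m:
            data = m.group("data").strip()
            host = urlparse(data).hostname if data else None
            if host and host.lower() not in trusted_hosts:
                findings.append(("browser-hijack", line))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        exe = exe_from_cmd(m.group("cmd"))
        if exe is None:
            continue
        targets[exe.lower()].append(m.group("name"))
        parent, _, filename = exe.rpartition("\\")
        stem = filename.rsplit(".", 1)[0]
        # Random value name or random file name, dropped straight into the Windows directory.
        if parent.lower() == r"c:\windows" and (looks_random(m.group("name")) or looks_random(stem)):
            findings.append(("random-autorun", line))
    # One binary registered under three or more Run values is re-adding itself at startup.
    for exe, names in targets.items():
        distinct = sorted(set(names))
        if len(distinct) >= 3:
            findings.append(("replicating-autorun",
                             f"{exe} registered under {len(distinct)} Run values: {', '.join(distinct)}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

On the sample above the script reports the searchmyrequest.com search page, the five random-named Run entries, and WFPT7SA5WI.EXE registered under three different value names; the WinVNC service and the ScanRegistry/TaskMonitor entries pass, since they live outside C:\WINDOWS or carry ordinary names. Whether a flagged entry is actually unwanted is still a judgement call, which is why markp62 lists the exact lines to remove rather than a pattern.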

  4. 2004/02/27
    mrfixit62

    mrfixit62 Inactive Thread Starter

    Joined:
    2003/02/19
    Messages:
    6
    Likes Received:
    0
    Mark, thanks for your reply. First let me say I had no intentions of being objectionable with my post, but, after looking at my abbreviation for "follow-up" I can see your point. Sorry.

    I did what you and Lonny suggested and now everything seems to be back to normal on my friend's computer. Because this trojan replicated itself on startup, I had to go back and restore the registry to an earlier date. I was able to restore it to when he first was infected and by closing these programs down was able to run all the scans to correct the problems. Seems this all started when his Avast license expired and he never told me. Hence, no anti-virus protection. What can you expect from someone who spent 50 yrs as a head-hunter for economists. This fella is in his late 80s and does not want to learn anything about computers, but I convinced him to put in a firewall.

    Thanks Mark & Lonny
     
  5. 2004/02/27
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    after looking at my abbreviation for "follow-up"

    I missed the original before it was 'fixed' but I did get a chuckle thinking about what you might have posted - and without really thinking about it. :D
     
    Newt,
    #4
  6. 2004/02/27
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    You're welcome, mrfixit62!
    I am sorry about the misunderstanding of your intention of the abbreviation.
    All's well that ends well.
    In retrospect, I should have merged this thread with the other one but missed the connection between the two. I will leave well enough alone for now, as the context could be lost.
    Any thoughts on this, Newt?
     
  7. 2004/02/27
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Thoughts about getting an 80 y/o to keep his PC protected?

    I think I'd look him directly in the eyes and tell him he either needed to keep an up-to-date firewall /w up-to-date AV, get web TV, or give it up and just go fishing.

    I notice the OS is Win98. Good and stable but unfortunately no good way to schedule things like AV updates. If he has adequate income, maybe worth getting XP since it will schedule things and can be made to look very much like his present OS does.
     
    Newt,
    #6