
various popups, winfixer, surf accuracy...help [HJT log]

Discussion in 'Malware and Virus Removal Archive' started by 1mt, 2005/09/01.

  1. 2005/09/01
    1mt

    1mt Inactive Thread Starter

    Joined:
    2005/07/24
    Messages:
    11
    Likes Received:
    0
    Hi guys,

    I'm back and infested again. This time it's even worse because I can't get hijackthis to run. It just gives an "unexpected error" and crashes. I have tried in safe mode as well. I ran a scan with trendmicro's free virus scanner and read instructions to remove all the bad stuff I had. But, I just left my computer for about 10 minutes and had 9 pop-ups. Also, AVG is detecting viruses as I surf, very often.

    Here's the scoop: I have Win98. I can't run HijackThis (the new version), but I could run the older version (which I don't have anymore). Is there any way you guys can help me without a log? I don't know what to do, and I need to get this cleaned up.

    Thanks in advance. If I can find an older version of hijack this, I will post a log. :)
     
    1mt,
    #1
  2. 2005/09/01
    1mt

    1mt Inactive Thread Starter

    Joined:
    2005/07/24
    Messages:
    11
    Likes Received:
    0
    I got a log from a version of hijackthis, I hope it helps.

    Logfile of HijackThis v1.97.7
    Scan saved at 11:09:12 PM, on 9/1/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\GRXP4EXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\DEVLDR16.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.1\CM_CAMERA.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\WINDOWS\TEMP\UNINSTALL.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\TEMP\BUNDLEP.EXE
    C:\WINDOWS\EXE81.EXE
    C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
    C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\X4SJHLK9\HIJACKTHIS[1].EXE

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\SYSTEM\communicator.dll
    O2 - BHO: (no name) - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\WINDOWS\SYSTEM\QLINK32.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\SYSTEM\communicator.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
    O4 - HKLM\..\Run: [0.59] C:\WINDOWS\EXE81.exe
    O4 - HKLM\..\Run: [immin] C:\WINDOWS\MM15201518.A.STUB.EXE
    O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
    O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
    O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.popuppers.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O16 - DPF: {BB95299D-B65B-47E0-8DDB-697A66298C3A} (UniVoiceX Control) - http://webcamnow.com/voice/voice.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c361.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
    O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} - http://www.icannnews.com/app/ST/ActiveX.ocx
    O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.com/cpi/grinstall_cpi1001.cab
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

    Thanks in advance.
     
    1mt,
    #2


  4. 2005/09/02
    1mt

    1mt Inactive Thread Starter

    Joined:
    2005/07/24
    Messages:
    11
    Likes Received:
    0
    question

    Is there not a way to help me with this version of HijackThis? I was just glad to get a version to run, period. Is there something else I can do? I really need this PC. Please help.
    :(

    Note: I had to disable win.ini, system.ini and startup programs in order to keep my mouse from freezing on startup. I know it is not a conflict that is making the mouse freeze, but some program in the background. It's very annoying and I usually have to disable everything, then re-install my video driver to get it working again. I only mention this because I noticed in another forum that someone's HijackThis log was not complete due to that stuff being disabled. I can't enable it or my PC locks up and I have to reboot. I have checked for strange stuff in win.ini and in system.ini and found nothing that would cause this.
     
    Last edited: 2005/09/02
    1mt,
    #3
  5. 2005/09/02
    oshwyn5

    oshwyn5 Inactive

    Joined:
    2005/08/25
    Messages:
    736
    Likes Received:
    0
    Go to My Computer, open it by double-clicking, then go to View / Folder Options.
    Set it to show hidden and system files.
    Uncheck "Hide known file extensions".


    You have a look2me infection.
    This particular HijackThis version may not yield the information we need to properly identify it.

    Download and install the free version of Ad-aware - Software - Lavasoft:
    After installation, CHECK FOR UPDATES.
    Run this later.

    Next, would you please download the VX2 plugin for Ad-Aware after you have updated:
    http://www.lavasoftusa.com/software/plugins/vx2cleaner.shtml
    Install it, but don't run it yet.

    After reboot, open Ad-Aware.
    Go to "Plug-ins".
    Select the VX2 Cleaner plug-in and click "Run Plugin".
    If your computer isn't infected, click "Close".

    If your computer is infected

    Select "Clean System"
    Reboot your computer
    Scan your computer with Ad-Aware
    Set these additional options for a custom scan:
    click the gear wheel at the top and check these options:

    General > activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

    Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

    Tweaks > Scanning Engine > activate this: "Unload recognized processes during scanning."

    Tweaks > Cleaning Engine > activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

    Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green, then scan your system. When the scan is finished, the screen will tell you if anything has been found; click "Next". The bad files will be listed; right-click the pane and click "Select all objects" - this will put a check mark in the box at the side. Click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".
    RESTART your computer

    You have trojan Dyfuca
    http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453093995
    Removal instructions
    And here
    After completing them, have hijackthis fix this entry
    O4 - HKLM\..\Run: [immin] C:\WINDOWS\MM15201518.A.STUB.EXE
    and manually locate and delete the file
    C:\WINDOWS\MM15201518.A.STUB.EXE

    You have adware delfin project
    O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
    O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
    Remove with HijackThis after following the manual instructions at Symantec:
    http://securityresponse.symantec.com/avcenter/venc/data/adware.delfin.html
    MAKE SURE TO FOLLOW ALL REMOVAL AND REPAIR INSTRUCTIONS.
    Make sure to delete the listed folders
    C:\WINDOWS\SYSTEM\nsvsvc
    and
    C:\WINDOWS\SYSTEM\VIDCTRL

    Run HijackThis with all other windows closed, select the following entries and choose Fix:
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - (no file)
    (This is a leftover from Download Accelerator Plus. Appears uninstalled.)
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\SYSTEM\communicator.dll
    O2 - BHO: (no name) - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\WINDOWS\SYSTEM\QLINK32.DLL
    O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\SYSTEM\communicator.dll
    O4 - HKLM\..\Run: [0.59] C:\WINDOWS\EXE81.exe
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.popuppers.com
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M...bridge-c361.cab
    O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares...ysb_regular.cab
    O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} - http://www.icannnews.com/app/ST/ActiveX.ocx
    O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.c...all_cpi1001.cab

    Empty the Recycle Bin, delete temp and temporary internet files.
    Reboot, then download and run the latest version of HijackThis.
    Download it from majorgeeks.
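    As an added example (the editor's, not code from the thread, from HijackThis or from any of the tools named above): a small Python triage script that parses lines in the HijackThis 1.97 log format and flags the same categories the reply above singles out for a fix: orphaned BHOs ("(no file)"), a removed default URLSearchHook, Trusted Zone additions, O16 ActiveX downloads with no friendly name, and O4 Run entries whose program sits directly in the Windows directory or in a TEMP folder. The rules are this example's own heuristics (assumptions, not HijackThis logic), and the sample lines are constructed from the log posted in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample in HijackThis 1.97 log format; the lines are the kinds
# of entries that appear in the thread's log (some copied from it verbatim).
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [0.59] C:\WINDOWS\EXE81.exe
O4 - HKLM\..\Run: [immin] C:\WINDOWS\MM15201518.A.STUB.EXE
O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O15 - Trusted Zone: *.media-motor.net
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c361.cab
"""

# "Rn - body" / "On - body": the entry kind followed by its details.
LINE_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.+)$")
# O16: DPF: {CLSID} (optional friendly name) - URL
O16_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
# O4: HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Services|Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# First drive-letter path inside a command line (directory names may contain spaces).
PATH_RE = re.compile(r"[A-Za-z]:\\(?:[^\\,]+\\)*[^\\,\s]+")


@dataclass
class Entry:
    kind: str
    body: str
    reason: Optional[str] = None  # filled in when the entry is flagged


def parse_hjt_log(text: str) -> List[Entry]:
    """Keep only the Rn/On entry lines; process lists and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


def first_path(cmd: str) -> Optional[str]:
    m = PATH_RE.search(cmd)
    return m.group(0) if m else None


def in_windows_root(path: str) -> bool:
    """Heuristic: the file sits directly in the Windows directory, not a subfolder."""
    return re.match(r"[A-Za-z]:\\WINDOWS\\[^\\]+$", path, re.IGNORECASE) is not None


def assess(entry: Entry) -> Optional[str]:
    """Return a reason for a human to look at the entry, or None if no rule fires.
    These rules are the example's own assumptions, not HijackThis logic."""
    if entry.kind == "R3" and "is missing" in entry.body:
        return "default URLSearchHook removed; a common side effect of a hijacker"
    if entry.kind == "O2" and entry.body.endswith("(no file)"):
        return "BHO registered but its DLL is gone (orphaned registration)"
    if entry.kind == "O15":
        return "site added to the IE Trusted Zone, which lowers security for that domain"
    if entry.kind == "O16":
        m = O16_RE.match(entry.body)
        if m and not m.group("desc"):
            host = urlsplit(m.group("url")).hostname or "?"
            return "ActiveX control download (DPF) with no friendly name, from " + host
    if entry.kind == "O4":
        m = O4_RE.match(entry.body)
        if m:
            name, path = m.group("name"), first_path(m.group("cmd"))
            if path and in_windows_root(path):
                return "Run entry launches a program placed directly in the Windows directory"
            if path and "\\TEMP\\" in path.upper():
                return "Run entry launches a program from a TEMP folder"
            if re.fullmatch(r"\d+(?:\.\d+)*", name):
                return "Run value name looks like a random version-style string"
    return None


def triage(text: str) -> List[Entry]:
    """Parse a log and return only the entries that some rule flagged."""
    flagged = []
    for entry in parse_hjt_log(text):
        reason = assess(entry)
        if reason:
            entry.reason = reason
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind}: {e.body}\n    -> {e.reason}")
```

    The output is a shortlist for a human, not a verdict: a Trusted Zone entry or an unnamed DPF download is worth a look, but the decision to fix an entry still rests on knowing what the file is, which is why the reply above pairs each HijackThis fix with a vendor write-up and a manual file deletion.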
     
  6. 2005/09/02
    1mt

    1mt Inactive Thread Starter

    Joined:
    2005/07/24
    Messages:
    11
    Likes Received:
    0
    Hi, thank you for helping me. :)

    I am still having a popup problem, but it doesn't seem to be as bad. Also, I ran an AVG scan and found several viruses (14) in temporary internet files. I deleted them and the stuff in that folder. I am still having no luck running the latest version of hijackthis...I keep getting an "unexpected error" message as soon as I click the executable.

    I downloaded the tool for Adaware and it found nothing.
    Also in terms of dyfuca I found nothing but a few registry entries, I found no actual files.

    So it appears that I cannot run the latest HijackThis version for some reason. I have seen online where people are having this problem, but I have not seen a solution. Is there anything else I can do now? I am still having popups, 3 since I started typing this.

    Again, thanks for your help.
    1MT
     
    1mt,
    #5
  7. 2005/09/03
    oshwyn5

    oshwyn5 Inactive

    Joined:
    2005/08/25
    Messages:
    736
    Likes Received:
    0
    Okay, we will try a different (older) method

    http://www.downloads.subratam.org/l2mfix.exe

    Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!


    Launch IE, paste the following into the address bar and press Enter:
    Javascript:navigator.userAgent

    Please copy what it displays and post it here.

    What we are trying to do is find a secret hidden file which this installs so we can remove it.
     
  8. 2005/09/03
    1mt

    1mt Inactive Thread Starter

    Joined:
    2005/07/24
    Messages:
    11
    Likes Received:
    0
    Hey, thanks again.

    I downloaded the file but it won't work with 9x (gives me an error message). I downloaded the 14-day trial of Spy Sweeper from Webroot, and I think it might have gotten everything. I ran it in safe mode, because it kept locking up, and the program caught a bunch of stuff, including the infamous WinFixer. I have been on the net for a while now, and I haven't gotten any popups...so hopefully now I'm cured.

    I would like to be sure though, so if there is anything else you can recommend it would be appreciated. I know we are running out of options. I can't thank you enough for helping. :D
     
    1mt,
    #7
  9. 2005/09/04
    oshwyn5

    oshwyn5 Inactive

    Joined:
    2005/08/25
    Messages:
    736
    Likes Received:
    0
    I keep forgetting to tell folks to get the standard antispyware programs and run in safe mode first.

    Does this show anything?
    Launch IE and paste the following into the address bar and press enter
    javascript:navigator.userAgent

    There should be one line like
    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

    If there is anything about a dll, I need to know.

    I just got to thinking: you have Win98, and all this trouble with removing it is in XP. If you do not have a dll showing in the javascript thing, you are clean.
     
    Last edited: 2005/09/04
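    As an added example (the editor's, not from the thread or from any tool it mentions) of the check the post above describes: a Python helper that splits the user agent string returned by `javascript:navigator.userAgent` into its tokens, reports any token naming a .dll, and, going slightly beyond the post, reports every token outside a small allowlist of forms a stock IE6-era string carries. The allowlist is this example's own assumption and is deliberately incomplete, so unfamiliar tokens are reported for a human rather than accepted; the tampered string below is constructed and its DLL name is a placeholder.

```python
import re
from typing import List

# Assumption: token forms a stock IE6-era user agent can legitimately carry.
# Anything else is reported for a person to look at rather than accepted.
KNOWN_TOKEN_PATTERNS = [
    re.compile(r"^compatible$"),
    re.compile(r"^MSIE \d+\.\d+$"),
    re.compile(r"^Windows (?:NT \d+\.\d+|98|95|ME|CE)$"),
    re.compile(r"^Win9x 4\.90$"),
    re.compile(r"^SV1$"),
    re.compile(r"^\.NET CLR \d+(?:\.\d+)+$"),
]

# The clean reference line quoted in the post above.
CLEAN_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

# Constructed example of a string with an extra DLL token; the file name is a placeholder.
TAMPERED_UA = r"Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; C:\WINDOWS\SYSTEM\PLACEHOLDER.DLL)"


def ua_tokens(user_agent: str) -> List[str]:
    """Split the parenthesised part of the UA into its ';'-separated tokens."""
    m = re.search(r"\((.*)\)", user_agent)
    if not m:
        return []
    return [t.strip() for t in m.group(1).split(";") if t.strip()]


def dll_tokens(user_agent: str) -> List[str]:
    """The specific thing the post asks for: any token that names a .dll."""
    return [t for t in ua_tokens(user_agent) if ".dll" in t.lower()]


def unexpected_tokens(user_agent: str) -> List[str]:
    """Every token that matches none of the known forms (a broader net than dll_tokens)."""
    return [t for t in ua_tokens(user_agent)
            if not any(p.match(t) for p in KNOWN_TOKEN_PATTERNS)]


def ua_looks_clean(user_agent: str) -> bool:
    return not unexpected_tokens(user_agent)


if __name__ == "__main__":
    for ua in (CLEAN_UA, TAMPERED_UA):
        print(ua)
        print("  dll tokens:", dll_tokens(ua))
        print("  unexpected:", unexpected_tokens(ua))
```

    Paste the string the browser displays into `unexpected_tokens`; an empty list is the "clean" outcome the post describes, and anything else names exactly which token to ask about.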
  10. 2005/09/07
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
