All Scans/Cleans done HJT Log[RESOLVED]

#1 Niaren (Member, 20 posts)
This system was a mess and still has some problems but is running better. First Cleanup removed 35.7mg, AdAwareSE removed over 300 entries, Spybot took another 30, CWS came up negative (coolweb showed up in both adaware and spybot), Trojan Remover pulled out and removed 10 different Trojans, TDS3 wouldn't update...uninstalled and reinstalled twice and it finally updated for today and I did a full system scan.

Since I'm familiar with my system, and even though I'm still working on my practice log #1....hehe....been busy cleaning this one....I put what I thought should be fixed....added any questions I have after the full log. Thanks in advance for your assistance.

Logfile of HijackThis v1.99.1
Scan saved at 7:28:55 PM, on 6/6/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\MCAFEE\QUICKCLEAN\PLGUNI.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
C:\PROGRAM FILES\HP PRINTER SCANNER COPIER\BIN\HPOSTR02.EXE
C:\PROGRAM FILES\HP PRINTER SCANNER COPIER\BIN\HPOVDX02.EXE
C:\WINDOWS\SYSTEM\HPOMLCH.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\SPYWARE PREVENTION\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.../winsearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.../winsearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape...nsearch200.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ICSDCLT] c:\windows\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [WinPoET] C:\Program Files\VerizonDSL\WinPoET\WinPPPoverEthernet.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [SSDPSRV] c:\windows\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HP Printer Scanner Copier 300 StartUp.lnk = C:\Program Files\HP Printer Scanner Copier\bin\HPOstr02.exe
O4 - Startup: MemTurbo.lnk.disabled
O4 - Startup: eBot.lnk.disabled
O4 - Startup: AntiCrash.lnk.disabled
O4 - Startup: NetTurbo.lnk.disabled
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.bankofamerica.com
O16 - DPF: {06D5218D-079C-11D3-B2D1-00A0C98684AC} - http://download.mcaf...wf/mghwinfo.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

Proposed Fixes

C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
This can/should be disabled, but I'm not sure how. It's also in the 04's, but I didn't leave it in as a fix. All recommendations pointed at disabling it rather than deleting.

C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
This is disabled on the control panel, but it keeps coming back....can it be deleted safely? It's not on my uninstall list, but is known for causing hangs and crashes. I go into Spybot and kill the process, but......

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.../winsearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.../winsearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape...nsearch200.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com


Home/Search pages (msn.com) never get hijacked. Netscape is finally off this computer. Have a grandfathered acct w/ISP, so had to call them and get a workaround so I could uninstall Netscape, otherwise w/out it my connection died. Don't have yahoo except web mail acct. None of this is necessary.



O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab

Fix....no yahoo

Ok now....how'd I do?

I did verify the Rundll32.exe as an actual system file, but I kept getting a request to Rundll as an application....had to block it in the firewall and took it off the start page (run as an app that is), so now Rundll32.exe loads but I don't constantly get the request to run it as an application.....should I be worried that it always appears in the running processes?

Also, I made a huge BooBoo in SpyBot. I was looking through the Start Items to verify what files were actually running (disabled some) and my dog goosed me and I hit the mouse on the delete.....not too bad as it brought up a confirm menu, so I went to let both dogs out (idiot me didn't cancel it before leaving my desk)....Hubby doesn't know a thing about computers and thought he'd help me out by hitting OK *sigh*. :tazz:

I did put it on my start menu for now so I can exe it before printing, but do you know how I can put it back on the startup? This is my C:\Windows\System\Spool32.exe so it's kinda necessary. Help! ;)

Edited by Niaren, 07 June 2005 - 02:00 PM.

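The log above is a HijackThis v1.99.1 report, and the poster triaged it by hand. The following is an added example (not code from the forum, from HijackThis, or from the poster) of how that triage can be scripted for the sections that matter most here: R0/R1 browser settings, O1 hosts-file redirects, O4 autostarts, O15 Trusted Zone sites and O16 downloaded ActiveX controls. The sample input is a subset of the log lines posted above, reproduced verbatim (the "..." inside URLs is the forum's truncation); the expected home/search host (msn.com) comes from the poster's own statement, and the severity labels are this example's assumptions.

```python
import re

# Constructed sample input: a subset of the HijackThis v1.99.1 entries from the log
# posted above, reproduced verbatim (the "..." inside URLs is the forum's truncation).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
O4 - Startup: MemTurbo.lnk.disabled
O15 - Trusted Zone: http://www.bankofamerica.com
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)")
O4_RE = re.compile(r"^(?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^Startup: (?P<name>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_hjt(text):
    """Split a HijackThis log into (section, detail) pairs; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries, expected_hosts):
    """Return review findings as (section, severity, message) tuples.

    expected_hosts: hostnames the owner actually uses for home/search pages;
    any other host in an R0/R1 entry is flagged for review (hijack or leftover software).
    """
    findings = []
    for section, detail in entries:
        if section in ("R0", "R1"):
            m = URL_HOST_RE.search(detail)
            host = m.group(1).lower() if m else "(no URL)"
            if host not in expected_hosts:
                findings.append((section, "review", f"IE setting points to {host}"))
        elif section == "O1":
            # HJT only lists hosts-file lines that map a name to a non-local address,
            # i.e. a silent redirect of that hostname, whatever the IP is.
            findings.append((section, "high", f"hosts-file redirect: {detail[len('Hosts: '):]}"))
        elif section == "O4":
            m = O4_RE.match(detail)
            if m:
                findings.append((section, "inventory", f"autostart {m['where']} [{m['name']}] -> {m['cmd']}"))
            else:
                m = O4_STARTUP_RE.match(detail)
                if m and m["name"].endswith(".disabled"):
                    findings.append((section, "info", f"startup item already disabled: {m['name']}"))
                elif m:
                    findings.append((section, "inventory", f"startup folder item: {m['name']}"))
        elif section == "O15":
            # Trusted Zone sites get relaxed IE security settings; every entry deserves a look.
            findings.append((section, "review", f"trusted-zone site: {detail.split(': ', 1)[1]}"))
        elif section == "O16":
            clsid = CLSID_RE.search(detail)
            m = URL_HOST_RE.search(detail)
            src = m.group(1) if m else "(no source URL)"
            findings.append((section, "review", f"downloaded ActiveX {clsid.group(0) if clsid else '?'} from {src}"))
    return findings


def summarize(text, expected_hosts=("www.msn.com", "msn.com")):
    """Count findings per severity; a quick first glance at a long log."""
    counts = {}
    for _, sev, _ in triage(parse_hjt(text), set(expected_hosts)):
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG), {"www.msn.com", "msn.com"}):
        print("%-3s %-9s %s" % f)
```

Run against the sample, the script flags both browser-setting entries that do not point at msn.com, the hosts-file line, the Trusted Zone site and the downloaded control, while the O4 lines are listed as an inventory for the reader to judge rather than marked bad, which matches how the thread treats them.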
#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Checking and fixing this won't disable it?

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

For C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE, is this listed in msconfig? I think it's not, but check. If you can't even disable it from the settings itself, then try renaming that OSD.EXE file to OSD.EXE.OLD instead. That should prevent it from running.

rundll32.exe might be ok to be on all the time. I see you have a handful of programs running and I think rundll32 is showing up because of these. I don't have a lot of programs running and don't see it usually. If you want, try disabling all those unnecessary programs and see if rundll32 still shows up.

:tazz: He was just trying to help out. OK, what was deleted there? Kind of confusing still. Spybot deleted?

Put what back to startup? Spybot? If you put it in the Startup folder it should startup.

And what's the question for C:\Windows\System\Spool32.exe?

Good job on the other fixes. Not harmful, but good to fix. ;)

#3 Niaren (Topic Starter, Member, 20 posts)
Oh for the Spool32.exe.....that's the line that got zapped out of the startup menu for my computer....inside Spybot. Under Spybot, Advanced Mode, under Tools, you can look at all running processes, BHOs, browser pages, do IE Tweaks, see the System Internals (checks for registry problems...missing or misdirected shortcuts and such), System Startup, LSPs, uninstall info, etc, etc. I was under the System Startup and accidentally zapped the C:\Windows\System\Spool32.exe.

(That's what I accidentally clicked when my dog goosed me....the line was what was highlighted. I just didn't cancel the confirm delete menu.....hubby knew I was going nuts between all the demands on me, so he figured he'd help me out by hitting OK while I was turning out the dogs. I do wildlife rehab too...wolves and hybrids are my specialty...got 2 transients right now, plus mine, plus a long-term babysit. I take care of my Mom [Alzheimer's] full-time, plus do contract work as a CSE [customer service evaluator], Artist/Photographer and write freelance. Add to that: Hubby doesn't drive, so I'm errand lady and chauffeur.....so I was initially upset, but I know he was just trying to help me out *sigh* Now I just have to fix it. :tazz: )

I think these (System Startup) are the files that are autoruns inside the autoexec.bat, but I can't remember. I stuck the system file (made a shortcut) Spool32.exe on my start menu so I could manually start it, but normally it only shows in the running processes as the file is normally hidden. Now, it doesn't startup with the computer automatically.....That's what got zapped from the System Startup. Lots of the DOS commands have changed over time, I know when I've explored under DOS, most of the basic commands and switches are the same, but many are different enough now that the ones I know don't work, hehe. So, I'm terrified of editing anything for fear of mucking it up. (I know I'm dangerous to my computer as I've lots of knowledge, but the knowledge is incomplete and/or outdated) So, I need to put it back where it was, but I'm not sure about how to do that exactly or even where it was - autoexec.bat or in the configuration. It's ok to tell me to check with someone else.....I know you work hard on this forum, and I don't want to add to your load if somewhere else is more appropriate to ask about this.

I will check the config.sys on my clunker and see if the OSD.exe is in there. No, it won't disable even in the control panel keyboard menu (I'm not even sure what it does honestly except for determining what fonts and colors are used for Marquee-style displays), but I'll try renaming it and see if that works. Actually, renaming it seems the simplest solution. So.....what if OSD.exe does show up in msconfig? Can I still just rename it in its folder, or do I need to do something else?

For O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe , That's what I wasn't sure of.....by hitting fix with HJT....I didn't know if it'd delete it or just disable it. So, do I just fix the 04 entry, or do I fix both the running process and the 04? I know if the change isn't a good one it can be undone by HJT, but I really don't want to create any more new problems for myself out of ignorance.

And yes, I noticed I'd forgotten to shut down the partial post I was working on so my being on the web showed up....duh...silly me.....BUT Rundll32.exe is always in the running processes even with everything else turned off. Inside Spybot under System Startup, it has a switch /autorun after the path. So I'm sure that's why it's always in the running processes, but I'm not sure if that's normal. The machine is an old HP Pavilion 4440.....so it was on the edge of new technology. It also has an AMD K62 333 processor. Compressed drives were still pretty new when I got it, so it may be something that's required as a bridge.....I'm just not sure.

Ummm....I think that answers all the questions you had. I still have to check my email, review guidelines for my job tomorrow....ask any questions I have prior to tomorrow....Mom's morning routine.....then chauffeur to dentist and check on some items I have on consignment at the Nautical Antiques...close to the dentist, so I'll kill 2 birds w/one trip out, heh.....Have to flea bath, dematt and do general checks on my 2 transient animals....I have a flyer to complete and ready to present for late this afternoon....of course there's all the daily stuff for my mother, household and family.....already weeded the garden and started laundry, fed all the animals.....yard time....pooper scooper duty.....put out trash and recycling.....so I probably won't be back to check anything till after evening routines: 8pm or so....so no rush. Thanks for the info on AVG and Zone Alarm.....hehe....those were the ones I was considering too! ;) Not sure if I'll get to the switchover tonight, but....we'll see. And, yes, I'm familiar with grc.....I go there to check my system about once a month just to make sure I'm not leaking ;) ......well....it'll be systems now. I also want to finish my first practice log, but that may get put off another day as well.....Anyway, I will check the forum here later tonight. Oh another aside....as I'm on my main system now.....all the little alerts and blocks from the firewall have stopped now that the other machine has been cleaned (mostly). I was getting them even when the clunker was turned off, but I haven't had any at all the past couple of mornings, so I think it was probably one of the trojans that got wiped......weird though.....I didn't think they could do anything if the machine wasn't on.....hmmm.....still a puzzle, but at least it has stopped. ;)

Thanks sooooo much greyknight17.....like I said, you're a sweetie, and I really appreciate your care and attention to my little computer mess(es). Thanks too for the ref to TDS3.....pretty cool program....I'm still exploring it, but just what I've seen so far is amazing....lol....I like that it talks to me too! :tazz:

You have a really GREAT day!

Tah, Niaren

#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Oh, ok I see what you mean now LOL. They shouldn't check all those entries for you :tazz: So you hit Fix selected there and hubby clicked OK. Gotcha. Not sure if it's here, but go to the main spybot screen (when you open it), and click on Recovery button. Is it listed there? If so, try to undo it there. I see you're busy, busy, busy. ;)

If it's in msconfig, then by all means try unchecking it first to see if that disabled it. But if not, renaming it should do. Just rename the OSD file.

No problem. When you do a fix for the O4 entries in HijackThis, the files will not be deleted. All that does (by fixing them) is that it disables the program/file from running at startup. You can look at this as if you actually went into msconfig and unchecked that entry.

BUT Rundll32.exe is always in the running processes even with everything else turned off.

OK, I'm not sure if that's normal for some users. I certainly don't have this process running all the time. I don't recall the last time I saw this actually, but it's definitely running some time since I remember seeing it before. Search for Rundll32.exe and see how many instances of that file you can find. Upload that file/files to this site and see what it reports back.

No problem Niaren. Again, you are very busy as we can all see. I'm just glad I could lend a helping hand. My doing all these things and also trying to help others with HijackThis logs. That will be a 24 hour job ;) In all seriousness, I'm glad you can handle all of these daily activities. I would have probably gone nuts myself LOL.

Is there any update on this computer? Better or worse?
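greyknight17's advice above is to search the disk for every copy of Rundll32.exe and submit the files for scanning, since a genuine system file can share its name with something that is not. The script below is an added example (not the forum's, HijackThis's or the poster's code) of that check done methodically: it walks a drive, finds every file with that name regardless of case, records where each copy sits relative to the drive root, compares the location with the directories where the real file is expected, and computes a SHA-256 hash per copy so each one can be compared against a scanner's verdict without uploading it twice. The expected directories (windows and windows/system) are this example's assumption for a Windows 98 install, and the demo builds a constructed two-file drive image in a temporary folder rather than touching a real system.

```python
import hashlib
import os
import tempfile

# Directories (relative to the drive root, lower-case, "/"-separated) where a genuine
# copy of rundll32.exe lives on a Windows 98 install. Assumed for this example.
EXPECTED_DIRS = {"windows", "windows/system"}


def sha256_of(path):
    """Hash a file in chunks; the digest is what you compare against a scanner's report."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_named_files(root, name):
    """Return every file under root whose name matches case-insensitively (Win9x is case-blind)."""
    hits = []
    target = name.lower()
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower() == target:
                hits.append(os.path.join(dirpath, fn))
    return hits


def audit_copies(root, name="rundll32.exe", expected_dirs=EXPECTED_DIRS):
    """Describe each copy: where it is, whether that location is expected, and its hash."""
    results = []
    for path in find_named_files(root, name):
        rel_dir = os.path.relpath(os.path.dirname(path), root).replace(os.sep, "/").lower()
        results.append({
            "path": path,
            "rel_dir": rel_dir,
            "location_ok": rel_dir in expected_dirs,
            "sha256": sha256_of(path),
        })
    return results


def distinct_hashes(results):
    """Several copies with different hashes means at least one is not the same file."""
    return len({r["sha256"] for r in results})


def demo():
    """Build a constructed drive image in a temp dir, audit it, and return the sorted results."""
    with tempfile.TemporaryDirectory() as root:
        sys_dir = os.path.join(root, "windows", "system")
        tmp_dir = os.path.join(root, "windows", "temp")
        os.makedirs(sys_dir)
        os.makedirs(tmp_dir)
        # Constructed contents: a stand-in for the real file, and a different file with the same name.
        with open(os.path.join(sys_dir, "RUNDLL32.EXE"), "wb") as fh:
            fh.write(b"MZ constructed stand-in for the genuine file")
        with open(os.path.join(tmp_dir, "rundll32.exe"), "wb") as fh:
            fh.write(b"MZ constructed stand-in for an impostor")
        results = audit_copies(root)
    return sorted(results, key=lambda r: r["rel_dir"])


if __name__ == "__main__":
    for r in demo():
        flag = "ok   " if r["location_ok"] else "CHECK"
        print(f"{flag} {r['rel_dir']:<16} {r['sha256'][:16]}...")
```

On a real machine you would call audit_copies() with the drive root instead of running demo(); a copy outside the expected directories, or two copies whose hashes differ, is the one to hand to the scanner first.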

#5 Niaren (Topic Starter, Member, 20 posts)
Heh...I'm not usually so chatty, and I'm normally not so busy. Now if all my days were like that I would be bonkers, but they aren't thankfully. I did forget that I was in open forum though. Sorry. :tazz:

I finally found the problem that was lingering in my main system. Had nothing to do with malware really. An online game I play had a corrupted patch in the client and many were experiencing patch problems with a new patch. Many were infected with malware, but since I knew my system was clean, and none of the Devs' workarounds were working or simply didn't apply....I went ahead and uninstalled the game, cleaned and defragged and reloaded it. *Poof* My system lag is gone and the game patched through just fine.

At least I now consider my main system sorted out. ;)
I haven't gotten back over to my slave, but will do so later today.

Just thought you'd like to know.

Thanks again for all your assistance!
Niaren

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.