[chimpyboy]

So I'm trying to clean up an old computer (Win 95), and it's got lots of problems...I've run Norton AV and Spybot and CWShredder, which has cleaned out a lot of junk, but cannot install adawarese for some reason (probably cause the computer is old and crappy).

Anyway, here is the log, can anyone advise me on where to go from here?

Logfile of HijackThis v1.97.7
Scan saved at 10:15:43 AM, on 12/28/04
Platform: Windows 95 B (Win9x 4.00.1212)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\MSBB.EXE
C:\PROGRAM FILES\WRUSVQT\QURQWP.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\QTMH.EXE
C:\PROGRAM FILES\WRUSVQT\PWQRUQ.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZSERV.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [msbb] c:\windows\msbb.exe
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\WINNET.EXE
O4 - HKLM\..\Run: [WinFavorites] C:\PROGRAM FILES\WINFAVORITES\WINFAVORITES.exe1
O4 - HKLM\..\Run: [nvid] C:\WINDOWS\SYSTEM\kzpgapcv.exe
O4 - HKLM\..\Run: [bIpHSsox] C:\PROGRA~1\WRUSVQT\QURQWP.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\SATMAT.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [qtmh] c:\windows\qtmh.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [zzb] c:\Windows\System\zzb.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: WebMail (HKCU)
O9 - Extra button: Weather (HKCU)
O12 - Plugin for .qt: C:\PROGRA~1\INTERN~1\PLUGINS\NPQTPL~1.DLL
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - http://download.micr...N-US/msorun.cab

[Advertisements]

Welcome to GeeksToGo.

We apologize for the delay in response. The forums have been very busy lately.

This is the first time I have seen a Windows 95 HijackThis log.

You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

Visit this site for instructions on how to remove CommonName:

http://www.commonnam...lt.asp?idx=10#4

Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZSERV.DLL
O4 - HKLM\..\Run: [msbb] c:\windows\msbb.exe
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\WINNET.EXE
O4 - HKLM\..\Run: [WinFavorites] C:\PROGRAM FILES\WINFAVORITES\WINFAVORITES.exe1
O4 - HKLM\..\Run: [nvid] C:\WINDOWS\SYSTEM\kzpgapcv.exe
O4 - HKLM\..\Run: [bIpHSsox] C:\PROGRA~1\WRUSVQT\QURQWP.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\SATMAT.exe
O4 - HKLM\..\Run: [qtmh] c:\windows\qtmh.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [zzb] c:\Windows\System\zzb.exe
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O14 - IERESET.INF: START_PAGE_URL=

Reconfigure Windows XP to show hidden files:
Double-click on the My Computer icon.
Select the View menu and then click Options.
After the new window appears select the View tab.
Scroll down until you see the Show all files radio button and select it.
Press the OK button and close the My Computer window.
Now your computer is configured to show all hidden files.

Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.

Please remove these entries from Add/Remove Programs in the Control Panel(if present):

WinFavorites

Please delete these folders using Windows Explorer(if present):

C:\PROGRAM FILES\WINFAVORITES
C:\Program Files\WRUSVQT

Please delete these files using Windows Explorer(if present):

c:\windows\msbb.exe
c:\windows\qtmh.exe
C:\WINDOWS\SATMAT.exe
C:\WINDOWS\wupdt.exe
C:\WINDOWS\SYSTEM\kzpgapcv.exe
c:\Windows\System\zzb.exe

Now you can restart the computer normally.
Please run HijackThis again and post a fresh log, just so I can make sure that all the malware was deleted according to plan.

[LineOFire]

Welcome to GeeksToGo.

We apologize for the delay in response. The forums have been very busy lately.

This is the first time I have seen a Windows 95 HijackThis log.

You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

Visit this site for instructions on how to remove CommonName:

http://www.commonnam...lt.asp?idx=10#4

Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZSERV.DLL
O4 - HKLM\..\Run: [msbb] c:\windows\msbb.exe
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\WINNET.EXE
O4 - HKLM\..\Run: [WinFavorites] C:\PROGRAM FILES\WINFAVORITES\WINFAVORITES.exe1
O4 - HKLM\..\Run: [nvid] C:\WINDOWS\SYSTEM\kzpgapcv.exe
O4 - HKLM\..\Run: [bIpHSsox] C:\PROGRA~1\WRUSVQT\QURQWP.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\SATMAT.exe
O4 - HKLM\..\Run: [qtmh] c:\windows\qtmh.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [zzb] c:\Windows\System\zzb.exe
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O14 - IERESET.INF: START_PAGE_URL=

Reconfigure Windows XP to show hidden files:
Double-click on the My Computer icon.
Select the View menu and then click Options.
After the new window appears select the View tab.
Scroll down until you see the Show all files radio button and select it.
Press the OK button and close the My Computer window.
Now your computer is configured to show all hidden files.

Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.

Please remove these entries from Add/Remove Programs in the Control Panel(if present):

WinFavorites

Please delete these folders using Windows Explorer(if present):

C:\PROGRAM FILES\WINFAVORITES
C:\Program Files\WRUSVQT

Please delete these files using Windows Explorer(if present):

c:\windows\msbb.exe
c:\windows\qtmh.exe
C:\WINDOWS\SATMAT.exe
C:\WINDOWS\wupdt.exe
C:\WINDOWS\SYSTEM\kzpgapcv.exe
c:\Windows\System\zzb.exe

Now you can restart the computer normally.
Please run HijackThis again and post a fresh log, just so I can make sure that all the malware was deleted according to plan.