Tech Support Guy banner
Status
Not open for further replies.
1 - 20 of 47 Posts

· Registered
Joined
·
42 Posts
Discussion Starter · #1 ·
I finally successfully downloaded and ran HijackThis; the log is posted below. This system is on an older computer, and has had no maintenance in a long time.
Thanks
Sunshine 2

Logfile of HijackThis v1.97.7
Scan saved at 3:39:25 PM, on 3/20/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ROXIO\GOBACK\GBPOLL.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOCALNET\FPTOOL.EXE
C:\PROGRAM FILES\LOCALNET\MSNGR\FPMSNGR.EXE
C:\WINDOWS\AUSVC.EXE
C:\WINDOWS\BVT.EXE
C:\WINDOWS\PMR.EXE
C:\PROGRAM FILES\LOCALNET\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\TVTMD.EXE
C:\PROGRAM FILES\ROXIO\GOBACK\GBTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DRWATSON.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.allcybersearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.allcybersearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.allcybersearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.allcybersearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.allcybersearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.allcybersearch.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.allcybersearch.com/ie/
R3 - URLSearchHook: TvmBho Class - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\TV MEDIA\TvmBho.dll
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
F1 - win.ini: load=ptsnoop.exe
F1 - win.ini: run=hpfsched
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\IECOMP.DLL
O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\TV MEDIA\TvmBho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {69550BE2-9A78-11d2-BA91-00600827878D} - C:\WINDOWS\SYSTEM\shdocvw.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Total Internet] C:\PROGRAM FILES\LOCALNET\FPTOOL.EXE
O4 - HKLM\..\Run: [Total Internet Messenger] C:\PROGRA~1\LOCALNET\MSNGR\FPMSNGR.exe
O4 - HKLM\..\Run: [ausvc] C:\WINDOWS\ausvc.exe
O4 - HKLM\..\Run: [SysScan] C:\WINDOWS\bvt.exe
O4 - HKLM\..\Run: [absr] C:\WINDOWS\pmr.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\LocalNet\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [sp] regedit -s C:\WINDOWS\sp.reg
O4 - HKLM\..\Run: [MemoryMeter] C:\PROGRAM FILES\MEMORYMETER\MEMORYMETER.EXE
O4 - HKLM\..\Run: [TVTMD] C:\WINDOWS\TVTMD.EXE
O4 - HKLM\..\Run: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Roxio\GoBack\GBPoll.exe
O4 - HKCU\..\Run: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O8 - Extra context menu item: >>> Search The Web <<< - javascript:var txt=window.external.menuArguments.document.selection.createRange().text;if(txt!=''){window.external.menuArguments.document.location='http://www.allcybersearch.com/ffeed.php?term='+txt;}else{window.external.menuArguments.document.location='http://www.allcybersearch.com/';}
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.memorymeter.com/MemoryMeter.cab
O16 - DPF: {54E7E082-1DA6-412E-96B5-C290FCEF5329} (DFRun Class) - http://webpdp.gator.com/v3/download/iegator_4090_hd3ptdmgainads.cab
O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} (PdpPi Class) - http://webpdp.gator.com/v3/download/pdpplugin5094_hd3ptdmgainads.cab
 

· Registered
Joined
·
42 Posts
Discussion Starter · #5 ·
mobo
I downloaded the housecall application and ran the scan. It came up with 13 infected files. They were labeled uncleanable, and when I tried to delete them, of course I was unable to do so.
Next step?
Sunshine2
 

· Registered
Joined
·
42 Posts
Discussion Starter · #6 ·
Sunshine 2 back again. I was finally able to execute housecalls application. I deleted two Trojan viruses, but one remains and it says it is uncleanable. TROJ SUA A c:\windows\temp\acid281.t...

After I ran housecalls I reran HijackThis; the log is posted below.
Please advise.

Logfile of HijackThis v1.97.7
Scan saved at 7:32:41 PM, on 3/23/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\ROXIO\GOBACK\GBPOLL.EXE
C:\AV\INOCULATEIT\INOTASK.EXE
C:\AV\INOCULATEIT\INORT9X.EXE
C:\AV\INOCULATEIT\INORPC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOCALNET\FPTOOL.EXE
C:\PROGRAM FILES\LOCALNET\MSNGR\FPMSNGR.EXE
C:\WINDOWS\PMR.EXE
C:\PROGRAM FILES\LOCALNET\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\LOGWAT95.EXE
C:\AV\INOCULATEIT\REALMON.EXE
C:\PROGRAM FILES\ROXIO\GOBACK\GBTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?session={C523F0D4-8475-49BD-A429-1BC3D1B3212B}&version_id=22
R3 - URLSearchHook: TvmBho Class - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\TV MEDIA\TvmBho.dll
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
F1 - win.ini: load=C:\PROGRA~1\INTERN~1\ptsnoop.exe;C:\WINDOWS\ptsnoop.exe;C:\WINDOWS\COMMAND\ptsnoop.exe;C:\WINDOWS\SYSTEM\ptsnoop.exe
F1 - win.ini: run=C:\PROGRA~1\INTERN~1\hpfsched.bat;C:\PROGRA~1\INTERN~1\hpfsched.exe;C:\PROGRA~1\INTERN~1\hpfsched.com;C:\PROGRA~1\INTERN~1\hpfsched.scr;C:\PROGRA~1\INTERN~1\hpfsched.vbs;C:\WINDOWS\hpfsched.bat;C:\WINDOWS\hpfsched.exe;C:\WINDOWS\hpfsched.com;C:\WINDOWS\h
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\IECOMP.DLL
O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\TV MEDIA\TvmBho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Total Internet] C:\PROGRAM FILES\LOCALNET\FPTOOL.EXE
O4 - HKLM\..\Run: [Total Internet Messenger] C:\PROGRA~1\LOCALNET\MSNGR\FPMSNGR.exe
O4 - HKLM\..\Run: [absr] C:\WINDOWS\pmr.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\LocalNet\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - HKLM\..\Run: [LogWatch] C:\WINDOWS\LogWat95.exe
O4 - HKLM\..\Run: [Realtime Monitor] c:\av\inoculateit\realmon.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Roxio\GoBack\GBPoll.exe
O4 - HKLM\..\RunServices: [InoTask] c:\av\inoculateit\InoTask.exe
O4 - HKLM\..\RunServices: [InoRT] c:\av\inoculateit\InoRT9x.exe
O4 - HKLM\..\RunServices: [InoRPC] c:\av\inoculateit\InoRpc.exe
O4 - HKCU\..\Run: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O8 - Extra context menu item: >>> Search The Web <<< - javascript:var txt=window.external.menuArguments.document.selection.createRange().text;if(txt!=''){window.external.menuArguments.document.location='http://www.allcybersearch.com/ffeed.php?term='+txt;}else{window.external.menuArguments.document.location='http://www.allcybersearch.com/';}
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38067.4518981481
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
 

· Registered
Joined
·
16,832 Posts
Rescan and put a check next to each of these, then close all browser windows and click "fix checked".

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R3 - URLSearchHook: TvmBho Class - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\TV MEDIA\TvmBho.dll

R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)

O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\IECOMP.DLL

O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\TV MEDIA\TvmBho.dll

O
O4 - HKLM\..\Run: [absr] C:\WINDOWS\pmr.exe

O4 - HKLM\..\Run: [TV Media] C:\TV MEDIA\TVM.EXE

O4 - HKCU\..\Run: [TV Media] C:\TV MEDIA\TVM.EXE

O8 - Extra context menu item: >>> Search The Web <<< - javascript:var txt=window.external.menuArguments.document.selection.createRange().text;if(txt!=''){window.external.menuArguments.document.location='http://www.allcybersearch.com/ffeed.php?term='+txt;}else{window.external.menuArguments.document.location='http://www.allcybersearch.com/';}

Then reboot into safe mode and delete:
C:\TV MEDIA\TVM.EXE
C:\WINDOWS\pmr.exe
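
Added example, not part of the thread or of HijackThis itself: a small Python parser for the entry lines in the logs above that diffs two scans and reports which flagged entries still appear in a rescan. The sample text is a shortened excerpt of the 3/20 and 3/23 logs on this page; the function names and the case-insensitive matching are assumptions of this example.

```python
import re

# HijackThis entry lines look like "O4 - HKLM\..\Run: [name] path".
ENTRY = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")

# Excerpts copied from the two logs in this thread (shortened, not full logs).
SCAN_0320 = r"""Logfile of HijackThis v1.97.7
C:\WINDOWS\PMR.EXE
O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\TV MEDIA\TvmBho.dll
O4 - HKLM\..\Run: [ausvc] C:\WINDOWS\ausvc.exe
O4 - HKLM\..\Run: [SysScan] C:\WINDOWS\bvt.exe
O4 - HKLM\..\Run: [absr] C:\WINDOWS\pmr.exe
O4 - HKLM\..\Run: [TV Media] C:\TV MEDIA\TVM.EXE
"""
SCAN_0323 = r"""Logfile of HijackThis v1.97.7
C:\WINDOWS\PMR.EXE
O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\TV MEDIA\TvmBho.dll
O4 - HKLM\..\Run: [absr] C:\WINDOWS\pmr.exe
O4 - HKLM\..\Run: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - HKLM\..\Run: [LogWatch] C:\WINDOWS\LogWat95.exe
O4 - HKLM\..\Run: [Realtime Monitor] c:\av\inoculateit\realmon.exe
"""

def parse_entries(log_text):
    """Map (code, case-folded detail) -> original line; non-entry lines are skipped."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries[(m.group(1), m.group(2).strip().casefold())] = line.strip()
    return entries

def diff_scans(before, after):
    """Classify entries as removed, added or persisting between two scans."""
    b, a = parse_entries(before), parse_entries(after)
    return {
        "removed": sorted(b[k] for k in b.keys() - a.keys()),
        "added": sorted(a[k] for k in a.keys() - b.keys()),
        "persisting": sorted(a[k] for k in a.keys() & b.keys()),
    }

def unresolved(fix_list, rescan):
    """Entries marked for fixing that still appear in a later scan."""
    f, r = parse_entries(fix_list), parse_entries(rescan)
    return sorted(f[k] for k in f.keys() & r.keys())

if __name__ == "__main__":
    for status, lines in diff_scans(SCAN_0320, SCAN_0323).items():
        print(status, *lines, sep="\n  ")
```

Running `unresolved()` with the list of checked items against a fresh scan taken after the reboot shows whether "fix checked" actually removed them.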
 

· Registered
Joined
·
42 Posts
Discussion Starter · #8 ·
mobo,
Tried to execute hijack and delete files as directed. Hijack would not respond. I was able to get the download, and run the scan, but when it came to "fix checked" the system would not respond.

Any idea why? What next?

Sunshine2
 

· Registered
Joined
·
42 Posts
Discussion Starter · #10 ·
mobo,
I downloaded hijack this, ran the scan, placed a check next to the files you identified to fix, then clicked on "fix checked". I waited and waited and nothing happened. I then did a control, alt, delete and the window came up and stated that "hijack this was not responding". I tried several times to execute this function and the same thing happened. Did I do something incorrectly? The computer was idle, nothing happened.

Sunshine2
 

· Registered
Joined
·
42 Posts
Discussion Starter · #16 ·
mobo,
I did as instructed... hijack this still not responding.
I also downloaded the last application and when I tried to use it, it
says it is not there. I saved it to an icon on desktop and no file exists. Below is message:

coolwwwsearch smartkiller (v1/v2) has nt been found on your system
Sunshine2
 

· Registered
Joined
·
42 Posts
Discussion Starter · #18 ·
mobo,
Sunshine 2 back again.
I reran the Housecalls application again and got two messages:

The Backdoor/Autoupder virus was detected in C:Windows\Temp\v3P02EA25725
File status deleted because of Trojan Worm infection

The Win32\Dumpex Downloader.Trojan virus was detected in
C:Windows\Temp\v3P02EA25727
File status deleted because of Trojan Work infection

Final message: Housecalls indicated all files were clean.

I then restarted the computer in safe mode and attempted to
run hijack this again. I ran the scan and tried to delete the two files indicated. No response.

Any other instructions???
 