Nellie2 or Mark2 please OK my efforts?

  Diemmess 10:51 02 Jan 05
Locked

G/daughter again. This time not QUITE so awful, but after last time I failed to make sure that all the updates and anti-spyware were used!

I have looked through this log and prefixed with * where I think a line should be fixed.

Does my modified log make sense, and after clearing everything conventionally, should I simply run Hijack again and fix these lines?

Log part 1

Logfile of HijackThis v1.99.0
Scan saved at 4:03:38 PM, on 1/1/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE

D:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE

*C:\WINDOWS\LOADQM.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE

C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE

*C:\PROGRAM FILES\ADMILLI SERVICE\ADMILLISERV.EXE

*C:\PROGRAM FILES\ADMILLI SERVICE\ADMILLIKEEP.EXE

*C:\TEMP\SALM.EXE

*C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE

C:\PROGRAM FILES\WIDCOMM\BLUETOOTH SOFTWARE\BTTRAY.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

* Duplicated? C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

F:\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = click here

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = click here

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} -

D:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL

*O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} -

C:\WINDOWS\SYSTEM\MSBE.DLL

O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~2.DLL

O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\WANADOO\WSBAR\WSBAR.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

  Diemmess 10:57 02 Jan 05

O4 - HKLM\..\Run: [Zone Labs Client] D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe

*O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [BtStart] C:\Program Files\WIDCOMM\Bluetooth Software\bin\btstart.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE

O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE

*O4 - HKLM\..\Run: [Admilli Service] C:\PROGRAM FILES\ADMILLI SERVICE\ADMILLISERV.EXE

*O4 - HKLM\..\Run: [salm] c:\temp\salm.exe

*O4 - HKLM\..\Run: [oxobsd] C:\WINDOWS\oxobsd.exe

*O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe

*O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE

O4 - Startup: BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\WANADOO\WSBAR\WSBAR.DLL/VSearch.htm

O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O14 - IERESET.INF: START_PAGE_URL=click here

*O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - click here

*O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - click here

*O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - click here

*O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - click here

  Diemmess 17:24 02 Jan 05

^

  mark2 18:27 02 Jan 05

hi Diemesse

Close all explorer and browser windows and Have Hijack this fix the following


O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~2.DLL

O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll


O4 - HKLM\..\Run: [Admilli Service] C:\PROGRAM FILES\ADMILLI SERVICE\ADMILLISERV.EXE

O4 - HKLM\..\Run: [salm] c:\temp\salm.exe

O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe

Reboot into safe mode, Find and delete

C:\PROGRAM FILES\ADMILLI SERVICE\<---- folder

c:\temp\salm.exe

C:\Program Files\BullsEye Network\<------folder

Check properties etc of

O4 - HKLM\..\Run: [oxobsd] C:\WINDOWS\oxobsd.exe

if it doesn't relate to any thing you're sure of fix it

Loadqm.exe is a legit windows file

C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EX appears to be legit too,

were there 2 IE windows open at time of hjt scan ?

Also see click here regarding Bargain Buddy/Bullseye to check you've eliminated the rest of it's dross

Scan once more with hijackthis and post back with a fresh log for hopefully just a checkup, (or Nellie will have my guts for garters) :-)

  mark2 18:30 02 Jan 05

The 016 files you can generally fix safely as the program that needs them will download them from the relevant site when next required

  Diemmess 18:42 02 Jan 05

Thank you Mark2

Will go tomorrow and FIX with confidence.

I had noticed too late for the posting that I had highlighted O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~2.DLL
for FIXING, but failed to put a star there.

You've made my day, I feel lucky!

  mark2 19:14 02 Jan 05

you'd done a good job identifying the nasties yourself. (google helps enormously with the whole HJT line)

Don't forget to Check the hijackthis log after fixing :-)

  Diemmess 16:36 03 Jan 05

'Twas not so easy, because I made the mistake of retaining MessengerPlus before fixing and deleting - Result a couple of lines with "Winstart" in them remained.

Another day spent, but I have had it up to here with sorting this computer, so have made a ghost image of it as it stands, and if there is a next -time...... restoration of the image will be the only help that is forthcoming, unless there is an needed change of attitude from "How long are you going to be?"..... to "Thank you Grandad." C'est la vie!

Thank you Mark2 for giving me the lead and the courage.

Logfile of HijackThis v1.98.2
Scan saved at 3:32:26 PM, on 1/3/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE

C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE

C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\PROGRAM FILES\MESSENGER PLUS! 3\MSGPLUS.EXE

C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE

D:\HIJACK TOOLS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = click here

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = click here

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} -

D:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL

O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\WANADOO\WSBAR\WSBAR.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background

O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\WANADOO\WSBAR\WSBAR.DLL/VSearch.htm

O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O14 - IERESET.INF: START_PAGE_URL=click here

  mark2 22:43 03 Jan 05

That's better, :-)

However your version of Hijackthis is old, now on 1.99 (in case of future need I keep an up to date version on my webspace click here )

  Spark6 23:34 03 Jan 05

Hi Diemmess

Being an anxious grandfather to a number of young grandchildren I' m rather interested to know why you are having these problems.

Is the computer inadequately protected, or is the protection being overridden?

What sites are being visited?

Children can be a trial, but grandchildren!!!

Anyway, Happy New Year, let's hope for less problems ;-)

  Forum Editor 23:52 03 Jan 05

will obviously be better than the cure Diemmess, but I'm sure you don't need me to remind you of that.

This thread is now locked and can not be replied to.

Amazon Fire HD 8 review: A brilliant combination of function and value – with one massive caveat

1995-2015: How technology has changed the world in 20 years

How to create an introvert-friendly workplace

iPhone 7 review: Enhanced cameras, a refreshed design and water resistance make the iPhone 7 an…