Thanks. It worked! How to get rid of the rest?

Hi. Thanks to A12 and Bulls_Eye and everyone who answered my emails.
Got the Spy Sweeper and a new virus scan from Avast. Ran these, plus AdAware. Resulting Hijack log below.

AdAware won't remove all files, especially the ones from Browser, and I think also C:\Restore and Internet Temp files. Internet works now, but popups still galore. Some programs still won't open.


Logfile of HijackThis v1.99.1
Scan saved at 10:25:15 PM, on 4/4/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\MNVNZZ.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\ALL USERS\APPLICATION DATA\MSW\BMAN1.EXE
C:\WINDOWS\SYSTEM\ELITECDE32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\OCJMFHQV.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\MCICCONF.EXE
C:\WINDOWS\SYSTEM\MAIPACK.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\WINDOWS\ALL USERS\APPLICATION DATA\MSW\BMAN.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\NETGEAR\MA111 CONFIGURATION UTILITY\WLANCFG4.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {734DE454-4CAF-43A7-BBD3-9555418311F8} - C:\WINDOWS\SYSTEM\SYSTEM.dll (file missing)
O2 - BHO: (no name) - {7E61816B-C353-4819-A034-16F3B076599D} - C:\PROGRAM FILES\PINTORZO\PINTORZO.dll
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\mnvnzz.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WINUP2DATE.DLL,SHStart
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [BMan] C:\WINDOWS\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [etbrun] C:\WINDOWS\SYSTEM\ELITECDE32.EXE
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PINTORZO] \Progra~1\PINTORZO\PINTORZO.exe
O4 - HKLM\..\Run: [wksmjtrz] C:\WINDOWS\ocjmfhqv.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [r72S36g] MCICCONF.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [awt2RWMmj] MAIPACK.EXE
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: ptnt.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

Comments

  • jaredjared College Station, TX Icrontian
    edited April 2005
    Ok you still got some stuff in your log that needs removing.

    Before we do anything I want you to disable system restore. If you need a guide on how to do this just click the 'How To' link in my sig and you can follow a couple easy steps.

    After you disable system restore delete all your temp. internet files. Open up Internet Explorer and go to the Tools menu. Now select 'Internet Options'. Click the 'Delete Files' button (select offline content as well).

    After you have cleared your temp files make sure Ad-Aware is up to date. Check the 'How To' link if you have questions regarding that.

    Now go ahead and reboot into safe mode. To do this reboot your computer and as it powers on tap the 'F8' key on the keyboard. If you see the Windows loading screen you were not fast enough.

    Once you are in safe mode open up your copy of HiJackThis. Now select and remove the following entries:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {734DE454-4CAF-43A7-BBD3-9555418311F8} - C:\WINDOWS\SYSTEM\SYSTEM.dll (file missing)
    O2 - BHO: (no name) - {7E61816B-C353-4819-A034-16F3B076599D} - C:\PROGRAM FILES\PINTORZO\PINTORZO.dll
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\mnvnzz.exe
    O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WINUP2DATE.DLL,SHStart
    O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
    O4 - HKLM\..\Run: [BMan] C:\WINDOWS\All Users\Application Data\msw\BMan1.exe
    O4 - HKLM\..\Run: [etbrun] C:\WINDOWS\SYSTEM\ELITECDE32.EXE
    O4 - HKLM\..\Run: [PINTORZO] \Progra~1\PINTORZO\PINTORZO.exe
    O4 - HKLM\..\Run: [wksmjtrz] C:\WINDOWS\ocjmfhqv.exe
    O4 - Startup: ptnt.exe


    When you delete the entries you can then close HJT. Open up your copy of Ad-Aware and run a full system scan.

    Now that system restore is off and you are in safe mode it should hopefully be able to make a complete pass and remove everything it needs to.

    Let me know if you run into any problems.

    If you are still getting popups after this just post another log and we will have a looksee.

    Good luck :D
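
Added example, not part of the original posts: a small Python parser for the HijackThis log format shown above. It cross-references the O4 registry autostart entries with the "Running processes" list, so a follow-up log can be checked for startup entries that are still loaded after a cleanup pass. The function names are illustrative, and the sample is an excerpt of the log lines posted above.

```python
import ntpath
import re

# Excerpt of the HijackThis log posted above (a subset of its lines).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\MNVNZZ.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\ALL USERS\APPLICATION DATA\MSW\BMAN1.EXE
C:\WINDOWS\SYSTEM\MCICCONF.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\mnvnzz.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WINUP2DATE.DLL,SHStart
O4 - HKLM\..\Run: [BMan] C:\WINDOWS\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [r72S36g] MCICCONF.EXE
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
"""

# "O4 - <hive>\..\<key>: [<value name>] <command>"
ENTRY = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[(.+?)\] (.+)$")
# Program path: ends at an executable extension followed by quote, space or EOL.
IMAGE = re.compile(r'^"?(.+?\.(?:exe|com|bat|scr|pif))(?=["\s]|$)', re.I)

def image_name(command):
    """Upper-case file name of the program a command launches, or None."""
    if re.match(r"rundll32(\.exe)?\s", command, re.I):
        return None  # the process list shows only RUNDLL32.EXE, not the hosted DLL
    m = IMAGE.match(command)  # handles quoted and unquoted paths with spaces
    path = m.group(1) if m else command.split()[0]
    return ntpath.basename(path).upper()

def parse(log):
    """Return (set of running process names, list of O4 registry entries)."""
    running, entries, in_procs = set(), [], False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False  # a blank line ends the process list
        elif in_procs:
            running.add(ntpath.basename(line).upper())
        elif (m := ENTRY.match(line)):
            entries.append({"key": m[1], "name": m[2], "image": image_name(m[3])})
    return running, entries

def live_autostarts(log):
    """Value names of autostart entries whose program is in the process list."""
    running, entries = parse(log)
    return [e["name"] for e in entries if e["image"] in running]
```

A match only shows that a program with that file name is running; it does not say whether the entry is wanted, and names that Windows lists in a shortened form will not match.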