Please help with Downloader.Small.15.BS (HijackThis log included)

This computer is currently suffering from an infection of Downloader.Small.15.BS and Downloader.Generic.RR. This computer has fully updated Ad-Aware, fully updated SpywareBlaster, fully updated SpyBot S&D, AVG Free Edition with the latest definitions and Norton Antivirus with the latest definitions. Only AVG can find any sign of these Trojan horses. Spybot and Ad-Aware have found spyware but they have yet to stop the problem. This computer is connected to high speed internet through a modem equipped with a powerful firewall currently set at Medium. These viruses appear to have come with Elitebar, which I seem to have removed. These Trojan horses cause the computer to run very slowly (Ad-Aware took 30 minutes to do a smart scan) and cannot boot unless you kill the processes Runonce and Mmtask. It is still prone to crashes and in a normal boot, it runs out of RAM very quickly. This computer uses Windows 98 First Edition.

Logfile of HijackThis v1.99.1
Scan saved at 1:59:21 PM, on 6/26/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SA3DSRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\BITWARE\CBWHOST.EXE
C:\PROGRAM FILES\BITWARE\CBWATTN.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\SXGDSENU.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\COMPAQ\INTERNET\CISRVR.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEAUI.EXE
C:\WINDOWS\SYSTEM\CPQPSCP.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\CDA\GAMEDRVR.EXE
C:\WINDOWS\LRHMUN.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\CAS\CLIENT\CASCLIENT.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=1c99&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=1c99&s=consumer&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=1c99&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=1c99&s=search&i=enu
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR52.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\SYSTEM\wintask.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Essdc] essdc.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SXGDSENU] SXGDSENU.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe /NORESTART
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [CISrvr Program] C:\COMPAQ\INTERNET\CISRVR.EXE
O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
O4 - HKLM\..\Run: [CPQEASYACC] "C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\Cpqeaui.exe"
O4 - HKLM\..\Run: [CompaqSysTray] cpqpscp.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\SYSTEM\PSof1.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\PROGRAM FILES\WEIRDONTHEWEB\WEIRDONTHEWEB.EXE"
O4 - HKLM\..\Run: [q55V3qe] IMPDLG32.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\lrhmun.exe reg_run
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [HC Reminder] hc.exe
O4 - HKLM\..\RunServices: [CBWHost] C:\PROGRA~1\BITWARE\CBWEXEC.EXE /Run C:\PROGRA~1\BITWARE\CBWHOST.EXE
O4 - HKLM\..\RunServices: [CBWAttn] C:\PROGRA~1\BITWARE\CBWEXEC.EXE /Run C:\PROGRA~1\BITWARE\CBWATTN.EXE
O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe
O4 - HKLM\..\RunServices: [EncMonitor] c:\compaq\access\Encompass\Monitor.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [b2u9RkKpP] JGDUPG.EXE
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Startup: unrt.exe
O4 - Startup: Spyware Blaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .qt: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\PROGRAM FILES\CAS\CLIENT\CASMF.DLL

Help would be appreciated!

Comments

  • Buckeye_Sam, Columbus, Ohio
    edited June 2005
    Please remove these entries from Add/Remove Programs in the Control Panel (if present):

    Wild Tangent
    Viewpoint Manager
    Viewpoint Media Player
    Weird on the Web
    Virtual Bouncer

    ================

    Please download CWShredder but don't run it yet.
    http://cwshredder.net/bin/CWSInstall.exe


    Please download and install Cleanup 4.0, but don't run it yet.
    http://cleanup.stevengould.org/

    ================

    Please make sure that you can VIEW ALL HIDDEN FILES.

    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR52.DLL
    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\SYSTEM\wintask.exe
    O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\SYSTEM\PSof1.exe
    O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
    O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\PROGRAM FILES\WEIRDONTHEWEB\WEIRDONTHEWEB.EXE"
    O4 - HKLM\..\Run: [q55V3qe] IMPDLG32.EXE
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\lrhmun.exe reg_run
    O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
    O4 - HKCU\..\Run: [b2u9RkKpP] JGDUPG.EXE
    O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
    O4 - Startup: unrt.exe
    O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\PROGRAM FILES\CAS\CLIENT\CASMF.DLL
    Reboot your computer into SAFE MODE

    Then delete these files or directories (Do not be concerned if they do not exist):

    C:\WINDOWS\CFGMGR52.DLL
    C:\WINDOWS\SYSTEM\wintask.exe
    C:\WINDOWS\SYSTEM\PSof1.exe
    C:\WINDOWS\lrhmun.exe reg_run
    C:\WINDOWS\SYSTEM\SUPDATE.DLL
    C:\Program Files\Cas\Client
    C:\PROGRAM FILES\VBOUNCER
    C:\PROGRAM FILES\WEIRDONTHEWEB
    unrt.exe
    IMPDLG32.EXE
    JGDUPG.EXE
    Run CWShredder, making sure to click "Fix".


    Run CleanUp 4.0 to remove temp files.
    Reboot your computer to go back to normal mode and post a new log.
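A small triage script, added here as an example and not part of this thread or of HijackThis itself, that parses entry lines in this log format and flags the kinds of entries Buckeye_Sam marked for fixing: IE search and start-page URLs pointing at hosts other than the OEM defaults (the allow-list of expected hosts is an assumption), autorun key names that look machine-generated, a BHO loaded straight from the Windows root, and a text/html filter. The sample lines are copied from the log posted above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: entry lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=1c99&s=search&i=enu
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR52.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [q55V3qe] IMPDLG32.EXE
O4 - HKCU\..\Run: [b2u9RkKpP] JGDUPG.EXE
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\PROGRAM FILES\CAS\CLIENT\CASMF.DLL
"""

# Assumption: the hosts the OEM and ISP configured on this Compaq; any other
# host in an R0/R1 start-page or search entry is treated as a hijack candidate.
EXPECTED_HOSTS = {"search.presario.net", "desktop.presario.net",
                  "channels.aimtoday.com", "www.aol.com"}

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<where>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
WINROOT_RE = re.compile(r"^C:\\WINDOWS\\[^\\]+$", re.IGNORECASE)


def looks_random(name):
    """Heuristic for autorun key names: six or more alphanumerics mixing
    upper and lower case with at least two digits (the shape of q55V3qe and
    b2u9RkKpP above). Product names like AVG7_CC or cfgmgr52 do not match."""
    return (re.fullmatch(r"[A-Za-z0-9]{6,}", name) is not None
            and sum(c.isdigit() for c in name) >= 2
            and any(c.isupper() for c in name)
            and any(c.islower() for c in name))


def parse(log):
    """Yield (section, body) for each HijackThis entry line, e.g. ("O4", ...)."""
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body")


def review(log):
    """Return a list of (reason, entry) pairs worth a human's attention first."""
    flagged = []
    for sec, body in parse(log):
        entry = f"{sec} - {body}"
        if sec in ("R0", "R1") and " = " in body:
            # The value after the last " = " is the configured URL (or a title).
            host = urlsplit(body.rsplit(" = ", 1)[1]).hostname
            if host and host not in EXPECTED_HOSTS:
                flagged.append((f"IE setting points at unexpected host {host}", entry))
        elif sec == "O4":
            m = RUN_RE.match(body)
            if m and looks_random(m.group("name")):
                flagged.append(("autorun key name looks machine-generated", entry))
        elif sec == "O2":
            # BHOs run inside every IE process; one loaded straight from the
            # Windows root rather than a product folder is unusual.
            module = body.rsplit(" - ", 1)[1]
            if WINROOT_RE.match(module):
                flagged.append(("BHO module sits in the Windows root", entry))
        elif sec == "O18" and body.startswith("Filter: text/html"):
            # A text/html filter sees and can rewrite every page IE renders.
            flagged.append(("text/html filter installed", entry))
    return flagged


if __name__ == "__main__":
    for reason, entry in review(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

The heuristics are deliberately narrow; an entry that is not flagged is not thereby clean, and a flagged one still needs the file checked by hand as the helper does above.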
  • edited June 2005
    Alright. I did everything you asked me to do and got some interesting results. I was unable to find the following programs in Add/Remove Programs:

    Wild Tangent
    Weird on the Web
    Virtual Bouncer

    I was also unable to find the following files/folders:

    C:\Windows\System\cfgmgr52.dll
    C:\Windows\System\wintask.exe
    C:\Program Files\Vbouncer
    C:\Program Files\Weirdontheweb
    impdlg32.exe
    jgdupg.exe

    However, a search for wildtangent revealed the file wildtangent.jar in the folder C:\Program Files\Javasoft\JRE\1.2\lib\ext

    A search for weirdontheweb found the application weirdontheweb_ventura.exe in the folder C:\Windows\System

    A search for vbouncer found the folder C:\Windows\All Users\Application Data\VBouncer

    A search for cfgmgr52 found the folder C:\Windows\cfgmgr52 and the file cfgmgr52.ini in the C:\Windows folder.

    A search for impdlg32 found the file impdlg32.lgc in the folder C:\Windows\Applog

    A search for jgdupg found the file jgdupg.~~c in the folder C:\Windows\Applog

    A search for viewpoint found the folder C:\WINDOWS\All Users\Application Data\Viewpoint and the application viewpoint.exe in the folder C:\Program Files\AIM\Sysfiles, even though I deleted that application in Add/Remove Programs.

    Which, if any of these files/folders, should I delete?

    I hope these aren't redundant from HijackThis, but I found some "suspicious" registry keys too:

    HKEY_CLASSES_ROOT\Typelib\{0DC5CD7C-F653-4417-AA43-D457B33A9622}\1.0\0\win32 with the value C:\Windows\cfgmgr52.dll, a file I could not find

    HKEY_CURRENT_USER\Software\PSof1

    HKEY_USERS\.DEFAULT\Software\PSof1

    HKEY_CURRENT_USER\Software\Viewpoint

    HKEY_LOCAL_MACHINE\Software\Viewpoint

    HKEY_USERS\.DEFAULT\Software\Viewpoint

    HKEY_CLASSES_ROOT\CLSID\{8293D547-38DD-4325-B35A-F1817EDFA5FC}\InprocServer32 with value C:\Program Files\Cas\Client\Casmf.dll

    HKEY_CLASSES_ROOT\TypeLib\{D4C89C18-B4F3-46A9-8800-E9E7A55AFBD9}\1.0\0\win32 with value C:\Program Files\Cas\Client\Casmf.dll

    HKEY_CLASSES_ROOT\TypeLib\{D4C89C18-B4F3-46A9-8800-E9E7A55AFBD9}\1.0\HELPDIR with value C:\Program Files\Cas\Client

    HKEY_CURRENT_USER\Software\CAS

    HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{8293D547-38DD-4325-B35A-F1817EDFA5FC}\InprocServer32
    with value C:\Program Files\Cas\Client\Casmf.dll

    HKEY_LOCAL_MACHINE\Software\CLASSES\TypeLib\{D4C89C18-B4F3-46A9-8800-E9E7A55AFBD9}\1.0\0\win32
    with value C:\Program Files\Cas\Client\Casmf.dll

    HKEY_LOCAL_MACHINE\Software\CLASSES\TypeLib\{D4C89C18-B4F3-46A9-8800-E9E7A55AFBD9}\1.0\HELPDIR
    with C:\Program Files\Cas\Client

    HKEY_USERS\.DEFAULT\Software\CAS

    HKEY_LOCAL_MACHINE\Software\Wise Solutions\Wise Installation System\Repair\C:/Program Files/VBouncer/INSTALL.LOG

    HKEY_LOCAL_MACHINE\Software\WeirdOnTheWeb

    I also successfully removed all of the items you told me to get rid of in HijackThis. The entries for Vbouncer and Weirdontheweb attempted to block me from deleting them by adding themselves to Spybot's Blocked Registry Changes list. I removed them and successfully deleted them.

    As of now, if I boot the computer in normal mode, it basically hangs at a DOS screen which only says

    File not found
    File not found

    If I boot the computer in step-by-step configuration and I skip config.sys and autoexec.bat, the computer boots fine and is quite stable. It also works in safe mode.

    When I ran CWShredder, it found nothing, and when I ran Cleanup 4.0, it deleted 39 MB of temp files.

    New HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:26:10 PM, on 6/28/05
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SA3DSRV.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\BITWARE\CBWATTN.EXE
    C:\PROGRAM FILES\BITWARE\CBWHOST.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\SYSTEM\ATITASK.EXE
    C:\WINDOWS\SYSTEM\SXGDSENU.EXE
    C:\MOUSE\SYSTEM\EM_EXEC.EXE
    C:\COMPAQ\INTERNET\CISRVR.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEAUI.EXE
    C:\WINDOWS\SYSTEM\CPQPSCP.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\WINDOWS\SYSTEM\PRINTRAY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
    C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
    C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
    C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=1c99&s=search&i=enu
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=1c99&s=consumer&i=enu
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=1c99&s=search&i=enu
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=1c99&s=search&i=enu
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Essdc] essdc.exe
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [SXGDSENU] SXGDSENU.exe
    O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
    O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe /NORESTART
    O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
    O4 - HKLM\..\Run: [CISrvr Program] C:\COMPAQ\INTERNET\CISRVR.EXE
    O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
    O4 - HKLM\..\Run: [CPQEASYACC] "C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\Cpqeaui.exe"
    O4 - HKLM\..\Run: [CompaqSysTray] cpqpscp.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [HC Reminder] hc.exe
    O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe
    O4 - HKLM\..\RunServices: [EncMonitor] c:\compaq\access\Encompass\Monitor.exe
    O4 - HKLM\..\RunServices: [CBWHost] C:\PROGRA~1\BITWARE\CBWEXEC.EXE /Run C:\PROGRA~1\BITWARE\CBWHOST.EXE
    O4 - HKLM\..\RunServices: [CBWAttn] C:\PROGRA~1\BITWARE\CBWEXEC.EXE /Run C:\PROGRA~1\BITWARE\CBWATTN.EXE
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Spyware Blaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
    O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
    O12 - Plugin for .qt: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
  • Buckeye_Sam, Columbus, Ohio
    edited June 2005
    A search for weirdontheweb found the application weirdontheweb_ventura.exe in the folder C:\Windows\System

    A search for vbouncer found the folder C:\Windows\All Users\Application Data\VBouncer

    A search for cfgmgr52 found the folder C:\Windows\cfgmgr52 and the file cfgmgr52.ini in the C:\Windows folder.

    A search for impdlg32 found the file impdlg32.lgc in the folder C:\Windows\Applog

    A search for jgdupg found the file jgdupg.~~c in the folder C:\Windows\Applog

    A search for viewpoint found the folder C:\WINDOWS\All Users\Application Data\Viewpoint and the application viewpoint.exe in the folder C:\Program Files\AIM\Sysfiles, even though I deleted that application in Add/Remove Programs.

    Which, if any of these files/folders, should I delete?
    You can manually delete all of these.

    I would not, however, manually remove anything from the registry. Download and run a good registry cleaner. One that makes backups that you can restore. If you don't have one I recommend Ace Utilities.

    http://www.acelogix.com/regtune.html


    Your log looks clean. Let me know if after running the registry cleaner if you still can't boot up normally.
  • edited June 2005
    Well, I can tell this computer is doing much better. I can boot normally, but I am still seeing the message "File not Found" about 5 or 6 times right before it boots. This appears to have started after my dad uninstalled BackWeb. Is this because something is trying to install itself but it can't find the files?

    Also, AVG has been unable to remove the file uci.exe even though it can detect it. Is that a bad file? There also appear to be issues with the file iM49.exe and possibly TP7543.exe. I don't know if those two are still around, but I'll have to check.

    The registry cleaner did a great job as well. I need to examine the computer a little better, but it is running much faster. Ad-Aware has found nothing but Spybot has been finding BookedSpace and Pacimedia (Pacimidia?).

    THANK YOU VERY MUCH for what you have already done. If it wasn't for you and the Short-Media team, my dad and I would have been forced to reformat the hard drive and reinstall everything from scratch. I also wanted to tell you that information from your site helped me and my dad defeat an infection on a different computer. I know that you guys are the people to ask when someone is in need of assistance in their battle against spyware and viruses.

    I am probably going to post more info tomorrow.
  • Buckeye_Sam, Columbus, Ohio
    edited June 2005
    Show me a new hijackthis log and we'll see if we can figure out the file not found errors.