my friend's computer is next-to-dead! Please help.
I had to download the CWS, etc. to disc, then install the pgms on my friend's computer. She has dial-up, which is very slow, and it took about 1/2 hour to download the HijackThis pgm, so I gave up on the net on her computer and went that route.
I did the following.
1. I deleted about 10,000 files (not kidding) from her Temp Internet Folder, which took about 3 hours to do. She had 28Mb free space on her hard drive. Now she has about 500Mb free, I think. Can't remember, but she is no longer getting the drive full error window. She has never emptied it (for about 2 years) because she thought it would empty whenever she turned off her computer.
2. I loaded CWS and ran it. Nothing found.
3. I loaded and ran Ad-Aware and it found some files, but not many.
4. I ran Spybot S&D. It found lots of data miners, registry values, etc. I deleted all the data miners and quarantined the rest.
5. I ran HijackThis and saved a log. Unfortunately, she uses Lotus 1-2-3 and I couldn't save the log to my CD, so I eventually just printed it out, brought it home and typed it into my Works pgm.
This is the log.
Logfile of HijackThis v1.99.1
Scan saved at 7:24:51 PM on 02/22/2006
Platform Windows 98 ME (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running Processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.13.0000.1005\EN-CA\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://ca.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,Search Assistant=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName=
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\MSN\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01..3.0000.1005\EN-XU\STMAIN.DLL
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WINTOOLS\WINTOOLST.DLL
O2 - BHO: Starware - {CA356D79-679B-4b4b-8E49-5AF97014F4C1} - C:\PROGRAM FILES\STARWARE\BIN\STARWARE.DLL
O2 - BHO: (no name) - {87766247-311C-43B4-4899-3D5C94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WINTOOLSB.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot-Search&Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C496-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.5000.1021\EN-CA\MSNTB.DLL
O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\PROGRAM FILES\STARWARE\BIN\STARWARE.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HPMmKbd] C:\WINDOWS\SYSTEM\keyboard\sbcommkb.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\TASKMON.EXE
O4 - HKLM\..\Run: [LoaePowerProfile] Rundll32.exe powerprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE\LOADQUIET
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\eng-ca\msnappau.exe"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [NI.UWFX5_0001_N66M1101] "C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\1BZXVJEJ\WINFIXER2005FREEINSTALL[1].EXE" -nag
O4 - HKLM\..\Run: [NIUWFX6_0001_N68M2301] "C:\WINDOWS\DESKTOP\WINFIXER2006FREEINSTALL.EXE" -nag
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WINTOOLSA.EXE
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powerprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WINTOOLSA.EXE
O4 - HKLM\..\RunServicesOnce: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WINTOOLSA.EXE /boot
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O13 - WWW. Prefix: http://
O16 - DPF: Win32 Classes - file://C:\WINDOWS\Java\classes\win32ie4.cab
O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - http://commerce/pro.ca/kti/mcsi_menu.cab
I hope this is ok for you to do anything with.
Remove the following from Add/Remove programs, if found:
WINFIXER2005
WINFIXER2006
WINTOOLS
=====
Run HijackThis, then:
1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"
Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now click "Refresh", check again, and repeat this step if any remain.
=====
Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)
O4 - HKLM\..\Run: [LoaePowerProfile] Rundll32.exe powerprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NI.UWFX5_0001_N66M1101] "C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\1BZXVJEJ\WINFIXER2005FREEINSTALL [1].EXE" -nag
O4 - HKLM\..\Run: [NIUWFX6_0001_N68M2301] "C:\WINDOWS\DESKTOP\WINFIXER2006FREEINSTALL.EXE" -nag
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WINTOOLSA.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powerprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WINTOOLSA.EXE
O13 - WWW. Prefix: http://
- Close ALL open windows
Click Fix Checked
=====
View hidden files and folders – explained here
=====
Find and Delete the following, if found:
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\1BZXVJEJ\WINFIXER2005FREEINSTALL [1].EXE << This file
C:\WINDOWS\DESKTOP\WINFIXER2006FREEINSTALL.EXE << This file
C:\PROGRAM FILES1\COMMON FILES\WINTOOLS << this folder
==
We need to do a search. Click Start > Search > All Files and Folders.
Expand Search Options, check Advanced Options, check Search system folders, Search hidden files and folders, and Search Subfolders.
Paste this into the Search for files and folders named box:
powerprof.dll
If any of these files are found please delete them.
=====
Download ATF (Atribune Temp File) Cleaner© by Atribune
http://www.atribune.org/ccount/click.php?id=1
It is a stand-alone program that does not need to be "installed". Save it to a convenient location and make a shortcut on your desktop.
Run ATF Cleaner
Double-click ATF Cleaner.exe
Under Main choose: Select All
Click the Empty Selected button.
Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
=====
Run Ad-Aware and SpyBot again. Remove everything they find!
=====
If you can, please run this online scan. If it takes too long on Dial-up, then skip it.
http://www.kaspersky.com/virusscanner
- Please run the Free Kaspersky Online Virus Scan
- Click on the Kaspersky Online Scanner button
- On the new window that opens, click the Accept button
- Kaspersky will check if you have the ActiveX installed. If not, you will be prompted to download it. Please do - it is perfectly safe.
- After accepting to install the ActiveX, you will need to click Accept again
- Kaspersky will then install the ActiveX and download the latest Anti-Virus files from their database. Please be patient, it may take several minutes to download the latest files. Click Next when done
- Select My Computer
Please do NOT use the internet while Kaspersky is scanning
- When the scan is complete, click the Save as Text button. Call it Virus Results and save the report to your desktop.
- Open the file and paste the entire contents here
=====
Reboot and post a new HJT log and log from Kaspersky (if possible)
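As an added example (not part of this thread, and not code from HijackThis or any other tool named here), the following Python script reads a log in the format pasted above, pulls out the O4 autorun entries, flags the ones launched from Temporary Internet Files, the Desktop or a folder the cleanup advice names (WinTools, WinFixer), and lists running processes from the same folder, which is how the WTOOLSA.EXE and WSUP.EXE processes connect to the WinTools RunServices entry. The sample log embedded in it is constructed from a handful of the thread's entries, and every function and constant name is my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis v1.99.1 log format, modelled on a few of the
# entries quoted in this thread; it is not the poster's complete log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running Processes:
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://ca.msn.com/
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [NI.UWFX5_0001_N66M1101] "C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\1BZXVJEJ\WINFIXER2005FREEINSTALL[1].EXE" -nag
O4 - HKLM\..\Run: [NIUWFX6_0001_N68M2301] "C:\WINDOWS\DESKTOP\WINFIXER2006FREEINSTALL.EXE" -nag
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WINTOOLSA.EXE
O13 - WWW. Prefix: http://
"""

# Folder names the cleanup advice in this thread treats as unwanted (WinTools,
# WinFixer); extend for your own environment. TRANSIENT_LOCATIONS are places a
# legitimate startup program is not normally launched from.
SUSPECT_FOLDERS = ("WINTOOLS", "WINFIXER")
TRANSIENT_LOCATIONS = ("\\TEMPORARY INTERNET FILES\\", "\\TEMP\\", "\\DESKTOP\\")

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): ?\[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
EXE_RE = re.compile(r"^(?P<path>.*?\.(?:exe|com|dll|ocx))", re.IGNORECASE)


@dataclass
class Autorun:
    key: str   # e.g. HKLM\..\Run
    name: str  # registry value name
    cmd: str   # command exactly as logged
    exe: str   # executable path pulled out of cmd (best effort)


@dataclass
class HjtLog:
    processes: list = field(default_factory=list)
    autoruns: list = field(default_factory=list)
    other: list = field(default_factory=list)  # R0/O2/O3/O13/... lines, unparsed


@dataclass
class Finding:
    autorun: Autorun
    reasons: list
    related_processes: list  # running binaries from the same folder as autorun.exe


def extract_exe(cmd: str) -> str:
    """Return the executable path from an autorun command string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):          # quoted path, possibly followed by switches
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end]
    m = EXE_RE.match(cmd)            # unquoted: cut at the first .exe/.dll/...
    if m:
        return m.group("path")
    return cmd.split()[0] if cmd else ""


def parse_hjt_log(text: str) -> HjtLog:
    """Split a HijackThis log into the process list, O4 autoruns and other entries."""
    log = HjtLog()
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "Running Processes:":
            in_processes = True
            continue
        m = O4_RE.match(line)
        if m:
            in_processes = False
            log.autoruns.append(Autorun(m["key"], m["name"], m["cmd"], extract_exe(m["cmd"])))
        elif re.match(r"^[RO]\d+ - ", line):
            in_processes = False
            log.other.append(line)
        elif in_processes:
            log.processes.append(line)
    return log


def folder_of(path: str) -> str:
    # Last directory component of a Windows path, upper-cased. Comparing only this
    # component lets the 8.3 form PROGRA~1\COMMON~1\WINTOOLS match its long form.
    parts = path.replace("/", "\\").upper().split("\\")
    return parts[-2] if len(parts) >= 2 else ""


def assess_autoruns(log: HjtLog) -> list:
    """Flag O4 entries by location and folder name, then tie each to live processes."""
    findings = []
    for a in log.autoruns:
        exe_u = a.exe.upper()
        reasons = []
        if any(loc in exe_u for loc in TRANSIENT_LOCATIONS):
            reasons.append("launched from a temporary or user-writable location")
        if any(name in exe_u for name in SUSPECT_FOLDERS):
            reasons.append("path contains a folder named in the cleanup advice")
        if reasons:
            related = [p for p in log.processes if folder_of(p) == folder_of(a.exe)]
            findings.append(Finding(a, reasons, related))
    return findings
```

Calling `assess_autoruns(parse_hjt_log(SAMPLE_LOG))` returns three findings: the two WinFixer entries and the WinTools RunServices entry, the last tied to WTOOLSA.EXE and WSUP.EXE because they run from the same WINTOOLS folder. The folder match and the name list are heuristics, not proof: an entry the script leaves alone (the misspelled LoaePowerProfile, for instance) still has to be judged by hand, which is exactly what the reply above does.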
Thank you very much. I think this will take me a while. I will print this post off, go to her house, do the required work and see how we are doing. I probably won't get back for a couple of days as I have some business to take care of as well that will keep me away.
Maybe I'll type it in Pad and paste it.
OK Here goes.
I had trouble getting HJT on her hd. I had a zipfile and tried to extract but for some reason I couldn't. All it would do is keep going to the extract window and when I tried to copy it from my CD to the hd it would only make a shortcut, but eventually, and through accident, I managed to get it into C:\HJT << this folder.
When I ran HJT, any logs it saved were in zipfiles. Eventually I got it right.
Also, HJT doesn't show the header or Running Processes. It starts at the first R0 - line. Why won't it show?
In Add\Remove pgms I found only WINTOOLS and removed it. Couldn't find WINFIXER2005 or 2006.
Opened HJT\Misc.Tools\Process mgr. but never found C:\PGM FILES\COMMON FILES\WTOOLSA.EXE or wsup.exe
Closed and reopened HJT\Scan only. Checked (your lines) 1, 2, 3, 5 & 7. Never found 4 & 6. Fixed, but when I ran scan only again, line 2 (WINFIXER2005FREEINSTALL.EXE) was still there.
Viewed hidden files & folders.
C:\WINDOWS\TEMP INTERNET FILES\CONTENT.IE5 <<this folder not there.
C:\WINDOWS\DESKTOP\WINFIXER2006FREEINSTALL.EXE<<this file not there.
C:\PGM FILES1\COMMON FILES\WINTOOLS<<this folder not there.
Searched for powerprof.dll. Not found.
Logged onto net, logged into this forum. Then some jerk ran his vehicle into the communications tower, severed several optic cables and we were denied any access from the Yukon through our ISP.
I gave up at that point and defragged for 2 hours before it finished.
I will try to dl ATF Cleaner when I next go over.
Now, next in your list, do you want me to dl Firefox and Opera? Or were those instructions only if she's using either? She uses IExplorer.
I will run Ad-Aware & SpyBot.
I will try Kaspersky, save & paste report here, reboot and post new HJT log.
It may take me a while, but I think I should wait before I do anything until I hear from you why I get no header or Running Processes in the HJT log.
I will be out of town tomorrow and the next day. Then we are leaving for Calgary on Saturday (driving 2 days), staying a week or so, then returning about the middle of the month.
So if you don't get a post Thurs or Fri, don't worry. It can wait.
Thanks for your patience and assistance. You people do a great job and you don't know how much we appreciate your work.
Thank you again
Hopefully, I'll answer all of your questions and not mess any
That's right. HJT only shows the running processes in the log file it creates and not in the program. It starts off from the R0 entry like you saw.
No problem
That's if she's only using them. If you can, get her to try Firefox or Opera. Nothing like safer browsing.
OK
I'll be here when you're ready.