IE keeps shutting down and other things

[michael sche]

My older son has been using more work win2000 machine. Lately IE keeps shutting down and there seems to be alot of freeware, spyware, malware, etc, that I cannot seem to remove via cwshredder, adaware, and spybot. I have attached a copy of the latest hijackthis log. I appreciate your help!!!!!!!!

Logfile of HijackThis v1.97.7
Scan saved at 9:40:12 PM, on 9/7/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\LTSMMSG.exe
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\system32\bcmwltry.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\documents and settings\mschey\local settings\temp\7og.exe
C:\documents and settings\mschey\local settings\temp\TYMyMFps.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINNT\system32\Djtn.exe
C:\WINNT\system32\BdqGNk.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINNT\system32\pauntvol.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\mschey\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\mschey\Local Settings\Temp\b.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [RemoveCpl] RemoveCpl.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
O4 - HKLM\..\Run: [WinEssential] C:\WINNT\System32\keyword.exe
O4 - HKLM\..\Run: [MSN Manager] C:\WINNT\system32\mscmgr.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [7og.exe] C:\documents and settings\mschey\local settings\temp\7og.exe
O4 - HKLM\..\Run: [TYMyMFps.exe] C:\documents and settings\mschey\local settings\temp\TYMyMFps.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [54C7EPY5HC7HQH] C:\WINNT\system32\Yoxfye5.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [Z0v7RWZnW] pauntvol.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir8d205.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - file://C:\Program Files\ThinkPad\Access Support\Agent\common\install\ibmegath.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38147.7331712963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

 

[LDTate]

Hello michael sche.

You need to update your version of HijackThis. Open HJT> Config> Misc Tools> Check for update online.

Post a new HijackThis log.

 

[michael sche]

Thanks. I just tried it and received a message that 'The website is unavailable. Either it is down, or I moved or deleted it by accident. Try again in a few days, or email me at [email protected]

 

[michael sche]

Ok.....I was able to download the latest version.....found a majorgeeks link that worked. Here is the new log:

Logfile of HijackThis v1.98.2
Scan saved at 10:28:00 PM, on 9/7/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\LTSMMSG.exe
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\system32\bcmwltry.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\documents and settings\mschey\local settings\temp\7og.exe
C:\documents and settings\mschey\local settings\temp\TYMyMFps.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\WINNT\system32\pauntvol.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINNT\system32\QmtPCB55.exe
C:\WINNT\system32\LtvfJ7du.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\mschey\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\mschey\Local Settings\Temp\b.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [RemoveCpl] RemoveCpl.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
O4 - HKLM\..\Run: [WinEssential] C:\WINNT\System32\keyword.exe
O4 - HKLM\..\Run: [MSN Manager] C:\WINNT\system32\mscmgr.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [7og.exe] C:\documents and settings\mschey\local settings\temp\7og.exe
O4 - HKLM\..\Run: [TYMyMFps.exe] C:\documents and settings\mschey\local settings\temp\TYMyMFps.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [54C7EPY5HC7HQH] C:\WINNT\system32\IpuFmd.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [Z0v7RWZnW] pauntvol.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - file://C:\Program Files\ThinkPad\Access Support\Agent\common\install\ibmegath.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll

 

[michael sche]

 

[FinestRanger]

Run the peper removal tool from the link below.

http://downloads.subratam.org/PeperFix.exe

Restart your computer.




Uninstall WinTools,TVMedia and WebOffer.



Restart your computer.

Open HiJackThis. Click "Scan". Put a checkmark next to these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\mschey\Local Settings\Temp\b.dll

Did you install a keylogger? Do you know what the line below is?

O4 - HKLM\..\Run: [WinEssential] C:\WINNT\System32\keyword.exe

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\Run: [7og.exe] C:\documents and settings\mschey\local settings\temp\7og.exe

O4 - HKLM\..\Run: [TYMyMFps.exe] C:\documents and settings\mschey\local settings\temp\TYMyMFps.exe

O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common

O4 - HKLM\..\Run: [54C7EPY5HC7HQH] C:\WINNT\system32\IpuFmd.exe

O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exeFiles\WinTools\WToolsA.exe

O4 - HKCU\..\Run: [Z0v7RWZnW] pauntvol.exe

O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe

O15 - Trusted Zone: *.greg-search.com

O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll

Close ALL browser windows and click "Fix checked".

Restart your computer into safe mode.

How to start your computer in Safe Mode

Find and delete:

TV Media folder

WinTools folder

TV Media folder

pauntvol.exe

Web Offer folder

mssaru.dll

Also, in safe mode, empty the contents of your TEMP folder.



Download and save these freeware/donationware programs to a permanent folder. Remember to check for updates and run them weekly.

***NOTE***A new version of SpyBot's been released (v1.3...it's no longer in beta). If you have been using 1.2 you can install right over it. If you downloaded and used 1.3 beta it is suggested you remove it and reboot prior to installing.


Ad-aware SE download

Configure Ad-aware:

First in the main window look in the bottom right corner and click on "Check for updates now." then click Connect and download the latest reference files.

From the main window, click Start then under "Select a scan Mode select "Perform full system scan.

Next deselect "Search for negligible risk entries.

Click the "Next" button.

When the scan is finished mark everything for removal and get delete the selections. (Right-click within the window and choose "Select All" from the drop down menu and click Next)

Restart your computer.


SpyBot Search and Destroy download

I also highly recommend you install and update SpywareBlaster


Tutorials:

Ad-aware tutorial link

SpyBot 1.3 tutorial link

SpywareBlaster tutorial linkhttp://www.bleepingcomputer.com/forums/index.php?showtutorial=49


Run Ad-aware and Spybot in Safe Mode.

How to start your computer in Safe Mode


Re-start your computer and post another HJT log in this thread.

 

[michael sche]

Thanks for the info. I'm at work right now but will run the above tonight. I had a feeling it was Peper. I had updated my adaware and it was able to delete some more malware and IE was running a bit better but I noticed a Maxspeed option on the Tools pull down. A did some research and found it was deposted by Peper and followed some instructions that I thought would remove it but it was still there. I'll try what you said tonight. Thanks