Spyware Has Messed Compaq

Discussion in 'All Other Software' started by skigeezer, Jan 26, 2005.

Thread Status:
Not open for further replies.
  1. skigeezer

    skigeezer Thread Starter

    Joined:
    Jan 26, 2005
    Messages:
    34
    I need a HijackThis expert to help me with my kid's Compaq Presario 1200, running Windows 98SE. It picked up some kind of spyware and I subsequently had my kid run Spybot S&D, Ad-Aware SE, and CWShredder on it in "safe mode" and had all 3 of them fix the problems they found; and they all found plenty. Unfortunately, after all that, this computer still runs very sluggishly in normal mode and there is no mouse icon visible; hence the mouse is unusable. The mouse icon does show in "safe mode". Here is the latest HJT log, help.
    Logfile of HijackThis v1.99.0
    Scan saved at 10:26:37 PM, on 1/25/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\MY DOCUMENTS\WINZIP\WINZIP32.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant =
    about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch =
    res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
    = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
    Microsoft Internet Explorer provided by Juno Online Services, Inc.
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName
    =
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {A719CA7C-2261-8E5B-7EDC-9A224A66E749} -
    C:\windows\system\opgqcxhs.dll
    O2 - BHO: (no name) - {2FDA8F4B-4FFA-81D1-AFC9-2E6BBF7E0D49} -
    C:\windows\system\mxplewjd.dll
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio -
    {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no
    file)
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
    powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Norton Auto-Protect]
    C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [Norton CrashGuard Monitor] "C:\PROGRAM FILES\NORTON
    SYSTEMWORKS\NORTON CRASHGUARD\CGMenu.EXE"
    O4 - HKLM\..\Run: [EM_EXEC]
    C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
    Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
    powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton
    SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program
    Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKCU\..\Run: [] c:\WINDOWS\System\
    O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton
    SystemWorks\Norton Utilities\SYSDOC32.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
    Office\Office\OSA9.EXE
    O4 - Startup: SpySubtract.lnk = C:\Program
    Files\interMute\SpySubtract\SpySub.exe
    O9 - Extra button: Yahoo! Messenger -
    {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM
    FILES\YAHOO!\MESSENGER\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger -
    {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM
    FILES\YAHOO!\MESSENGER\YPAGER.EXE
    O9 - Extra button: Juno - {A87797A0-8BCB-11E5-B12A-D37D1D82BB4F} -
    juno.exe (file missing) (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
    (MsnMessengerSetupDownloadControl Class) -
    http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj
    Object) - http://www.odysseusmarketing.com/actsetup.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = resnet.uwyo.edu
     
  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Make sure that AA and SpyBot have current definitions

    Print this – boot to safe mode and fix

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant =
    about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch =
    res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
    = about:blank

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName
    =

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {A719CA7C-2261-8E5B-7EDC-9A224A66E749} -
    C:\windows\system\opgqcxhs.dll

    O2 - BHO: (no name) - {2FDA8F4B-4FFA-81D1-AFC9-2E6BBF7E0D49} -
    C:\windows\system\mxplewjd.dll

    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no
    file)

    O4 - HKCU\..\Run: [] c:\WINDOWS\System\

    O9 - Extra button: Juno - {A87797A0-8BCB-11E5-B12A-D37D1D82BB4F} -
    juno.exe (file missing) (HKCU)

    View Hidden Files
    Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
    Make sure that "Show hidden files and folders" is checked.
    Also uncheck "Hide protected operating system files".
    Now click "Apply to all folders", Click "Apply" then "OK"

    Delete these files
    C:\windows\system\opgqcxhs.dll
    C:\windows\system\mxplewjd.dll


    Delete these folders
    C:\PROGRAM FILES\TOOLBAR

    START – RUN – key in %temp% - Edit – Select all – File – Delete
    Empty the recycle bin
    Boot and post a new log
     
  3. skigeezer

    skigeezer Thread Starter

    Joined:
    Jan 26, 2005
    Messages:
    34
    MFDnNC,
    Thanks for your quick answer and instructions. Last night we booted into "safe mode" on the Compaq and ran HijackThis to check and fix all the registry items that you listed in the thread. We also tried to delete the two dll files and the "Toolbar" folder that you suggested we delete; however, they didn't exist so we couldn't delete them. We even used the search folders tool to try and find them on the hard drive, to no avail. Finally, we deleted the contents of the "Temp" folder and emptied the recycle bin as you instructed. Unfortunately, the "fixes" didn't fix the computer's sluggishness or bring back the mouse icon when in normal mode. Here is the new log file; I hope you have a further suggestion. Thanks again for your time and help.
    Logfile of HijackThis v1.99.0
    Scan saved at 1:17:20 AM, on 1/27/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CGMENU.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\MY DOCUMENTS\WINZIP\WINZIP32.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
    Microsoft Internet Explorer provided by Juno Online Services, Inc.
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio -
    {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no
    file)
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
    powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Norton Auto-Protect]
    C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [Norton CrashGuard Monitor] "C:\PROGRAM FILES\NORTON
    SYSTEMWORKS\NORTON CRASHGUARD\CGMenu.EXE"
    O4 - HKLM\..\Run: [EM_EXEC]
    C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
    Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
    powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton
    SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program
    Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton
    SystemWorks\Norton Utilities\SYSDOC32.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
    Office\Office\OSA9.EXE
    O4 - Startup: SpySubtract.lnk = C:\Program
    Files\interMute\SpySubtract\SpySub.exe
    O9 - Extra button: Yahoo! Messenger -
    {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM
    FILES\YAHOO!\MESSENGER\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger -
    {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM
    FILES\YAHOO!\MESSENGER\YPAGER.EXE
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
    (MsnMessengerSetupDownloadControl Class) -
    http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj
    Object) - http://www.odysseusmarketing.com/actsetup.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = resnet.uwyo.edu
     
  4. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Log is clean - have you defragged?
     
  5. skigeezer

    skigeezer Thread Starter

    Joined:
    Jan 26, 2005
    Messages:
    34
    MFDnNC, well, I defragged a couple of days before jumping on this forum; should I do it again? Are the 2 03's and the reference to "odysseusmarketing" in the log list normal? What are they telling the computer to do?
    Thanks, again
     
  6. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014

    Sorry I missed the 03 you referenced - normally the 16's don't bite, but let's fix these 2

    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no
    file)

    O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj
    Object) - http://www.odysseusmarketing.com/actsetup.cab
     
  7. skigeezer

    skigeezer Thread Starter

    Joined:
    Jan 26, 2005
    Messages:
    34
    OK MFDnNC, I'll get rid of those two, but if we are deleting O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file), shouldn't we also delete the one above it O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio -
    {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

    Also, you didn't say whether or not I should defrag again.
     
  8. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    No, that one is OK, and yes, defrag; with your OS it is critical

    Do this before defrag

    EasyCleaner http://personal.inet.fi/business/toniarts/ecleane.htm

    Use the clear files and Unnecessary files buttons - I do not recommend
    using the Duplicates files button as many dupes are there on purpose.
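
A first-pass triage of a pasted HijackThis log like the ones in this thread, as an added example that is not part of any post or of HijackThis itself: it rejoins the wrapped lines into whole entries, then flags the structural markers visible in the entries chosen for fixing above ("(no name)", "(no file)", "(file missing)", an empty `[]` autorun name). The indicator list and function names are assumptions of this example.

```python
import re

# A HijackThis entry starts with a section code ("R1 - ", "O4 - ", ...); pasted
# logs wrap long entries, so other non-blank lines continue the previous one.
ENTRY_START = re.compile(r"^(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")

# Structural indicators only (an assumption of this example, not a verdict).
INDICATORS = [
    (re.compile(r"\(no name\)"), "no display name"),
    (re.compile(r"\(no file\)|\(file missing\)"), "target file not on disk"),
    (re.compile(r"^O4 - .*: \[\] "), "autorun with empty value name"),
]

# Constructed sample: wrapped lines copied from the first log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
- C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {A719CA7C-2261-8E5B-7EDC-9A224A66E749} -
C:\windows\system\opgqcxhs.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no
file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Run: [] c:\WINDOWS\System\
O9 - Extra button: Juno - {A87797A0-8BCB-11E5-B12A-D37D1D82BB4F} -
juno.exe (file missing) (HKCU)
"""

def unwrap(log):
    """Rejoin wrapped lines into one string per entry."""
    entries = []
    in_entry = False
    for raw in log.splitlines():
        line = raw.strip()
        if ENTRY_START.match(line):
            entries.append(line)
            in_entry = True
        elif line and in_entry:
            entries[-1] += " " + line
        else:
            in_entry = False  # blank line or header text ends the entry
    return entries

def triage(log):
    """Return (entry, [reasons]) for entries matching any indicator."""
    hits = [(e, [why for rx, why in INDICATORS if rx.search(e)]) for e in unwrap(log)]
    return [(e, reasons) for e, reasons in hits if reasons]

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print("; ".join(reasons), "->", entry)
```

Entries such as the O16 download control pointing at odysseusmarketing.com carry none of these markers, so a pass like this narrows the list for a human reader rather than replacing one.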
     
Short URL to this thread: https://techguy.org/323759