I've tried everything--computer problem

I have tried Spybot, Adaware, HijackThis, AVG, and Avast! to rid myself of a vexing computer problem that continues. My computer has innumerable pseudo-pop-ups. I say pseudo because Zone Alarm shows no incoming information from the net, and they are always the same. After from 10 minutes to about an hour my computer stops functioning due to low resources and needs to be rebooted. It will also lock up, requiring constant saving when using, say, a word processor. Needless to say, the machine is relatively useless. I can reinstall Win 98SE, but would prefer not to have to go to all that trouble. Anyone know what I can do to rid myself of this egregious situation?

Get rid of file-sharing software, or find “lite” versions of it.

Get rid of other suspicious programs that scanning software wouldn’t necessarily deem offensive, such as: Weatherbug, Bonzi Buddy, Gator, Comet Cursor, etc.

If you see programs that you don’t remember installing, google them. If they come up offensive, remove them.

Download HijackThis, run a scan, and post the results here - it gives a comprehensive snapshot of what’s going on with the system. But don’t do anything else with it unless you really know what you’re doing, because it’s a rather powerful (i.e. potentially destructive) tool!

Could you post your Hijackthis log?

I will be happy to post my log, but since I am at work, it will have to wait until tonight when I get home. Interestingly, I know that things like Comet Cursor, Gator, and Bonzi Buddy are present, as I can see them scanned by Adaware and Spybot, but I can’t find them on the disc. It’s not under programs. Where should I be looking? Also, this computer doesn’t have any P2P programs on it.

Some of those things will be loaded from .dll files, by your system registry. If Hijackthis finds them, the easiest way to be rid of them is to use Hijackthis to remove them.

I almost forgot, according to the computer, the reason it craps out is that resources have become critically low. What resources is it talking about? How can I look at running processes (Windows 98SE)?

You can download and install a utility called Process Explorer from here - it provides detailed view and control of what your system is doing - much more so than the Win98 Task manager.

Memory.

As your malware chews up more and more memory, the computer has to swap more and more things to the swap file to make room, and gets slower and slower as a result.

Here is the Hijack This log:

Logfile of HijackThis v1.97.7
Scan saved at 8:41:49 PM, on 11/8/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM…\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM…\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM…\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe
O4 - HKCU…\Run: [msnmsgr] “C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE” /background
O4 - HKCU…\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

“Resources” is a general term meaning things your computer needs that it can run out of - RAM, CPU, disk space. Almost always it is used synonymously with RAM.

From a quick look, I’d say you have a Heisenberg bug. You had a problem and you threw so much diagnostic software at it that now the diagnostic software itself is the problem. Counter-malware programs are not trivial in terms of resources… they are resource hogs and you should run only one scan at a time.

Maybe you’ve set these programs to do a full system scan when your computer starts, or set on a frequent scanning interval. If you have several counter-malware programs kicking off as soon as the computer boots, that would be a big problem causing the symptoms you have described.

I would suggest first shutting off all your spyware detecting stuff and seeing if that helps overall system stability. Then look into the software and see if you can gain control over when it runs… you don’t need to run it often, only once a week or so.

Actually, I don’t have anything run at startup except zone alarm. All the anti-spyware is when I choose, which, with the computer so screwed up, is pretty often. It’s always finding a ton of stuff unless I run the same program twice consecutively, in which case, it seems to have done its job, but on reboot everything just comes back.

It looks like you do have something running at startup:

O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe

Other than that, you’ve got a pretty clean log. I would say start deactivating non-essential programs just to eliminate any interference… you’ve got AIM, MSN messenger, and google toolbar.

Next thing I’d do would be to run an actual anti-virus utility as opposed to just a spyware scanner.

Also I might increase the size of the virtual memory (the pagefile). It’s not a solution for not having enough RAM, but it can be a band-aid to help you survive until you can figure out what is going on.

Last resort - go buy a newer OS (such as Windows XP), back up your files, and do a reformat/reinstall of windows.

OK, nothing’s working so far…

Assuming every definition file etc for the AV/shitware scanners are all up to date, boot into safe mode, and run a full scan of everything there. To get into safe mode with 98, you hold the left shift key during the boot sequence - although it’s easier to tap the key repeatedly to make sure to press it at the ‘correct’ time. Anyway, you boot into a minimal Windows setup, with a 16-colour screen etc. The advantage is that it doesn’t load any non-essential programs, which should mean it doesn’t load any malware. Try that, and report back.

And it might be useful to note that many home computers are RAM deficient to start with. If you only have 128MB of RAM, it is very easy for legitimate applications to eat up all available resources. Word is a system hog and so is Internet Explorer. Get Word going and then open three or four browser windows and you don’t necessarily need malware to do you in.

What is “c:\windows\system\exp.exe” ?

Actually, astro might have a point - I hadn’t noticed that the ‘exp.exe’ file was in a primary folder, and not a program-specific one (annoyingly it’s a name which is used in legitimate circumstances). Try Start - Run - ‘msconfig’ - and see if you can find an option for this ‘exp’ file. If you can, deselect it, and restart the computer, and see how things work.

I am running 384 MB ram. I did indeed find exp.exe using msconfig, deselected it, restarted, it is no longer loaded, but the pseudo popups continue.

and my latest hijack this log is:

Logfile of HijackThis v1.97.7
Scan saved at 11:11:58 PM, on 11/8/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM…\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM…\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM…\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU…\Run: [msnmsgr] “C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE” /background
O4 - HKCU…\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

Out of curiosity, what is O1 - Hosts: 69.20.16.183 ieautosearch?

For one thing, you are using an outdated version of HijackThis. Please download the newest version, 1.98.2 here, scan again, and post the log here.
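
Added example, not part of any post in this thread: a small Python triage of the O1 and O4 lines from the two logs above, listing autorun binaries that sit directly in a shared Windows folder (the point raised about exp.exe), the hosts-file entries, and what changed between the scans. The function names and the `SHARED_DIRS` set are assumptions made for this sketch; a hit means "look this file up", not a verdict.

```python
import re
from pathlib import PureWindowsPath

# O1/O4 lines copied from the first log in this thread.
LOG_BEFORE = r"""
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM…\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM…\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM…\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
"""
# Second log: the exp.exe line is gone and a RunServices line is present.
LOG_AFTER = "\n".join(l for l in LOG_BEFORE.splitlines() if "exp.exe" not in l) + "\n" + \
    r"O4 - HKLM…\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service"

ENTRY = re.compile(r"^(O\d+) - (.*)$")
BINARY = re.compile(r'[A-Za-z]:\\[^“”"]*?\.(?:exe|dll)', re.I)
# Assumption: on Win9x these folders are shared by the OS, not owned by one vendor.
SHARED_DIRS = {r"c:\windows", r"c:\windows\system"}

def parse(log):
    """Return (section, text) for every 'On - ...' line; other lines are ignored."""
    return [m.groups() for line in log.splitlines() if (m := ENTRY.match(line.strip()))]

def autoruns_in_shared_dirs(log):
    """O4 autoruns whose binary sits directly in a shared Windows folder."""
    hits = []
    for section, text in parse(log):
        m = BINARY.search(text)
        if section == "O4" and m:
            path = PureWindowsPath(m.group(0))
            if str(path.parent).lower() in SHARED_DIRS:
                hits.append(path.name.lower())
    return hits

def hosts_entries(log):
    """O1 lines: (ip, hostname) pairs HijackThis reports from the hosts file."""
    return [tuple(text.split(":", 1)[1].split()) for s, text in parse(log) if s == "O1"]

def diff(before, after):
    """Entries that disappeared and entries that appeared between two scans."""
    b, a = set(parse(before)), set(parse(after))
    return sorted(b - a), sorted(a - b)

if __name__ == "__main__":
    print("review:", autoruns_in_shared_dirs(LOG_BEFORE))  # OS tools land here too
    print("hosts:", hosts_entries(LOG_BEFORE))
    print("removed/added:", diff(LOG_BEFORE, LOG_AFTER))
```

The review list also contains scanregw.exe, the Windows 98 Registry Checker, so each flagged name still has to be researched individually before anything is disabled.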