My computer has an unwanted guest - help me kill it dead.

Apparently, I have had some adware attach itself to my hard drive. Ad-Aware does nothing, even with the latest updates. I thought I killed most of it with HijackThis! But apparently not.

Here is the log file:

Logfile of HijackThis v1.96.1
Scan saved at 7:06:35 PM, on 4/23/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
O4 - HKLM…\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM…\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM…\Run: [mmpti] c:\windows\SYSTEM\m1mmpti.exe
O4 - HKLM…\Run: [SystemTray] SysTray.Exe
O4 - HKLM…\Run: [EnsoniqMixer] starter.exe
O4 - HKLM…\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM…\Run: [Vshwin32EXE] C:\McAfee\VirusScan\VSHWIN32.EXE
O4 - HKLM…\Run: [VoyetraTray] C:\VOYETRA\AS2\VTRAY.EXE /s
O4 - HKLM…\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM…\Run: [After Dark QuickAccess] “c:\After Dark\After Dark.exe” /taskbar
O4 - HKLM…\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM…\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM…\Run: [WinampAgent] “C:\PROGRAM FILES\WINAMP\WINAMPa.exe”
O4 - HKLM…\Run: [WinPoET] C:\Program Files\VerizonOnlineDSL\WinPoET\WinPPPoverEthernet.exe
O4 - HKLM…\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM…\Run: [Online Service] C:\WINDOWS\svchost.exe
O4 - HKLM…\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM…\Run: [2RDRGFM4R325YA] C:\WINDOWS\SYSTEM\Mdm7N.exe
O4 - HKLM…\RunServices: [rmmon] c:\windows\SYSTEM\mprmmon.exe
O4 - HKLM…\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM…\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM…\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM…\RunServices: [Vshwin32EXE] C:\McAfee\VirusScan\VSHWIN32.EXE
O4 - HKLM…\RunServices: [AccessRampLAN 01] “C:\PROGRAM FILES\VERIZONONLINEDSL\VISUAL IP INSIGHT\ARUpld32.exe” -l
O4 - HKLM…\RunServices: [AccessRampMonitor 01] “C:\PROGRAM FILES\VERIZONONLINEDSL\VISUAL IP INSIGHT\ARMon32a.exe”
O4 - HKCU…\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU…\Run: [Reminder] C:\Money\System\reminder.exe
O4 - HKCU…\Run: [Extreme Messenger for AIM] C:\PROGRAM FILES\AIM95\EXTREME MESSENGER\EXTREMEMESSENGER.exe nosplash
O4 - HKCU…\Run: [5-2-46-59[1]] c:\windows\5-2-46-59[1].exe -m
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Greeting\GWREMIND.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\MSOffice\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\MSOffice\Office\OSA.EXE
O4 - Startup: Windows Guardian.lnk = C:\Program Files\The HelpSpot!\Fawgrd32.exe
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Verizon Online DSL Account Setup.lnk = C:\Program Files\VerizonOnlineDSL\AccountSetup\DSLAccSetup.exe
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {8C731E3D-10F1-11D2-ACF9-0000C0D6E3D6} (MyControl.AppLauncher) - file://c:\windows\Web\Wallpaper\Project1.CAB
O16 - DPF: {FAACFEF1-F155-11D0-A11E-0000C09E21C1} (AOLMailUI Class) - http://www.aol.com/netmail/aolnetmail.cab
O16 - DPF: {2B369E51-97F0-11D1-9170-0000C0D23BD8} (AOLAPIObj Class) - http://www.aol.com/netmail/aolapi-n.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {2FF18E10-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.0) - http://www.msnbc.com/download/nm0713.cab
O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - http://activex.microsoft.com/controls/mcsi/mcsimenu.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

Any ideas on what I should fix? Actually, I know one file in particular should be gone but I can’t keep it dead:

O4 - HKCU…\Run: [5-2-46-59[1]] c:\windows\5-2-46-59[1].exe -m

Every time I remove this, it just pops right back into my next scan. Not sure what to do.

I can’t say if it’s a virus, but get yourself to www.grisoft.com, get AVG, and run it.

It’s free, and it’s cleared up numerous problems for myself and every person that I’ve referred to them.

Hey, couldn’t hurt…

Yes, that one does look suspicious. Have you tried MSCONFIG? If not, go to Run > type “msconfig” (no quotes) and select the Startup tab. Scan through the menu and see if it is there; if so, uncheck it. You may be able to remove it if it does not load, so after the restart, delete the rascal if possible. You might also post your HijackThis log in the Spyware Forums; these folks are experienced and surely could help.

There are several problems. The first one you have to deal with is the peper trojan:

O4 - HKLM…\Run: [2RDRGFM4R325YA] C:\WINDOWS\SYSTEM\Mdm7N.exe

Cleaning via hijackthis doesn’t help. You need to download the cleaner from here. (scroll down to the very bottom of the page for the link). You will need to be connected to the Internet while cleaning.
After that’s done, restart your computer.

This is a partial log, so I can’t analyze all the problems (notably, any browser hijackers). However, some things need immediate attention, so run HijackThis again. Put a check mark by the following items:
O4 - HKLM…\Run: [Online Service] C:\WINDOWS\svchost.exe
O4 - HKLM…\Run: [2RDRGFM4R325YA] C:\WINDOWS\SYSTEM\Mdm7N.exe (If it shows up again)
O4 - HKLM…\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKCU…\Run: [5-2-46-59[1]] c:\windows\5-2-46-59[1].exe -m

Click on Fix checked and delete the items.

Restart the computer and delete these files, if present:

wupdater.exe
5-2-46-59[1].exe

The “svchost” should also be deleted, but there are legitimate programs with that name, so it’s best to go to http://housecall.trendmicro.com/housecall and let their online virus scanner clean it up.

When you’re done, post your entire log here so it can be checked.
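The triage RealityChuck does by eye above can be written down as a few checks. This is an added example, not part of the thread or of HijackThis: it parses O4 lines copied from the log quoted in this thread and flags the patterns the replies point at (a random-looking value name, a numeric/hyphenated value name, and a Windows system-process name such as svchost.exe running from an unexpected folder). The pattern thresholds, the `SYSTEM_PROCESS_NAMES` list and the `system32` location check are assumptions of the example, not rules from the thread.

```python
import ntpath
import re

# Constructed sample input: O4 lines copied from the HijackThis log in this thread.
# It holds known-good entries, one entry for each heuristic below, and wupdater.exe,
# which the thread flags but which no simple pattern catches (it needs outside knowledge).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ScanRegistry] c:\\windows\\scanregw.exe /autorun
O4 - HKLM\\..\\Run: [Online Service] C:\\WINDOWS\\svchost.exe
O4 - HKLM\\..\\Run: [updater] C:\\Program Files\\Common files\\updater\\wupdater.exe
O4 - HKLM\\..\\Run: [2RDRGFM4R325YA] C:\\WINDOWS\\SYSTEM\\Mdm7N.exe
O4 - HKCU\\..\\Run: [5-2-46-59[1]] c:\\windows\\5-2-46-59[1].exe -m
O4 - HKLM\\..\\RunServices: [SchedulingAgent] mstask.exe
"""

# "O4 - <hive>: [<value name>] <command line>"; the greedy name group copes with
# brackets inside the value name, as in [5-2-46-59[1]].
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>.+)\] (?P<cmd>.+)$")
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)[A-Z0-9]{10,}$")   # e.g. 2RDRGFM4R325YA (assumed threshold)
NUMERIC_NAME_RE = re.compile(r"^[\d-]+(\[\d+\])?$")      # e.g. 5-2-46-59[1]
# Names of Windows NT system processes that malware borrows; on NT the real ones live in
# %SystemRoot%\system32, and Windows 9x has no legitimate svchost.exe at all (assumed list).
SYSTEM_PROCESS_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


def exe_path(cmd):
    """Extract the executable path from a Run value's command line (quoted or not)."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def parse_o4(log_text):
    """Return (hive, value name, executable path) for every O4 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            entries.append((m["hive"], m["name"], exe_path(m["cmd"])))
    return entries


def triage(log_text):
    """Map each suspicious O4 value name to the reason it was flagged."""
    findings = {}
    for _hive, name, path in parse_o4(log_text):
        base = ntpath.basename(path).lower()
        folder = ntpath.dirname(path).lower()
        if RANDOM_NAME_RE.match(name):
            findings[name] = "random-looking value name"
        elif NUMERIC_NAME_RE.match(name):
            findings[name] = "numeric/hyphenated value name"
        elif base in SYSTEM_PROCESS_NAMES and not folder.endswith("\\system32"):
            findings[name] = f"{base} running outside system32 ({path})"
    return findings
```

The heuristics surface three of the four entries the reply tells the poster to fix; the generically named `updater` entry shows why a log review still needs a human or a reputation lookup behind the patterns.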

Thank you, thank you, thank you all.

James, that’s a great program!

Toddly, good suggestion. I unchecked a few things and that helped.

RealityChuck! Fantastic. Thanks for looking at the stuff. I tried to run the first program - the trojan remover, but it just had a little box popup saying it won’t run in DOS mode. I’m not sure why, but that’s what happened.

I killed the files you told me to in HijackThis and restarted the computer, and I don’t see any sign of them when I ran it again. Here is the entire log file I just ran:

Logfile of HijackThis v1.96.1
Scan saved at 10:43:37 PM, on 4/23/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPRMMON.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\MCAFEE\VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\VERIZONONLINEDSL\VISUAL IP INSIGHT\ARUPLD32.EXE
C:\WINDOWS\SYSTEM\M2AUDMON.EXE
C:\PROGRAM FILES\VERIZONONLINEDSL\VISUAL IP INSIGHT\ARMON32A.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\VOYETRA\AS2\VTRAY.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\VERIZONONLINEDSL\WINPOET\WINPPPOVERETHERNET.EXE
C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE
C:\WINDOWS\RunDLL.exe
C:\MONEY\SYSTEM\REMINDER.EXE
C:\GREETING\GWREMIND.EXE
C:\MSOFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\THE HELPSPOT!\FAWGRD32.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\AOLTRAY.EXE
C:\PROGRAM FILES\THE HELPSPOT!\FA_GD32.EXE
C:\PROGRAM FILES\THE HELPSPOT!\RTFIXM32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TSC.EXE

O4 - HKLM…\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM…\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM…\Run: [mmpti] c:\windows\SYSTEM\m1mmpti.exe
O4 - HKLM…\Run: [SystemTray] SysTray.Exe
O4 - HKLM…\Run: [EnsoniqMixer] starter.exe
O4 - HKLM…\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM…\Run: [Vshwin32EXE] C:\McAfee\VirusScan\VSHWIN32.EXE
O4 - HKLM…\Run: [VoyetraTray] C:\VOYETRA\AS2\VTRAY.EXE /s
O4 - HKLM…\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM…\Run: [After Dark QuickAccess] “c:\After Dark\After Dark.exe” /taskbar
O4 - HKLM…\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM…\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM…\Run: [WinampAgent] “C:\PROGRAM FILES\WINAMP\WINAMPa.exe”
O4 - HKLM…\Run: [WinPoET] C:\Program Files\VerizonOnlineDSL\WinPoET\WinPPPoverEthernet.exe
O4 - HKLM…\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM…\RunServices: [rmmon] c:\windows\SYSTEM\mprmmon.exe
O4 - HKLM…\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM…\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM…\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM…\RunServices: [Vshwin32EXE] C:\McAfee\VirusScan\VSHWIN32.EXE
O4 - HKLM…\RunServices: [AccessRampLAN 01] “C:\PROGRAM FILES\VERIZONONLINEDSL\VISUAL IP INSIGHT\ARUpld32.exe” -l
O4 - HKLM…\RunServices: [AccessRampMonitor 01] “C:\PROGRAM FILES\VERIZONONLINEDSL\VISUAL IP INSIGHT\ARMon32a.exe”
O4 - HKCU…\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU…\Run: [Reminder] C:\Money\System\reminder.exe
O4 - HKCU…\Run: [Extreme Messenger for AIM] C:\PROGRAM FILES\AIM95\EXTREME MESSENGER\EXTREMEMESSENGER.exe nosplash
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Greeting\GWREMIND.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\MSOffice\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\MSOffice\Office\OSA.EXE
O4 - Startup: Windows Guardian.lnk = C:\Program Files\The HelpSpot!\Fawgrd32.exe
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Verizon Online DSL Account Setup.lnk = C:\Program Files\VerizonOnlineDSL\AccountSetup\DSLAccSetup.exe
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {8C731E3D-10F1-11D2-ACF9-0000C0D6E3D6} (MyControl.AppLauncher) - file://c:\windows\Web\Wallpaper\Project1.CAB
O16 - DPF: {FAACFEF1-F155-11D0-A11E-0000C09E21C1} (AOLMailUI Class) - http://www.aol.com/netmail/aolnetmail.cab
O16 - DPF: {2B369E51-97F0-11D1-9170-0000C0D23BD8} (AOLAPIObj Class) - http://www.aol.com/netmail/aolapi-n.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {2FF18E10-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.0) - http://www.msnbc.com/download/nm0713.cab
O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - http://activex.microsoft.com/controls/mcsi/mcsimenu.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

Thanks so much, everyone. I don’t know if it’s dead, but it’s certainly been beaten badly.

I’m glad you have the advantage. I would recommend that you download and install Spyware Blaster. This is a nice little program that prevents spyware from installing. I think it works pretty well. My kids’ machines are in good shape, and I actually attribute some of that to this program. You install it and update it as needed.