Neurotik's got a virus/worm/trojan/hijacker

…and I can’t figure out where the hell it is. Any help possible? Here’s my HijackThis logfile.

Logfile of HijackThis v1.96.1
Scan saved at 10:08:34 PM, on 10/7/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPRMMON.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\MCAFEE\VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\VERIZONONLINEDSL\VISUAL IP INSIGHT\ARUPLD32.EXE
C:\PROGRAM FILES\VERIZONONLINEDSL\VISUAL IP INSIGHT\ARMON32A.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\WINDOWS\SYSTEM\M2AUDMON.EXE
C:\PROGRAM FILES\TOOLBAR\TBPS.EXE
C:\PROGRAM FILES\TOOLBAR\PIB.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\BBIPRA.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\VOYETRA\AS2\VTRAY.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\VERIZONONLINEDSL\WINPOET\WINPPPOVERETHERNET.EXE
C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\SED\SED.EXE
C:\MONEY\SYSTEM\REMINDER.EXE
C:\GREETING\GWREMIND.EXE
C:\PROGRAM FILES\THE HELPSPOT!\FAWGRD32.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\AOLTRAY.EXE
C:\PROGRAM FILES\ADDESTROYER\ADDESTROYER.EXE
C:\PROGRAM FILES\THE HELPSPOT!\FA_GD32.EXE
C:\PROGRAM FILES\THE HELPSPOT!\RTFIXM32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\VERIZON ONLINE\SUPPORTCENTER\BIN\MPBTN.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O4 - HKLM…\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM…\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM…\Run: [SystemTray] SysTray.Exe
O4 - HKLM…\Run: [EnsoniqMixer] starter.exe
O4 - HKLM…\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM…\Run: [Vshwin32EXE] C:\McAfee\VirusScan\VSHWIN32.EXE
O4 - HKLM…\Run: [VoyetraTray] C:\VOYETRA\AS2\VTRAY.EXE /s
O4 - HKLM…\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM…\Run: [After Dark QuickAccess] “c:\After Dark\After Dark.exe” /taskbar
O4 - HKLM…\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM…\Run: [WinampAgent] “C:\PROGRAM FILES\WINAMP\WINAMPa.exe”
O4 - HKLM…\Run: [WinPoET] C:\Program Files\VerizonOnlineDSL\WinPoET\WinPPPoverEthernet.exe
O4 - HKLM…\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM…\Run: [QuickTime Task] “C:\WINDOWS\SYSTEM\QTTASK.EXE” -atboottime
O4 - HKLM…\Run: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe
O4 - HKLM…\RunServices: [rmmon] c:\windows\SYSTEM\mprmmon.exe
O4 - HKLM…\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM…\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM…\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM…\RunServices: [Vshwin32EXE] C:\McAfee\VirusScan\VSHWIN32.EXE
O4 - HKLM…\RunServices: [AccessRampLAN 01] “C:\PROGRAM FILES\VERIZONONLINEDSL\VISUAL IP INSIGHT\ARUpld32.exe” -l
O4 - HKLM…\RunServices: [AccessRampMonitor 01] “C:\PROGRAM FILES\VERIZONONLINEDSL\VISUAL IP INSIGHT\ARMon32a.exe”
O4 - HKLM…\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKCU…\Run: [Reminder] C:\Money\System\reminder.exe
O4 - HKCU…\Run: [Extreme Messenger for AIM] C:\PROGRAM FILES\AIM95\EXTREME MESSENGER\EXTREMEMESSENGER.exe nosplash
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Greeting\GWREMIND.EXE
O4 - Startup: iiuktg.exe
O4 - Startup: Windows Guardian.lnk = C:\Program Files\the HelpSpot!\Fawgrd32.exe
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - Global Startup: Verizon Online DSL Account Setup.lnk = C:\Program Files\VerizonOnlineDSL\AccountSetup\DSLAccSetup.exe
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Control Pad (HKLM)
O9 - Extra ‘Tools’ menuitem: Control Pad (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O16 - DPF: {FAACFEF1-F155-11D0-A11E-0000C09E21C1} (AOLMailUI Class) - http://www.aol.com/netmail/aolnetmail.cab
O16 - DPF: {2B369E51-97F0-11D1-9170-0000C0D23BD8} (AOLAPIObj Class) - http://www.aol.com/netmail/aolapi-n.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {2FF18E10-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.0) - http://www.msnbc.com/download/nm0713.cab
O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - http://activex.microsoft.com/controls/mcsi/mcsimenu.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38148.7394675926

Whatever this thing is, it’s also chewing up my system resources like mad.

Any help possible?

Note: I make no guarantees. Use at your own risk.

The odd thing is that you have wintools, but not all of it. Usually there are other entries. My guess is that it may have been removed, but some registry entries remain. In any case, I’ll proceed as though it’s there.

First, though, go to http://www.cexx.org/lspfix.htm and download LSPfix. Launch the application, and click the “I know what I’m doing” checkbox.
Click on all instances of “lspak.dll” (and nothing else) and click on the double arrow to move them to the “Remove” pane. Then click Finish. Close LSPfix.

Next, click on “Start,” then “Run.” Type in “msconfig” and click “OK.” When msconfig runs, click on “Startup.” Scroll down and look for any version of “Wtools” and uncheck the box beside it. Close msconfig; you will be prompted to restart the computer. Do so.

Start your computer in Safe Mode. To do this, press the F8 key repeatedly as the computer starts up until you see a menu screen (if Windows starts normally, restart it again). Use the arrow keys to highlight “Safe Mode” and press Enter. If it asks to use System Restore, say no.

Close Internet Explorer, run HijackThis again, and scan the computer. Put a check mark by the following items:

O4 - HKLM…\Run: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe
O4 - HKLM…\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - Startup: iiuktg.exe

Click on “Fix Checked” and delete the items.

Search for the following and, if they exist, delete:

The entire “c:\program files\toolbar” folder
The entire “c:\program files\common files\wintools” folder
iiuktg.exe

Restart normally and see if things have improved.
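A triage pass over a HijackThis log like the one posted above, as an added example that is not part of the original thread: it counts entries per section code, collapses the repeated Winsock LSP lines, and lists Startup items that are bare files rather than shortcuts, which are the kinds of entries the reply singles out. The function names and the shortened sample log are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the log in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TOOLBAR\TBPS.EXE

O4 - HKLM…\Run: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Greeting\GWREMIND.EXE
O4 - Startup: iiuktg.exe
O9 - Extra button: Real.com (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
"""

# Entry lines look like "O4 - ..." or "R1 - ...": a letter, a number, " - ", detail.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
LSP_PREFIX = "Unknown file in Winsock LSP: "
STARTUP_PREFIXES = ("Startup: ", "Global Startup: ")


def parse_entries(log):
    """Return (code, detail) pairs for every entry line; other lines are skipped."""
    return [m.groups() for line in log.splitlines()
            if (m := ENTRY.match(line.strip()))]


def triage(log):
    """Summarise a log for review (hypothetical helper, not a HijackThis feature)."""
    entries = parse_entries(log)
    by_code = Counter(code for code, _ in entries)
    # The log repeats the same LSP file on several lines; collapse to file -> count.
    unknown_lsp = Counter(d[len(LSP_PREFIX):].lower() for c, d in entries
                          if c == "O10" and d.startswith(LSP_PREFIX))
    # Startup-folder items normally read "name.lnk = target"; list those that do not.
    loose_startup = [d.split(": ", 1)[1] for c, d in entries
                     if c == "O4" and d.startswith(STARTUP_PREFIXES) and " = " not in d]
    return {"by_code": dict(by_code),
            "unknown_lsp": dict(unknown_lsp),
            "loose_startup": loose_startup}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

The output is a review list only; whether an entry should be removed still depends on identifying the file, as the reply does for the WinTools and toolbar entries.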

Nope, no good. Same problem. But thanks for the help, anyway.

When I just ran AdAware, it said it couldn’t delete two files:

c:\windows\system\fz20.dll
c:\windows\system\vzrun.dll

The problem is that I can’t find either anywhere. And after I ran it again after rebooting, those two were still there, even after I told AdAware to remove them at reboot.

I suspect these are the cause of my problems, but I can’t figure out where they are located or how to get rid of them.

Have you tried starting in Safe Mode and running AdAware?

Didn’t even think of that. Since those files won’t be running, AdAware might be able to get rid of them, is that the idea?

Tried running AdAware in Safe Mode, same problem. Couldn’t get rid of two files.

Spybot also can’t find anything.

Any other suggestions?