Hi everyone
I'm posting because my dad's laptop has essentially filled up with spyware to the extent that he cannot connect to the internet.

Essentially he has a Sony Vaio laptop that had windows 98 SE on and just recently he put xp on also. He never connected it to the internet and didn't have any spyware or virus protection. However just recently my parent's pc went to the big electronics store in the sky so they've linked the laptop to their broadband connection. Without any protection it soon filled with spyware and this weekend I put adaware and spybot on it to try and remove it all (I'm gonna put virus protection on next weekend).
When I started work on it the laptop wouldn't connect to the internet in xp but if loaded in 98 it would have no problems. Now after running adaware and spybot I can get connected to the internet but as soon as I do there is some spyware that hasn't been caught that immediately kicks in and the laptop grinds to a halt. I've got a hjt log that I've posted below and I'd really apreciate it if someone could have a quick scan.

By the way I'd really like to learn to interpret this stuff myself is there anywhere I can learn?

Cheers everyone

Logfile of HijackThis v1.98.2
Scan saved at 11:28:25, on 06/02/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\POWERPANEL\PROGRAM\PCFMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\WINDOWS\DSLAUNCH.EXE
C:\PROGRAM FILES\SONY\SMART LABEL\SSLOSERV.EXE
C:\PROGRAM FILES\SONY\HOTKEY UTILITY\HKSERV.EXE
C:\PROGRAM FILES\APOINT\APOINT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLSTAT.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLAGENT.EXE
C:\PROGRAM FILES\BATTERYSCOPE\BATMGR.EXE
C:\PROGRAM FILES\SONY\VAIO ACTION SETUP\VASERV.EXE
C:\PROGRAM FILES\APOINT\APWHEEL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\E_SICN03.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.iesearch.freeserve.com/iesearch/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
- C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [YAMAHA DS-XG Launcher] c:\windows\dslaunch.exe
O4 - HKLM\..\Run: [Smart Label OServer] C:\PROGRAM FILES\SONY\SMART
LABEL\SSLOSERV.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey
Utility\HKserv.exe
O4 - HKLM\..\Run: [AlpsPoint] C:\Progra~1\Apoint\Apoint.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL
Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL
Modem\dslagent.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN
Messenger\MsnMsgr.Exe" /background
O4 - Startup: BatteryScope.lnk = C:\Program
Files\BatteryScope\Batmgr.exe
O4 - Startup: PowerPanel.lnk = C:\Program
Files\PowerPanel\Program\PcfMgr.exe
O4 - Startup: VAIO Action Setup (Server).lnk = C:\Program
Files\SONY\VAIO Action Setup\VAServ.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk =
C:\Windows\system\E_SRCV03.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

Isn't there a site where you can have your hijackthis-log checked? There is one in german, so I'm sure there's one in english too. It would be a good first thing to do instead of filling up forums with these logs.

After a VERY brief look at your log-file, I would say it's more or less clean. The problem isn't the spyware/adware/pornware/virus/backdoor etc etc, the problem is YOU, the user.

If you really need to use the Internet Explorer, get familiar with its security-options. A PC doesn't fill up with spyware "just like that" after it is connected to the internet.

Try to use Mozilla/Firefox or something similar and see if the "pollution" stops.

Also a virus scanner cannot protect you if you just download and run about everything you see on a website.


Michael

Harsh but fair I think.

My appologies if this is an inapropriate post for this forum. I have had help with my own pc from here in the past and thought this was a good place to start. I'll google search for somewhere to post this log, but if anyone has any suggestions or sites to recommend they would be much appreciated.

I am well aware that spyware doesn't just jump onto a pc and that most of it is in fact stuff that people have asked to be downloaded, however a lot of it does so through less than obvious means. Unfortunately the problem is not me the user it's my parents the users (I did point out it was their machine) and they are unfortunately not as up to speed with computing issues as some people. As I said they didn't even have any virus protection, simply because they didn't realize that they should, or even what virus protection was.

Thanks for your brief look, but there definitely is spyware on there, because as soon as the internet is connected I get a handful of "fake" dialog boxes asking me to visit security and adult sites aswell as poups requesting I install toolbars before the computer grinds to a complete halt.

Cheers anyway, as I said I'll find somewhere more appropriate to post, i didn't mean to cause offence.

I know this problem.


Could it be that you're talking about the messenger service? And did you experience the crash of your PC also when you where offline? Test it. Could be a driver or hardware problem.

http://www.itc.virginia.edu/desktop/docs/messagepopup/



ActiveX, for an example. You should check if it is activated on your parent's PC. This site is about dialers, but the problem is the same:

http://www.emsisoft.com/en/kb/articles/tec041212/

Problem is: with a "secure" IE, you will have difficulties using certain websites. That's where you should use the "trusted zone". Or, easier, use a different browser instead as suggested above.

I didn't mean to be harsh, it's just that the questions are always the same and people don't read the sticky threads.




Michael

Thanks very much, you were right it is the messengerservice I'll get that turned off for starters.
There's also something to do with installing a toolbar. I can't remember the name, but it has what appears to be an install file on c: that keeps regenerating when I delete it. There's a registry entry that adaware cannot remove and/or keeps regenerating, again I can't remember the name of it but it's three letters followed by a the word "bar." The last thing is that after a few minutes once I try to connect to the internet I get a window saying something like "your pc will shutdown in 45 seconds. This has been authorised by NT_______ ..." Again I can't remember the details. I really need to get them. Sorry for the vagueness, I'll get all the details next weekend and try to post if you'd be happy to take a look?

I understand regarding people posting the same old stuff time and again. I feel really bad for posting to be honest cos I know you guys give up your free time to help us lowly folk that really don't have a clue about the detailed workings of a pc. But you can certainly be sure that we're all very greatfull for it.

Cheers very much again

Phil

Turnip. This is an appropriate place to post . That is why this forum was set up in the first place, to help people who are having problems.
Personally I do not trust the online hijackthis log scanners as they do not give enough direction and have too many false positives.
Although I see nothing in your log either it could well be hidden somewhere.
If you have anything disabled in msconfig, re-enable it and reboot and post another log.
Does 98 have messenger?
You are also running an out of date hijackthis. Update hijackthis to version 1.99. Run hijackthis & go to *Config\Misc Tools\Check for update on-line*. If the site is down, go here. Remove the old version by opening the program, going to config\misc tools, then uninstall & exit. You then have to delete the file manually. Unzip the new version into the hijackthis folder.

Thanks also Crunchie. I'll grab an updated hijack this and follow your directions too.

You mentioned win 98 not having messenger. The laptop originally had 98 but has also had xp installed. During boot up there is an option for which to use and win 98 still works fine, it is just in xp that the problems occur. I noticed the hijack this log says windows 98, but I thought I ran it while using xp, maybe I'm wrong though. I grabbed the log in a hurry before I left my parents last night, which is why I don't have the details for the other problems on the system. I'll get some more detailed info when I visit them again next weekend.

Thanks

Phil

Try it in safe mode (hit F8 during startup). And yes, you have to run HijackThis under Windows XP to get track of the spyware installed there.



I think Blaster gave you a minute, so it must be Sasser. You should install either Service Pack 2 on your Windows XP system or the following 2 patches:

Blaster-Patch =>

http://www.microsoft.com/downloads/d...displaylang=en


Sasser-Patch =>

http://www.microsoft.com/downloads/d...displaylang=en



You MUST either install SP2 or these 2 patches before connecting a Windows XP system to the internet!

Best thing to do would be probably to reinstall the whole system, then update it with all the latest patches including SP2, then get rid of IE except for Windows Update and also install a decent antivirus software like AVG 7.0 FreeEdition.



Michael

Hey Turnip, you may want to have your parents read this as it's kind of related:

http://www.daniweb.com/techtalkforums/thread16365.html

You can find Hijackthis tutorials at these sites (and more if you do a google search):

http://hometown.aol.co.uk/jrmc137/hj...l/tutorial.htm
http://hjt.wizardsofwebsites.com/
http://www.bleepingcomputer.com/foru...howtutorial=42
http://www.spywareinfo.com/~merijn/htlogtutorial.html

By the way, I don't see anything bad in that log either, but since XP is where you are having problems, that is where you need to scan with HJT.

Micheal
Dead right again. Checked out the sasser worm on trendmicro and it has exactly the same dialogue boxes as I'm seeing on the laptop, with the "LSA shell has encountered a problem" message and the "system shutdown" message.

You are obviously on a roll

Thanks
Phil