Need help reviewing HijackThis log
#1
Need help reviewing HijackThis log
I recently followed previous postings on how to remove Twink64.exe, CoolSearch, etc. as well as what to remove from other HijackThis logs, but the majority of items on my log were never mentioned. Could someone go over what I have and tell me what can/should be deleted? Also, does anyone know what Simple Toolbar and WexTech AnswerWorks are? I can't get Simple Toolbar to uninstall and I have no idea what the WexTech thing is.
Thanks, Lauren

Hijack log produced in safe mode:

Logfile of HijackThis v1.99.0
Scan saved at 10:36:30 PM, on 2/15/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\LAUREN\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\PROGRAM FILES\COX\APPLICATIONS\APP\AUTHBHO.DLL
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINDOWS\SYSTEM\SPM1316.DLL
O2 - BHO: sr - {5742F79A-1D91-42c4-990C-B46CF55A6478} - C:\WINDOWS\NOTFI.DLL
O2 - BHO: Name - {90615F85-1106-428B-928A-9E119500B8DF} - C:\WINDOWS\SYSTEM\MSGKT.DLL
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\PROGRAM FILES\COX\APPLICATIONS\APP\AUTHBHO.DLL
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\SYSTEM\IESP2.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINDOWS\SYSTEM\fpdisp4a.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [Atikey] Atitask.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb01.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [qjjmxztm] C:\WINDOWS\SYSTEM\wketxg.exe
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O4 - HKLM\..\Run: [process.exe] C:\WINDOWS\process.exe
O4 - HKLM\..\Run: [AuthConsoleStart] C:\Program Files\Cox\Applications\\app\AuthStart.exe
O4 - HKLM\..\Run: [Brong32] forces_elite.exe
O4 - HKLM\..\Run: [abrek] NopeZ.exe
O4 - HKLM\..\RunServices: [BCDetect] bcdetect.exe defer
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [SndSrvc] C:\PROGRA~1\COMMON~1\SYMANT~1\SNDSRVC.EXE
O4 - HKLM\..\RunServices: [CurtainsSysSvc] C:\Program Files\Cox\Applications\app\AuthSL.exe
O4 - HKCU\..\Run: [WrCtrl] "C:\Program Files\WinRoute Pro\wrctrl.exe"
O4 - HKCU\..\Run: [Autoupdate Service] C:\WINDOWS\msxmidi.exe
O4 - HKCU\..\Run: [winxpdll32.exe] C:\WINDOWS\SYSTEM\winxpdll32.exe
O4 - HKCU\..\Run: [cmsound] c:\windows\openstre.exe
O4 - HKCU\..\Run: [jopplerg] 321102.exe
O4 - HKCU\..\Run: [killall] TorontoMail.exe
O4 - HKCU\..\Run: [hyandex] prcmon.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: ChxInit.lnk = C:\Program Files\ADS Technologies\Channel Surfer TV\ChxInit.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O18 - Filter: t5TR - {819D6019-0F91-4F61-819C-52B927E9A705} - C:\WINDOWS\SYSTEM\QWSXP.DLL
O21 - SSODL: OLE Automation Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)
O21 - SSODL: Sysctl Desktop Handler - {23456789-0000-0020-0900-00AAFF6D2EA4} - C:\WINDOWS\System32\NTOSV.DLL
O21 - SSODL: eplrr9 - {695D689C-DBB6-4BF1-9E52-A1AEAC2A0F1C} - C:\WINDOWS\SYSTEM\mspdnx.dll
#2
We need the complete file.
Please see How to post your Hijackthis log-files.
#3
whole log file
Sorry. Here it is.
#4
Where have you been surfing?
Boot in Safe Mode.

Uninstall anything to do with:
C:\Program Files\Crystal Ball\CB Predictor\terminator.exe
C:\Program Files\ADS Technologies\Channel Surfer TV\ChxInit.exe

Press ctrl/alt/del and in Taskmanager try to STOP all the xxx.exe from the O4 - group below.

Next, run HJT on its own and let it 'fix' (if there):

O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINDOWS\SYSTEM\SPM1316.DLL
O2 - BHO: sr - {5742F79A-1D91-42c4-990C-B46CF55A6478} - C:\WINDOWS\NOTFI.DLL
O2 - BHO: Name - {90615F85-1106-428B-928A-9E119500B8DF} - C:\WINDOWS\SYSTEM\MSGKT.DLL
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\SYSTEM\IESP2.DLL
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [qjjmxztm] C:\WINDOWS\SYSTEM\wketxg.exe
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O4 - HKLM\..\Run: [process.exe] C:\WINDOWS\process.exe
O4 - HKLM\..\Run: [Brong32] forces_elite.exe
O4 - HKLM\..\Run: [abrek] NopeZ.exe
O4 - HKCU\..\Run: [Autoupdate Service] C:\WINDOWS\msxmidi.exe
O4 - HKCU\..\Run: [winxpdll32.exe] C:\WINDOWS\SYSTEM\winxpdll32.exe
O4 - HKCU\..\Run: [cmsound] c:\windows\openstre.exe
O4 - HKCU\..\Run: [jopplerg] 321102.exe
O4 - HKCU\..\Run: [killall] TorontoMail.exe
O4 - HKCU\..\Run: [hyandex] prcmon.exe
O4 - Startup: ChxInit.lnk = C:\Program Files\ADS Technologies\Channel Surfer TV\ChxInit.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O18 - Filter: t5TR - {819D6019-0F91-4F61-819C-52B927E9A705} - C:\WINDOWS\SYSTEM\QWSXP.DLL
O21 - SSODL: OLE Automation Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)
O21 - SSODL: Sysctl Desktop Handler - {23456789-0000-0020-0900-00AAFF6D2EA4} - C:\WINDOWS\System32\NTOSV.DLL
O21 - SSODL: eplrr9 - {695D689C-DBB6-4BF1-9E52-A1AEAC2A0F1C} - C:\WINDOWS\SYSTEM\mspdnx.dll

When done, delete the bold files. When a directory is also bold, delete everything in it, including that directory itself.

Then start using Firefox (www.getfirefox.com) instead of IE. You could also uninstall this Comcast stuff (Cox popupstopper) because Firefox has one of the best popupstoppers built-in. Use IE only for Windows98-updates (if still available).
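The hand review done in #4 against the log from #1 has a structural part that can be automated before anyone looks at file names. The script below is an added example, not code from this thread or from the HijackThis tool: it parses the O2/O3/O4/O6/O15/O18/O21 line formats seen above, attaches the review notes a log helper applies by habit (O15 trusted IP ranges, O6 policy locks, COM objects whose file is "(no file)", O18 filters, O21 SSODL objects, and Run values that name a bare file with no path), lists the backing files that still have to be deleted after HJT "fixes" the registry entries (the "bold files" step, whose bold markup did not survive on this page), and checks a follow-up log for fix-list lines that came back. The sample lines are copied from the posted log; the rule set is an assumption for illustration and deliberately judges nothing by file name, so entries such as SPM1316.DLL that the reviewer recognised from experience are not flagged by it.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the O-lines from the log posted in #1.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [Brong32] forces_elite.exe
O4 - Startup: ChxInit.lnk = C:\Program Files\ADS Technologies\Channel Surfer TV\ChxInit.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - Trusted IP range: 67.19.185.246
O18 - Filter: t5TR - {819D6019-0F91-4F61-819C-52B927E9A705} - C:\WINDOWS\SYSTEM\QWSXP.DLL
O21 - SSODL: OLE Automation Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)
O21 - SSODL: Sysctl Desktop Handler - {23456789-0000-0020-0900-00AAFF6D2EA4} - C:\WINDOWS\System32\NTOSV.DLL
"""
# Constructed: part of the fix list from #4, and a follow-up log in which
# the O15 entries are back (as they are in the log handled in #12).
FIX_LIST = [
    r"O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINDOWS\SYSTEM\SPM1316.DLL",
    r'O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"',
    r"O4 - HKLM\..\Run: [Brong32] forces_elite.exe",
    r"O15 - Trusted IP range: 67.19.185.246",
    r"O15 - Trusted IP range: 67.19.185.246 (HKLM)",
    r"O21 - SSODL: Sysctl Desktop Handler - {23456789-0000-0020-0900-00AAFF6D2EA4} - C:\WINDOWS\System32\NTOSV.DLL",
]
AFTER_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
"""

@dataclass
class Entry:
    section: str        # O2, O4, O15, ...
    raw: str            # line exactly as HJT printed it
    name: str = ""      # BHO/toolbar/Run-value/shortcut name
    clsid: str = ""     # COM class id for O2/O3/O18/O21
    path: str = ""      # backing file, "" when HJT says (no file)
    flags: tuple = ()   # review notes attached by triage()

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
COM_RE = re.compile(r"^(?:BHO|Toolbar|SSODL|Filter): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run\w*: \[([^\]]*)\] (.*)$")
STARTUP_RE = re.compile(r"^Startup: (.*?) = (.*)$")

def _exe_from_command(cmd):
    """Program path of a Run-value command: a quoted path whole, else the first
    token (an unquoted path with spaces is as ambiguous here as to the loader)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]

def parse(log_text):
    """Turn the O-lines of an HJT log into Entry records; header and
    running-process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        e = Entry(section=m.group(1), raw=line.strip())
        body = m.group(2)
        if (c := COM_RE.match(body)):
            e.name, e.clsid, path = c.groups()
            e.path = "" if path == "(no file)" else path
        elif (r := RUN_RE.match(body)):
            e.name, cmd = r.groups()
            e.path = _exe_from_command(cmd)
        elif (s := STARTUP_RE.match(body)):
            e.name, e.path = s.groups()
        entries.append(e)
    return entries

def triage(entries):
    """Attach structural review notes in place. Heuristics, not verdicts:
    anything flagged still needs a human or a file database to confirm."""
    for e in entries:
        notes = []
        if e.section == "O15":
            notes.append("bare IP added to IE's Trusted Sites zone; review")
        if e.section == "O6":
            notes.append("IE policy lock under HKCU; used to freeze hijacked settings")
        if e.section in ("O2", "O3", "O18", "O21") and not e.path:
            notes.append("COM object registered but its file is gone; orphan, fix it")
        if e.section == "O18":
            notes.append("MIME/protocol filter sees every page IE loads; verify")
        if e.section == "O21":
            notes.append("SSODL object is loaded by Explorer at logon, so its DLL "
                         "stays in use (undeletable) while Explorer runs")
        if e.section == "O4" and e.path and "\\" not in e.path:
            notes.append("bare filename, found via PATH search; locate the file first")
        e.flags = tuple(notes)
    return entries

def backing_files(entries):
    """Full paths left on disk after HJT removes the registry entries (the
    'delete the bold files' step). Orphans and bare names have nothing to delete."""
    return sorted({e.path for e in entries if "\\" in e.path})

def still_present(fix_lines, new_log_text):
    """Fix-list lines that survive in a freshly posted log."""
    seen = {e.raw.lower() for e in parse(new_log_text)}
    return [line for line in fix_lines if line.strip().lower() in seen]

if __name__ == "__main__":
    for e in triage(parse(SAMPLE_LOG)):
        for note in e.flags:
            print(f"{e.raw}\n    -> {note}")
    print("Delete after fixing:", *backing_files(parse("\n".join(FIX_LIST))), sep="\n  ")
    print("Still present in follow-up log:", *still_present(FIX_LIST, AFTER_LOG), sep="\n  ")
```

Run it on a saved log with `parse(open("hijackthis.log").read())`. The O21 note explains the problem reported later in this thread: a ShellServiceObjectDelayLoad DLL is mapped into explorer.exe, so it cannot be deleted from within Explorer even in Safe Mode; it has to go from a command prompt before Explorer starts, or after the registry entry is removed and the machine rebooted.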
#5
thanks
Thank you for your help. However, I did have one problem. When I went to delete NTOSV.DLL it said that the file could not be deleted - specified file is being used by Windows. The only thing I had running in the task manager was Explorer. It would let me delete NTOSV.DLL.conf and NTOSV.DLL.LGC. Other than that, everything else seems to be cleaned up or removed.
I stopped using IE last month and had switched over to Firefox. I don't recall going to any random websites so I don't know how all of that crap got on my computer in the first place before the switch. Thanks again.
#6
Go get DrDelete here:
http://www.docsdownloads.com/Tier1/dr-delete.htm This can delete in-use files. What about the original Simple Toolbar and WexTech AnswerWorks? Are they still there?
#7
simple toolbar
When I tried to use DrDelete it couldn't find NTOSV.DLL. I didn't see it in the windows/system directory either, so it must have gone away after I restarted. I got WexTech to go away but the Simple Toolbar is still in the install/remove software part of the control panel. I don't know what file it's linked to.
Can I delete spool.exe, spoolsrv32.exe or scagent.exe? I'm pretty sure they are bad but just wanted to check first. Spool.exe is in my latest run of HijackThis, I saw spoolsrv32 next to spool in the windows/system directory, and I saw Cox block scagent from accessing the internet.
#8
Can you post another HJT.txt as attachment please?
Do NOT delete any of those programs yet. If they do not show up in the HJT-log, tell us where they are located on your PC.
#9
updated hijackthis log
So I thought I had my computer pretty much cleaned out, and then my friend tried to download Windows Media Player and opened the flood gates for a bunch of new monsters. One of them somewhat broke Spybot... I get the error "Error during check! Z-Demon (Ungultiger Datetyp fur ")" and now also have a giant warning that I'm in Danger as my background... awesome.
Here's the new log file you wanted. The spool.exe and spoolsrv32.exe are in the log. Scagent.exe isn't in there and I can't find it anywhere, so Cox must have killed it. SimpleToolbar is still in the add/remove software part of the control panel and I have no idea where it's coming from.
#10
Hellooohhh?
What log?
#11
Lost Log
It was attached, I swear.
#12
Boot in Safe Mode.
Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:
runonce.exe
spools.exe

Next, run HJT on its own and let it 'fix' if there:

O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [Shellspl] spools.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)

When done, delete the highlighted bold files. Boot normal.