Laptop problem

  1. #1
    bgc (Newbie)

    Last year my laptop started having pop-up issues. Then it refused to connect to the internet. I started using my desktop but must now get the laptop back into service.

    Verizon DSL tech support could not solve it, and I'm trying system restore, but system restore (to 9/06) has been running for 12 hours, so I don't know if that will be successful.

    An older version of HijackThis is on the laptop. I can run it, save to a disk, transfer to my desktop and e-mail to D-A-L for analysis. Will that be helpful in solving this problem? Any other suggestions?

    I'm running an IBM ThinkPad with Windows ME.

    Thank you,

    Bruce


  2. #2
    bgc (Newbie)
    Attached is the HijackThis logfile related to the laptop from the previous e-mail message. Anything I should deal with?

    Thanks,
    Bruce


    Logfile of HijackThis v1.99.1
    Scan saved at 5:12:57 PM, on 9/18/2007
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
    C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\THINKPAD\EASY LAUNCH BUTTONS\TPHKMGR.EXE
    C:\WINDOWS\LTSMMSG.EXE
    C:\WINDOWS\SYSTEM\DAEMON.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\ELITEPCP32.EXE
    C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.1\UWFX5NETINSTALLER.EXE
    C:\PROGRAM FILES\AIRLINK101\AWLC5025\AWLC5025.EXE
    C:\WINDOWS\SYSTEM\OMDSREGS.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.enterthesearch.com/sp2.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.enterthesearch.com/sp2.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.enterthesearch.com/sp2.php
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\THINKPAD\EASYLA~1\TPHKMGR.EXE
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [TrackPointSrv] daemon.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [tvs_b] c:\Program Files\tvs\tvs_ln.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [lsass] C:\WINDOWS\SYSTEM\ELITEPCP32.EXE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NI.UWFX5] "C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.1\UWFX5NETINSTALLER.EXE"
    O4 - HKLM\..\Run: [InvokeSvc.exe] C:\Program Files\Airlink101\AWLC5025\AWLC5025.exe
    O4 - HKLM\..\Run: [{91-16-6E-EF-ZN}] C:\WINDOWS\SYSTEM\OMDSREGS.EXE DO0605
    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\SYSTEM\NTDEVNEX.EXE DO0605
    O4 - HKLM\..\Run: [System service79] C:\WINDOWS\ETB\POKAPOKA79.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
    O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
    O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM\zsysuz.exe
    O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM\ntdevnex.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Chinese Navigation - {35980F6E-A137-4E50-953D-813BB8556899} - C:\PROGRA~1\CNNIC\CDN\CDNIEHLP.DLL
    O9 - Extra 'Tools' menuitem: Chinese Navigation - {35980F6E-A137-4E50-953D-813BB8556899} - C:\PROGRA~1\CNNIC\CDN\CDNIEHLP.DLL
    O12 - Plugin for .fpx: C:\PROGRA~1\INTERN~1\PLUGINS\NPRVRT32.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O15 - Trusted Zone: http://navigatela.lacity.org
    O16 - DPF: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} (Verizon Broadband Toolbar) - http://www2.verizon.net/micro/vol_toolbar/vzbb.cab
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://navigatela.lacity.org/download/mgaxctrl.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 68.238.0.12,68.238.112.12
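A triage pass over a log like the one above, added here as an example and not a tool from this thread: it applies a few assumed heuristics (the allowlist and process-name list are assumptions, not from the forum) to lines copied from the posted log and lists the entries a responder would look at first.

```python
"""Heuristic triage of HijackThis 1.99-style log lines (added example)."""
import re
from urllib.parse import urlparse

# Constructed sample: six lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.enterthesearch.com/sp2.php
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\SYSTEM\ELITEPCP32.EXE
O4 - HKLM\..\Run: [NI.UWFX5] "C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.1\UWFX5NETINSTALLER.EXE"
O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM\zsysuz.exe
O15 - Trusted Zone: http://navigatela.lacity.org
"""

# Assumed allowlist of hosts an IE search key may legitimately point at.
SEARCH_ALLOW = {"www.microsoft.com", "search.msn.com"}
# Core Windows process names that malware likes to borrow as a Run-key label (assumed list).
IMPERSONATED = {"lsass", "csrss", "svchost", "winlogon", "smss", "services"}

R_RE = re.compile(r"^R[01] - .* = (?P<url>https?://\S+)$")
LNK_RE = re.compile(r"^O4 - Startup: (?P<lnk>\S+) = (?P<path>.+)$")
O4_RE = re.compile(r'^O4 - .+?: \[(?P<name>[^\]]+)\] "?(?P<path>.+?\.exe)"?', re.I)

def triage(log_text):
    """Return (reason, line) pairs for entries that deserve a manual look."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        if (m := R_RE.match(line)) and urlparse(m.group("url")).hostname not in SEARCH_ALLOW:
            findings.append(("IE search setting points at an unlisted host", line))
        elif (m := LNK_RE.match(line)) and "\\windows\\system\\" in m.group("path").lower():
            findings.append(("Startup shortcut targets the Windows system folder", line))
        elif m := O4_RE.match(line):
            name, path = m.group("name").lower(), m.group("path").lower()
            if name in IMPERSONATED:
                findings.append(("Run key borrows a core Windows process name", line))
            elif "downloaded program files" in path:
                findings.append(("Run key launches from the browser download cache", line))
        elif line.startswith("O15 - Trusted Zone:"):
            findings.append(("Trusted Zone entry; confirm the site was added on purpose", line))
    return findings

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

The TaskMonitor entry is left alone by every rule, so the output is the five entries a reviewer would query first; the rules are hints for where to look, not a verdict.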

  3. #3
    Neal (Dedicated Member)
    See if you can save these tools to disk on an uninfected computer and bring them to the infected computer.

    The first link is for hopefully restoring the internet connection.

    http://digital-solutions.co.uk/lavasoft/whndnfix.zip

    Try to save this to disk if there is no internet connection; if there is a connection, run the tool as well.


    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

    * Double-click the drweb-cureit.exe file and allow it to run the express scan.
    * This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    * Once the short scan has finished, mark the drives that you want to scan.
    * Select all drives. A red dot shows which drives have been chosen.
    * Click the green arrow at the right, and the scan will start.
    * Click 'Yes to all' if it asks if you want to cure/move the file.
    * When the scan has finished, see if you can click the next icon next to the files found:

    * If so, click it, then click the next icon right below and select Move incurable, as you'll see in the next image:


    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (This is in case we need samples.)
    * After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
    * Save the report to your desktop. The report will be called DrWeb.csv.
    * Close Dr.Web CureIt.
    * Reboot your computer!! It is possible that files in use will be moved/deleted during reboot.
    * After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. You can use Notepad to open the DrWeb.csv report.

    If you get the internet connection back, run this tool, as an internet connection is required for it to work properly:


    Please download LQfix.exe from one of the following locations:

    http://www.downloads.subratam.org/LQfix.exe
    http://miekiemoes.geekstogo.com/tools/LQfix.exe

    Save it to your desktop.
    • Double-click LQfix.exe and click Next > Next > Install.
    • Leave the default settings; if you change them, the fix will fail!
    • You need an active internet connection, so make sure you're not blocking any connection now.
    • Now make sure the "Launch LQfix" box is checked.
    • Click the Finish button; after clicking the Finish button the fix will start.
    • Follow the on-screen prompts.
    • Your system will reboot afterwards.
    • Please be patient after the reboot; there is a script running in the background that needs to complete.
    Then do a scan with HJT and post a new log by using Add Reply.


    You can also save to disk the new version of HijackThis at the top of this forum where it says "read this first".


    Good luck

  4. #4
    bgc (Newbie)
    Neal,

    Thanks. I'll attempt your suggestions. Is there anything in the HJT log that indicates a problem?

  5. #5
    Neal (Dedicated Member)
    Yes, there is, but it's always best to use automated tools first, then manually go after any leftovers.

  6. #6
    bgc (Newbie)
    Neal,
    I downloaded whndnfix.zip to a floppy and have it extracted on the floppy. Do I run it from the "A" drive, or does it have to run from a file on the main "C" hard drive?

  7. #7
    Neal (Dedicated Member)
    I would say A. If the floppy doesn't work properly, then use a disk if you have that option.
