Topic: Slow Laptop - Hijack this post

tiesworth1
« on: February 28, 2006, 02:33:30 PM »
Logfile of HijackThis v1.99.1
Scan saved at 12:57:11 PM, on 2/28/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\SSOL\MRXOJO.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: BHObj Class - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM218.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Lqafajo] C:\PROGRAM FILES\SSOL\MRXOJO.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [WL32DLL] C:\WINDOWS\SYSTEM\WL32DLL.EXE
O4 - HKCU\..\Run: [ILS] C:\WINDOWS\SYSTEM\ILS.EXE
O4 - HKCU\..\Run: [WIAVUSD] C:\WINDOWS\SYSTEM\WIAVUSD.EXE
O4 - HKCU\..\Run: [MSWMDM] C:\WINDOWS\SYSTEM\MSWMDM.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://education.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .aiff: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://education.dellnet.com/
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: Yahoo! MLB StatTracker - http://aud14.sports.sc5.yahoo.com/java/y/mlbst8408_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphotoclub.com/upload/FujifilmUploadClient.cab

tiesworth1
« Reply #1 on: March 05, 2006, 02:16:29 AM »
Any ideas?

mkda
« Reply #2 on: March 05, 2006, 02:53:55 AM »
Did you run any spyware scanners, such as Spybot, Spyware Doctor, Ad-Aware?

This file is suspicious:

C:\WINDOWS\SYSTEM\MPREXE.EXE

Read the article:

http://www.auditmypc.com/process/mprexe.asp

jaguar
« Reply #3 on: March 05, 2006, 09:36:30 AM »
If you're running on low RAM, maybe adding more will speed things up. Also, have you checked your HDD space? Free space? Try cleaning out the temporary files, recycle bin, etc. and run the disk defragmenter; it will help improve speed, especially if you haven't in a long time.

birdman
« Reply #4 on: March 05, 2006, 12:09:01 PM »
O4 - HKCU\..\Run: [WL32DLL] C:\WINDOWS\SYSTEM\WL32DLL.EXE
O4 - HKCU\..\Run: [ILS] C:\WINDOWS\SYSTEM\ILS.EXE

Those are the only ones I saw that might be trouble. The one on top I cannot find any info on. The next I know is a bad guy.

guestolo (Administrator)
« Reply #5 on: March 05, 2006, 12:18:19 PM »
C:\WINDOWS\SYSTEM\MPREXE.EXE
is safe

Can you do us a favor please? I want to see what one entry is related to.
Go to either of these links
http://virusscan.jotti.org/
or
http://www.virustotal.com/flash/index_en.html

Use the browse button and navigate to this file on your hard disk
C:\PROGRAM FILES\SSOL\MRXOJO.EXE <--this file

Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post the results of the scan back here please?

Do the same for these ones if found
C:\WINDOWS\SYSTEM\WL32DLL.EXE
C:\WINDOWS\SYSTEM\ILS.EXE
C:\WINDOWS\SYSTEM\WIAVUSD.EXE
C:\WINDOWS\SYSTEM\MSWMDM.EXE

EDIT>> You may have to show hidden files and folders:
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
* Click Start, Programs and Accessories and open Windows Explorer.
* Select a hard drive from the left hand side of the Windows Explorer window.
* Select View the Entire contents of this drive.
« Last Edit: March 05, 2006, 12:43:16 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


tiesworth1
« Reply #6 on: March 06, 2006, 07:20:42 PM »
Hi

I couldn't find c:\programfiles\ssol\mrxojo.exe on my computer, even after I showed hidden files. This is the closest file I could find matching that name:

File:  MRXOJO.LGC  
Status:  OK  
MD5  3429c9f3c66499dc284e29233f69b030  
Packers detected:  -


Here are the results of the other files scanned:

File:  WL32DLL.DLL  
Status:  OK  
MD5  bb0b9bc2b29a999211bf1b7c7d31ada5  
Packers detected:  -

File:  ILS.DLL  
Status:  OK  
MD5  bc462c856e7b61086a522cb295318f1e  
Packers detected:  -

File:  WIAVUSD.DLL  
Status:  OK  
MD5  d876ad6a135774d69062ae9abefb1d7d  
Packers detected

File:  MSWMDM.DLL  
Status:  OK  
MD5  5016f19b15f5d4c90b177ecbdaede51e  
Packers detected:  -

guestolo (Administrator)
« Reply #7 on: March 06, 2006, 08:47:02 PM »
You scanned the wrong files.
Careful, make sure you're looking at the right ones, or they don't exist.

You scanned
MRXOJO.LGC
WL32DLL.DLL
ILS.DLL
WIAVUSD.DLL
MSWMDM.DLL

I wanted you to scan, if found:
MRXOJO.EXE
WL32DLL.EXE
ILS.EXE
WIAVUSD.EXE
MSWMDM.EXE

Notice you scanned .dll files.
I was after .exe files.
Malware tries to disguise itself as legit files.

Do the following please
Do a "System scan only" with Hijackthis and put a check next to these entries:

O2 - BHO: BHObj Class - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM218.DLL (file missing)
O4 - HKLM\..\Run: [Lqafajo] C:\PROGRAM FILES\SSOL\MRXOJO.EXE

O4 - HKCU\..\Run: [WL32DLL] C:\WINDOWS\SYSTEM\WL32DLL.EXE
O4 - HKCU\..\Run: [ILS] C:\WINDOWS\SYSTEM\ILS.EXE
O4 - HKCU\..\Run: [WIAVUSD] C:\WINDOWS\SYSTEM\WIAVUSD.EXE
O4 - HKCU\..\Run: [MSWMDM] C:\WINDOWS\SYSTEM\MSWMDM.EXE
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://education.dellnet.com/ (file missing) (HKCU)

O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab


After you have ticked the above entries, close all other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot the computer

Back in Windows
Find and delete this file please if found
c:\counter.cab <-this file

Post back a fresh hijackthis log afterwards
Also, did you find this folder
c:\programfiles\ssol
What other files were in that folder?


tiesworth1
« Reply #8 on: March 06, 2006, 10:09:17 PM »
Here is the most recent HijackThis log. HijackThis made a backup copy of some files after I fixed; do I need to keep them? There is a backup folder on my desktop now.

I could not find any of the files that ended in .exe.

There was nothing in the ssol folder.

Logfile of HijackThis v1.99.1
Scan saved at 10:07:54 PM, on 3/6/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\AUPDATE.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\LUCOMSERVER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .aiff: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://education.dellnet.com/
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphotoclub.com/upload/FujifilmUploadClient.cab
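As an added example (my own code, not from the thread or from HijackThis), the checks guestolo does by hand in Replies #5 to #8, scripted: pull the exact executable names out of the `O4` autostart entries so the right files get submitted for scanning, compare what was actually scanned against what was requested so the .DLL-for-.EXE mix-up from Reply #7 is caught, flag the entries a reviewer looks at first ("(file missing)", "(no file)", and the `file://c:\counter.cab` ActiveX entry), and diff the old log against the fresh one to confirm what Fix checked removed. The sample log lines are copied from the two logs above; the function names are my own.

```python
import re
from pathlib import PureWindowsPath
# Constructed samples in HijackThis v1.99.1 format, copied from the two logs in this thread.
BEFORE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.yahoo.com/
O2 - BHO: BHObj Class - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\\WINDOWS\\NEM218.DLL (file missing)
O4 - HKLM\\..\\Run: [Lqafajo] C:\\PROGRAM FILES\\SSOL\\MRXOJO.EXE
O4 - HKLM\\..\\Run: [SpySweeper] "C:\\PROGRAM FILES\\WEBROOT\\SPY SWEEPER\\SPYSWEEPER.EXE" /startintray
O4 - HKCU\\..\\Run: [WL32DLL] C:\\WINDOWS\\SYSTEM\\WL32DLL.EXE
O4 - HKCU\\..\\Run: [ILS] C:\\WINDOWS\\SYSTEM\\ILS.EXE
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\\counter.cab
"""
AFTER_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run\w*: \[[^\]]*\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)"?(?:\s|$)', re.IGNORECASE)  # first token ending in .exe

def entries(log):
    """Lines carrying a section tag (R0, O2, O4, ...); the header and process list are dropped."""
    return [ln.rstrip() for ln in log.splitlines() if re.match(r"^[RO]\d+ - ", ln)]

def diff_logs(before, after):
    """(entries Fix checked removed, entries that are new since the earlier scan)."""
    b, a = set(entries(before)), set(entries(after))
    return sorted(b - a), sorted(a - b)

def autostart_exes(log):
    """Executables launched from O4 Run/RunServices keys, keyed by upper-cased basename."""
    found = {}
    for m in filter(None, map(O4_RE.match, entries(log))):
        e = EXE_RE.match(m.group("cmd"))
        if e:
            found[PureWindowsPath(e.group("path")).name.upper()] = e.group("path")
    return found

def flag_entries(log):
    """Entries a reviewer checks first: missing targets and ActiveX cabs loaded from a local file:// path."""
    return [ln for ln in entries(log)
            if "(file missing)" in ln or "(no file)" in ln or "file://" in ln.lower()]

def check_scanned(requested, scanned):
    """(pairs where only the stem matched, e.g. ILS.EXE vs ILS.DLL, names never scanned at all)."""
    by_stem = {PureWindowsPath(s).stem.upper(): s.upper() for s in scanned}
    got = [(r, by_stem.get(PureWindowsPath(r).stem.upper())) for r in requested]
    wrong = [(r, g) for r, g in got if g and g != r.upper()]
    return wrong, [r for r, g in got if g is None]
```

Feeding the full logs from the thread instead of the excerpts works the same way; only lines with a section tag are considered, so the "Running processes" list is ignored.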

guestolo (Administrator)
« Reply #9 on: March 07, 2006, 12:45:49 AM »
Just an orphan entry to cleanup

With all other windows closed, have HijackThis fix checked this entry:

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

How's everything on your end?
If you don't have them installed, I suggest you run both Ad-Aware SE Personal and Spybot 1.4 on this machine
You know about them so I shouldn't need to link you
But if you need the links, let me know

If everything's running better,
I would clear the System restore points on this machine too
Here's the instructions
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

Make sure to re-enable System Restore after the reboot.
Clean those temp files.
If you haven't run the Disk Defragment utility in a while on this machine,
Now would be a good time, best probably done in safe mode

I linked you to SpywareBlaster 3.5.1 in your other post.
I would use it on this computer too
Also, use the Immunization feature in Spybot

I don't see Firewall protection
If you need a free firewall, check out This Link
ONLY install one, more than one can and will cause conflicts
but you should make sure to have one installed

Also, you're behind on Windows Updates.
Use Internet Explorer, click on TOOLS > Windows Update
Scan for Updates
Install all Critical Updates and Service packs
Reboot when prompted, you will not be able to install them all at once
Revisit after reboot until you have them all (the criticals).
Let me know how things are running please
« Last Edit: March 07, 2006, 12:52:09 AM by guestolo »


tiesworth1
« Reply #10 on: March 10, 2006, 05:05:29 PM »
Things seem to be running smoothly. Thanks for everything. Any other ways to get more speed?