MissyA
Guest IP: 170.141.*.*
Posted: Wed Dec 17, 2003 2:33 pm Post subject: Please help me!!! FastSearch:cc is ruining my computer.
Hey guys,
We got infected with the Fastsearch:cc hijack virus last week, we think through our Outlook Express program. I’ve been reading your postings here and have downloaded and run CWShredder (God bless Merijn) and it seems to have removed all the main bugs. Our problem is that the system still seems really unstable - applications take forever to load, when my little girl tries to run her computer game the d: drive isn’t recognized, we can’t even connect because our ISP times out before it loads, and I even have to turn the comp on and off several times to get Windows to load. I ran HijackThis yesterday and am posting the log. Could someone please take a look at it and tell me if there’s anything fishy on there? We don’t have instant messenger or any type of recording software downloaded (that we know of). If there are things that are safe to remove (like the Yahoo chat stuff, which I think we’ve used maybe twice) I’d like to get rid of it, too.
Thank you so much. You guys are awesome.
Missy A.
MissyA.
Guest IP: 170.141.*.*
Posted: Wed Dec 17, 2003 2:35 pm Post subject: Forgot the Hijack log-sorry
Logfile of HijackThis v1.97.7
Scan saved at 3:24:41 PM, on 12/16/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\3CMLNKW.EXE
C:\PROGRAM FILES\WASHER\WASHER.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\U.S. ROBOTICS\U.S. ROBOTICS INTERNET CALL NOTIFICATION\CALLWAITING.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\DIETPOWER\DIET.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\TEMP\TD_0005.DIR\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [3Cmlink] C:\WINDOWS\SYSTEM\3cmlnkW.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Instant Update Reminder.lnk = C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
O4 - Startup: U.S. Robotics Internet Call Notification.lnk = C:\Program Files\U.S. Robotics\U.S. Robotics Internet Call Notification\CallWaiting.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37964.8326851852
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = xodus.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = ÙÏ
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 24.2.7.33,24.2.7.34,207.217.120.83,207.217.77.82
TonyKlein
Site Moderator Microsoft MVP
 Joined: Oct 15, 2002 Posts: 13120 Location: Netherlands
Posted: Wed Dec 17, 2003 2:50 pm
That's a clean log.
You'd do well to perform some maintenance though:
Shut down Internet Explorer and Outlook Express.
Go to Control Panel/Internet, and clear your temporary Internet Files.
Click on Settings/show files, and delete all cookies there.
Also clear your History.
Go to the 'Content' tab, click 'Autocomplete', and clear your forms and passwords cache.
Now go to the Advanced tab, and click Restore Defaults.
Go to the Security tab > Internet, and click restore defaults there as well.
Empty the ENTIRE contents of your Windows\Temp folder, and empty your recycle bin.
Also disable unneeded stuff from Startup:
Go to Start > Run > Msconfig, uncheck everything unneeded from the Startup tab.
Here's a good reference list with info about what to leave, and what to uncheck: http://www.sysinfo.org/startupinfo.php
And do the following:
And restart your computer using the Windows Me emergency startup disk.
Use the arrow key on your keyboard to select Start Computer Without CD-ROM Support, and then press ENTER.
At the prompt type scanreg /fix, and then press ENTER.
The Scanreg tool will now proceed to rebuild, compact, and repair your registry, which can take some time.
When it's done, remove the boot disk, and type 'exit' or 'win', followed by pressing Enter (or do a Ctrl-Alt-Delete) in order to reboot into Windows.
Last edited by TonyKlein on Wed Dec 17, 2003 2:53 pm, edited 1 time in total
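Added example, not part of the original posts and not code from HijackThis: a Python script that reads lines in the format of the log posted above, groups them by section code, and lists the O4 startup entries, which are the items the Msconfig Startup tab step deals with. The function names and regular expressions are this example's own; the sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# A subset of lines copied from the HijackThis v1.97.7 log posted above.
SAMPLE = r"""Running processes:
C:\WINDOWS\EXPLORER.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = xodus.com
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # "<code> - <body>"
O4_REG = re.compile(r"^(HK\w+\\\.\.\\Run\w*): \[([^\]]*)\] (.*)$")  # registry Run keys
O4_LNK = re.compile(r"^((?:Global )?Startup): (.+?) = (.*)$")  # Startup folder links
PROGRAM = re.compile(r'^"?(.+?\.(?:exe|dll|cpl))\b', re.IGNORECASE)

def parse_log(text):
    """Group entry bodies by section code; header and process lines are skipped."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return dict(sections)

def program_name(command):
    """Bare lower-case file name of the program a command line starts."""
    m = PROGRAM.match(command)
    path = m.group(1) if m else command
    return path.rsplit("\\", 1)[-1].lower()

def autostarts(sections):
    """Turn O4 bodies into records: where registered, entry name, what runs."""
    records = []
    for body in sections.get("O4", []):
        m = O4_REG.match(body) or O4_LNK.match(body)
        if m:  # any other O4 shape is left for manual reading
            source, name, command = m.groups()
            records.append({"source": source, "name": name,
                            "command": command, "program": program_name(command)})
    return records

if __name__ == "__main__":
    for r in autostarts(parse_log(SAMPLE)):
        print(f'{r["source"]:<22} {r["name"]:<18} {r["program"]}')
```

The `program` column is the file name to look up in a startup reference list such as the one linked in the post above.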
TonyKlein
Site Moderator Microsoft MVP
 Joined: Oct 15, 2002 Posts: 13120 Location: Netherlands
Posted: Wed Dec 17, 2003 2:52 pm
... and I'd almost forget:
You NEED to upgrade to IE 6.0 SP1.
Next, go to the Windows Update site, and download and install ALL security patches on offer, especially the Cumulative updates for IE and OE, and the Java/VM update.
That will fix innumerable bugs, update a large number of important shared system files, and plug many security holes.
That may also make a huge difference.
MissyA
Guest IP: 170.141.*.*
Posted: Wed Dec 17, 2003 2:57 pm
I will do it and will follow up with the results.
Thank you so much, Tony. I really appreciate you guys!
MissyA
Guest IP: 170.141.*.*
Posted: Wed Dec 17, 2003 3:29 pm
One last question, Tony. (Well, actually two...)
Do you have any idea what could be making the system so unstable? Could the virus have damaged something? (When we had it, it kept popping up with a kernel32.dll error message.)
Also, we still have the Me CDs, but we don't have the Me emergency startup disk. Could I find this online anywhere?
Any direction would be appreciated. Thank you again.