#1
Can't remove Porn on PC+Hijack This Log
Hi,
I have a client running Win98SE. Since her son went to a porn site her pc freezes and Mega Porn Downloader pops up, this only happens once she has connected to the Internet. I have tried Adaware SE and Spy Sweeper and both programs remove Spyware/Adware, but as soon as the pc connects to the Net, it all comes back. Below is the log. I know last resort is format reload.

Tnx
Ari

Logfile of HijackThis v1.98.2
Scan saved at 6:04:14 PM, on 9/3/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PROFESSIONAL\AD-WATCH.EXE
C:\WINDOWS\APPLICATION DATA\HCUS.EXE
C:\PROGRAM FILES\PINNACLE\STUDIO DV PLUS\EREGISTER\REMIND32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NIKON\NKVIEW5\NKVMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HJT\HIJACKTHIS.EXE

R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [Winad Client] C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE
O4 - HKLM\..\Run: [AWMON] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PROFESSIONAL\AD-WATCH.EXE"
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Internet Security\NISSERV.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccProxy] C:\PROGRA~1\COMMON~1\SYMANT~1\CCPROXY.EXE
O4 - HKLM\..\RunServices: [SndSrvc] C:\PROGRA~1\COMMON~1\SYMANT~1\SNDSRVC.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Roaa] C:\WINDOWS\Application Data\hcus.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - HKCU\..\RunServices: [Roaa] C:\WINDOWS\Application Data\hcus.exe
O4 - HKCU\..\RunServices: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O4 - Startup: Pinnacle Systems - Studio Family.lnk = C:\Program Files\Pinnacle\Studio DV Plus\ERegister\Remind32.exe
O4 - Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O16 - DPF: {B94B4225-E02E-4D3F-BADB-026F1E2F3AD7} (HttpDownloader Control) - http://www.instantplugin.com/SexDownloader.cab
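A triage aid for a log like the one posted above, as an added example that is not part of the original thread: it parses the F1 and O4 registry autostart lines and lists executables registered under more than one startup location. The function names and the "more than one location" rule are assumptions of this example; a repeated entry is a prompt to inspect the file, not a verdict on it.

```python
import re
from collections import defaultdict

# A subset of entries copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - HKCU\..\Run: [Roaa] C:\WINDOWS\Application Data\hcus.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - HKCU\..\RunServices: [Roaa] C:\WINDOWS\Application Data\hcus.exe
O4 - HKCU\..\RunServices: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
"""

# Line shapes as they appear in the log: O4 registry autostarts and F1 win.ini run=/load=.
O4_RE = re.compile(r"^O4 - (?P<loc>HK[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
F1_RE = re.compile(r"^F1 - (?P<loc>[\w.]+): (?:run|load)=(?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)\b', re.IGNORECASE)


def executable(cmd):
    """Reduce a startup command line to its executable path, upper-cased for comparison."""
    m = EXE_RE.match(cmd.strip())
    return (m.group("exe") if m else cmd.strip().strip('"')).upper()


def parse_autoruns(log):
    """Yield (location, executable) for every O4 registry and F1 win.ini entry."""
    for line in log.splitlines():
        m = O4_RE.match(line.strip()) or F1_RE.match(line.strip())
        if m:
            yield m.group("loc"), executable(m.group("cmd"))


def repeated_targets(log, min_locations=2):
    """Map each executable to its startup locations, keeping those in >= min_locations."""
    seen = defaultdict(set)
    for loc, exe in parse_autoruns(log):
        seen[exe].add(loc)
    return {exe: sorted(locs) for exe, locs in seen.items() if len(locs) >= min_locations}


if __name__ == "__main__":
    for exe, locs in repeated_targets(SAMPLE_LOG).items():
        print(f"{len(locs)} locations: {exe}\n    " + ", ".join(locs))
```

Legitimate software can also appear under two keys, so the output is a short list of files to look at first rather than a removal list.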
#2
|
|||
|
|||
|
seems the only way is to reload.
#3
|
|||
|
|||
|
Is it that bad?
#4
|
|||
|
|||
|
Does anyone else have a solution besides formatting my client's PC?
#5
|
||||
|
||||
|
Quote:
Quote:
Be sure to try and run them (antivirus and antispyware) in safe mode too, after disabling as much as you can using msconfig. Some apps avoid detection by knowing what programs will be looking for them and not letting them work properly, or at all.

If there are files that your client absolutely can't live without, use one of your computers with spare drive space. BE SURE you've updated all the defensive applications on the host machine BEFORE doing this, or you'll really have a disappointing situation on your hands.

0. Update ALL your antivirus and antispyware applications and be sure they're running.
1. remove her hard drive and put it into your machine,
2. copy the files from her hard drive to yours,
3. put her hard drive back,
4. format, reinstall,
4a. put good AV and ASW protection on her machine
5. put her drive *back* in your machine,
6. copy her files all in a directory on her brand new desktop.

It's a good idea to delete all windows\temp and temporary internet files before you bother; it saves space and virus detection.
__________________
Mother says my .sig can beat up your .sig.
#6
|
|||
|
|||
|
Tnx for the help Zedmelon, I formatted the PC 6 months ago, and my client's son decided to try out the porn sites. I'll try Adaware and the other programs in Safe Mode, if that fails, hello fresh re-install.
#7
|
||||
|
||||
|
Quote:
For clients who don't bother to get their kids their own computer (this scenario is the perfect example of how an old, reworked PentiumII for $150 is such a bargain for parents), you can install one of the multiuser OSes, most likely XP home. Give the parent an admin account (with password protection), and create a general account(s) for the kid(s). With the lesser privileges, malware has a smaller chance of installing itself as a startup application.

Even better in some cases, demote the parent's account as well, and just tell them to use the admin password when they have to install their new Kodak software or a new game. Of course, this will be a royal pain (and you'll hear about it) if you omit anything they'll need like Quicktime, Java extensions, Flash, Acrobat Reader, etc.
#8
|
|||
|
|||
|
To be honest, given all the crap on the machine, I would also recommend a reformat.
Then install SPYBOT Search and Destroy, not Adaware or SpySweeper. Then install Grisoft.com's AVG (anti-virus software...you can download a free version...it is fantastic and takes up a lot less real estate than Norton or McAfee). Spybot can be set to "immunize" the system against most future spyware/malware crap.
#9
|
||||
|
||||
|
Agreed, except I'd recommend using Ad-Aware in conjunction with SpyBot (but I prefer SpyBot if you're only using one). I've seen each catch things the other missed. I've never tried SpySweeper.
#10
|
|||
|
|||
|
I also recommend adding Spywareblaster as a preventative measure.
#11
|
|||
|
|||
|
Quote:
If I understand this correctly, someone is paying you to fix their computer and you want someone to spend an hour or two to fix it for you? Please correct me if I misunderstand...

Tom
__________________
HijackThis Ad-aware Spybot Search & Destroy SpywareBlaster SpywareGuard Housecall Online A/V Scan Please read the stickys at the top of the forum before posting!
#12
|
|||
|
|||
|
Hi, you are correct that someone is paying me to fix their pc, but you are incorrect in thinking I want someone to fix it for me. All I am requesting is some assistance, since the usual programs I use (Ad Aware etc.) do not remove the specific Spyware installed on the pc.