TheTechGuide Forum
General Category => Tech Clinic => Topic started by: meelox on January 06, 2005, 02:02:57 AM
-
sorry ... I am learning so much. I didn't realize I didn't log in.
I did all that you told me to do and here are the results:
NEW DLL LOG from DLL compare:
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found :)"
________________________________________________
986 items found: 986 files, 0 directories.
Total of file sizes: 186,847,303 bytes 178.19 M
--------------------End log---------------------
NEW LOG from HIJACK THIS !:
Logfile of HijackThis v1.99.0
Scan saved at 12:51:30 AM, on 1/6/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 SP1 (5.00.2614.3500)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\E_S4I2G1.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\BUG KILLERS\HOSTER\HOSTER.EXE
C:\BUG KILLERS\HOSTER\HOSTER.EXE
C:\WINDOWS\CLIPBRD.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\SYSTEM\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O5 "LPT1:" /M "Stylus CX5400"
O4 - HKLM\..\Run: [kalvsys] C:\WINDOWS\SYSTEM\KALVXNL32.EXE
O4 - Startup: STRINGS.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
Do you need the Hoster log file?
-
No, but I need to see the log from find.bat
We still have some cleaning to do, please take the time to run one
You will notice on the last thread
Your log looked like this
------------ Strings.exe Qoologic Results ------------
C:\WINDOWS\ncoget.dll: excl_urls=adsv2.delfinproject.com,popup.msn.com,i.emarketresearchgroup.com,
C:\WINDOWS\opnabu.dll: updates.qoologic.com
C:\WINDOWS\yuqpoz.dll: updates.qoologic.com
C:\WINDOWS\zuaqwm.exe: updates.qoologic.com
I edited out the long line that followed after ncoget.dll to fit in this screen, could you do the same please, thanks
-
will do...
-
I hope I did that right; I only saw that one huge file, with every URL known to man.
------- System Files in System Directory -------
Volume in drive C has no label
Volume Serial Number is 2435-13D6
Directory of C:\WINDOWS\SYSTEM
HPLOFHAS EXE 385,024 11-04-04 6:27p hplofhas.exe
1 file(s) 385,024 bytes
0 dir(s) 8,658.28 MB free
------- Hidden Files in System Directory -------
Volume in drive C has no label
Volume Serial Number is 2435-13D6
Directory of C:\WINDOWS\SYSTEM
FOLDER HTT 13,122 12-26-04 5:32p folder.htt
DESKTOP INI 266 12-26-04 5:32p desktop.ini
E_QI021E GID 8,628 12-03-04 11:24p E_QI021E.GID
HPLOFHAS EXE 385,024 11-04-04 6:27p hplofhas.exe
CTF <DIR> 08-31-04 2:08p CTF
HPHIPCL GID 30,367 05-22-04 2:46p hphipcl.GID
HPFUIH05 GID 8,628 02-12-04 12:12a hpfuih05.GID
6 file(s) 446,035 bytes
1 dir(s) 8,658.27 MB free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{21A21720-5D09-11D9-B700-B4AC6A7A4D1F}"=""
------------------ Locate.com Results ------------------
C:\WINDOWS\SYSTEM\
folder.htt Sun Dec 26 2004 5:32:30p ...H. 13,122 12.81 K
desktop.ini Sun Dec 26 2004 5:32:30p ...H. 266 0.26 K
e_qi021e.gid Fri Dec 3 2004 11:24:28p A..H. 8,628 8.43 K
hplofhas.exe Thu Nov 4 2004 6:27:16p ..SHR 385,024 376.00 K
4 items found: 4 files, 0 directories.
Total of file sizes: 407,040 bytes 397.50 K
------------ Strings.exe Qoologic Results ------------
C:\WINDOWS\ncoget.dll: excl_urls=adsv2.delfinproject.com,popup.msn.com,i.emarketresearchgroup.com,
C:\WINDOWS\opnabu.dll: updates.qoologic.com
C:\WINDOWS\yuqpoz.dll: updates.qoologic.com
C:\WINDOWS\zuaqwm.exe: updates.qoologic.com
-------------- Strings.exe Aspack Results -------------
C:\WINDOWS\aukvby.dat: .aspack
----------------- HKLM Run Key ------------------
-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\ipebase11.dll: ??0ECalMonitor@@QAE@PAUMONITOR_CAL@@@Z
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"EnsoniqMixer"="starter.exe"
"EPSON Stylus CX5400"="C:\\WINDOWS\\SYSTEM\\E_S4I2G1.EXE /P19 \"EPSON Stylus CX5400\" /O5 \"LPT1:\" /M \"Stylus CX5400\""
"kalvsys"="C:\\WINDOWS\\SYSTEM\\KALVXNL32.EXE"
-
Okay, we still have some work to do, some files I don't recognize right now
I probably won't see your reply until I get off work tomorrow so try and do what you can
Again from the last instructions save this to a Notepad file and leave it open
Disconnect from the Internet
Run Pocket KillBox
click on Tools --> Select Delete Temp Files. Click OK.
At the bottom right of the main screen, click on the down arrow to the left of the yellow triangle.
Select the following entry if running rundll32.exe
Now click the yellow triangle to End Task
There may be more than one running, end task on all of them
Do the same thing for explorer.exe
Your Desktop and Icons will disappear, don't let it worry you
OK it
Again, in Killbox
At the main screen of Pocket Killbox, select the option: Delete on Reboot
In the Full Path of File to Delete box, copy and paste this entry:
C:\WINDOWS\opnabu.dll
Press the button with a red circle and a white X (Delete File)
When asked if you would like to Reboot, select No.
Do the same for all these:
C:\WINDOWS\yuqpoz.dll
C:\WINDOWS\aukvby.dat
Finally, in Full Path of File to Delete, copy and paste the following:
C:\WINDOWS\zuaqwm.exe
Press the button with a red circle and a white X.
When asked to Reboot, select Yes!!
Your computer should restart
When back in Windows
Open Hoster and click on "Restore Original Hosts"
Follow my instructions from the previous post if you lose Internet connection
We can still clean that out at a later time
I see you're not running any Anti-Virus software
Can you please download
AVG Free (http://free.grisoft.com/doc/1)
Install it and let me know if it will run, if it will can you let it update and run a full system scan
We may still have some cleaning to do with findit.bat
As I mentioned, I won't see your reply until tomorrow
Can you do as much as you can, rebooting minimally, if at all, except after using Killbox
We should eventually get you clean and running smooth. You have a few infections to get rid of first.....
By the way, don't try and touch these entries
with any version of Hijackthis
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
That is what LSP fix is for if we need it
Post back one More Hijackthis log and a log from Find.bat, I know the scan from find.bat takes awhile but we need it for this infection until an automatic fix is developed.......
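The O1 hosts, O4 autorun and O10 LSP entries discussed in this thread can be triaged mechanically. The script below is an added example, not code from HijackThis, find.bat or the helper; its allowlist of known-good autorun images is an assumption, and the sample log is a handful of lines copied from the first HijackThis log in the thread.

```python
"""Triage helper for HijackThis-style logs (added example for this thread,
not code from HijackThis or from any tool the thread uses).  It parses the
'Oxx - ...' entry lines and flags three patterns visible in the logs above:
several hostnames pinned to one IP in the hosts file (O1), a Winsock LSP
file HijackThis does not recognise (O10), and autorun entries (O4) whose
image is not on a small allowlist."""
import ntpath
import re
from collections import defaultdict

# Entry lines copied from the thread's first HijackThis log (raw string so
# the Windows backslashes survive unchanged).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
Platform: Windows 98 SE (Win9x 4.10.2222A)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\SYSTEM\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O5 "LPT1:" /M "Stylus CX5400"
O4 - HKLM\..\Run: [kalvsys] C:\WINDOWS\SYSTEM\KALVXNL32.EXE
O4 - Startup: STRINGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
"""

# Constructed allowlist (an assumption, not HijackThis data): autorun images
# that belong to Windows 98 or to software the thread treats as legitimate.
# Anything else is reported for review, not declared malicious.
KNOWN_GOOD = {"scanregw.exe", "systray.exe", "starter.exe", "e_s4i2g1.exe"}

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
HOSTS_RE = re.compile(r"^Hosts: (\S+) (\S+)$")
RUNKEY_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[[^\]]+\] (.*)$")
LSP_RE = re.compile(r"^Unknown file in Winsock LSP: (.*)$")


def parse_entries(log_text):
    """Return (section, body) pairs for every 'Oxx - body' line in the log."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def run_image(body):
    """Executable image named by an O4 entry body, or None for other forms."""
    match = RUNKEY_RE.match(body)
    if match:
        command = match.group(1)
    elif body.startswith("Startup: "):
        command = body[len("Startup: "):]
    else:
        return None
    if command.startswith('"'):            # quoted path containing spaces
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]        # first token is the image


def triage(log_text, allowlist=KNOWN_GOOD):
    """Return (section, reason, detail) findings for the log."""
    findings = []
    hosts = defaultdict(list)   # ip -> hostnames pinned to it
    lsp = defaultdict(int)      # lsp file -> number of layers it appears in
    for section, body in parse_entries(log_text):
        if section == "O1":
            match = HOSTS_RE.match(body)
            if match:
                hosts[match.group(1)].append(match.group(2))
        elif section == "O4":
            image = run_image(body)
            if image and ntpath.basename(image).lower() not in allowlist:
                findings.append(("O4", "autorun image not on allowlist", image))
        elif section == "O10":
            match = LSP_RE.match(body)
            if match:
                lsp[match.group(1).lower()] += 1
    for ip, names in hosts.items():
        unique = sorted(set(names))
        if len(unique) > 1:         # one IP answering for several search hosts
            findings.append(("O1", f"{len(names)} hosts entries pin {len(unique)} names to {ip}",
                             ", ".join(unique)))
    for path, count in lsp.items():
        # The DLL sits in the Winsock chain: deleting it without repairing the
        # chain breaks networking, which is why the thread reserves LSP-Fix for it.
        findings.append(("O10", f"unknown LSP in {count} layer(s), repair with LSP-Fix", path))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section:4} {reason}: {detail}")
```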
-
Okay... it is late here, but I will leave the computer as is, after I do your latest instructions, without internet access... thank you so so much!
I have to get up at six, but I will post back the results... thanks so much... Meelox
-
Hey Guestolo,
I had to work tonight but here is what i have done (not much):
Downloaded AVG, ran the updates, scanned my system; it got rid of some files that were on my computer (but I couldn't find any way to copy what it did other than screen capture... which I did), but I am not sure how to post .jpg files in this forum.
One thing that AVG did was remove those aklsp.dll's (no longer in the HijackThis log).
I tried to return to the net but "no internet connection", so I did the LSP thing you told me to do. That did not help, as the file was already removed by AVG.
I tried to repair Internet Explorer and it said corrupt file, download and re-install; I had a copy of it on my computer (from a few months back) so I reinstalled. That worked.
I also tried to delete some things to the recycle bin, but when the connection was lost I restored all that I had deleted. Seems I am not much without you!
Here are my latest log files... I know it's late, so post when you can, if you can..
Meelox
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found :)"
________________________________________________
980 items found: 980 files, 0 directories.
Total of file sizes: 187,705,513 bytes 179.01 M
--------------------End log---------------------
Logfile of HijackThis v1.99.0
Scan saved at 11:28:23 PM, on 1/6/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\E_S4I2G1.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\SYSTEM\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O5 "LPT1:" /M "Stylus CX5400"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\Run: [kalvsys] C:\WINDOWS\SYSTEM\KALVXNL32.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System Directory -------
Volume in drive C has no label
Volume Serial Number is 2435-13D6
Directory of C:\WINDOWS\SYSTEM
HPLOFHAS EXE 385,024 11-04-04 6:27p hplofhas.exe
1 file(s) 385,024 bytes
0 dir(s) 8,584.16 MB free
------- Hidden Files in System Directory -------
Volume in drive C has no label
Volume Serial Number is 2435-13D6
Directory of C:\WINDOWS\SYSTEM
FOLDER HTT 13,122 12-26-04 5:32p folder.htt
DESKTOP INI 266 12-26-04 5:32p desktop.ini
E_QI021E GID 8,628 12-03-04 11:24p E_QI021E.GID
HPLOFHAS EXE 385,024 11-04-04 6:27p hplofhas.exe
CTF <DIR> 08-31-04 2:08p CTF
HPHIPCL GID 30,367 05-22-04 2:46p hphipcl.GID
HPFUIH05 GID 8,628 02-12-04 12:12a hpfuih05.GID
6 file(s) 446,035 bytes
1 dir(s) 8,584.14 MB free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{21A21720-5D09-11D9-B700-B4AC6A7A4D1F}"=""
------------------ Locate.com Results ------------------
C:\WINDOWS\SYSTEM\
folder.htt Sun Dec 26 2004 5:32:30p ...H. 13,122 12.81 K
desktop.ini Sun Dec 26 2004 5:32:30p ...H. 266 0.26 K
e_qi021e.gid Fri Dec 3 2004 11:24:28p A..H. 8,628 8.43 K
hplofhas.exe Thu Nov 4 2004 6:27:16p ..SHR 385,024 376.00 K
4 items found: 4 files, 0 directories.
Total of file sizes: 407,040 bytes 397.50 K
------------ Strings.exe Qoologic Results ------------
C:\WINDOWS\ncoget.dll: excl_urls=adsv2.delfinproject.com,popup.msn.com,i.emarketresearchgroup.rson.net,
C:\WINDOWS\opnabu.dll: updates.qoologic.com
-------------- Strings.exe Aspack Results -------------
----------------- HKLM Run Key ------------------
-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\ipebase11.dll: ??0ECalMonitor@@QAE@PAUMONITOR_CAL@@@Z
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"EnsoniqMixer"="starter.exe"
"EPSON Stylus CX5400"="C:\\WINDOWS\\SYSTEM\\E_S4I2G1.EXE /P19 \"EPSON Stylus CX5400\" /O5 \"LPT1:\" /M \"Stylus CX5400\""
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVG7\\AVGCC.EXE /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\GRISOFT\\AVG7\\AVGEMC.EXE"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVG7\\AVGAMSVR.EXE"
"kalvsys"="C:\\WINDOWS\\SYSTEM\\KALVXNL32.EXE"
-
One more thing I ran an updated AVG complete scan tonight and it found nothing! Yeah!
-
I also wanted to tell you that I have re-installed IE several times this week... using a file that I downloaded from the Microsoft web site just this week. When I do the critical updates I get an error message on reboot that says a file is missing (can't remember the file name) and then I can't open my mail in Outlook Express, error message in mmsie.dll or something like that. Sorry, I know you need to know the exact name, but I am afraid to do the critical updates until I hear from you... afraid I will lose net connection again. When I try to repair IE from Control Panel I get a message saying the file is corrupt and I need to re-install.
That's the reason I used the old file that I already had on my computer from months ago to reinstall IE. This install is working for now, but still no critical updates.
-
We'll try some steps here, just give me a few minutes
Sorry, I meant that in the nicest way :D
-
Sorry for the wait, company just came over, a short visit, blah blah blah
Good work on updating IE, sorry about getting booted offline
We should have used LSP fix a little sooner
You may not have noticed aklsp.dll in the KEEP side anymore, not sure; if it wasn't there you would simply open LSP fix and click the FINISH button, you can't just click the X to close and then restart your computer
Not sure what you tried, but good work anyways
I'd prefer you use the updated IE anyway :)
Let's run through this one last time
Save to a notepad file again and leave this open on the desktop
IN Pocket KillBox
click on Tools --> Select Delete Temp Files. Click OK.
At the bottom right of the main screen, click on the down arrow to the left of the yellow triangle.
Select the following entry if running rundll32.exe
Now click the yellow triangle to End Task
There may be more than one running, end task on all of them
Do the same thing for explorer.exe
Your Desktop and Icons will disappear, don't let it worry you
OK it
Again, in Killbox
At the main screen of Pocket Killbox, select the option: Delete on Reboot
In the Full Path of File to Delete box, copy and paste this entry:
C:\WINDOWS\ncoget.dll
Press the button with a red circle and a white X (Delete File)
When asked if you would like to Reboot, select No.
Finally, in Full Path of File to Delete, copy and paste the following:
C:\WINDOWS\opnabu.dll
Press the button with a red circle and a white X.
When asked to Reboot, select Yes!!
Your computer should restart
When back in Windows
Open Hoster and click on "Restore Original Hosts"
If I remember correctly you have Ad-Aware SE Personal 1.05
Can you check for updates with it right now, but don't run a scan yet
Could you also download a couple others please
Download and Install Spybot S&D 1.3 (http://www.download.com/3000-8022-10122137.html)
When Installing, please don't enable TEA TIMER, it's a great addon to Spybot but it can get in our way to do any manual fixes.. This can be enabled at a later time if you want it
After installation--Click the Update button on the left, in the window on the right click the
SEARCH FOR UPDATES button, Check and download all updates
Don't run a scan yet
Another great utility to help clean your temp folders,cookies, prefetch folder, etc...
Windows Cleanup (http://www.antispyware.nextdesigns.net/installs/cleanup.php?type=exe)
A small download, once it's installed
Don't run a scan yet
Do another scan with Hijackthis and put a check next to these entries:
O4 - HKLM\..\Run: [kalvsys] C:\WINDOWS\SYSTEM\KALVXNL32.EXE
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis
Open VX2 finder and click to find VX2.betterinternet
on the right hand side click the USER AGENT$ button
If you can, at this time Restart your computer into SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039)
Open Ad-Aware
Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer back into Safe mode to finish the cleaning process
Open Spybot---Click the "Search and Destroy" Button
In the right window, click the
Check for Problems. Let it complete its scanning---Ensure to check and FIX everything in RED---they should be checked by default
RESTART your computer back to safe mode to finish the Cleaning process
Open CleanUp---Click Cleanup and let it scan for files
When it's finished scanning it will prompt you to log off or restart
Please Restart back to Normal mode at this time
msoe.dll is an OE file, let me look into it, we can hopefully get you all back to normal or cleaner
later, I wish we had more time right now
You don't know the exact error do you and dll name?
Do as much as you can from the above and then post back a Fresh hijackthis log
Could you also post a startup list from Hijackthis
Open the Misc Tools Section
Click the "List all minor sections (full)"
Click the Generate startup list
Run another scan with VX2 finder and post a log
And if you could, one last log from find.bat
Sooner or later we have to get you to do Windows updates and also some Preventive tools so this won't happen again
EDIT>>Removed a double posting in part of this reply
-
Hi again... thanks for the post, and I don't think I have told you yet how much I appreciate this... you have made my online life pleasant again!
I followed all of your instructions except the find scan again and I will do it next:
here are my log files:
Logfile of HijackThis v1.97.7
Scan saved at 10:55:04 PM, on 1/7/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\E_S4I2G1.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\SYSTEM\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O5 "LPT1:" /M "Stylus CX5400"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
StartupList report, 1/7/05, 10:52:22 PM
StartupList version: 1.52.2
Started from : C:\WINDOWS\DESKTOP\HIJACKTHIS-1.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\E_S4I2G1.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS-1.EXE
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
SystemTray = SysTray.Exe
EnsoniqMixer = starter.exe
EPSON Stylus CX5400 = C:\WINDOWS\SYSTEM\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O5 "LPT1:" /M "Stylus CX5400"
AVG7_CC = C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
AVG7_EMC = C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
AVG7_AMSVR = C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
--------------------------------------------------
File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = C:\WINDOWS\NOTEPAD.EXE %1
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}
[>PerUser_MSN_Clean] *
StubPath = C:\WINDOWS\msnmgsr1.exe
[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}
[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP
[c607b4e0-53ff-11d9-b700-00a0d217d98c] *
StubPath = C:\WINDOWS\zuaqwm.exe
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present
--------------------------------------------------
C:\WINDOWS\WININIT.BAK listing:
(Created 7/1/2005, 22:37:22)
[Rename]
NUL=C:\WINDOWS\SYSTEM\auto_update_uninstall.log
NUL=C:\WINDOWS\SYSTEM\auto_update_uninstall.exe
NUL=C:\Program Files\autoupdate\libexpat.dll
NUL=C:\WINDOWS\Desktop\j2re-1_4_2_06-windows-i586-p.exe
NUL=C:\WINDOWS\hosts
NUL=C:\WINDOWS\wplog.txt
NUL=C:\WINDOWS\Favorites\The State cars.com.url
NUL=C:\WINDOWS\Favorites\reverse address .url
NUL=c:\protas.exe
NUL=c:\Program Files\Recommended Hotfix - 421701D\v15\RH.exe
NUL=c:\Program Files\Recommended Hotfix - 421701D\v15\RH.DLL
NUL=c:\WINDOWS\Downloaded Program Files\CONFLICT.15\HDPlugin1015.dll
NUL=c:\WINDOWS\Downloaded Program Files\CONFLICT.14\HDPlugin1015.dll
NUL=c:\WINDOWS\Downloaded Program Files\CONFLICT.12\HDPlugin1015.dll
NUL=c:\WINDOWS\Downloaded Program Files\CONFLICT.11\HDPlugin1015.dll
NUL=c:\WINDOWS\Downloaded Program Files\CONFLICT.10\HDPlugin1015.dll
NUL=c:\WINDOWS\Downloaded Program Files\CONFLICT.9\HDPlugin1015.dll
NUL=c:\WINDOWS\Downloaded Program Files\CONFLICT.8\HDPlugin1015.dll
NUL=c:\WINDOWS\Downloaded Program Files\CONFLICT.7\HDPlugin1015.dll
NUL=c:\WINDOWS\Downloaded Program Files\CONFLICT.6\HDPlugin1015.dll
NUL=c:\WINDOWS\Downloaded Program Files\CONFLICT.5\HDPlugin1015.dll
NUL=c:\WINDOWS\Downloaded Program Files\CONFLICT.4\HDPlugin1015.dll
NUL=c:\WINDOWS\Downloaded Program Files\CONFLICT.13\HDPlugin1015.dll
NUL=c:\WINDOWS\Downloaded Program Files\CONFLICT.3\HDPlugin1015.dll
NUL=c:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1015.dll
NUL=c:\WINDOWS\SYSTEM\error32.dat
NUL=c:\/windows/downloaded program files/conflict.15/hdplugin1015.dll
NUL=c:\/windows/downloaded program files/conflict.14/hdplugin1015.dll
NUL=c:\/windows/downloaded program files/conflict.13/hdplugin1015.dll
NUL=c:\/windows/downloaded program files/conflict.12/hdplugin1015.dll
NUL=c:\/windows/downloaded program files/conflict.11/hdplugin1015.dll
NUL=c:\/windows/downloaded program files/conflict.10/hdplugin1015.dll
NUL=c:\/windows/downloaded program files/conflict.9/hdplugin1015.dll
NUL=c:\/windows/downloaded program files/conflict.8/hdplugin1015.dll
NUL=c:\/windows/downloaded program files/conflict.7/hdplugin1015.dll
NUL=c:\/windows/downloaded program files/conflict.6/hdplugin1015.dll
NUL=c:\/windows/downloaded program files/conflict.5/hdplugin1015.dll
NUL=c:\/windows/downloaded program files/conflict.4/hdplugin1015.dll
NUL=c:\/windows/downloaded program files/conflict.3/hdplugin1015.dll
NUL=c:\/windows/downloaded program files/conflict.1/hdplugin1015.dll
NUL=C:\Program Files\Recommended Hotfix - 421701D
NUL=C:\Program Files\autoupdate
--------------------------------------------------
C:\AUTOEXEC.BAT listing:
C:\PROGRA~1\GRISOFT\AVG7\BOOTUP.EXE
SET BLASTER=A240 I7 D1 T2
SET SNDSCAPE=C:\WINDOWS
--------------------------------------------------
C:\CONFIG.SYS listing:
DEVICE=C:\WINDOWS\HIMEM.SYS
; --- SB PCI mod --- Device=C:\WINDOWS\himem.sys
Device=C:\DEV\D011v110.sys /D:mscd000
--------------------------------------------------
C:\WINDOWS\DOSSTART.BAT listing:
C:\WINDOWS\COMMAND\MSCDEX.EXE /D:mscd000 /V /M:12
C:\AUDIOPCI\APINIT
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Enumerating Download Program Files:
[{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}]
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
--------------------------------------------------
End of report, 8,043 bytes
Report generated in 0.716 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Log for VX2.BetterInternet File Finder (ver126)
Files Found---
User Agent String---
I am going to run the find scan, but I have to leave for about an hour, so I will post it back when I get back (I have to pick up my son). Can you tell me, is there a way I can keep that find.bat on my computer? It deletes when I close it, then I have to download it again every time. Does it always do that? Will be back in about an hour.
-
I hope to see your reply tonight
Can I get you to post a fresh HijackThis log from version 1.99, with the log from find.bat?
I don't need a new startup list
Could you also do a search in your C:\Windows\System folder for
*.dat
When you get the list, find one recently created. Right click on it, open in Notepad and look for this in the first line of the file:
This program cannot be run in DOS mode.
Post back the exact name if you find one
Could you also download Runkey.zip (http://forums.techguy.org/attachment.php?attachmentid=45168&stc=1)
Unzip it and then double-click on RunKey2.bat. It will produce an All.txt file. Please copy and paste that here.
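The Notepad check above (open recently created .dat files and look for the DOS-stub text) is a manual way of spotting an executable that has been renamed to a data extension. Below is an added example, not code from the thread or from any tool mentioned in it, that does the same check by reading each file's header instead of trusting its name: a Windows executable begins with "MZ", keeps the offset of its "PE\0\0" signature at byte 0x3C (the e_lfanew field), and almost always carries the "This program cannot be run in DOS mode" text between the two headers. The folder, file names and byte contents are constructed samples, and `classify`, `scan_dir`, `make_minimal_pe` and `build_sample_dir` are names chosen here.

```python
"""Find Windows executables hiding under a non-executable extension such as .dat.

Added example, not from the thread. It reads the file header rather than the
file name: "MZ" at offset 0, e_lfanew at 0x3C, and "PE\\0\\0" at that offset.
"""
import struct
import tempfile
from pathlib import Path

DOS_STUB_TEXT = b"This program cannot be run in DOS mode"
HEADER_BYTES = 4096  # both headers normally sit well inside the first few KB


def classify(data: bytes) -> str:
    """Return 'pe', 'mz-only', 'stub-text-only' or 'other' for a file's leading bytes."""
    if len(data) >= 0x40 and data[:2] == b"MZ":
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
        # MZ header but no PE signature in range: a plain DOS program, a damaged
        # file, or a PE whose e_lfanew points past the bytes read. Still worth a look.
        return "mz-only"
    if DOS_STUB_TEXT in data:
        return "stub-text-only"  # the stub string alone, e.g. a fragment or a text file
    return "other"


def scan_dir(directory, suffixes=(".dat",)):
    """Classify every file in `directory` whose suffix is in `suffixes` and return
    a sorted list of (name, verdict) for the ones that are not plain data."""
    hits = []
    for entry in sorted(Path(directory).iterdir()):
        if not entry.is_file() or entry.suffix.lower() not in suffixes:
            continue
        with entry.open("rb") as fh:
            verdict = classify(fh.read(HEADER_BYTES))
        if verdict != "other":
            hits.append((entry.name, verdict))
    return hits


def make_minimal_pe() -> bytes:
    """Construct a tiny byte string with the header layout of a PE file (not runnable)."""
    pe_offset = 0x80
    buf = bytearray(b"MZ") + b"\x00" * (0x3C - 2)
    buf += struct.pack("<I", pe_offset)            # e_lfanew -> where "PE\0\0" lives
    buf += DOS_STUB_TEXT + b".\r\r\n$"             # the text the helper asked to look for
    buf += b"\x00" * (pe_offset - len(buf))
    buf += b"PE\x00\x00" + struct.pack("<HH", 0x014C, 0)  # signature, Machine=i386, 0 sections
    return bytes(buf)


def build_sample_dir() -> str:
    """Create a temp folder of constructed sample files and return its path."""
    d = tempfile.mkdtemp(prefix="datscan_")
    (Path(d) / "update.dat").write_bytes(make_minimal_pe())             # executable named .dat
    (Path(d) / "settings.dat").write_bytes(b"\x00\x01\x02plain config")  # genuine data
    (Path(d) / "notes.dat").write_bytes(b"a text note quoting: " + DOS_STUB_TEXT)
    (Path(d) / "tool.txt").write_bytes(make_minimal_pe())               # other suffix, skipped
    return d


if __name__ == "__main__":
    for name, verdict in scan_dir(build_sample_dir()):
        print(f"{verdict:15} {name}")
```

Point `scan_dir` at a real folder (for example `scan_dir(r"C:\WINDOWS\SYSTEM")`) to triage it the same way. The stub text is only a hint; the PE signature reached through e_lfanew is the verdict that matters, and a file that carries a bare MZ header under a data extension still deserves a second look.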
-
First of all, let me say that I found the find.dat on my computer, so I am not losing it anymore; this time when I closed it, it didn't say deleting.
Next I searched *.dat; when I ran your post I checked several of the last couple of days' *.dat files and there was nothing (that I could read) that said "This program cannot be run in DOS mode."
Here are the logs you asked for:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System Directory -------
Volume in drive C has no label
Volume Serial Number is 2435-13D6
Directory of C:\WINDOWS\SYSTEM
HPLOFHAS EXE 385,024 11-04-04 6:27p hplofhas.exe
1 file(s) 385,024 bytes
0 dir(s) 8,603.28 MB free
------- Hidden Files in System Directory -------
Volume in drive C has no label
Volume Serial Number is 2435-13D6
Directory of C:\WINDOWS\SYSTEM
FOLDER HTT 13,122 12-26-04 5:32p folder.htt
DESKTOP INI 266 12-26-04 5:32p desktop.ini
E_QI021E GID 8,628 12-03-04 11:24p E_QI021E.GID
HPLOFHAS EXE 385,024 11-04-04 6:27p hplofhas.exe
CTF <DIR> 08-31-04 2:08p CTF
HPHIPCL GID 30,367 05-22-04 2:46p hphipcl.GID
HPFUIH05 GID 8,628 02-12-04 12:12a hpfuih05.GID
6 file(s) 446,035 bytes
1 dir(s) 8,603.27 MB free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
------------------ Locate.com Results ------------------
C:\WINDOWS\SYSTEM\
folder.htt Sun Dec 26 2004 5:32:30p ...H. 13,122 12.81 K
desktop.ini Sun Dec 26 2004 5:32:30p ...H. 266 0.26 K
e_qi021e.gid Fri Dec 3 2004 11:24:28p A..H. 8,628 8.43 K
hplofhas.exe Thu Nov 4 2004 6:27:16p ..SHR 385,024 376.00 K
4 items found: 4 files, 0 directories.
Total of file sizes: 407,040 bytes 397.50 K
------------ Strings.exe Qoologic Results ------------
-------------- Strings.exe Aspack Results -------------
----------------- HKLM Run Key ------------------
-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\ipebase11.dll: ??0ECalMonitor@@QAE@PAUMONITOR_CAL@@@Z
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"EnsoniqMixer"="starter.exe"
"EPSON Stylus CX5400"="C:\\WINDOWS\\SYSTEM\\E_S4I2G1.EXE /P19 \"EPSON Stylus CX5400\" /O5 \"LPT1:\" /M \"Stylus CX5400\""
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVG7\\AVGCC.EXE /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\GRISOFT\\AVG7\\AVGEMC.EXE"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVG7\\AVGAMSVR.EXE"
Logfile of HijackThis v1.99.0
Scan saved at 12:26:48 AM, on 1/8/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\E_S4I2G1.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS-1.EXE
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\SYSTEM\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O5 "LPT1:" /M "Stylus CX5400"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - Startup: STRINGS.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"EnsoniqMixer"="starter.exe"
"EPSON Stylus CX5400"="C:\\WINDOWS\\SYSTEM\\E_S4I2G1.EXE /P19 \"EPSON Stylus CX5400\" /O5 \"LPT1:\" /M \"Stylus CX5400\""
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVG7\\AVGCC.EXE /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\GRISOFT\\AVG7\\AVGEMC.EXE"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVG7\\AVGAMSVR.EXE"
REGEDIT4
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip]
@="{E0D79304-84BE-11CE-9641-444553540000}"
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension]
@="{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinZip]
@="{E0D79304-84BE-11CE-9641-444553540000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\AVG7 Shell Extension]
@="{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
Thanks.
-
I think we just about nailed everything
Can you do some final checks
Navigate to these files and right click on them and select Properties
Version tab if one
What are they related to
HPLOFHAS EXE
e_qi021e.gid
they should be in your C:\WINDOWS\SYSTEM\ folder
Do you have an HP Scanner?
Also look for this one
ipebase11.dll in the same folder
and this one
C:\WINDOWS\zuaqwm.exe <--probably a nasty
If unsure what they are, can you run them through this Online Malware scan
http://virusscan.jotti.dhs.org/
Give the link time to load if it's busy
Use the browse button and navigate to these files if you can find them
Right click and select them and then use the Submit button
Wait for the scanner results
Let me know if they're found as malware
-
ipebase11.dll gave me a version tab; it said Hewlett-Packard
I used to have an HP printer and scanner (now Epson)
This is the answer I got from the link you gave me:
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
e_qi021e.gid ... this could be an Epson file; almost all of the Epson files start that way (e_) ... but I don't know
-
I'm more suspicious of this one
C:\WINDOWS\zuaqwm.exe
Can you let me know about this one too
hplofhas.exe
-
Okay... I must be an idiot (yep). I was not using the virus scan link that you gave me the right way ... I went back and the HPLOFHAS EXE
is a virus ... I can't even find C:\WINDOWS\zuaqwm.exe on my computer.
-
Well, let's get some final cleanup on your log
Give me a minute or so and I'll post back
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop, we'll need this later, don't run it yet
REGEDIT4
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\c607b4e0-53ff-11d9-b700-00a0d217d98c]
[-HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\c607b4e0-53ff-11d9-b700-00a0d217d98c]
Double-click on KillBox.exe.
4. Click "Replace on Reboot" and check the "Use Dummy" box.
5. Paste this file into the top "Full Path of File to Delete" box.
C:\WINDOWS\SYSTEM\hplofhas.exe
6. Click the "Delete File" button which looks like a stop sign.
7. Click "Yes" at the Replace on Reboot prompt.
8. Click "No" at the Pending Operations prompt.
9. Click "Replace on Reboot" and check the "Use Dummy" box.
10. Paste this file into the top "Full Path of File to Delete" box.
C:\WINDOWS\zuaqwm.exe
11. Click the "Delete File" button which looks like a stop sign.
12. Click "Yes" at the Replace on Reboot prompt.
Back in Windows Double click on fix.reg and allow it to merge to the registry
Let me know if hplofhas.exe is gone
Could you install this program please
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html
Post back a fresh Hijackthis log and a new Hijackthis startup list
Remember to check "List all minor sections (full)"
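Before the fix.reg above is merged, it is worth seeing exactly which keys it will remove: a key written as [-HKEY_...] deletes that key and everything under it, while [HKEY_...] creates or opens it. Below is an added example, not part of the thread or of any tool in it: a small parser for the Registry Editor text format that lists every operation in a .reg file. The sample input reuses the two Active Setup key deletions from the post (written one key per line) and adds a constructed key whose values are made up; `parse_reg` and `summarize` are names chosen here.

```python
"""Preview what a .reg file will do before merging it into the registry.

Added example, not from the thread. Lists each key deletion, key creation,
value set and value removal so the file can be reviewed before double-clicking it.
"""
import re

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r"\[([^\]]+)\]")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Constructed sample: the two deletions from the thread's fix.reg, plus a
# made-up key that sets two values and removes a third.
SAMPLE_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\c607b4e0-53ff-11d9-b700-00a0d217d98c]
[-HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\c607b4e0-53ff-11d9-b700-00a0d217d98c]

[HKEY_CURRENT_USER\Software\Example\Constructed]
"Sample"="hello"
@="default value"
"Obsolete"=-
"""


def parse_reg(text: str):
    """Return a list of (operation, key, value_name) tuples in file order.
    Operations: delete_key, ensure_key, set_value, delete_value."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing or unknown .reg header line")
    ops, current = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            # Several [keys] may be pasted onto one line; handle each of them.
            for key in KEY_RE.findall(line):
                if key.startswith("-"):
                    ops.append(("delete_key", key[1:], None))
                    current = None  # value lines cannot follow a deletion
                else:
                    ops.append(("ensure_key", key, None))
                    current = key
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unexpected line: {line!r}")
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        op = "delete_value" if m.group(2) == "-" else "set_value"
        ops.append((op, current, name))
    return ops


def summarize(ops):
    """Count operations by type so a reviewer sees at a glance what the file touches."""
    counts = {}
    for op, _, _ in ops:
        counts[op] = counts.get(op, 0) + 1
    return counts


if __name__ == "__main__":
    for op, key, name in parse_reg(SAMPLE_REG):
        print(f"{op:13} {key}" + (f"  ->  {name}" if name else ""))
    print(summarize(parse_reg(SAMPLE_REG)))
```

The parser deliberately rejects a file without a recognised header and a value line that is not under a key, since Registry Editor would not merge those either; a reviewer wants a clear refusal rather than a guess about what the file meant.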
-
Not sure where to find this: "Back in Windows Double click on fix.reg and allow it to merge to the registry"
Forget that last thing I said, I got it now ... reread the post
-
Can you read the top of my last reply to you
EDIT>>Okay, forget what I said here then
-
Okay, here are my new log files:
StartupList report, 1/8/05, 2:02:18 AM
StartupList version: 1.52.2
Started from : C:\WINDOWS\DESKTOP\HIJACKTHIS-1.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\E_S4I2G1.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS-1.EXE
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
STRINGS.EXE
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
SystemTray = SysTray.Exe
EnsoniqMixer = starter.exe
EPSON Stylus CX5400 = C:\WINDOWS\SYSTEM\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O5 "LPT1:" /M "Stylus CX5400"
AVG7_CC = C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
AVG7_EMC = C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
AVG7_AMSVR = C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
--------------------------------------------------
File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = C:\WINDOWS\NOTEPAD.EXE %1
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}
[>PerUser_MSN_Clean] *
StubPath = C:\WINDOWS\msnmgsr1.exe
[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}
[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present
--------------------------------------------------
C:\WINDOWS\WININIT.BAK listing:
(Created 8/1/2005, 1:46:8)
[Rename]
C:\WINDOWS\SYSTEM\HPLOFHAS.EXE=C:\WINDOWS\TEMP\KBDUMMY.0
=C:\WINDOWS\TEMP\KBDUMMY.1
--------------------------------------------------
C:\AUTOEXEC.BAT listing:
C:\PROGRA~1\GRISOFT\AVG7\BOOTUP.EXE
SET BLASTER=A240 I7 D1 T2
SET SNDSCAPE=C:\WINDOWS
--------------------------------------------------
C:\CONFIG.SYS listing:
DEVICE=C:\WINDOWS\HIMEM.SYS
; --- SB PCI mod --- Device=C:\WINDOWS\himem.sys
Device=C:\DEV\D011v110.sys /D:mscd000
--------------------------------------------------
C:\WINDOWS\DOSSTART.BAT listing:
C:\WINDOWS\COMMAND\MSCDEX.EXE /D:mscd000 /V /M:12
C:\AUDIOPCI\APINIT
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Enumerating Download Program Files:
[{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}]
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
--------------------------------------------------
End of report, 5,662 bytes
Report generated in 0.337 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Logfile of HijackThis v1.99.0
Scan saved at 2:02:49 AM, on 1/8/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\E_S4I2G1.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS-1.EXE
C:\WINDOWS\NOTEPAD.EXE
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\SYSTEM\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O5 "LPT1:" /M "Stylus CX5400"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - Startup: STRINGS.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
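The WININIT.BAK listing in the StartupList report above is the trace of the "Replace on Reboot" step. On Windows 9x a file that is in use cannot be deleted or overwritten, so KillBox (like any other tool, including malware) queues the work in a [Rename] section of C:\WINDOWS\WININIT.INI; early in the next boot WININIT.EXE applies each destination=source line (the source file is moved over the destination, and a destination of NUL means the source is simply deleted) and then renames the file to WININIT.BAK. Reading that section back confirms what actually happened at reboot, which in this log is the dummy file KBDUMMY.0 being moved over HPLOFHAS.EXE. Below is an added example, not part of the thread or of KillBox, that interprets such a section; the sample reuses the two lines from the report and adds a constructed NUL= line so all three forms are exercised, and `parse_rename` and `describe` are names chosen here.

```python
"""Read back a Windows 9x WININIT.INI / WININIT.BAK [Rename] section.

Added example, not from the thread. Each line under [Rename] is
destination=source: the source is moved over the destination, NUL=source
deletes the source, and anything else is reported as malformed.
"""

# Constructed sample: the two lines from the report above plus one made-up
# NUL= deletion; the [Other] section shows that only [Rename] is read.
SAMPLE_WININIT = """[Rename]
C:\\WINDOWS\\SYSTEM\\HPLOFHAS.EXE=C:\\WINDOWS\\TEMP\\KBDUMMY.0
=C:\\WINDOWS\\TEMP\\KBDUMMY.1
NUL=C:\\WINDOWS\\TEMP\\EXAMPLE.TMP
[Other]
ignored=1
"""


def parse_rename(text: str):
    """Return a list of dicts describing each queued operation in the [Rename] section."""
    ops, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "rename"
            continue
        if not in_section:
            continue
        dst, sep, src = line.partition("=")
        dst, src = dst.strip(), src.strip()
        if not sep or not src or not dst:
            # e.g. "=C:\WINDOWS\TEMP\KBDUMMY.1": nothing to move the source over
            ops.append({"action": "malformed", "dst": dst, "src": src, "line": line})
        elif dst.upper() == "NUL":
            ops.append({"action": "delete", "dst": None, "src": src, "line": line})
        else:
            ops.append({"action": "replace", "dst": dst, "src": src, "line": line})
    return ops


def describe(op) -> str:
    """One human-readable line per queued operation."""
    if op["action"] == "delete":
        return f"delete   {op['src']}"
    if op["action"] == "replace":
        return f"replace  {op['dst']}  with  {op['src']}"
    return f"MALFORMED (missing destination or source): {op['line']}"


if __name__ == "__main__":
    for op in parse_rename(SAMPLE_WININIT):
        print(describe(op))
```

The second line of the report has no destination at all; the parser flags it as malformed rather than guessing, which is the behaviour you want when triaging a pending-rename artifact that could have been written by anything, not only by a cleanup tool.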
-
You can have HijackThis fix this entry; no rush on it, it's just a startup left behind from find.bat>>>This entry: O4 - Startup: STRINGS.EXE
Just fix it with all other windows closed down
But don't worry about restarting your computer.... Shut down when you normally would
You can open Killbox and under Files in the menu bar Delete dummy files
How is everything else running?
Did you get to run Ad-Aware, any more problems with Outlook Express, and if so what's the exact error message?
How are you connected to the Internet?
High Speed Cable or DSL?
Are you hooked up directly to the modem?
I don't see a Firewall running on your system
-
guestolo... don't you ever sleep... what time is it where you are? It is 2:16 here. DO YOU GET PAID to do THIS? I hope so! You sure have been a life saver to me... no one, and I do mean no one, that I know or don't know (until now) would spend this kind of time helping a total stranger. You are the best!
-
Thanks for the kind words Meelox, most people that help on forums are volunteers
Just something I prefer to do, rather than watch TV
Drives the missus crazy
If everything is running good you should look into installing these 2 free apps.
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==http://www.bleepingcomputer.com/forums/index.php?showtutorial=53
Download link==https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
Scroll down and click on IE-SPYAD.EXE Free!
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
Let me know if you need a Software Firewall on your system
I have links to a free one, you only need one
Oh, by the way East Coaster, it's 11:21 pm here in West Canada
-
I am running on cable straight to the modem... firewall, none that I know of.
I have not had any intrusions on the web in the last two days; you stopped that the first day you helped me.
I have not run the critical updates for IE, and Outlook is working fine, but I did not get those problems with Outlook before (when I reinstalled IE, until I ran those critical updates). I know I need to do that. So I will be running back to you if something goes wrong.
One more thing that I want to do: I uninstalled NERO EXPRESS before we started all of this because all of my .dat files were showing up as Nero Express files (or to be opened with Nero Express). I don't know how that happened. But anyway, I have to reinstall that because my kid (22 years old) loves to copy CDs from his buddies.
I will be reporting back to you on how all that goes.... You are a great person to help people like me... I know it must get frustrating... when we don't read the whole post... LOL.
-
You may want to look into a Software firewall
I have Sygate's installed on my Win98 SE machine
Small description of a Firewall
http://smb.sygate.com/products/spf_standard.htm
It's a very good firewall
Take a look
Can't remember what tools I suggested you try anymore
But, you may also want to do a Disk Defrag if you haven't done one in a while
This could take a bit of time if not run regularly
Once a month anyways
I like to put my power options to Always ON
And set the screen Saver to NONE
Restart in safe mode
Go to Start>>Programs>>Accessories>>System Tools
Run a Scandisk first>>Automatically fix errors
Then go back to System Tools and run the Disk Defragmenter utility
And remember to check for updates a couple times a week with AVG
Stay safe Meelox
-
I downloaded and installed the firewall and I got SpywareBlaster a few days ago.
I am going to restart the computer just to make sure everything is fine and then this grandma has to go to bed. If the restart looks good I won't bother you anymore tonight. BUT if I have problems, I will be running back to you. Thanks for everything you have done!