TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Omarr on March 02, 2005, 12:06:44 AM
-
If anyone could help me, please...
I'm desperate... I tried everything: Spybot, Ad-Aware and some other adware removers, also Norton and AntiVir; none of them work at all.
This is the HijackThis log.
Logfile of HijackThis v1.99.1
Scan saved at 04:06:06 p.m., on 01/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\AUDIOCNTL.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\RUNDII32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
C:\ARCHIVOS DE PROGRAMA\TIMER\NTIMER.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\HPZENG09.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\MIS DOCUMENTOS\HIJACKTHIS\HIJACKTHIS.EXE
C:\ARCHIVOS DE PROGRAMA\SYMANTEC\LIVEUPDATE\AUPDATE.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi....yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.altazorcafe.com/oldtownaccess.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F1 - win.ini: run=c:\windows\system\audiocntl.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZSERV.DLL
O2 - BHO: (no name) - {C58E8641-8791-11D9-A186-0011621DF794} - C:\WINDOWS\SYSTEM\HPHK.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O4 - HKLM\..\Run: [RundII32] C:\WINDOWS\system\RundII32.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [Audiocntl] c:\windows\system\audiocntl.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Library Timer 2.0.LNK = C:\Archivos de programa\Timer\ntimer.exe
O4 - Startup: Iniciar el explorador Internet Explorer.lnk = C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIVOS DE PROGRAMA\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIVOS DE PROGRAMA\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me...b31267.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme...loader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me...b31267.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O18 - Filter: text/html - {AB66A0A2-8A65-11D9-A186-00112DE5B76F} - C:\WINDOWS\SYSTEM\HPHK.DLL
O18 - Filter: text/plain - {AB66A0A2-8A65-11D9-A186-00112DE5B76F} - C:\WINDOWS\SYSTEM\HPHK.DLL
Thanks in advance.
-
Recommend you print this out or save it to a Notepad file on the desktop
Close down all browser windows
Open Hijackthis>>Open Misc tools>>Open Process Manager and kill these processes if running
C:\WINDOWS\SYSTEM\RUNDII32.EXE
C:\WINDOWS\SYSTEM\AUDIOCNTL.EXE
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi....yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F1 - win.ini: run=c:\windows\system\audiocntl.exe
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZSERV.DLL
O2 - BHO: (no name) - {C58E8641-8791-11D9-A186-0011621DF794} - C:\WINDOWS\SYSTEM\HPHK.DLL
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O4 - HKLM\..\Run: [RundII32] C:\WINDOWS\system\RundII32.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [Audiocntl] c:\windows\system\audiocntl.exe
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll
O18 - Filter: text/html - {AB66A0A2-8A65-11D9-A186-00112DE5B76F} - C:\WINDOWS\SYSTEM\HPHK.DLL
O18 - Filter: text/plain - {AB66A0A2-8A65-11D9-A186-00112DE5B76F} - C:\WINDOWS\SYSTEM\HPHK.DLL
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
RESTART your computer into Safe mode
You can do this by tapping the F8 key as the system is booting up
Find and delete these files if found
C:\WINDOWS\ZSERV.DLL <--file
C:\WINDOWS\FARMMEXT.exe <--file
C:\WINDOWS\system\RundII32.exe <--take note of the spelling and directory, don't touch rundll32.exe in the Windows folder
c:\windows\system\audiocntl.exe <--file
C:\WINDOWS\SYSTEM\HPHK.DLL <--file
C:\WINDOWS\TEMP\SE.DLL <--file, Let me know if you can find this one
Then go ahead and delete the Whole contents of the Temp folder
Restart back into Normal mode
Post back a fresh Hijackthis log
Could you also
Download STARTDRECK (http://members.blackbox.net/hp_links/21/nikolaus.rameis/_data/startdreck.zip)
Unzip it to its own folder
run StartDreck.exe:
Hit: -config
Hit: -Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.
Use the "save" tab, to save, name and post the log
-
ty
Here is the log.....
The file C:\WINDOWS\TEMP\SE.DLL is not on my computer..... Is it supposed to be there???
StartDreck (build 2.1.7 public stable) - 2005-03-01 @ 22:51:25 (GMT -06:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as Windows 98 at II
»Registry
»Run Keys
»Current User
»Run
*ctfmon.exe=ctfmon.exe
*MsnMsgr="C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
»RunOnce
»Default User
»Run
*ctfmon.exe=ctfmon.exe
*MsnMsgr="C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*Hidserv=Hidserv.exe run
*Videocntl=c:\windows\system\videocntl.exe
»RunServicesOnce
**iow=rundll32 C:\WINDOWS\RAYAEO.BMP,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\ARCHIV~1\SPYBOT~1\SDHELPER.DLL
»Files
»System/Drivers
»Running Processes
+FFEFB4AD=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFF771=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFFF69=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFFFEA19=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFEB099=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFEBE71=C:\WINDOWS\RUNDLL32.EXE
+FFFE8CBD=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE6601=C:\WINDOWS\SYSTEM\HIDSERV.EXE
+FFFEC9DD=C:\WINDOWS\SYSTEM\PSTORES.EXE
+FFFD10BD=C:\WINDOWS\SYSTEM\VIDEOCNTL.EXE
+FFFED755=C:\WINDOWS\EXPLORER.EXE
+FFFC25CD=C:\WINDOWS\TASKMON.EXE
+FFFC1C79=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFC6091=C:\WINDOWS\SYSTEM\QTTASK.EXE
+FFFC51F9=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFFC9231=C:\WINDOWS\SYSTEM\CTFMON.EXE
+FFFCB2B1=C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
+FFE35955=C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
+FFE3673D=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFD5865=C:\WINDOWS\NOTEPAD.EXE
+FFE23709=C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
+FFE130D5=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFE2AC11=C:\MIS DOCUMENTOS\STARTDRECK\STARTDRECK.EXE
»Application specific
ty, I will restart to see if that thing is gone...
-
No need to restart yet, I need to see a fresh hijackthis log
EDIT>>>
I'm afraid I'm off to bed for the evening, I won't be able to see your logs until tomorrow
Do what you can again from my first post I gave you, I still see some entries that should be gone
We still have to get rid of some hidden entries
se.dll may be one of them
If you can, try just to fix what I asked previously, if you can't find something just let me know about it
I will need you to supply me with a fresh hijackthis log
You may as well supply me with a fresh startdreck log also
-
Here is the hijack log.
Logfile of HijackThis v1.99.1
Scan saved at 01:57:49 p.m., on 02/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\CMX32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
C:\ARCHIVOS DE PROGRAMA\TIMER\NTIMER.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\MIS DOCUMENTOS\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.altazorcafe.com/oldtownaccess.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F1 - win.ini: run=c:\windows\system\cmx32.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [Cmx32] c:\windows\system\cmx32.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Library Timer 2.0.LNK = C:\Archivos de programa\Timer\ntimer.exe
O4 - Startup: Iniciar el explorador Internet Explorer.lnk = C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIVOS DE PROGRAMA\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIVOS DE PROGRAMA\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
StartDreck Log.
StartDreck (build 2.1.7 public stable) - 2005-03-02 @ 14:01:21 (GMT -06:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as at II
»Registry
»Run Keys
»Current User
»Run
*ctfmon.exe=ctfmon.exe
*MsnMsgr="C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
»RunOnce
»Default User
»Run
*ctfmon.exe=ctfmon.exe
*MsnMsgr="C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*Hidserv=Hidserv.exe run
*Cmx32=c:\windows\system\cmx32.exe
»RunServicesOnce
**qmmb=rundll32 C:\WINDOWS\RAYAEO.BMP,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\ARCHIV~1\SPYBOT~1\SDHELPER.DLL
»Files
»System/Drivers
»Running Processes
+FFEFB7D9=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFF405=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFF975=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFFCFA1=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFFC5F1=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFEA009=C:\WINDOWS\RUNDLL32.EXE
+FFFE8B5D=C:\WINDOWS\SYSTEM\HIDSERV.EXE
+FFFEEA15=C:\WINDOWS\SYSTEM\PSTORES.EXE
+FFFEE1A1=C:\WINDOWS\SYSTEM\CMX32.EXE
+FFFC716D=C:\WINDOWS\EXPLORER.EXE
+FFFDBA05=C:\WINDOWS\TASKMON.EXE
+FFFD8AFD=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFC4EE9=C:\WINDOWS\SYSTEM\QTTASK.EXE
+FFFCBA7D=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFFCAA05=C:\WINDOWS\SYSTEM\CTFMON.EXE
+FFFD7505=C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
+FFFD776D=C:\ARCHIVOS DE PROGRAMA\TIMER\NTIMER.EXE
+FFFDFA69=C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
+FFE229F9=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFEE241=C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
+FFE10635=C:\WINDOWS\NOTEPAD.EXE
+FFE10D11=C:\MIS DOCUMENTOS\STARTDRECK\STARTDRECK.EXE
+FFE14AC5=C:\ARCHIVOS DE PROGRAMA\SYMANTEC\LIVEUPDATE\AUPDATE.EXE
»Application specific
The thing was removed.... but it came back with another name... I removed some things and it is gone, but I'm afraid that on the next restart it will come back.
Thanks in advance.
-
In the Startdreck log this line has indicated some of your problems
RunServicesOnce
**qmmb=rundll32 C:\WINDOWS\RAYAEO.BMP,DllGetClassObject
First can you save this zipped file, Remove.zip, and ensure that you UNZIP it to your desktop, so now you will have Remove.reg on your desktop
Don't run it yet, but we'll need it soon
[attachment=50:attachment]
NEXT: Could you download and save to desktop the Standalone version of CWShredder.exe (http://cwshredder.net/bin/CWShredder.exe)
Don't run it yet, but download for now
Can I get you to Print the rest of this out please or write down the below instructions
I need you to Restart your computer into MS-Dos Mode
START>>Shutdown>>select Restart in MS-DOS mode
OK
At restart you should be at this prompt
C:\WINDOWS>
Type in the below excluding the (Enter), that indicates hitting Enter on your Keyboard>>>Take note of all the spaces too
attrib -r -s -h C:\WINDOWS\RAYAEO.BMP (Enter)
ren RAYAEO.BMP RAYAEO.OLD (Enter)
cd C:\WINDOWS\TEMP (Enter)
Now you should see this
C:\WINDOWS\TEMP>
type
attrib -r -s -h C:\WINDOWS\TEMP\SE.DLL (Enter)
ren SE.DLL SE.OLD (Enter)
del *.* (Enter)
You should get a prompt to select (Y or N)
Select Y on the keyboard and hit (Enter)
Type
cd C:\WINDOWS\SYSTEM (Enter)
You should see this now
C:\WINDOWS\SYSTEM>
Type
del cmx32.exe (Enter)
del HPHK.DLL (Enter)
Don't worry about any file not found message
Type
edit C:\WINDOWS\WIN.INI (Enter)
That should load a new blue screen where you should possibly see something like the below near the top
[WINDOWS]
Load=
Run=c:\windows\system\cmx32.exe
Use the arrow keys and the Delete or Backspace button on the keyboard to edit this line ONLY
Run=c:\windows\system\cmx32.exe
to look like this
Run=
Click the ALT button on the keyboard to change to FILE at the top and use the arrow key to dropdown and SAVE the change>>Hit (Enter)
Use CTRL+ALT+DEL to Restart your computer back to Normal mode
This should restart the computer back in Normal mode
If you want a rundown of what that should all look like with all the spaces, I've included below the same commands with = signs indicating where there should be a single space, you will not input the = sign, just the space
======================================================
attrib=-r=-s=-h=C:\WINDOWS\RAYAEO.BMP
ren=RAYAEO.BMP=RAYAEO.OLD
cd=C:\WINDOWS\TEMP
attrib=-r=-s=-h=C:\WINDOWS\TEMP\SE.DLL
ren=SE.DLL=SE.OLD
del=*.*
cd=C:\WINDOWS\SYSTEM
del=cmx32.exe
del=HPHK.DLL
edit=C:\WINDOWS\WIN.INI
======================================================
Immediately back in Normal mode, don't open a browser yet
Look for these files and delete them
C:\WINDOWS\RAYAEO.old <--file
Also ensure this one doesn't exist
C:\WINDOWS\TEMP\se.old <--file, may not exist as we emptied the files in the temp folder earlier
c:\windows\system\cmx32.exe <--may not exist
Do another scan with Hijackthis and put a check next to these entries that still remain
F1 - win.ini: run=c:\windows\system\cmx32.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [Cmx32] c:\windows\system\cmx32.exe
After you have ticked the above entries, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Double click on Remove.reg you Unzipped earlier to desktop and allow it to merge to the registry
Run CWShredder>>Click ONLY the FIX button, let it fix what it finds
RESTART your computer afterwards
Back in Windows
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page
Come back here and post a fresh hijackthis log and a fresh Startdreck log
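As an added example, not part of this thread and not code from the HijackThis or StartDreck tools: a small Python checker that applies the patterns the helper used above when reading the logs (the res://...se.dll/sp.html and about:blank search settings, the win.ini run= line, BHO and O18 filter DLLs dropped straight into C:\WINDOWS\SYSTEM, the RundII32 spelling trick, and rundll32 loading SE.DLL from TEMP or RAYAEO.BMP) to a handful of log lines so the suspect entries are picked out automatically. The sample lines are constructed from the entries in this thread, and the "DLL sitting directly in the Windows or System folder" rule is a heuristic of this example, not a rule from either tool.

```python
import re
from typing import List, Tuple

# Constructed sample log: HijackThis-style entries (R1/F1/O2/O4/O18) plus one
# StartDreck-style "**name=command" line, modelled on the entries in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.altazorcafe.com/oldtownaccess.htm
F1 - win.ini: run=c:\windows\system\audiocntl.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {C58E8641-8791-11D9-A186-0011621DF794} - C:\WINDOWS\SYSTEM\HPHK.DLL
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RundII32] C:\WINDOWS\system\RundII32.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O18 - Filter: text/html - {AB66A0A2-8A65-11D9-A186-00112DE5B76F} - C:\WINDOWS\SYSTEM\HPHK.DLL
**qmmb=rundll32 C:\WINDOWS\RAYAEO.BMP,DllGetClassObject
"""

# "rundll32 <file>.<ext>,<export>" anywhere on a line (HijackThis O4 or StartDreck run key).
RUNDLL32_CALL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)\.([A-Za-z0-9]+)\s*,', re.IGNORECASE)
HJT_LINE = re.compile(r"^(R\d|F\d|O\d+)\s+-\s+(.*)$")
# File types rundll32 is normally asked to load; a .BMP here is the trick seen in the thread.
LOADABLE_EXTS = {"dll", "ocx", "cpl", "ax"}


def is_rundll32_lookalike(token: str) -> bool:
    """True for names such as RundII32.exe that only read as 'rundll32' once
    capital I is taken for lowercase l (the spelling trick called out in the thread)."""
    name = token.strip('"').replace("/", "\\").split("\\")[-1]
    stem = re.sub(r"\.exe$", "", name, flags=re.IGNORECASE)
    if stem.lower() == "rundll32":
        return False                      # the genuine binary, wherever it lives
    return stem.replace("I", "l").lower() == "rundll32"


def in_windows_root_or_system(path: str) -> bool:
    """Heuristic of this example: the rogue BHO/filter DLLs in the thread all sat
    directly in the Windows or Windows/System folder, not under a program's own folder."""
    parent = path.lower().replace("/", "\\").rsplit("\\", 1)[0]
    return re.fullmatch(r"[a-z]:\\windows(\\system)?", parent) is not None


def check_line(line: str) -> List[str]:
    """Return the reasons (possibly none) why one log line looks like part of this hijack."""
    reasons = []
    m = RUNDLL32_CALL.search(line)
    if m:
        path, ext = m.group(1), m.group(2)
        if ext.lower() not in LOADABLE_EXTS:
            reasons.append(f"rundll32 loading a non-DLL file type (.{ext})")
        elif "\\temp\\" in path.lower():
            reasons.append("rundll32 loading a DLL from the TEMP folder")
    hjt = HJT_LINE.match(line)
    if not hjt:
        return reasons                    # StartDreck line: only the rundll32 rule applies
    code, rest = hjt.groups()
    if code.startswith("R"):
        value = rest.split(" = ", 1)[-1].strip()
        if value.lower().startswith("res://"):
            reasons.append("IE search/start setting served from a DLL resource")
        elif value.lower() == "about:blank":
            reasons.append("IE search/start setting reset to about:blank")
    elif code == "F1" and re.search(r"run=\S", rest, re.IGNORECASE):
        reasons.append("win.ini run= line starting a program")
    elif code == "O2" and in_windows_root_or_system(rest.rsplit(" - ", 1)[-1]):
        reasons.append("BHO DLL placed directly in the Windows/System folder")
    elif code == "O4":
        command = rest.split("] ", 1)[-1]
        if is_rundll32_lookalike(command.split()[0]):
            reasons.append("startup entry spelled to impersonate rundll32.exe")
    elif code == "O18" and re.match(r"Filter:\s*text/(html|plain)", rest):
        reasons.append("MIME filter for text/html or text/plain hooked by a DLL")
    return reasons


def scan(log_text: str) -> List[Tuple[str, str]]:
    """Run check_line over every non-blank line; returns (line, reason) pairs."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            for reason in check_line(line):
                findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for flagged_line, why in scan(SAMPLE_LOG):
        print(f"[{why}]\n    {flagged_line}")
```

Run against a full log, the untouched entries (Spybot's SDHELPER.DLL, the powrprof.dll power-scheme loader, the old Start Page_bak URL) pass, which is the same split the helper made by hand in the posts above.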
-
Well, still on my computer... this thing is powerful....
my hijack LOG.
Logfile of HijackThis v1.99.1
Scan saved at 10:44:33 p.m., on 02/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\ARCHIVOS DE PROGRAMA\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\MIS DOCUMENTOS\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.altazorcafe.com/oldtownaccess.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {E736894F-8B22-11D9-A186-001162E0C140} - C:\WINDOWS\SYSTEM\DKFLP.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\ARCHIVOS DE PROGRAMA\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIVOS DE PROGRAMA\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIVOS DE PROGRAMA\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O18 - Filter: text/html - {2DF99342-8B6C-11D9-A186-0011E6717D0A} - C:\WINDOWS\SYSTEM\DKFLP.DLL
O18 - Filter: text/plain - {2DF99342-8B6C-11D9-A186-0011E6717D0A} - C:\WINDOWS\SYSTEM\DKFLP.DLL
===================================
StartDreck LOG.
StartDreck (build 2.1.7 public stable) - 2005-03-02 @ 22:45:10 (GMT -06:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as at II
»Registry
»Run Keys
»Current User
»Run
*ctfmon.exe=ctfmon.exe
*MsnMsgr="C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
*Yahoo! Pager=C:\ARCHIVOS DE PROGRAMA\YAHOO!\MESSENGER\ypager.exe -quiet
»RunOnce
»Default User
»Run
*ctfmon.exe=ctfmon.exe
*MsnMsgr="C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
*Yahoo! Pager=C:\ARCHIVOS DE PROGRAMA\YAHOO!\MESSENGER\ypager.exe -quiet
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*Hidserv=Hidserv.exe run
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\ARCHIV~1\SPYBOT~1\SDHELPER.DLL
*{E736894F-8B22-11D9-A186-001162E0C140}
`InprocServer32=C:\WINDOWS\SYSTEM\DKFLP.DLL
»Files
»System/Drivers
»Running Processes
+FFEFB043=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFF39F=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFFEEF=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFFC83F=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE0CCF=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFEADAF=C:\WINDOWS\SYSTEM\HIDSERV.EXE
+FFFEB703=C:\WINDOWS\EXPLORER.EXE
+FFFD43DF=C:\WINDOWS\TASKMON.EXE
+FFFD4C57=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFD135F=C:\WINDOWS\SYSTEM\QTTASK.EXE
+FFFD8BB7=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFFDA5BF=C:\WINDOWS\SYSTEM\CTFMON.EXE
+FFFDC21F=C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
+FFE39A37=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFE3F05F=C:\ARCHIVOS DE PROGRAMA\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
+FFFCC3FF=C:\WINDOWS\RUNDLL32.EXE
+FFE24153=C:\MIS DOCUMENTOS\STARTDRECK\STARTDRECK.EXE
»Application specific
Thanks for all your time....
-
We got part of it, anyway.
Try this:
Download the Pocket Killbox (http://www.downloads.subratam.org/KillBox.zip)
UNZIP it to a folder of your choice.
Save the rest of these instructions to a Notepad file and leave it open on the desktop.
Disconnect from the Internet.
Run Pocket KillBox. Now you have Killbox and this Notepad file open.
At the bottom right of the main screen, click on the down arrow to the left of the yellow triangle.
Select the following entry if it is running: rundll32.exe
Now click the yellow triangle to End Task.
There may be more than one running; end task on all of them.
Click on Tools --> Delete Temp Files. Click OK.
In the Full Path of File to Delete box, copy and paste the entire line directly below:
C:\WINDOWS\SYSTEM\DKFLP.DLL
Select the radio button for Delete on Reboot.
Additionally, select "Unregister .dll before deleting".
Click the red circle with the white X.
When prompted to Delete on Reboot, click YES.
If prompted to Reboot Now, click NO.
Do the same for this file:
C:\WINDOWS\TEMP\SE.DLL
But this time, if prompted to reboot, select YES.
If not prompted, reboot anyway.
Back in Windows:
Keep all other windows closed.
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {E736894F-8B22-11D9-A186-001162E0C140} - C:\WINDOWS\SYSTEM\DKFLP.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O18 - Filter: text/html - {2DF99342-8B6C-11D9-A186-0011E6717D0A} - C:\WINDOWS\SYSTEM\DKFLP.DLL
O18 - Filter: text/plain - {2DF99342-8B6C-11D9-A186-0011E6717D0A} - C:\WINDOWS\SYSTEM\DKFLP.DLL
After you have ticked the above entries, close all other open windows, including this one.
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
RESTART the computer again
Post back a fresh Hijackthis log and one more Startdreck log
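The helper's post above reads the log by hand, noticing that the nameless BHO, both O18 MIME filters and the O4 Run key all point at the same two DLLs (DKFLP.DLL in SYSTEM and SE.DLL in TEMP), while the Spybot BHO, also shown as "(no name)", is left alone. As an added example (not code from this thread or from HijackThis), the Python below does that correlation mechanically: it parses HijackThis-style lines, scores each one with a few heuristics that are this example's own assumptions, and then groups entries by the module they load so a DLL hooked from several places scores higher than any single line. The sample log is constructed from entries visible in this thread; the SDHELPER.DLL O2 line is reconstructed from the StartDreck BHO list rather than copied from the posted HijackThis output.

```python
"""Correlate HijackThis log entries by the module they load.

Added example for this thread; it is not a tool the helper used.  The
scoring rules are this example's own assumptions about what stands out in
a log like the one above (modules run from TEMP, res:// search pages,
MIME filters on text/html, nameless BHOs), not HijackThis's own rules.
"""
import re
from collections import defaultdict

# "R1 - ..." / "O18 - ...": entry type and the rest of the line.
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# A local DLL/EXE path inside an entry; stops at whitespace, comma or quote.
MODULE_RE = re.compile(r"[A-Za-z]:\\[^\s,\"]+?\.(?:dll|exe)", re.IGNORECASE)
NO_MODULE = "<no module>"

# Constructed sample: entries taken from the logs in this thread, plus one
# benign Run key and one benign O16 line for contrast.  The SDHELPER O2
# line is reconstructed from the StartDreck BHO list (assumption).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {E736894F-8B22-11D9-A186-001162E0C140} - C:\WINDOWS\SYSTEM\DKFLP.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Filter: text/html - {2DF99342-8B6C-11D9-A186-0011E6717D0A} - C:\WINDOWS\SYSTEM\DKFLP.DLL
O18 - Filter: text/plain - {2DF99342-8B6C-11D9-A186-0011E6717D0A} - C:\WINDOWS\SYSTEM\DKFLP.DLL
"""


def score_entry(kind, rest):
    """Return (points, reason) for one entry; (0, None) when nothing stands out."""
    lower = rest.lower()
    if "\\temp\\" in lower:
        return 3, "module loaded from a TEMP directory"
    if kind in ("R0", "R1") and "= res://" in lower:
        return 3, "IE search/start page served from a local DLL resource"
    if kind == "O18" and ("text/html" in lower or "text/plain" in lower):
        return 3, "MIME filter on text/html or text/plain (sees every page IE renders)"
    if kind in ("R0", "R1") and lower.endswith("= about:blank") and "search" in lower:
        return 1, "search setting reset to about:blank"
    if kind == "O2" and "(no name)" in lower:
        return 1, "BHO with no name"
    return 0, None


def triage(log_text):
    """Group entries by module; return {module: {"score", "reasons", "entries"}}."""
    findings = defaultdict(lambda: {"score": 0, "reasons": set(), "entries": []})
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, rest = m.groups()
        points, reason = score_entry(kind, rest)
        modules = {p.upper() for p in MODULE_RE.findall(rest)} or {NO_MODULE}
        for mod in modules:
            f = findings[mod]
            f["entries"].append(line)
            if points:
                f["score"] += points
                f["reasons"].add(reason)
    # One DLL hooked from several entry types (BHO + MIME filter, Run key +
    # search page) is a stronger signal than any single line on its own.
    for mod, f in findings.items():
        kinds = {e.split(" - ", 1)[0] for e in f["entries"]}
        if mod != NO_MODULE and f["score"] and len(kinds) > 1:
            f["score"] += len(kinds)
            f["reasons"].add("same module referenced from %d entry types" % len(kinds))
    return dict(findings)


def suspicious(log_text, threshold=3):
    """Modules whose combined score reaches threshold, highest first."""
    found = triage(log_text)
    hits = [m for m, f in found.items() if m != NO_MODULE and f["score"] >= threshold]
    return sorted(hits, key=lambda m: -found[m]["score"])


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for mod in suspicious(SAMPLE_LOG):
        print("%s  score=%d" % (mod, report[mod]["score"]))
        for reason in sorted(report[mod]["reasons"]):
            print("    - " + reason)
        for entry in report[mod]["entries"]:
            print("      " + entry)
```

On the sample, DKFLP.DLL and SE.DLL come out on top while SDHELPER.DLL stays below the threshold: a nameless BHO by itself is only a weak hint (Spybot's own helper shows up that way), which is why the example adds points for the same module being referenced from more than one entry type rather than trusting any one heuristic. A real triage pass would still confirm each flagged file by hash or publisher signature before deleting it.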
-
Thanks so much....
I'm free of those bugs now :)
TY TY TY
I'm so glad that people like you help us (the newbies).
Thanks !!
Have a great time :)
-
Is that you Omarr?
Can you please post one last Hijackthis log and Startdreck log
It would be very useful, thanks