Post by: Zaiden Strike on April 11, 2005, 11:51:25 AM
Logfile of HijackThis v1.99.1
Scan saved at 9:03:22 PM, on 4/9/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\WINDOWS\SYSTEM\CMMPU.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
C:\WINDOWS\LRLPIA.EXE
C:\PROGRAM FILES\SONIQUE\SQSTART.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\ZHRH.EXE
C:\WINDOWS\SYSTEM\WGN5Y.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0B\WEmail RemovedEXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0B\SHELLMON.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0B\AOLWBSPD.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://66.40.16.201/sb/index.html (http://\"http://66.40.16.201/sb/index.html\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp (http://\"http://aimhome.netscape.com/aimhome.adp\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch (http://\"http://www.exactsearch.net/sidesearch\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: NavExcel Toolbar - {5AA06644-BC46-4220-A460-47A6EB47C96D} - C:\PROGRAM FILES\NAVEXCEL SEARCH TOOLBAR\NAVEXCELBAR.DLL (file missing)
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [33Q65GT4J3F3NZ] C:\WINDOWS\SYSTEM\Wszv.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [Tray Temperature] C:\WINDOWS\TEMP\MINIBUG.EXE 1
O4 - HKLM\..\Run: [System Sentry] C:\PROGRA~1\EASYDE~1\SYSTEM~1\Protect.exe protect
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\lrlpia.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WINUP2DATE.DLL,SHStart
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe
O4 - Startup: cdck.exe
O4 - Startup: WinZip Quick Pick.lnk.disabled
O4 - Startup: America Online 9.0 Tray Icon.lnk.disabled
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.Email Removed
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab (http://\"http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab\")
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab (http://\"http://chat.yahoo.com/cab/yuplapp.cab\")
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:9000/Java/cfs31229.cab (http://\"http://surechat.com:9000/Java/cfs31229.cab\")
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab (http://\"http://download.overpro.com/WildApp.cab\")
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 (http://\"http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409\")
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx (http://\"http://static.topconverting.com/activex/loader2.ocx\")
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
Post by: guestolo on April 11, 2005, 03:45:05 PM
Make sure you have a floppy disk to transfer this file from one computer to the other
Download and save to floppy
LSPfix.zip from this link
http://www.cexx.org/lspfix.htm (http://\"http://www.cexx.org/lspfix.htm\")
Transfer to the computer and put in on the desktop of the computer with no Internet connection
UNZIP the contents to desktop, don't run it within the zip file
If you don't have an unzipping utility on the machine with no Internet connection
Ensure you unzip this ahead of time
On the infected machine
Open LSPFIX
With ONLY LSP fix open
Check "I know what I'm doing".
Then select all instances of aklsp.dll (and nothing else) in the left pane,
click the arrow button to have them moved into the right hand panel.(The Removal Pane) Click Finish <--you may have to scroll down a bit to see it, Finish is NOT the X button at the top
RESTART your computer
See if that gets you back online
If it does, or doesn't
Access your add/remove programs and uninstall if found
KeenValue
PowerSearch toolbar for IE
SearchUpgrader
The above may require internet connection if found to uninstall properly
Restart your computer afterwards
Back in windows, go back to Add/Remove programs and remove if found
BullsEye Network
NaviSearch
CashBack
VirtualBouncer
Don't restart until all are removed,
Restart your computer again after removal
If your back online, Download and Install PeperFix.exe (http://\"http://downloads.subratam.org/PeperFix.exe\")
You may want to download this also if you have the chance and transfer it to the desktop of the computer offline
Save it too the desktop
Restart your computer into Safe mode
You can do this by tapping the F8 key as the system is restarting, after the single post beep
Find and delete these files or folders if found
c:\windows\system\aklsp.dll <-file
C:\WINDOWS\lrlpia.exe <-file
C:\WINDOWS\SYSTEM\WINUP2DATE.DLL <-file
C:\Windows\Start Menu\Programs\Startup\cdck.exe <-file
C:\WINDOWS\isrvs <-folder
C:\WINDOWS\SYSTEM\PICSVR <-folder
C:\PROGRAM FILES\VBOUNCER <-folder
C:\WINDOWS\SYSTEM\nsvsvc <-folder
C:\Program Files\Common files\SearchUpgrader <-folder
C:\Program Files\BullsEye Network <-folder
C:\Program Files\NaviSearch <-folder
C:\Program Files\CashBack <-folder
Navigate to your temp folders and delete the Whole contents, including subfolders, but don't delete the temp directories themselves, some files may not delete, this is normal
C:\Windows \Temp <--delete the contents
C:\Windows\Temporary Internet Files <-delete the contents
Do another scan with Hijackthis and put a check next to these entries:
Not all may exist anymore
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://66.40.16.201/sb/index.html (http://\"http://66.40.16.201/sb/index.html\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\SearchBar.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch (http://\"http://www.exactsearch.net/sidesearch\")
O3 - Toolbar: NavExcel Toolbar - {5AA06644-BC46-4220-A460-47A6EB47C96D} - C:\PROGRAM FILES\NAVEXCEL SEARCH TOOLBAR\NAVEXCELBAR.DLL (file missing)
O4 - HKLM\..\Run: [33Q65GT4J3F3NZ] C:\WINDOWS\SYSTEM\Wszv.exe
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [Tray Temperature] C:\WINDOWS\TEMP\MINIBUG.EXE 1
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\lrlpia.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WINUP2DATE.DLL,SHStart
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - Startup: cdck.exe
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab (http://\"http://download.overpro.com/WildApp.cab\")
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx (http://\"http://static.topconverting.com/activex/loader2.ocx\")
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Open Peperfix.exe and click the Find and Fix
Let it finish scanning for files
Follow the prompts
Restart back to Normal mode
IF, at this time, you have Internet connection
Do the following
Download and Install the free version of Ad-Aware SE Personal 1.05 (http://\"http://www.lavasoftusa.com/support/download/\")
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer to finish the cleaning process
NEXT:
Download and Install Spybot S&D 1.3 (http://\"http://www.download.com/3000-8022-10122137.html\")
After installation--Click the Update button on the left and then
SEARCH FOR UPDATES
Check and download all updates
After>>Click the Search and Destroy button on the left
Check for Problems---FIX everything in RED
By selected Fix Selected problems
Should be checked by default
Restart your computer again to finish the cleaning process
Post back with a fresh Hijackthis log afterwards
Do what you can from the above, all if possible
before posting back a fresh Hijackthis log
If your still not online, Open LSPFix on the infected machine and let me know what you see in the KEEP side>>Also let me know what you see on the REMOVE side
Don't remove all files on the keep side, just the ones I advise
Post by: Zaiden Strike on April 14, 2005, 08:41:33 PM
Post by: guestolo on April 14, 2005, 08:47:41 PM
If it's because you can't download Peperfix
I can upload it for you, let me know
Also let me know if you can download Ad-Aware and Spybot
You can do that now and update them, don't run the scan's yet until you need too
If you can't download them I'll try alternate links
I missed one entry too remove in Add/Remove programs
If you see an entry for Delphin MediaViewer remove it too
Post by: Zaiden Strike on April 19, 2005, 02:00:21 PM
Also my Add/Remove tool won't open due to rundll32.exe(or one of it's components), says the computer.
Post by: guestolo on April 19, 2005, 11:42:16 PM
Rundll32_98.zip
[attachment=156:attachment]
Unzip the contents to your
C:\Windows\System Folder
Allow to overwrite if prompted
Try you Add/Remove programs again after that
I need you to do as much of the fixes I posted earlier before posting back
Look over what I asked you to do earlier, when you can't accomplish something, move onto the next step
Let me know later what you couldn't accomplish
When posting back Always include a fresh hijackthis log
Post by: Zaiden Strike on May 07, 2005, 03:07:04 PM
Logfile of HijackThis v1.99.1
Scan saved at 3:13:39 PM, on 5/7/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
C:\WINDOWS\LRLPIA.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RUNDLL32.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\WEmail RemovedEXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {C4F9F774-BF08-11D9-9783-89D91E130923} - C:\WINDOWS\SYSTEM\BGFJM.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [System Sentry] C:\PROGRA~1\EASYDE~1\SYSTEM~1\Protect.exe protect
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Security iGuard] C:\PROGRAM FILES\SECURITY IGUARD\SECURITY IGUARD.EXE
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\lrlpia.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
O4 - HKCU\..\Run: [WindowsFY] C:\WP.EXE
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: cdck.exe
O4 - Startup: WinZip Quick Pick.lnk.disabled
O4 - Startup: America Online 9.0 Tray Icon.lnk.disabled
O4 - Startup: Check For Dope Wars Updates.lnk = C:\Program Files\Dopewars\WiseUpdt.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {629968E0-AE09-11D9-9783-444553540000} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {629968E0-AE09-11D9-9783-444553540000} - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.Email Removed
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 (http://\"http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O18 - Filter: text/html - {80BFA2D3-BDA0-11D9-9783-E9A02C554794} - C:\WINDOWS\SYSTEM\BGFJM.DLL
O18 - Filter: text/plain - {80BFA2D3-BDA0-11D9-9783-E9A02C554794} - C:\WINDOWS\SYSTEM\BGFJM.DLL
Post by: guestolo on May 07, 2005, 04:33:42 PM
Let's try the following, can you access Add/Remove programs now???
Access your Add/Remove programs and remove if found
Delphin Media Viewer
Security iGuard
Restart your computer if anything uninstalled
Back in Windows
==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup (http://\"http://downloads.stevengould.org/cleanup/CleanUp40.exe\")
Give the link time to load or try it twice, it may be busy
We'll need this later
==Download and save to Desktop
SpSeHjfix109.zip (http://\"http://www.derbilk.de/404.html\")
From that link
Unzip the contents, so you now have SpSeHjfix109.exe on your desktop
==Download from my signature below CWShredder.exe and save it to your desktop
We'll need this later
Please Print this out or save these instructions to a Notepad file and save it to your Desktop
Close all browser windows, including this one
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {C4F9F774-BF08-11D9-9783-89D91E130923} - C:\WINDOWS\SYSTEM\BGFJM.DLL
O4 - HKLM\..\Run: [Security iGuard] C:\PROGRAM FILES\SECURITY IGUARD\SECURITY IGUARD.EXE
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\lrlpia.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKCU\..\Run: [WindowsFY] C:\WP.EXE
O4 - Startup: cdck.exe
O4 - Startup: Check For Dope Wars Updates.lnk = C:\Program Files\Dopewars\WiseUpdt.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Microsoft AntiSpyware helper - {629968E0-AE09-11D9-9783-444553540000} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {629968E0-AE09-11D9-9783-444553540000} - (no file) (HKCU)
O18 - Filter: text/html - {80BFA2D3-BDA0-11D9-9783-E9A02C554794} - C:\WINDOWS\SYSTEM\BGFJM.DLL
O18 - Filter: text/plain - {80BFA2D3-BDA0-11D9-9783-E9A02C554794} - C:\WINDOWS\SYSTEM\BGFJM.DLL
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Restart your computer into Safe Mode
You can do this by tapping the F8 key as the system is restarting, right after the single post beep
Select safe mode
Find and delete these files or folders if found
C:\WINDOWS\lrlpia.exe <-file
C:\WINDOWS\SYSTEM\WLDR.DLL <-file
C:\WP.EXE <-file
C:\WP.Bmp <-file
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\cdck.exe <-this file
C:\PROGRAM FILES\SECURITY IGUARD <-folder
C:\WINDOWS\SYSTEM\PICSVR <-folder
Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Decline to Log off or Restart the computer
Instead
==Run SpSeHjfix109.exe by clicking the Start Disinfection
It should reboot your computer
If not Reboot anyways back to Normal mode
Back in Windows>>The tool would of created a log, could you copy and paste that log to a location such as MyDocuments, just so we don't overwrite it when we run the tool again
Run
SpSeHjfix109.exe again
Next: Run CWShredder.exe and click the FIX button
Restart the computer again after it's done
Back in Windows
Download FindQoologic-Narrator.zip and save it to your Desktop.
http://forums.net-integration.net/index.ph...=post&id=134981 (http://\"http://forums.net-integration.net/index.php?act=Attach&type=post&id=134981\")
UNZIP the files inside into their own folder called FindQoologic.
=Open the FindQoologic folder.
=Find and double-click the Activesetup.vbs file to run it.
Please wait until a "Finished" message appears.
=When the set-up is complete a file named "Activesetup components[Machine ID][date].txt" will have been saved in the FindQoologic folder.
=Find and double-click the Find-Qoologic.bat to run it.
The tool will open a DOS window and begin to check your system.
When it is finished a text file will open in Notepad called "file.txt".
Save this text file in the FindQoologic folder.
=Find the Activesetup components[Machine ID][date].txt file and the file.txt file you saved.
Copy and paste the contents of both logs into your next post.
Could you also post a fresh Hijackthis log and the logs from
SpSeHjfix109.exe
Again, I remind you, do what you can from the above
Let me know what you couldn't accomplish after you are done
I'm not a mind reader
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />
Post by: Zaiden Strike on May 09, 2005, 04:09:31 PM
Also there was a window I was unable to close during the part where I ticked off the items in HJT. It's some spam Ad that repeats itself everytime I try to close it. Don't know if that really matters, just thought I'd mention it.
Here's the Activecomponents .txt file.
"Find activesetup", version1, launched at: 15:17
Operating System: Windows 98
HKLM\Software\Microsoft\Active Setup\Installed Components\
"{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\(Default)" = "Microsoft Outlook Express 5"
\StubPath = ""C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /uninstall" [MS]
This is the file.txt file.
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»
* qoologic C:\WINDOWS\VAVOM.DLL
* qoologic C:\WINDOWS\INSTAL~1.EXE
* qoologic C:\WINDOWS\UNADBEH.EXE
* urllogic C:\WINDOWS\VAVOM.DLL
* ad-beh C:\WINDOWS\BPBISET.DLL
* ad-beh C:\WINDOWS\QNQKD.DLL
* ad-beh C:\WINDOWS\INSTAL~1.EXE
* ad-beh C:\WINDOWS\UNADBEH.EXE
* ad-beh C:\WINDOWS\QCQNDXB.EXE
* ad-beh C:\WINDOWS\system\WINUP2~1.DLL
* ad-beh C:\WINDOWS\system\WMCONFIG.CPL
* ad-beh C:\WINDOWS\system\WMCONFIG.CPL
»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»
Global Startup:
problem locating dir
User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp
»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
"Find activesetup", version1, launched at: 15:18
Operating System: Windows 98
HKLM\Software\Microsoft\Active Setup\Installed Components\
"{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\(Default)" = "Microsoft Outlook Express 5"
\StubPath = ""C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /uninstall" [MS]
And here's the fresh HJT log. Also maybe you could help me to post the SpSeHjfix109.exe logs. I can't open them because rundll32.exe cannot be found is what my comp says.
Logfile of HijackThis v1.99.1
Scan saved at 4:21:12 PM, on 5/9/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RUNDLL32.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\SONIQUE\SQSTART.EXE
C:\WINDOWS\APPLICATION DATA\ECIE.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\ARES LITE EDITION\ARES.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\WEmail RemovedEXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [System Sentry] C:\PROGRA~1\EASYDE~1\SYSTEM~1\Protect.exe protect
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
O4 - HKCU\..\Run: [Aawr] C:\WINDOWS\Application Data\ecie.exe
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: WinZip Quick Pick.lnk.disabled
O4 - Startup: America Online 9.0 Tray Icon.lnk.disabled
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.Email Removed
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 (http://\"http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
Post by: guestolo on May 09, 2005, 05:46:49 PM
UNZIP it to a folder of your choice
Please save these instructions too a Notepad file on your desktop and then Disconnect from the Internet>>Close all browser windows, including this one
Do another scan with Hijackthis and put a check next to these entries:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKCU\..\Run: [Aawr] C:\WINDOWS\Application Data\ecie.exe
O15 - Trusted IP range: 206.161.125.149
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
==Run Pocket KillBox>>Now killbox and this notepad file is open
Click on Tools>>Delete Temp files
In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in
C:\WINDOWS\VAVOM.DLL
Select the radio button to
Delete on Reboot
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
If prompted to Reboot Now, Click NO
Continue to copy and paste the next paths to the files below into killbox
Selecting Delete on Reboot afterwards
C:\WINDOWS\UNADBEH.EXE
C:\WINDOWS\BPBISET.DLL
C:\WINDOWS\QNQKD.DLL
C:\WINDOWS\INSTAL~1.EXE
C:\WINDOWS\QCQNDXB.EXE
C:\WINDOWS\system\WINUP2~1.DLL
C:\WINDOWS\system\WMCONFIG.CPL
C:\WINDOWS\Application Data\ecie.exe
When you've entered the last path to the file
Allow the computer to Reboot
or Restart the computer anyways
Back in Windows
Go to this site
I asked you to Unzip Rundll32.exe to the wrong directory, sorry about that
/blink.gif\' class=\'bbc_emoticon\' alt=\':blink:\' /> Can you redownload Rundll32.exe from this link
CLICK HERE (http://\"http://www.spywareinfo.com/~merijn/files/windows/rundll32_98.zip\")
SAVE it and UNZIP it to your
C:\Windows folder
Let me know if add/Remove programs works then
Also post a fresh Hijackthis log
The log from SpSeHjfix109
Could you also run Find-Qoologic.bat again and post the log it produces
Post by: Zaiden Strike on May 10, 2005, 03:37:57 PM
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»
* qoologic C:\WINDOWS\VAVOM.DLL
* qoologic C:\WINDOWS\INSTAL~1.EXE
* qoologic C:\WINDOWS\UNADBEH.EXE
* urllogic C:\WINDOWS\VAVOM.DLL
* ad-beh C:\WINDOWS\BPBISET.DLL
* ad-beh C:\WINDOWS\QNQKD.DLL
* ad-beh C:\WINDOWS\INSTAL~1.EXE
* ad-beh C:\WINDOWS\UNADBEH.EXE
* ad-beh C:\WINDOWS\QCQNDXB.EXE
* ad-beh C:\WINDOWS\system\WINUP2~1.DLL
* ad-beh C:\WINDOWS\system\WMCONFIG.CPL
* ad-beh C:\WINDOWS\system\WMCONFIG.CPL
»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»
Global Startup:
problem locating dir
User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp
»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
"Find activesetup", version1, launched at: 14:27
Operating System: Windows 98
HKLM\Software\Microsoft\Active Setup\Installed Components\
"{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\(Default)" = "Microsoft Outlook Express 5"
\StubPath = ""C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /uninstall" [MS]
SpSeHjfix.exe saved to My Documents-
(5/9/05 2:09:06 PM) SPSeHjFix started v1.09
(5/9/05 2:09:06 PM) OS: Win98SE A (4.10.67766446)
(5/9/05 2:09:06 PM) Language: english
(5/9/05 2:09:11 PM) Disinfect started
(5/9/05 2:09:11 PM) Bad-Dll(IEP): se.dll
(5/9/05 2:09:11 PM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\SYSTEM\BGFJM.DLL
(5/9/05 2:09:11 PM) Searchassistant Uninstaller - Keys Deleted
(5/9/05 2:09:11 PM) UBF: 6
(5/9/05 2:09:11 PM) UBB: 0
(5/9/05 2:09:11 PM) FilterKey: HKCR\text/html (deleted)
(5/9/05 2:09:11 PM) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(5/9/05 2:09:11 PM) FilterKey: HKCR\CLSID\{075561CA-C090-11D9-9783-BBE4C76007EE} (deleted)
(5/9/05 2:09:11 PM) FilterKey: HKCR\text/plain (deleted)
(5/9/05 2:09:11 PM) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(5/9/05 2:09:11 PM) FilterKey: HKCR\CLSID\{075561CA-C090-11D9-9783-BBE4C76007EE} (error while deleting)
(5/9/05 2:09:11 PM) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{29761890-C08C-11D9-9783-BBE45A7B6978} (deleted)
(5/9/05 2:09:11 PM) BHO-Key: HKCR\CLSID\{29761890-C08C-11D9-9783-BBE45A7B6978} (deleted)
(5/9/05 2:09:11 PM) UBR: 10
(5/9/05 2:09:11 PM) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall (deleted)
(5/9/05 2:09:11 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://C:\WINDOWS\TEMP\se.dll/sp.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://C:\WINDOWS\TEMP\se.dll/sp.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(5/9/05 2:09:11 PM) Stealth-String found: C:\WINDOWS\READM_X2.HTZ
(5/9/05 2:09:11 PM) File added to delete: c:\windows\system\bgfjm.dll
(5/9/05 2:09:11 PM) File added to delete: c:\windows\system\bgfjm.dll
(5/9/05 2:09:11 PM) File added to delete: c:\windows\temp\se.dll
(5/9/05 2:09:11 PM) File added to delete: c:\windows\readm_x2.htz
(5/9/05 2:09:12 PM) Reboot
SpSeHjfix.exe 2nd run-
(5/9/05 2:18:33 PM) SPSeHjFix 2nd Step
(5/9/05 2:18:33 PM) RunServicesOnce-Key: (edited)
(5/9/05 2:18:38 PM) Cleaned
Fresh HJT log-
Logfile of HijackThis v1.99.1
Scan saved at 3:51:46 PM, on 5/10/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
C:\PROGRAM FILES\SONIQUE\SQSTART.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\WEmail RemovedEXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [System Sentry] C:\PROGRA~1\EASYDE~1\SYSTEM~1\Protect.exe protect
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: WinZip Quick Pick.lnk.disabled
O4 - Startup: America Online 9.0 Tray Icon.lnk.disabled
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.Email Removed
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 (http://\"http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
Post by: guestolo on May 10, 2005, 06:50:14 PM
Let's try this again
==Download DelDomains.inf
http://www.mvps.org/winhelp2002/DelDomains.inf (http://\"http://www.mvps.org/winhelp2002/DelDomains.inf\") and save it to desktop
We'll need this later>>If using a Mozilla browser, right click on that link and SAVE Link As, save it to desktop
we'll need this later
Please save these instructions too a Notepad file on your desktop and then Disconnect from the Internet>>Close all browser windows, including this one
Open Hijackthis>>Open Misc tools Section>>Open Process Manager
Kill this process if running
C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
==Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries
Do another scan with Hijackthis and put a check next to these entries:
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
O15 - Trusted IP range: 206.161.125.149
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
==Run Pocket KillBox>>Now killbox and this notepad file is open
Click on Tools>>Delete Temp files
In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in
C:\WINDOWS\VAVOM.DLL
Then click the Delete File button
The Red circle and a white X
Do the same for the next ones below
For any file that won't delete, keep track of them, we'll need them in a bit
C:\WINDOWS\UNADBEH.EXE
C:\WINDOWS\BPBISET.DLL
C:\WINDOWS\QNQKD.DLL
C:\WINDOWS\INSTAL~1.EXE
C:\WINDOWS\QCQNDXB.EXE
C:\WINDOWS\system\WINUP2~1.DLL
C:\WINDOWS\system\WMCONFIG.CPL
C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
For any file that wouldn't delete, this time copy and paste that entry back to killbox
Select the radio button to
Delete on Reboot
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
IF prompted to Reboot Now, Click NO
When you've entered the last path to the file
Allow the computer to Reboot
or Restart the computer anyways
Back in Windows, find and delete these folders if found
C:\WINDOWS\SYSTEM\nsvsvc <-folder
C:\WINDOWS\SYSTEM\PICSVR <-folder
Post back a fresh Hijackthis log
Was that and old log from Find-Qoologic.bat???
I need you to run a fresh scan with Find-Qoologic.bat
Wait for the log and post it back here
Post by: Zaiden Strike on May 10, 2005, 09:16:37 PM
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»
Global Startup:
problem locating dir
User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp
»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
"Find activesetup", version1, launched at: 20:28
Operating System: Windows 98
HKLM\Software\Microsoft\Active Setup\Installed Components\
"{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\(Default)" = "Microsoft Outlook Express 5"
\StubPath = ""C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /uninstall" [MS]
And here's a fresh HJT log-
Logfile of HijackThis v1.99.1
Scan saved at 9:29:52 PM, on 5/10/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\SONIQUE\SQSTART.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\WEmail RemovedEXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [System Sentry] C:\PROGRA~1\EASYDE~1\SYSTEM~1\Protect.exe protect
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: WinZip Quick Pick.lnk.disabled
O4 - Startup: America Online 9.0 Tray Icon.lnk.disabled
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.Email Removed
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 (http://\"http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
Post by: guestolo on May 11, 2005, 10:26:41 PM
Have your Windows 98 cd ready
Go to START>>RUN>>type in sfc
Hit ENTER
Do a Standard file check and Fix Automatically
Let me know if you are prompted to replace Rundll.exe and/or other files
If so, replace from the CD if you can
Post back a fresh Hijackthis log afterwards
Post by: Zaiden Strike on May 12, 2005, 04:40:51 PM
Post by: guestolo on May 12, 2005, 07:13:51 PM
System File Checker
Without the CD
Let me know what files are corrupt or missing
Post by: Zaiden Strike on May 13, 2005, 03:39:05 AM
netos.dll
javaee.dll
setupx.dll
Fresh HJT log-
Logfile of HijackThis v1.99.1
Scan saved at 3:24:51 AM, on 5/13/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TOOLBAR\TBPS.EXE
C:\PROGRAM FILES\TOOLBAR\PIB.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\PROGRAM FILES\SONIQUE\SQSTART.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\WEmail RemovedEXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032 (http://\"http://www.websearch.com/ie.aspx?tb_id=50032\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032 (http://\"http://www.websearch.com/ie.aspx?tb_id=50032\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [System Sentry] C:\PROGRA~1\EASYDE~1\SYSTEM~1\Protect.exe protect
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe
O4 - HKLM\..\Run: [VBouncerDL] C:\Program Files\VBouncer\VBouncerInner.exe /S
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServicesOnce: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe /boot
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: WinZip Quick Pick.lnk.disabled
O4 - Startup: America Online 9.0 Tray Icon.lnk.disabled
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.Email Removed
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 (http://\"http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
Post by: guestolo on May 13, 2005, 05:37:51 PM
Can you do the following
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop
Code: [Select]
REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges] Double click on fix.reg and let it merge to the registry
Restart your computer
Back in Windows, I want to check on something
Open Hijackthis>>Open Misc Tools Section>>Open Uninstall Manager
Click the SAVE LIST button
Save the list and copy and paste it back here
Post by: Zaiden Strike on May 15, 2005, 11:16:07 AM
Ad-Aware SE Personal
AdDestroyer
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOL Instant Messenger
AOL Spyware Protection
AOL Toolbar
AOL You've Got Pictures Screensaver
Ares 1.8.1
a-squared Personal 1.6
Battle.net
CleanUp!
Diablo
Display Utility
Dope Wars 2.2 for Windows
HighGrow Freeware Version 4.20
HijackThis 1.99.1
J2SE Runtime Environment 5.0 Update 1
Learn2 Player (Uninstall Only)
Macromedia Shockwave Player
Microsoft Internet Explorer 6 SP1 and Internet Tools
Might and Magic® VII
MSN Messenger 7.0
MusicMatch Jukebox
My Search Bar
Palace Uninstall
PCI Audio Applications
PROPAD 6 (MorayPad)
QUAKE
QuickTime
RealPlayer Basic
Search Assistant - My Search
SiS Multimedia V1.02.02
Sonique
Spybot - Search & Destroy 1.3
Starcraft
System Sentry for Windows 9x and ME
TopText iLookup
Viewpoint Media Player
Web Offer
WebSearch Toolbar
Winamp (remove only)
Windows Media Player system update (9 Series)
Win-Tools Easy Installer (by WebSearch)
WinZip
Yahoo! Install Manager
Yahoo! Messenger
YOU DON'T KNOW JACK V1.0
YOU DON'T KNOW JACK Volume 2
Logfile of HijackThis v1.99.1
Scan saved at 11:15:09 AM, on 5/15/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TOOLBAR\TBPS.EXE
C:\PROGRAM FILES\TOOLBAR\PIB.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\SONIQUE\SQSTART.EXE
C:\WINDOWS\APPLICATION DATA\ECIE.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\WEmail RemovedEXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032 (http://\"http://www.websearch.com/ie.aspx?tb_id=50032\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032 (http://\"http://www.websearch.com/ie.aspx?tb_id=50032\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032 (http://\"http://www.websearch.com/ie.aspx?tb_id=50032\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [System Sentry] C:\PROGRA~1\EASYDE~1\SYSTEM~1\Protect.exe protect
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe
O4 - HKLM\..\Run: [VBouncerDL] C:\Program Files\VBouncer\VBouncerInner.exe /S
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServicesOnce: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe /boot
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
O4 - HKCU\..\Run: [Aawr] C:\WINDOWS\Application Data\ecie.exe
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: WinZip Quick Pick.lnk.disabled
O4 - Startup: America Online 9.0 Tray Icon.lnk.disabled
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.Email Removed
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 (http://\"http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
Post by: guestolo on May 15, 2005, 12:07:57 PM
AdDestroyer
Ad Behavior
My Search Bar
Search Assistant - My Search
TopText iLookup
Viewpoint Media Player
Web Offer
WebSearch Toolbar
Win-Tools Easy Installer (by WebSearch)
Don't reboot until all are removed
Come back here and post a fresh Hijackthis log afterwards
Do you know what this entry is related too in your add/remove programs
Palace Uninstall
Whatever you can't remove in Normal mode, try booting into safe mode and uninstall them
Post by: Zaiden Strike on May 15, 2005, 01:01:58 PM
Also, AdDestroyer I don't think will uninstall. It opens up a window searching for a log but it can't find the log anymore, it found it the first time but I'm guessing it took the log with whatever part of it was gotten rid of. With Web Offer, nothing happens after I push the Add/Remove button. Search Assistant - My Search has an error when I push the button saying it can't find C:\PROGRA~1\MYWAY\SRCHASTT\1.BIN\mysrchas.dll
Logfile of HijackThis v1.99.1
Scan saved at 1:00:59 PM, on 5/15/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\SONIQUE\SQSTART.EXE
C:\WINDOWS\APPLICATION DATA\ECIE.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\WEmail RemovedEXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [System Sentry] C:\PROGRA~1\EASYDE~1\SYSTEM~1\Protect.exe protect
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [VBouncerDL] C:\Program Files\VBouncer\VBouncerInner.exe /S
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
O4 - HKCU\..\Run: [Aawr] C:\WINDOWS\Application Data\ecie.exe
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: WinZip Quick Pick.lnk.disabled
O4 - Startup: America Online 9.0 Tray Icon.lnk.disabled
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.Email Removed
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 (http://\"http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
Post by: guestolo on May 15, 2005, 01:45:41 PM
Next:
Print this out or save too a notepad file
Restart into safe mode
Find and delete these files or folders if found
C:\WINDOWS\Application Data\ecie.exe <-file
C:\PROGRAM FILES\AdDestroyer <-folder
C:\PROGRAM FILES\Web Offer
C:\PROGRAM FILES\eZula
C:\PROGRAM FILES\Toolbar
C:\PROGRAM FILES\VBouncer
C:\PROGRAM FILES\MYWAY
C:\PROGRAM FILES\COMMON FILES\WINTOOLS
Stay in safe mode
Run Windows CleanUp! again but don't restart the computer when it's done
Instead
Do another scan with Hijackthis and put a check next to these entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [VBouncerDL] C:\Program Files\VBouncer\VBouncerInner.exe /S
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKCU\..\Run: [Aawr] C:\WINDOWS\Application Data\ecie.exe
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Restart back to Safe mode
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab--- Reset home page
Run another scan with Hijackthis and post back a fresh log
Post by: Guest on May 15, 2005, 03:42:36 PM
Logfile of HijackThis v1.99.1
Scan saved at 3:38:33 PM, on 5/15/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\PROGRAM FILES\SONIQUE\SQSTART.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\WEmail RemovedEXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [System Sentry] C:\PROGRA~1\EASYDE~1\SYSTEM~1\Protect.exe protect
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: WinZip Quick Pick.lnk.disabled
O4 - Startup: America Online 9.0 Tray Icon.lnk.disabled
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.Email Removed
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 (http://\"http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
Post by: guestolo on May 15, 2005, 03:53:45 PM
* Open My Computer.
* Select the View menu and click Folder Options.
* Select the View Tab.
* In the Hidden files section select Show all files.
* Uncheck the Hide Extensions for known file types
* Click OK.
Post by: Guest on May 15, 2005, 04:23:06 PM
Logfile of HijackThis v1.99.1
Scan saved at 4:21:39 PM, on 5/15/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\PROGRAM FILES\SONIQUE\SQSTART.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\WEmail RemovedEXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [System Sentry] C:\PROGRA~1\EASYDE~1\SYSTEM~1\Protect.exe protect
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: WinZip Quick Pick.lnk.disabled
O4 - Startup: America Online 9.0 Tray Icon.lnk.disabled
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.Email Removed
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 (http://\"http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
Post by: guestolo on May 15, 2005, 04:40:45 PM
You should set up protection against future attacks
SpywareBlaster 3.4 by JavaCool (http://\"http://www.javacoolsoftware.com/spywareblaster.html\")
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
Check for updates every couple of weeks
SpywareBlaster, after every update just simply enable all protection
Could you next do the following
I don't see any Anti-Virus software on your
If you have your own install it or enable it now and run a full system scan
If you don't have your own
I recommend that you install the free version of AVG 7
from this link
http://free.grisoft.com/doc/2/lng/us/tpl/v5 (http://\"http://free.grisoft.com/doc/2/lng/us/tpl/v5\")
Scroll down too
AVG Free Edition installation files
File Version
avg70free_308a468.exe <-this link
Save the installer to desktop
Install the program, restart the computer if prompted
Afterwards, ensure it's fully updated
Run a full system scan and let it fix whatever it finds
Restart the computer afterwards
Again, Check for updates with Ad-Aware and Spybot
Run scans with both, fixing whatever Criticals or ones in RED it finds
Restarting the computer in between
Come back here and post one last hijackthis log afterwards
Let me know how things are running
Also
Could you again Open Hijackthis>>Open Misc tools section>>Open Uninstall manager
Save list and post it back here again
Post by: Zaiden Strike on May 19, 2005, 07:19:41 PM
Ad-Aware SE Personal
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOL Instant Messenger
AOL Spyware Protection
AOL Toolbar
AOL You've Got Pictures Screensaver
Ares 1.8.1
a-squared Personal 1.6
Battle.net
CleanUp!
Diablo
Display Utility
Dope Wars 2.2 for Windows
HighGrow Freeware Version 4.20
HijackThis 1.99.1
J2SE Runtime Environment 5.0 Update 1
Learn2 Player (Uninstall Only)
Macromedia Shockwave Player
Microsoft Internet Explorer 6 SP1 and Internet Tools
Might and Magic® VII
MSN Messenger 7.0
MusicMatch Jukebox
My Search Bar
Palace Uninstall
PCI Audio Applications
PROPAD 6 (MorayPad)
QUAKE
QuickTime
RealPlayer Basic
Search Assistant - My Search
SiS Multimedia V1.02.02
Sonique
Spybot - Search & Destroy 1.3
SpywareBlaster v3.4
Starcraft
System Sentry for Windows 9x and ME
Virtual Bouncer
Web Offer
Winamp (remove only)
Windows Media Player system update (9 Series)
WinZip
Yahoo! Install Manager
Yahoo! Messenger
YOU DON'T KNOW JACK V1.0
YOU DON'T KNOW JACK Volume 2
Logfile of HijackThis v1.99.1
Scan saved at 7:09:21 PM, on 5/19/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [System Sentry] C:\PROGRA~1\EASYDE~1\SYSTEM~1\Protect.exe protect
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\SYSTEM\ELITEHUR32.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
O4 - HKCU\..\Run: [Aawr] C:\WINDOWS\Application Data\ecie.exe
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: WinZip Quick Pick.lnk.disabled
O4 - Startup: America Online 9.0 Tray Icon.lnk.disabled
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.Email Removed
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 (http://\"http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab (http://\"http://chat.msn.com/controls/msnchat45.cab\")
Post by: guestolo on May 19, 2005, 11:50:36 PM
Restart into safe mode
IF you can
Access your Add/Remove programs and unstall
My Search Bar
Search Assistant - My Search
Virtual Bouncer
Web Offer
In safe mode
First run a scan with Spybot and clean all in RED
Restart the computer
Allow to restart back to SAFE MODE
Run a Full system scan with Ad-Aware
Fix all Critical objects
Restart your computer back to Normal mode
Yes, that would be the most up to date link for AVG, please download and install it and ensure it's updated and run a full system scan
308a468 may change, but take a look
EDIT>>At this time as I looked at the download link, it's at
322a531.exe
Restart your computer when it's done
Back in Windows
Post a fresh Hijackthis log
Post by: Zaiden Strike on May 21, 2005, 08:01:06 PM
Search Assistant displays error window after clicking add/remove. Error - C:\PROGRA~1\MYWAY\SRCHASTT\1.BIN\mysrchas.dll
Virtual Bouncer is not listed on add/remove list.
WebOffer still does nothing after clicking add/remove.
Spybot found no problems, and AdAwareSE is toast. It won't even open anymore. It gets to "Loading Definitions" stage and locks up. Says [Not Responding] after I Ctrl+Alt+Delete.
AVG fixed 53 out of 56 problems too.
Logfile of HijackThis v1.99.1
Scan saved at 8:00:37 PM, on 5/21/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
C:\PROGRAM FILES\VBOUNCER\VIRTUALBOUNCER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\SONIQUE\SQSTART.EXE
C:\WINDOWS\APPLICATION DATA\ECIE.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\WEmail RemovedEXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [System Sentry] C:\PROGRA~1\EASYDE~1\SYSTEM~1\Protect.exe protect
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
O4 - HKCU\..\Run: [Aawr] C:\WINDOWS\Application Data\ecie.exe
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: WinZip Quick Pick.lnk.disabled
O4 - Startup: America Online 9.0 Tray Icon.lnk.disabled
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.Email Removed
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 (http://\"http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab (http://\"http://chat.msn.com/controls/msnchat45.cab\")
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
Post by: guestolo on May 23, 2005, 05:40:15 AM
Sorry for the delay
Can you go too this link for Ad-Aware
http://www.lavasoftusa.com/support/download/ (http://\"http://www.lavasoftusa.com/support/download/\")
Download the latest definition file manually and Unzip it too your
C:\Program Files\Lavasoft\Ad-Aware SE Personal folder
Do the following
A couple entries in add/remove programs appear to be leftovers
Open Hijackthis>>Open Misc tools section>>Open Uninstall manager
Left click to highlight and then use Delete this Entry button
On the following
My Search Bar
Search Assistant - My Search
Web Offer
Do another scan with Hijackthis and fix checked the following
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKCU\..\Run: [Aawr] C:\WINDOWS\Application Data\ecie.exe
Restart into safe mode after fixing the above
Look again in your Add/Remove programs via Control Panel and remove if found
Virtual Bouncer
Find and delete this file
C:\WINDOWS\Application Data\ecie.exe <-file
And these folders
C:\WINDOWS\SYSTEM\nsvsvc
C:\PROGRAM FILES\VBOUNCER
Try a scan again in Safe mode with Ad-Aware
Restart back to Normal mode and post a fresh Hijackthis log
Post by: Zaiden Strike on May 23, 2005, 04:35:19 PM
Logfile of HijackThis v1.99.1
Scan saved at 4:31:31 PM, on 5/23/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\SONIQUE\SQSTART.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\WEmail RemovedEXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [System Sentry] C:\PROGRA~1\EASYDE~1\SYSTEM~1\Protect.exe protect
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: WinZip Quick Pick.lnk.disabled
O4 - Startup: America Online 9.0 Tray Icon.lnk.disabled
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.Email Removed
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 (http://\"http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab (http://\"http://chat.msn.com/controls/msnchat45.cab\")
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
Post by: guestolo on May 23, 2005, 04:49:30 PM
System Sentry for Windows 9x and ME
I'm not too familiar with it
Did it actually replace or repair any system files after you installed it?
Can you run System File Checker again
Let me know what files are corrupt or missing
Go to Start>>Run>>type in sfc
Hit OK
Post by: Zaiden Strike on May 25, 2005, 11:45:44 AM
sfc found these as possibly corrupt:
netos.dll
javaee.dll
setupx.dll
Logfile of HijackThis v1.99.1
Scan saved at 11:40:26 AM, on 5/25/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\SONIQUE\SQSTART.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\WEmail RemovedEXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
C:\PROGRAM FILES\ARES LITE EDITION\ARES.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [System Sentry] C:\PROGRA~1\EASYDE~1\SYSTEM~1\Protect.exe protect
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: WinZip Quick Pick.lnk.disabled
O4 - Startup: America Online 9.0 Tray Icon.lnk.disabled
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE (file missing)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.Email Removed
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 (http://\"http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab (http://\"http://chat.msn.com/controls/msnchat45.cab\")
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net