Author Topic: CWS.hiddendll (Read 10266 times)

deduemjo · « **on:** November 22, 2004, 02:47:27 PM »

My problem sounds exactly the same as that of Felix - below

Basically my IE Startpage was constantly changed to about:blank and had a Search engine site called Search Now. (isnt about:blank just supposed to be blank?). Also, other random sites were constantly beeing forwarded to this while I was browsing the internet.

I googled it and found out that I, like many, was infested with the CWS Spyware. I downloaded CWShredder and ran it. The program found CWS.HiddenDll and removed it along with 6 apparent registry entries. After doing this my IE was back to normal. After a while it came back though. I ran CWShredder again and it again found the above.

This keeps coming back and all I can do is rerun CWShredder every time, but its really annoying.

I've followed the forum with Guestolo - but Hijackthis does not appear to have the same rogue file. My log is as follows

Logfile of HijackThis v1.98.2
Scan saved at 19:42:18, on 22/11/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\WINDOWS\IPCFG.EXE
C:\WINDOWS\SCANDS32.EXE
C:\PROGRAM FILES\ERROR NUKER 2004\BIN\ERRORNUKER.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
C:\WINDOWS\TWAIN_32\1200 UB\WATCH.EXE
C:\PROGRAM FILES\CREATACARD\GOLD\FMREMIND.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBDASH.EXE
C:\WINDOWS\TEMP\TD_0013.DIR\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ngseomiqzb.us/QXE0FBhc7BD97G3U/...IbuNZuwy5N.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: (no name) - {47868855-3B52-4DB6-9DD7-CC0D0CB59B21} - C:\WINDOWS\SNNPAPI.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Internet Registration] c:\program files\internet explorer\connection wizard\netcheck.exe
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [Password Check] c:\windows\GrabCookie.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [amen plan mp3 16] C:\WINDOWS\All Users\Application Data\GPL MEMO AMEN PLAN\closerule.exe
O4 - HKLM\..\Run: [C:\WINDOWS\IPCFG.EXE] C:\WINDOWS\IPCFG.EXE
O4 - HKLM\..\Run: [C:\WINDOWS\SCANDS32.EXE] C:\WINDOWS\SCANDS32.EXE
O4 - HKLM\..\Run: [Error Nuker 2004] C:\Program Files\Error Nuker 2004\bin\ErrorNuker.exe autostart
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [Spyware Assassin v.4.0] "C:\PROGRAM FILES\SPYWARE ASSASSIN 4.0\SPYWARE ASSASSIN.EXE"
O4 - HKCU\..\Run: [send show] C:\WINDOWS\APPLIC~1\FASTBA~1\title bleh shim.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200 UB\WATCH.exe
O4 - Startup: CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Gold\FMRemind.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200110...meInstaller.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
O18 - Filter: text/html - {5EC39ADF-04CA-4601-88B8-2C51E9DABFEF} - C:\WINDOWS\SNNPAPI.DLL
O18 - Filter: text/plain - {5EC39ADF-04CA-4601-88B8-2C51E9DABFEF} - C:\WINDOWS\SNNPAPI.DLL

Please can somebody help?

guestolo · « **Reply #1 on:** November 22, 2004, 07:36:42 PM »

Hi deduemjo

Could you please download a couple Tools for me

Download STARTDRECK

Unzip it to it's own folder

run StartDreck.exe:
Hit: -config
hit: -Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.

Use the "save" tab, to save, name and post the log!

Can you also Download DLLCompare

Start the Program and click the Run Locate.com
Default settings should work---C:\Windows\System directory
Let it complete the SCAN, which won't take long

Click the Compare button to start the next process.This will take a bit longer.
The results appear in two panes - files in the upper pane have been verified to 'exist'.
Files in the lower pane were 'not able to be accessed'.
Very few files should be listed in the lower pane,if any, when the Compare scan is complete.
Click on each of the listed entries in the lower pane to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and then if so it will be removed from the list to reduce the number of identified files.

Click the Make a Log of what was found button

Post this log too along with a fresh Hijackthis log, thanks

Could you also let me know if you paid for SpyKiller or Spyware Assassin
If you didn't you should get rid of them, I'll give you links to 2 free ones that are
reputable
Read this about the 2 you have
Rogue Spyware software

The above will help indicate what infection of About:blank you have
We will be able to try a different route with About:Buster if Startdreck or DllCompare come up negative

deduemjo · « **Reply #2 on:** November 23, 2004, 03:36:51 AM »

Thanks for this - will try after work - I did not buy the Spyware you mention (I will have downloaded them before I settled on Spybot).
Won't let me remove spykiller with Add/REmove Programs - says could not load initialisation file (haven't tried to remove other one yet)

deduemjo · « **Reply #3 on:** November 23, 2004, 07:22:11 AM »

Here is the log from STARTDRECK

StartDreck (build 2.1.7 public stable) - 2004-11-23 @ 12:25:25 (GMT +00:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 6.0.2800.1106
Logged in as default at OEMCOMPUTER

»Registry
»Run Keys
»Current User
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
*SpyKiller=C:\Program Files\SpyKiller\spykiller.exe /startup
*BestPopUpKiller=C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
*Spyware Assassin v.4.0="C:\PROGRAM FILES\SPYWARE ASSASSIN 4.0\SPYWARE ASSASSIN.EXE"
*send show=C:\WINDOWS\APPLIC~1\FASTBA~1\title bleh shim.exe
*PopUpStopperFreeEdition="C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
»RunOnce
»Default User
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
*SpyKiller=C:\Program Files\SpyKiller\spykiller.exe /startup
*BestPopUpKiller=C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
*Spyware Assassin v.4.0="C:\PROGRAM FILES\SPYWARE ASSASSIN 4.0\SPYWARE ASSASSIN.EXE"
*send show=C:\WINDOWS\APPLIC~1\FASTBA~1\title bleh shim.exe
*PopUpStopperFreeEdition="C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*PCHealth=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*EnsoniqMixer=C:\WINDOWS\starter.exe
*CountrySelection=pctptt.exe
*PTSNOOP=ptsnoop.exe
*SystemTray=SysTray.Exe
*Internet Registration=c:\program files\internet explorer\connection wizard\netcheck.exe
*Gearbox="C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
*LoadQM=loadqm.exe
*PE2CKFNT SE=C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
*InstantAccess=C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
*RegisterDropHandler=C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
*Password Check=c:\windows\GrabCookie.exe
*Disc Detector=C:\Program Files\Creative\ShareDLL\CtNotify.exe
*AtiCwd32=Aticwd32.exe
*AtiQiPcl=AtiQiPcl.exe
*amen plan mp3 16=C:\WINDOWS\All Users\Application Data\GPL MEMO AMEN PLAN\closerule.exe
*C:\WINDOWS\IPCFG.EXE=C:\WINDOWS\IPCFG.EXE
*C:\WINDOWS\SCANDS32.EXE=C:\WINDOWS\SCANDS32.EXE
*Error Nuker 2004=C:\Program Files\Error Nuker 2004\bin\ErrorNuker.exe autostart
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*SSDPSRV=C:\WINDOWS\SYSTEM\ssdpsrv.exe
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
*SAgent2ExePath=C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
*RegisterDropHandler=C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*{24D52758-A1FE-4A21-A2F0-A86CE31C0B40}
`InprocServer32=C:\WINDOWS\SNNPAPI.DLL
»Files
»System/Drivers
»Running Processes
+FF0FA045=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFE5D9=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFE05D5=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE0F89=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFEB2D5=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFEBE19=C:\WINDOWS\SYSTEM\SSDPSRV.EXE
+FFFE70F9=C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
+FFFD2FB5=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFFECF41=C:\WINDOWS\EXPLORER.EXE
+FFFE424D=C:\WINDOWS\SYSTEM\RPCSS.EXE
+FFFCFE01=C:\WINDOWS\TASKMON.EXE
+FFFB2519=C:\WINDOWS\STARTER.EXE
+FFFB14E1=C:\WINDOWS\ptsnoop.exe
+FFFB773D=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFBB169=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
+FFFBFA39=C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
+FFFBF541=C:\WINDOWS\LOADQM.EXE
+FFFB5CC9=C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
+FFFA02AD=C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
+FFFA5319=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFAEF2D=C:\WINDOWS\IPCFG.EXE
+FFFAD81D=C:\WINDOWS\SCANDS32.EXE
+FFF93801=C:\PROGRAM FILES\ERROR NUKER 2004\BIN\ERRORNUKER.EXE
+FFF961C5=C:\WINDOWS\RunDLL.exe
+FFF94849=C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
+FFF9A615=C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
+FFF9E201=C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
+FFF9D3C5=C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
+FFF81791=C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
+FFF85A95=C:\WINDOWS\TWAIN_32\1200 UB\WATCH.EXE
+FFF8A969=C:\PROGRAM FILES\CREATACARD\GOLD\FMREMIND.EXE
+FFF8EC4D=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFF8C23D=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF7E5A1=C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
+FFF8E5F5=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF6A59D=C:\WINDOWS\SYSTEM\PSTORES.EXE
+FFF655E9=C:\WINDOWS\SYSTEM\RNAAPP.EXE
+FFF685E5=C:\WINDOWS\SYSTEM\TAPISRV.EXE
+FFF52499=C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBDASH.EXE
+FFF43DE1=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF482B1=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFF48A7D=C:\WINDOWS\RUNDLL32.EXE
+FFFCB579=C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\2PF8TSRM\STARTDRECK[1]\STARTDRECK.EXE
»Application specific

Hope this helps

deduemjo · « **Reply #4 on:** November 23, 2004, 07:41:29 AM »

The DLL Compare threw uo nothing in the bottom pane.

The new HIjackthis log is as follows

Logfile of HijackThis v1.98.2
Scan saved at 12:47:24, on 23/11/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\IPCFG.EXE
C:\WINDOWS\SCANDS32.EXE
C:\PROGRAM FILES\ERROR NUKER 2004\BIN\ERRORNUKER.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
C:\WINDOWS\TWAIN_32\1200 UB\WATCH.EXE
C:\PROGRAM FILES\CREATACARD\GOLD\FMREMIND.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBDASH.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.qgvaqzprawkvgmtyc.com/QXE0FBhc7...IbuNZuwy5N.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SNNPAPI.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: (no name) - {24D52758-A1FE-4A21-A2F0-A86CE31C0B40} - C:\WINDOWS\SNNPAPI.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Internet Registration] c:\program files\internet explorer\connection wizard\netcheck.exe
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [Password Check] c:\windows\GrabCookie.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [amen plan mp3 16] C:\WINDOWS\All Users\Application Data\GPL MEMO AMEN PLAN\closerule.exe
O4 - HKLM\..\Run: [C:\WINDOWS\IPCFG.EXE] C:\WINDOWS\IPCFG.EXE
O4 - HKLM\..\Run: [C:\WINDOWS\SCANDS32.EXE] C:\WINDOWS\SCANDS32.EXE
O4 - HKLM\..\Run: [Error Nuker 2004] C:\Program Files\Error Nuker 2004\bin\ErrorNuker.exe autostart
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [Spyware Assassin v.4.0] "C:\PROGRAM FILES\SPYWARE ASSASSIN 4.0\SPYWARE ASSASSIN.EXE"
O4 - HKCU\..\Run: [send show] C:\WINDOWS\APPLIC~1\FASTBA~1\title bleh shim.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200 UB\WATCH.exe
O4 - Startup: CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Gold\FMRemind.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200110...meInstaller.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
O18 - Filter: text/html - {EBE573C9-8819-4FCA-890F-9D2DF3A9897D} - C:\WINDOWS\SNNPAPI.DLL
O18 - Filter: text/plain - {EBE573C9-8819-4FCA-890F-9D2DF3A9897D} - C:\WINDOWS\SNNPAPI.DLL

guestolo · « **Reply #5 on:** November 23, 2004, 08:09:20 PM »

Let's see how much cleanup we can get done in your log the first time around
I also see that your not running any Anti-Virus software
If you need a Free solution, let me know, it's not safe being on the Net without it..
Don't install one yet, we'll try and get you clean first

I would uninstall Spyware Assasin and Restart your computer

Next:
Create a New folder on your desktop, call it Aboutbuster
Download to desktop About:Buster
by RubbeR Ducky
Unzip it to that new folder. Start it and hit ok. Then hit update. A new screen should popup. On that screen hit Check for Updates. If it says it found an update hit Download Updates. If it doesnt it will automatically tell you and exit
Don't run this yet, but ensure you update for now

Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or later
If you don't have this verision, uninstall yours and install this one
After installation-CHECK FOR UPDATES
Allow to download updates
Don't run it yet, but check for Updates now

You may want to print the rest of this out:
This will allow you to follow along without connection to the Internet till we are done

Go to Add/Remove in your control panel then look for and uninstall if found, Window Search, Window Searching, Lop.com, LOP Search, Browser Enhancer, Ultimate Browser Enhancer . If you are given a code to insert, do so.

If those that are listed above are not installed then d/l the LOP uninstaller.

Download the LOP uninstaller from HERE . Close IE and run the uninstaller; click OK>it will then ask you to type in a number that it supplies, do so and click 'uninstall'>yes>OK>OK.

RESTART your computer into Safe Mode by tapping the F8 key on Windows Startup
If your unsure how to start in safe mode, read this link
How to start in Safe mode

Try uninstalling SpywareAssasin and/or Spykiller if you can

Open About:Buster
Now for the scanning part. Hit start and then Ok. The program should start scanning.
Let it complete the scanning, rescan again when prompted
Save the log on to the desktop

Stay in Safe Mode---Open Ad-Aware
Do a Full System Scan
After Scanning is complete,Remove all Criticals: right click in the Criticals and Select All

Open CWShredder and let it FIX all problems

RESTART your computer back into Normal Mode
Run About:Buster again, save this log too....

You should also do a Free Online Virus scan at either
Trend Micros---Set to Autoclean
http://housecall.trendmicro.com/
and/or Panda's
http://www.pandasoftware.com/activescan/co...n_principal.htm

Let either clean what it can and try and delete what it can't
Please ensure you tell me where any malware was found if you have trouble removing it

I just noticed that your running Hijackthis from your Temp. directory
Important
Create a Permanent folder for Hijackthis, backups will be stored there.
EG>>>
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT

Now you will have C:\HJT
Please redownload Hijackthis from
HERE or HERE

Post back a fresh hijackthis log after you are done the above, could you also post the About:Buster logs, thanks

deduemjo · « **Reply #6 on:** November 24, 2004, 03:09:29 AM »

Thanks for continued support.
Not much worked I'm afraid - here's details

1. I have Norton Anti Virus software - as far as I know I have to run it manually (when I updated and ran at weekend(in relation to current problem) it found a trojan virus - it is now clean)
2. There is no entry for Spyware Assassin in Add/Remove Program list (Spykiller is but it won't lat me remove it as described earlier) . I searched files for Spyware Assassin - found [email protected][2] and Cyber Tech Help Support- deleted both of these manually (?) and restarted computer
3. Downloading Aboutblaster didn't seem to work - got ' Run-time error 339' then 'Component MsComCtl.ocx or one of its dependencies not correctly registered: a file is missing or invalid'
4. AD-Aware also won't work (tried this the other night and got same message)
'Ad-aware caused an error in<unknown>' something in German and then'Exception EReadError in Modul AD-AWARE.EXE bei00021FOB'
5. None of the things you mention in Add/Remove Programs are listed. Did you mean delete LOP installer? What is/where do I find this? Again did manual search and found various files - most obvious looking one being HSFLOP.PDR but didn't delete any.
6. Tried to do the virus scans- trend micro website seemed to hang before I got there (could be me - but other websites work OK). Panda one started but got an error when downloading 'Your security settings prohibit Active X controls on this page. As a result the page will not display correctly' and download failed.

I should perhaps also mention when I attempt to start up internet I get a 'configurations conflict error' which I need to fix before I go any further.

Interestingly I've just gone back into home page and About:blank is not there!!!!
Plenty problems anyway it seems.
Look forward to your response.

guestolo · « **Reply #7 on:** November 24, 2004, 08:35:26 AM »

Please download this file and save it to desktop
http://www.javacoolsoftware.net/downloads/...ngfilesetup.exe

Double click to run it
This should help cure the problem with
Component MsComCtl.ocx or one of its dependencies not correctly registered: a file is missing or invalid'

Just on my way out, don't get rid of Ad-Aware, I have a couple files that your probably missing
Look for riched20.dll & riched32.dll, both in c:\windows\system folder

Let me know the size of them if you find them
Right click on them properties
If you don't find them we will have to install them for you

Try the online virus scan at Rav's, we will have to adjust your Security settings if you can't install the ActiveX
I'll get into more detail later

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />

deduemjo · « **Reply #8 on:** November 24, 2004, 01:35:13 PM »

Thanks for update.
latest is
1) downloaded file you suggested - so have now successfully updated aboutblaster.
2) Ad-Aware still won't work - same error
3) in c:windows/system found 2 files RICHED>DLL (235KB) and RICHED20.DLL (412KB) - but no RICHED32
4) Couldn't do on-line virus scan at Rav's due to an Active X error again (said security settings needed to be on medium - which it seems to be)

Am getting a Windows security Serice message regularly saying Windiws firewall is detecting strange(malicious) activity on network

Look forward to reply

Guest · « **Reply #9 on:** November 24, 2004, 09:27:01 PM »

Well, we're making some progress if you got About:Buster running

Please download that LOP uninstaller and run it from the instructions I gave you earlier, if you haven't done it already
Restart your computer afterwards

Let's see if we can get Ad-Aware running and get you to run that online Virus scan

Are time zones may be different: Sorry we can't get together on this at the same time
We should get you totally clean if you can handle the delay in responses

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/tongue.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Right now it's 6:33 pm PST here for me....
I'm not sure what the posted response time shows

Leave RICHED>DLL alone

Navigate to RICHED20.DLL
Right click on it and RENAME it to RICHED20.OLD
This is just to keep it as a backup

Next download the 2 files that may be causing your problem with Ad-Aware
Save both of these to your C:\Windows\System Folder

Riched20.dll
Riched32.dll

See if you can run Ad-Aware after you save the 2 above files
You may have to Restart your computer again before it will work
If you can, ensure you update it
Restart your computer into SAFE MODE

Run About:Buster in Safe mode
Scan twice, make sure you save the logs
Run Ad-Aware in safe mode
Clean all critical objects as I explained before

Restart back in Normal Mode, run About:Buster again

Access your Internet options for IE via Control panel
Under the Security tab>>Custom Level
See if these are set
Download Signed Active X controls --- Prompt
Download Unsigned Active X controls --- Disable
Initialize and script active X Not marked safe---Disable
Run Active X controls-- Enable
Script Active X controls marked safe for scripting---Enable

Scroll down and see if Active Scripting is enabled
RESTART your browser

See if you can run the Online Virus scans at RAV'S and Panda's
If still no luck, try adding either of those sites to your
Trusted Sites

Do what you can, Post back with a Fresh hijackthis log and About:Buster logs
If you can get the scan at RAV's to run please post the results too, thanks

If you can, can you also open up Hijackthis>>>Config>>Misc Tools>>Open Hosts File Manager>>Click the "Open In Notepad" button
Copy and paste the whole contents of the Hosts notepad file back here too

guestolo · « **Reply #10 on:** November 24, 2004, 09:28:37 PM »

Forgot to log in, reply above was from me

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/rolleyes.gif\' class=\'bbc_emoticon\' alt=\':rolleyes:\' />

Removed Riched20.dll
and Riched32.dll

deduemjo · « **Reply #11 on:** November 25, 2004, 02:55:03 AM »

Im in the UK - 8:00 BST.

Bit more progress but not much

1. Downloaded LOP installer - seemed to work OK - and restarted computer (slightly faster?or is it me. Didn't get the configuration conflicts error when going into IE)
2. Couldn't rename riched20 - said 'access is denied - the source file may be in use'. So didn't download the new riched files you suggest - should I have done?
3. Browser settings regarding Active X are all as you suggested
4. Tried copying and pasting Rav's into trusted sites- wouldn't let me - said ' needed prefix to ensure secure connection https://prefix

Still getting the Windows Security Firewall warning.
Look forward to next installment!

guestolo · « **Reply #12 on:** November 25, 2004, 08:39:32 AM »

I need to see an updated Hijackthis log
And I would like to see the About:buster logs

Try Restarting into safe mode and rename RICHED20.DLL>>>RICHED20.OLD

Ensure that you download Both those files and try Ad-Aware again
At minimum make sure you download Riched32.dll
Remember to save it to the proper folder

When you try and add those sites to the Trusted Zones
Try entering these exact addresses

http://www.ravantivirus.com

or

try these addresses
http://housecall.trendmicro.com/
and/or Panda's
http://www.pandasoftware.com/
In the Trusted zones settings you may have to take the check out of
"Require server verification(https)........"
If the above doesn't work

I'll check back later.....Make sure you post a fresh hijackthis log and About:Buster logs
Make sure you run scans in safe mode with about:buster and ad-aware
if you can get it to run
Remember to try renaming that file in safe mode

deduemjo · « **Reply #13 on:** November 30, 2004, 07:09:52 AM »

Would you believe my ISP erroneously cut me off and I've only just got back on-line.
Hope you're still around.
I'll set about your latest set of instructions now

deduemjo · « **Reply #14 on:** November 30, 2004, 07:18:20 AM »

Here's the current Hijack This log - not from safe mode

Logfile of HijackThis v1.98.2
Scan saved at 12:25:35, on 30/11/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\WINDOWS\IPCFG.EXE
C:\WINDOWS\SCANDS32.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
C:\WINDOWS\TWAIN_32\1200 UB\WATCH.EXE
C:\PROGRAM FILES\CREATACARD\GOLD\FMREMIND.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBDASH.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ojesjimfnxnbap.net/QXE0FBhc7BD9...IbuNZuwy5N.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/gearbox
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Internet Registration] c:\program files\internet explorer\connection wizard\netcheck.exe
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [Password Check] c:\windows\GrabCookie.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [C:\WINDOWS\IPCFG.EXE] C:\WINDOWS\IPCFG.EXE
O4 - HKLM\..\Run: [C:\WINDOWS\SCANDS32.EXE] C:\WINDOWS\SCANDS32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [Spyware Assassin v.4.0] "C:\PROGRAM FILES\SPYWARE ASSASSIN 4.0\SPYWARE ASSASSIN.EXE"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200 UB\WATCH.exe
O4 - Startup: CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Gold\FMRemind.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200110...meInstaller.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe

Guest · « **Reply #15 on:** November 30, 2004, 08:22:53 AM »

1. Ran AboutBuster - as far as i could tell seemed to work(didn't seem to log anything!) BUT - said it have saved log in c:\windows\temporary internet files\content.IE5\S5E7G1IV\ABOUT BUSTER[1]\ABOUTBUSTER\ABLogFile.txt - and i couldn't find it - can only get as far as Temporary Internet Files and then can't see it
2. Renamed the Riched 20 file in safe mode as suggested - this seemed to work
3. Rebooted back into normal mode
4. Couldn't download the 2 riched files you posted - says '404 Page Not Found - The Page you are looking for does not exist on Free Webs,
5. Therefore didn't try rerunning Adaware
6. Tried to add Rav's to trusted zones - got same error until I unchecked the server verification as you suggested. The add then seems to work. Do I now leave the server verification box unchecked - or recheck it again?(Haven't rechecked it yet)
7. Went into Rav's and waited a while whilst it seemed to be updating files for latest version - then it just seemed to redirect me to a page that recommends various software.
8. Will try this - or one of suggested others later - as have to get back to work

Regards

guestolo · « **Reply #16 on:** November 30, 2004, 09:55:55 AM »

Hi again, we're making progress but I still see some nasties in your log
I'm on my way to work also so I'll get you further instructions later

In the meantime, could you try one of those other online AV sites
Something may be redirecting you, we will have to check your hosts file later

Could you also
Download the Trial version of TrojanHunter from this link
http://www.trojanhunter.com/trojanhunter/
This is good for 30 days

After installation you will have to manually update the Latest Ruleset
Go to this link
http://www.trojanhunter.com/trojanhunter/updating/
Download the Latest Ruleset to desktop

Unzip it to your Trojan Hunter folder
Allow to overwrite if prompted
The default location should be C:\Program Files\TrojanHunter

Run a full system scan
Trojan Hunter comes with TrojanGuard, don't enable it for now

After you have ran TrojanHunter, let it fix whatever it finds, restart your computer and post back a fresh hijackthis log

I'll upload you those 2 riched files later, it would be nice to get Ad-Aware running on your system too

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />
Remember when you download Zip files to choose save to disk rather than Open
If your having troubles saving zip files to disk and they just want to open instead, let me know, we'll have to fix that too.

Guest · « **Reply #17 on:** November 30, 2004, 01:59:59 PM »

Thanks for reply

1. Put panda into trusted websites - server box still unchecked - this Ok?
2. downloaded Active Scan and choseScan all my computer
3. It Found 12 infected files and disinfected them
4. saved report - but cannot open it - says cannot find NOTEPAD.exe (needed to download these files) - could this possibly be the problem with the About Buster logs also?
5. from some notes I made the virus scan appeared to find the following
2 Tr/Dr, 3 TRojans,5 Exploits, and 2 Trj/Sm
Their locations were system.dll, a few temp.exe's, a few app data\sun\java\deployment, a data.dat, a programflies\pl.exe and a recycled\1.exe

Hope this helps

By the way - can't send e-mails at the moment - presumably 'cos I've renamed the RICHED.dll file?

Will now try the trojan download instructions you made

Guest · « **Reply #18 on:** November 30, 2004, 03:11:59 PM »

1. Downloaded trial version of trojan hunter to desktop
2. downloaded latest ruleset to desktop
3. didn't really know how to unzip this into the first one - so just picked up the icon of the ruleset from the desktop and placed it in the first one - seemd to go away and load an update
4. Tried to run scan - got a Rich Edit line insertion error message (due to the renamed rich file?) - however pressed Ok and it seemed to do scan.
5. Found 3 tRojans in Dialler.D.exe and Dialer.Infotel.101 and cleaned them
6. rebooted and here's hijack this log (couldn't open this cos could not load Rich Edit control DLL message - so renamed the riched20OLD file back to RICHED20.DLL (didn't need safe mode) - and it seemed to work

Here's log

Logfile of HijackThis v1.98.2
Scan saved at 20:08:29, on 30/11/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\WINDOWS\IPCFG.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SCANDS32.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
C:\WINDOWS\TWAIN_32\1200 UB\WATCH.EXE
C:\PROGRAM FILES\CREATACARD\GOLD\FMREMIND.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ojesjimfnxnbap.net/QXE0FBhc7BD9...IbuNZuwy5N.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/gearbox
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Internet Registration] c:\program files\internet explorer\connection wizard\netcheck.exe
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [Password Check] c:\windows\GrabCookie.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [C:\WINDOWS\IPCFG.EXE] C:\WINDOWS\IPCFG.EXE
O4 - HKLM\..\Run: [C:\WINDOWS\SCANDS32.EXE] C:\WINDOWS\SCANDS32.EXE
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [Spyware Assassin v.4.0] "C:\PROGRAM FILES\SPYWARE ASSASSIN 4.0\SPYWARE ASSASSIN.EXE"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200 UB\WATCH.exe
O4 - Startup: CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Gold\FMRemind.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O15 - Trusted Zone: http://www.ravantivirus.com
O15 - Trusted Zone: http://www.pandasoftware.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200110...meInstaller.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

guestolo · « **Reply #19 on:** November 30, 2004, 08:12:16 PM »

Are you saying that you didn't unzip the file to the Trojan Hunter folder?
Do you have an Unzipping utility such as Winzip on your computer
Let me know and we can get you a free one
I prefer IZArc, this is a utility that you can keep for free and is needed in many cases
We'll come back to this
But please let me know if you have something like Winzip installed

I'm uploading Riched32.dll
Save this to your C:\Windows\System folder
Riched32.dll <--removed link

If you have trouble with the above link, try right click on it, Select Copy Shortcut and paste it into the IE address bar and hit Go

We'll see if we can get Ad-Aware to run after that, but let's do this first
A couple files I know are bad, but let's make sure, and there's one I'm not too sure about
So:
Set Windows to Show Hidden Files and Folders
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
* Click Start, Programs and Accessories and open Windows Explorer.
* Select a hard drive from the left hand side of the Windows Explorer window.
* Select View the Entire contents of this drive.

Navigate to the files below
right click on them---left click properties---version
What info can you find on them, including date created and size
Do you know what they're related too

Let's do a Free Online file virus scan on them
Go to this Online Malware Scan
Give this site time to load
http://virusscan.jotti.dhs.org/

Use the browse button and navigate to these files
C:\WINDOWS\IPCFG.EXE
C:\WINDOWS\SCANDS32.EXE
c:\windows\GrabCookie.exe

Right click on each file individually and choose Select
Then use the Submit button
Let it scan each file seperately
Could you post back the results of the scan back here please

For now I will assume they are all bad, unless you know what they're related too
or found bad at the online malware scan

Do another scan with Hijackthis and put a check next to these entries

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ojesjimfnxnbap.net/QXE0FBhc7BD9...IbuNZuwy5N.html

O4 - HKLM\..\Run: [Password Check] c:\windows\GrabCookie.exe

O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [Spyware Assassin v.4.0] "C:\PROGRAM FILES\SPYWARE ASSASSIN 4.0\SPYWARE ASSASSIN.EXE"

O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe

Optionally, remove the next ones too, they are not threats, but not needed on startup
Considered resource hogs, programs can be started manually and work fine without them
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES to the prompt and exit Hijackthis

Restart your computer

Try running Ad-Aware again, if you can ensure you check for updates and do a Full sytem scan
Remove All Critical objects
Restart your computer again to finish the cleaning process

Don't delete any backups made by hijackthis until we having you running clean
We won't manually delete any files or folders until we're sure about what you find on them
On that note, I see you have BestPopUpKiller installed, probably when you installed Spykiller
You also have Panicwares Popup stopper, you only need one popup stopper
I suggest you see if there is an entry in Add/Remove programs to remove Bestpopup killer and uninstall it, I assume you didn't pay for it?

We're going to get your computer running clean again and put some tools on your computer to help keep it that way
Let's make sure that we get the files needed on your computer first and we get you clean

Post back with a fresh Hijackthis log after you have tried the above
Could you also let me know if you have an unzipping utility

Another request, this hijackther has a tendency of removing some files from the computer
You say you have Spybot installed
Can you open Spybot>>Help>>about
Let me know Spybot version and Latest update detection date

Also check for this file for me please
Navigate to your Spybot folder
By default it should be in this location
C:\Program Files\Spybot - Search & Destroy
Open it and let me know if you can find this file, it should be there
SDHelper.dll
If it's not there we can replace it easily, or simply uninstall Spybot and redownload it
Search for updates and Check for problems
Fix Everything in RED
Restart your computer to finish the cleaning

Seems like a bit of work, but you should notice an improvement in overall performance when we're done

Along with the request above and new Hijackthis log
Could you also open Hijackthis>>Config>>Misc Tools>>Open Hosts file manager
Click the "Open In notepad"
Copy and paste the Whole contents of the hosts notepad file back here too
If you have trouble opening it, it may mean the hijacker deleted the hosts file too...
Let me know, we again can easily replace it

One more last request
Navigate to C:\Windows folder
Highlight it, on the right hand side look for Control.exe
Again, it should be there, if not we can easily replace it
We'll have to get you an unzipping utility first if you don't have Winzip
You won't have to pay for this

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />

I guess that's enough for this round, I hope I'm not making this too tough on you

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/tongue.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Just a quick edit
I noticed you said this and I missed it

Quote

says cannot find NOTEPAD.exe

It's very possible one of the infections has removed notepad.exe from the default location
Can you please download this file and save it to your C:\Windows folder
Notepad.exe <--removed link
Allow it to overwrite if prompted
This should allow notepad to work properly
Again, if the link doesn't work properly, copy and paste the shortcut to the IE address bar and hit GO

News:

Author Topic: CWS.hiddendll (Read 10266 times)

Guest

Guest

Guest

Guest