Author Topic: new post ..because other so long  (Read 1725 times)

Offline meelox

  • Jr. Member
  • **
  • Posts: 91
  • Karma: +0/-0
    • View Profile
new post ..because other so long
« on: January 06, 2005, 02:02:57 AM »
Sorry... I am learning so much. I didn't realize I wasn't logged in.
I did all that you told me to do and here are the results:

NEW DLL LOG from DLL compare:
*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

986 items found:  986 files, 0 directories.
Total of file sizes:  186,847,303 bytes    178.19 M

--------------------End log---------------------

NEW LOG from HIJACK THIS !:
Logfile of HijackThis v1.99.0
Scan saved at 12:51:30 AM, on 1/6/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 SP1 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\E_S4I2G1.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\BUG KILLERS\HOSTER\HOSTER.EXE
C:\BUG KILLERS\HOSTER\HOSTER.EXE
C:\WINDOWS\CLIPBRD.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\SYSTEM\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O5 "LPT1:" /M "Stylus CX5400"
O4 - HKLM\..\Run: [kalvsys] C:\WINDOWS\SYSTEM\KALVXNL32.EXE
O4 - Startup: STRINGS.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -

Do you need the Hoster log file?

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
new post ..because other so long
« Reply #1 on: January 06, 2005, 02:14:15 AM »
No, but I need to see the log from find.bat.
We still have some cleaning to do, so please take the time to run one.

You will notice on the last thread

Your log looked like this

- Strings.exe Qoologic Results ------------

C:\WINDOWS\ncoget.dll: excl_urls=adsv2.delfinproject.com,popup.msn.com,i.emarketresearchgroup.com,
C:\WINDOWS\opnabu.dll: updates.qoologic.com
C:\WINDOWS\yuqpoz.dll: updates.qoologic.com
C:\WINDOWS\zuaqwm.exe: updates.qoologic.com

I edited out the long line that followed ncoget.dll to fit on this screen; could you do the same please? Thanks.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


meelox
new post ..because other so long
« Reply #2 on: January 06, 2005, 02:20:54 AM »
will do...

meelox
new post ..because other so long
« Reply #3 on: January 06, 2005, 02:47:11 AM »
I hope I did that right; I only saw that one huge file, with every URL known to man.



 ------- System Files in System Directory -------
 

 Volume in drive C has no label
 Volume Serial Number is 2435-13D6
 Directory of C:\WINDOWS\SYSTEM

HPLOFHAS EXE       385,024  11-04-04  6:27p hplofhas.exe
         1 file(s)        385,024 bytes
         0 dir(s)        8,658.28 MB free
 
 ------- Hidden Files in System Directory -------
 

 Volume in drive C has no label
 Volume Serial Number is 2435-13D6
 Directory of C:\WINDOWS\SYSTEM

FOLDER   HTT        13,122  12-26-04  5:32p folder.htt
DESKTOP  INI           266  12-26-04  5:32p desktop.ini
E_QI021E GID         8,628  12-03-04 11:24p E_QI021E.GID
HPLOFHAS EXE       385,024  11-04-04  6:27p hplofhas.exe
CTF            <DIR>        08-31-04  2:08p CTF
HPHIPCL  GID        30,367  05-22-04  2:46p hphipcl.GID
HPFUIH05 GID         8,628  02-12-04 12:12a hpfuih05.GID
         6 file(s)        446,035 bytes
         1 dir(s)        8,658.27 MB free
 
 ---------------- User Agent ------------
 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{21A21720-5D09-11D9-B700-B4AC6A7A4D1F}"=""

 
 ------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
   folder.htt     Sun Dec 26 2004   5:32:30p  ...H.         13,122    12.81 K
   desktop.ini    Sun Dec 26 2004   5:32:30p  ...H.            266     0.26 K
   e_qi021e.gid   Fri Dec  3 2004  11:24:28p  A..H.          8,628     8.43 K
   hplofhas.exe   Thu Nov  4 2004   6:27:16p  ..SHR        385,024   376.00 K

4 items found:  4 files, 0 directories.
   Total of file sizes:  407,040 bytes    397.50 K
 
 ------------ Strings.exe Qoologic Results ------------
 
C:\WINDOWS\ncoget.dll: excl_urls=adsv2.delfinproject.com,popup.msn.com,i.emarketresearchgroup.com,
C:\WINDOWS\opnabu.dll: updates.qoologic.com
C:\WINDOWS\yuqpoz.dll: updates.qoologic.com
C:\WINDOWS\zuaqwm.exe: updates.qoologic.com
 
 -------------- Strings.exe Aspack Results -------------
 
C:\WINDOWS\aukvby.dat: .aspack
 
 ----------------- HKLM Run Key ------------------
 
 -------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\ipebase11.dll: ??0ECalMonitor@@QAE@PAUMONITOR_CAL@@@Z
 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"EnsoniqMixer"="starter.exe"
"EPSON Stylus CX5400"="C:\\WINDOWS\\SYSTEM\\E_S4I2G1.EXE /P19 \"EPSON Stylus CX5400\" /O5 \"LPT1:\" /M \"Stylus CX5400\""
"kalvsys"="C:\\WINDOWS\\SYSTEM\\KALVXNL32.EXE"

 


guestolo
new post ..because other so long
« Reply #4 on: January 06, 2005, 03:33:32 AM »
Okay, we still have some work to do; there are some files I don't recognize right now.
I probably won't see your reply until I get off work tomorrow, so try and do what you can.

Again, as in the last instructions, save this to a Notepad file and leave it open.
Disconnect from the Internet

Run Pocket KillBox
click on Tools --> Select Delete Temp Files. Click OK.
At the bottom right of the main screen, click on the down arrow to the left of the yellow triangle.
Select the following entry if running rundll32.exe
Now click the yellow triangle to End Task
There may be more than one running, end task on all of them

Do the same thing for explorer.exe
Your Desktop and Icons will disappear, don't let it worry you
OK it

Again, in Killbox
At the main screen of Pocket Killbox, select the option: Delete on Reboot

In the Full Path of File to Delete box, copy and paste this entry:

C:\WINDOWS\opnabu.dll

Press the button with a red circle and a white X (Delete File)
When asked if you would like to Reboot, select No.

Do the same for all these:

C:\WINDOWS\yuqpoz.dll

C:\WINDOWS\aukvby.dat



Finally, in Full Path of File to Delete, copy and paste the following:

C:\WINDOWS\zuaqwm.exe

Press the button with a red circle and a white X.
When asked to Reboot, select Yes!!

Your computer should restart
When back in Windows

Open Hoster and click on "Restore Original Hosts"

Follow my instructions from the previous post if you lose Internet connection
We can still clean that out at a later time

I see you're not running any Anti-Virus software.
Can you please download
AVG Free
Install it and let me know if it will run; if it does, can you let it update and run a full system scan?

We may still have some cleaning to do with findit.bat

As I mentioned, I won't see your reply until tomorrow
Can you do as much as you can, rebooting minimally, if at all, except after using Killbox
We should eventually get you clean and running smooth. You have a few infections to get rid of first.....

By the way, don't try and touch these entries
with any version of Hijackthis
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
That is what LSP fix is for if we need it

Post back one More Hijackthis log and a log from Find.bat, I know the scan from find.bat takes awhile but we need it for this infection until an automatic fix is developed.......



meelox
new post ..because other so long
« Reply #5 on: January 06, 2005, 03:40:31 AM »
Okay... it is late here, but I will leave the computer as is, after I do your latest instructions, without internet access.... Thank you so so much!
I have to get up at six, but I will post back the results... thanks so much... Meelox

meelox
new post ..because other so long
« Reply #6 on: January 07, 2005, 01:40:15 AM »
Hey Guestolo,
   I had to work tonight but here is what I have done (not much):
I downloaded AVG, ran the updates, and scanned my system. It got rid of some files that were on my computer (but I couldn't find any way to copy what it did other than screen capture, which I did), but I am not sure how to post .jpg files in this forum.
 One thing that AVG did was remove those aklsp.dll's (no longer in the HijackThis log).
I tried to return to the net but got "no internet connection", so I did the LSP thing you told me to do. That did not help, as the file was already removed by AVG.
I tried to repair Internet Explorer and it said corrupt file, download and re-install. I had a copy of it on my computer (from a few months back) so I reinstalled. That worked.
I also tried to delete some things to the Recycle Bin, but when the connection was lost I restored all that I had deleted. Seems I am not much without you!
Here are my latest log files... I know it's late, so post when you can, if you can..
Meelox

*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

980 items found:  980 files, 0 directories.
Total of file sizes:  187,705,513 bytes    179.01 M

--------------------End log---------------------

Logfile of HijackThis v1.99.0
Scan saved at 11:28:23 PM, on 1/6/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\E_S4I2G1.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\SYSTEM\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O5 "LPT1:" /M "Stylus CX5400"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\Run: [kalvsys] C:\WINDOWS\SYSTEM\KALVXNL32.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -



Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.
 
 ------- System Files in System Directory -------
 

 Volume in drive C has no label
 Volume Serial Number is 2435-13D6
 Directory of C:\WINDOWS\SYSTEM

HPLOFHAS EXE       385,024  11-04-04  6:27p hplofhas.exe
         1 file(s)        385,024 bytes
         0 dir(s)        8,584.16 MB free
 
 ------- Hidden Files in System Directory -------
 

 Volume in drive C has no label
 Volume Serial Number is 2435-13D6
 Directory of C:\WINDOWS\SYSTEM

FOLDER   HTT        13,122  12-26-04  5:32p folder.htt
DESKTOP  INI           266  12-26-04  5:32p desktop.ini
E_QI021E GID         8,628  12-03-04 11:24p E_QI021E.GID
HPLOFHAS EXE       385,024  11-04-04  6:27p hplofhas.exe
CTF            <DIR>        08-31-04  2:08p CTF
HPHIPCL  GID        30,367  05-22-04  2:46p hphipcl.GID
HPFUIH05 GID         8,628  02-12-04 12:12a hpfuih05.GID
         6 file(s)        446,035 bytes
         1 dir(s)        8,584.14 MB free
 
 ---------------- User Agent ------------
 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{21A21720-5D09-11D9-B700-B4AC6A7A4D1F}"=""

 
 ------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
   folder.htt     Sun Dec 26 2004   5:32:30p  ...H.         13,122    12.81 K
   desktop.ini    Sun Dec 26 2004   5:32:30p  ...H.            266     0.26 K
   e_qi021e.gid   Fri Dec  3 2004  11:24:28p  A..H.          8,628     8.43 K
   hplofhas.exe   Thu Nov  4 2004   6:27:16p  ..SHR        385,024   376.00 K

4 items found:  4 files, 0 directories.
   Total of file sizes:  407,040 bytes    397.50 K
 
 ------------ Strings.exe Qoologic Results ------------
 
C:\WINDOWS\ncoget.dll: excl_urls=adsv2.delfinproject.com,popup.msn.com,i.emarketresearchgroup.rson.net,
C:\WINDOWS\opnabu.dll: updates.qoologic.com
 
 -------------- Strings.exe Aspack Results -------------
 
 
 ----------------- HKLM Run Key ------------------
 
 -------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\ipebase11.dll: ??0ECalMonitor@@QAE@PAUMONITOR_CAL@@@Z
 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"EnsoniqMixer"="starter.exe"
"EPSON Stylus CX5400"="C:\\WINDOWS\\SYSTEM\\E_S4I2G1.EXE /P19 \"EPSON Stylus CX5400\" /O5 \"LPT1:\" /M \"Stylus CX5400\""
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVG7\\AVGCC.EXE /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\GRISOFT\\AVG7\\AVGEMC.EXE"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVG7\\AVGAMSVR.EXE"
"kalvsys"="C:\\WINDOWS\\SYSTEM\\KALVXNL32.EXE"

 


meelox
new post ..because other so long
« Reply #7 on: January 07, 2005, 01:41:39 AM »
One more thing I ran an updated AVG complete scan tonight and it found nothing! Yeah!
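The two HijackThis logs posted in this thread (before and after the AVG run) are compared by eye. As an added example, not code from the thread, from HijackThis or from any other tool named here, the Python below parses the O-line format and computes the three checks the helper is doing by hand: hosts-file redirects (O1), unknown Winsock LSP modules (O10) and the O4 autorun diff between two logs. The two sample logs are constructed from lines in the posts above; the "system directory" heuristic is mine and is labelled as such in the code.

```python
"""Triage and diff HijackThis (HJT) logs.

HJT prints one finding per line, prefixed with a section code: O1 hosts
file entries, O3 toolbars, O4 autoruns, O10 Winsock LSP entries, and so on.
The functions below pull out the three patterns this thread dealt with and
diff two logs so "what is gone, what is left" is computed, not eyeballed.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
HOSTS_RE = re.compile(r"^Hosts: (\S+)\s+(\S+)$")
LSP_RE = re.compile(r"^Unknown file in Winsock LSP: (.+)$")
# "HKLM\..\Run: [Name] command" or "Startup: FILE.EXE" (startup folder item, no [Name])
RUN_RE = re.compile(r"^(HK\w+\\\.\.\\\w+|Startup): (?:\[([^\]]+)\] )?(.*)$")

# Constructed sample logs, modelled on the ones posted in this thread.
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.0
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [kalvsys] C:\WINDOWS\SYSTEM\KALVXNL32.EXE
O4 - Startup: STRINGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
"""
AFTER_LOG = r"""
Logfile of HijackThis v1.99.0
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [kalvsys] C:\WINDOWS\SYSTEM\KALVXNL32.EXE
"""


def parse_hjt(text):
    """Return (section, body) pairs for every O-line in an HJT log."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def hosts_redirects(entries):
    """O1 check: several hostnames mapped to one IP that is not loopback.

    A hosts file that points search-engine names at a single remote address
    is the browser-hijack pattern; a lone 127.0.0.1 ad-blocking entry is not.
    """
    by_ip = defaultdict(set)
    for sec, body in entries:
        m = HOSTS_RE.match(body) if sec == "O1" else None
        if m:
            by_ip[m.group(1)].add(m.group(2))
    return {ip: sorted(h) for ip, h in by_ip.items()
            if ip not in ("127.0.0.1", "::1") and len(h) > 1}


def unknown_lsps(entries):
    """O10 check: distinct module paths HJT could not identify.

    One DLL is listed once per layer it occupies in the Winsock chain, so the
    seven identical lines in the thread are one module, not seven.
    """
    found = set()
    for sec, body in entries:
        m = LSP_RE.match(body) if sec == "O10" else None
        if m:
            found.add(m.group(1).lower())
    return sorted(found)


def autoruns(entries):
    """O4 entries as {name: command}; startup-folder items are keyed by filename."""
    runs = {}
    for sec, body in entries:
        m = RUN_RE.match(body) if sec == "O4" else None
        if m:
            runs[m.group(2) or m.group(3)] = m.group(3)
    return runs


def system_dir_autoruns(entries):
    """Heuristic (mine, not HJT's): autoruns whose image lives in \\WINDOWS\\SYSTEM.

    The malware in this thread (KALVXNL32.EXE) dropped there, but so do printer
    and sound drivers, so treat the result as a lookup list, not a verdict.
    """
    return sorted(name for name, cmd in autoruns(entries).items()
                  if "\\windows\\system\\" in cmd.lower())


def diff_autoruns(before, after):
    """Which O4 names disappeared, appeared, or survived between two logs."""
    b, a = set(autoruns(before)), set(autoruns(after))
    return {"removed": sorted(b - a), "added": sorted(a - b),
            "remaining": sorted(a & b)}


if __name__ == "__main__":
    before, after = parse_hjt(BEFORE_LOG), parse_hjt(AFTER_LOG)
    print("hosts redirects:", hosts_redirects(before))
    print("unknown LSPs:", unknown_lsps(before))
    print("system-dir autoruns still present:", system_dir_autoruns(after))
    print("autorun diff:", diff_autoruns(before, after))
```

Run against the two sample logs, the diff reports that the startup-folder STRINGS.EXE and the aklsp.dll LSP are gone while the [kalvsys] autorun survived, which is exactly the entry the helper asks to have fixed in the next reply. The O10 check deliberately dedupes by path: an LSP appears once per chain position, and removing it with anything other than an LSP-aware tool breaks the chain, which is the "no internet connection" failure this thread ran into.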

meelox
new post ..because other so long
« Reply #8 on: January 07, 2005, 02:03:56 AM »
I also wanted to tell you that I have re-installed IE several times this week, using a file that I downloaded from the Microsoft web site just this week. When I do the critical updates I get an error message on reboot that says a file is missing (can't remember the file name), and then I can't open my mail in Outlook Express; the error message mentions mmsie.dll or something like that. Sorry, I know you need to know the exact name, but I am afraid to do the critical updates until I hear from you; afraid I will lose net connection again. When I try to repair IE from Control Panel I get a message saying the file is corrupt and I need to re-install.
That's the reason I used the old file that I already had on my computer from months ago to reinstall IE. This install is working for now, but still no critical updates.

guestolo
new post ..because other so long
« Reply #9 on: January 07, 2005, 02:07:08 AM »
We'll try some steps here, just give me a few minutes
Sorry, I meant that in the nicest way :D
« Last Edit: January 07, 2005, 02:08:10 AM by guestolo »



guestolo
new post ..because other so long
« Reply #10 on: January 07, 2005, 02:33:01 AM »
Sorry for the wait, company just came over, a short visit, blah blah blah


Good work on updating IE; sorry about getting booted offline.
We should have used LSP-Fix a little sooner.

You may not have noticed aklsp.dll on the KEEP side anymore; not sure. If it wasn't there you would simply open LSP-Fix and click the FINISH button (you can't just click the X to close) and then restart your computer.
Not sure what you tried, but good work anyway.
I'd prefer you use the updated IE anyway :)

Let's run through this one last time

Save to a notepad file again and leave this open on the desktop


IN Pocket KillBox
click on Tools --> Select Delete Temp Files. Click OK.
At the bottom right of the main screen, click on the down arrow to the left of the yellow triangle.
Select the following entry if running rundll32.exe
Now click the yellow triangle to End Task
There may be more than one running, end task on all of them

Do the same thing for explorer.exe
Your Desktop and Icons will disappear, don't let it worry you
OK it

Again, in Killbox
At the main screen of Pocket Killbox, select the option: Delete on Reboot

In the Full Path of File to Delete box, copy and paste this entry:

C:\WINDOWS\ncoget.dll

Press the button with a red circle and a white X (Delete File)
When asked if you would like to Reboot, select No.

Finally, in Full Path of File to Delete, copy and paste the following:

C:\WINDOWS\opnabu.dll

Press the button with a red circle and a white X.
When asked to Reboot, select Yes!!

Your computer should restart
When back in Windows

Open Hoster and click on "Restore Original Hosts"


If I remember correctly you have Ad-Aware SE Personal 1.05
Can you check for updates with it right now, but don't run a scan yet

Could you also download a couple others please
Download and Install Spybot S&D 1.3
When Installing, please don't enable TEA TIMER, it's a great addon to Spybot but it can get in our way to do any manual fixes.. This can be enabled at a later time if you want it
After installation--Click the Update button on the left, in the window on the right click the
SEARCH FOR UPDATES button, Check and download all updates
Don't run a scan yet

Another great utility to help clean your temp folders,cookies, prefetch folder, etc...
Windows Cleanup
A small download, once it's installed
Don't run a scan yet

Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [kalvsys] C:\WINDOWS\SYSTEM\KALVXNL32.EXE


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

Open VX2 finder and click to find VX2.betterinternet
on the right hand side click the USER AGENT$ button

If you can, at this time Restart your computer into SAFE MODE

Open Ad-Aware
Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All Objects" option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer back into Safe mode to finish the cleaning process

Open Spybot---Click the "Search and Destroy" Button
In the right window, click the
Check for Problems button. Let it complete its scanning. Ensure to check and FIX everything in RED; they should be checked by default

RESTART your computer back to safe mode to finish the Cleaning process

Open CleanUp, click Cleanup and let it scan for files
When it's finished scanning it will prompt you to log off or restart
Please Restart back to Normal mode at this time

msoe.dll is an OE file, let me look into it, we can hopefully get you all back to normal or cleaner
later, I wish we had more time right now
You don't know the exact error do you and dll name?

Do as much as you can from the above and then post back a Fresh hijackthis log

Could you also post a startup list from Hijackthis
Open the Misc Tools Section
Click the "List all minor sections (full)"
Click the Generate startup list

Run another scan with VX2 finder and post a log

And if you could, one last log from find.bat

Sooner or later we have to get you to do Windows updates and also some Preventive tools so this won't happen again

EDIT>>Removed a double posting in part of this reply
« Last Edit: January 07, 2005, 11:29:47 PM by guestolo »



meelox
new post ..because other so long
« Reply #11 on: January 08, 2005, 12:04:44 AM »
Hi again... thanks for the post, and I don't think I have told you yet how much I appreciate this. You have made my online life pleasant again!

I followed all of your instructions except the find scan again and I will do it next:
here are my log files:
Logfile of HijackThis v1.97.7
Scan saved at 10:55:04 PM, on 1/7/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\E_S4I2G1.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\SYSTEM\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O5 "LPT1:" /M "Stylus CX5400"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

StartupList report, 1/7/05, 10:52:22 PM
StartupList version: 1.52.2
Started from : C:\WINDOWS\DESKTOP\HIJACKTHIS-1.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\E_S4I2G1.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS-1.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
SystemTray = SysTray.Exe
EnsoniqMixer = starter.exe
EPSON Stylus CX5400 = C:\WINDOWS\SYSTEM\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O5 "LPT1:" /M "Stylus CX5400"
AVG7_CC = C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
AVG7_EMC = C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
AVG7_AMSVR = C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[>PerUser_MSN_Clean] *
StubPath = C:\WINDOWS\msnmgsr1.exe

[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[c607b4e0-53ff-11d9-b700-00a0d217d98c] *
StubPath = C:\WINDOWS\zuaqwm.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 7/1/2005, 22:37:22)

[Rename]
NUL=C:\WINDOWS\SYSTEM\auto_update_uninstall.log
NUL=C:\WINDOWS\SYSTEM\auto_update_uninstall.exe
NUL=C:\Program Files\autoupdate\libexpat.dll
NUL=C:\WINDOWS\Desktop\j2re-1_4_2_06-windows-i586-p.exe
NUL=C:\WINDOWS\hosts
NUL=C:\WINDOWS\wplog.txt
NUL=C:\WINDOWS\Favorites\The State cars.com.url
NUL=C:\WINDOWS\Favorites\reverse address .url
NUL=c:\protas.exe
NUL=c:\Program Files\Recommended Hotfix - 421701D\v15\RH.exe
NUL=c:\Program Files\Recommended Hotfix - 421701D\v15\RH.DLL
NUL=c:\WINDOWS\Downloaded Program Files\CONFLICT.15\HDPlugin1015.dll
NUL=c:\WINDOWS\Downloaded Program Files\CONFLICT.14\HDPlugin1015.dll
NUL=c:\WINDOWS\Downloaded Program Files\CONFLICT.12\HDPlugin1015.dll
NUL=c:\WINDOWS\Downloaded Program Files\CONFLICT.11\HDPlugin1015.dll
NUL=c:\WINDOWS\Downloaded Program Files\CONFLICT.10\HDPlugin1015.dll
NUL=c:\WINDOWS\Downloaded Program Files\CONFLICT.9\HDPlugin1015.dll
NUL=c:\WINDOWS\Downloaded Program Files\CONFLICT.8\HDPlugin1015.dll
NUL=c:\WINDOWS\Downloaded Program Files\CONFLICT.7\HDPlugin1015.dll
NUL=c:\WINDOWS\Downloaded Program Files\CONFLICT.6\HDPlugin1015.dll
NUL=c:\WINDOWS\Downloaded Program Files\CONFLICT.5\HDPlugin1015.dll
NUL=c:\WINDOWS\Downloaded Program Files\CONFLICT.4\HDPlugin1015.dll
NUL=c:\WINDOWS\Downloaded Program Files\CONFLICT.13\HDPlugin1015.dll
NUL=c:\WINDOWS\Downloaded Program Files\CONFLICT.3\HDPlugin1015.dll
NUL=c:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1015.dll
NUL=c:\WINDOWS\SYSTEM\error32.dat
NUL=c:\/windows/downloaded program files/conflict.15/hdplugin1015.dll
NUL=c:\/windows/downloaded program files/conflict.14/hdplugin1015.dll
NUL=c:\/windows/downloaded program files/conflict.13/hdplugin1015.dll
NUL=c:\/windows/downloaded program files/conflict.12/hdplugin1015.dll
NUL=c:\/windows/downloaded program files/conflict.11/hdplugin1015.dll
NUL=c:\/windows/downloaded program files/conflict.10/hdplugin1015.dll
NUL=c:\/windows/downloaded program files/conflict.9/hdplugin1015.dll
NUL=c:\/windows/downloaded program files/conflict.8/hdplugin1015.dll
NUL=c:\/windows/downloaded program files/conflict.7/hdplugin1015.dll
NUL=c:\/windows/downloaded program files/conflict.6/hdplugin1015.dll
NUL=c:\/windows/downloaded program files/conflict.5/hdplugin1015.dll
NUL=c:\/windows/downloaded program files/conflict.4/hdplugin1015.dll
NUL=c:\/windows/downloaded program files/conflict.3/hdplugin1015.dll
NUL=c:\/windows/downloaded program files/conflict.1/hdplugin1015.dll
NUL=C:\Program Files\Recommended Hotfix - 421701D
NUL=C:\Program Files\autoupdate

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

C:\PROGRA~1\GRISOFT\AVG7\BOOTUP.EXE
SET BLASTER=A240 I7 D1 T2
SET SNDSCAPE=C:\WINDOWS

--------------------------------------------------

C:\CONFIG.SYS listing:

DEVICE=C:\WINDOWS\HIMEM.SYS
; --- SB PCI mod --- Device=C:\WINDOWS\himem.sys
Device=C:\DEV\D011v110.sys /D:mscd000

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

C:\WINDOWS\COMMAND\MSCDEX.EXE /D:mscd000 /V /M:12
C:\AUDIOPCI\APINIT

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Download Program Files:

[{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}]

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 8,043 bytes
Report generated in 0.716 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only

Log for VX2.BetterInternet File Finder (ver126)

Files Found---


User Agent String---


I am going to run the find scan, but I have to leave for about an hour, so I will post it back when I get back (I have to pick up my son). Can you tell me, is there a way I can keep that find.bat on my computer? Because it deletes when I close it, then I have to download it again every time. Does it always do that?? Will be back in about an hour.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
new post ..because other so long
« Reply #12 on: January 08, 2005, 01:13:54 AM »
I hope to see your reply tonight :D

Can I get you to post a fresh HijackThis log from version 1.99, with the log from find.bat?
I don't need a new startup list.

Could you also do a search in your C:\Windows\System folder for
*.dat

When you get the list, find one that was recently created. Right-click on it, open it in Notepad and look for this in the first line of the file:
This program cannot be run in DOS mode.
Post back the exact name if you find one.

Could you also download Runkey.zip.

Unzip it and then double-click on RunKey2.bat. It will produce an All.txt file. Please copy and paste that here.
« Last Edit: January 08, 2005, 01:14:30 AM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
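As an added example (not code from this thread, nor from HijackThis, find.bat or any other tool named in it), here is a read-only scan that does the *.dat check above without opening each file in Notepad: it walks a folder, picks out files whose extension says "data" but whose first bytes carry the MZ header, the "This program cannot be run in DOS mode." stub and the PE signature of a Windows executable, and reports them. The data-extension list, the temporary sample folder it builds and the file names in it are constructed for the demo; nothing is deleted.

```python
"""Find executables hiding under data extensions (.dat, .gid, ...) in a folder.

Added example, not part of the original thread. It automates the manual check
asked for above: a Windows PE executable starts with "MZ", usually carries the
DOS stub string, and has a "PE\0\0" signature at the offset stored at 0x3C,
whatever the file is called. The scan only reports; it never deletes.
"""
import os
import struct
import tempfile
import time

# Extensions that should hold data, not code (assumption for this example).
DATA_EXTENSIONS = {".dat", ".gid", ".ini", ".txt", ".log", ".htt"}
DOS_STUB = b"This program cannot be run in DOS mode."


def looks_like_pe(path):
    """Return a reason string if `path` starts like a DOS/PE executable, else None."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if len(head) < 64 or head[:2] != b"MZ":
        return None
    reasons = ["MZ header"]
    if DOS_STUB in head:
        reasons.append("DOS stub string")
    # e_lfanew at offset 0x3C points at the "PE\0\0" signature in a real PE file.
    (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
    if e_lfanew + 4 <= len(head) and head[e_lfanew:e_lfanew + 4] == b"PE\0\0":
        reasons.append("PE signature")
    return ", ".join(reasons)


def find_disguised_executables(folder, max_age_days=None):
    """Walk `folder`; return sorted [(path, reason)] for data-extension files that look like PE.

    `max_age_days` narrows the scan to recently modified files, as the post suggests.
    """
    cutoff = None if max_age_days is None else time.time() - max_age_days * 86400
    findings = []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            if os.path.splitext(name)[1].lower() not in DATA_EXTENSIONS:
                continue
            path = os.path.join(root, name)
            try:
                if cutoff is not None and os.path.getmtime(path) < cutoff:
                    continue
                reason = looks_like_pe(path)
            except OSError:
                continue  # unreadable or vanished file: skip it, keep scanning
            if reason:
                findings.append((path, reason))
    return sorted(findings)


def make_fake_pe():
    """Constructed MZ/PE-shaped bytes for the demo; not a runnable program."""
    hdr = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", hdr, 0x3C, 0x80)          # e_lfanew -> PE signature at 0x80
    stub = DOS_STUB.ljust(0x80 - len(hdr), b"\0")    # pad up to the PE signature
    return bytes(hdr) + stub + b"PE\0\0" + b"\0" * 64


def build_sample_folder():
    """Create a temp folder of constructed files: two disguised PEs, one real .dat, one .exe."""
    folder = tempfile.mkdtemp(prefix="datscan_")
    samples = {
        "suspect.dat": make_fake_pe(),                 # full PE shape under a data extension
        "olddos.dat": b"MZ" + b"\0" * 100,             # MZ header only, no PE signature
        "settings.dat": b"\x00\x01\x02version=1\r\n",  # ordinary data file
        "program.exe": make_fake_pe(),                 # executable extension: out of scope
    }
    for name, data in samples.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(data)
    return folder


def scan_sample():
    """Run the scan over the constructed folder; return [(file name, reason)]."""
    folder = build_sample_folder()
    return [(os.path.basename(p), r)
            for p, r in find_disguised_executables(folder, max_age_days=2)]


if __name__ == "__main__":
    for name, reason in scan_sample():
        print(f"{name}: {reason}")
```

Point it at a real folder with `find_disguised_executables(r"C:\WINDOWS\SYSTEM", max_age_days=3)`; a hit is a candidate for the online scanner step later in the thread, not proof of malware on its own, since installers do occasionally ship real executables under odd extensions.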


Offline meelox

  • Jr. Member
  • **
  • Posts: 91
  • Karma: +0/-0
new post ..because other so long
« Reply #13 on: January 08, 2005, 01:35:32 AM »
First of all, let me say that I found the find.dat on my computer, so I am not losing it anymore; this time when I closed it, it didn't say deleting.

Next I searched *.dat. When I ran your post, I checked several of the last couple of days' *.dat files and there was nothing (that I could read) that said "This program cannot be run in DOS mode."

Here are the logs you asked for:
Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.
 
 ------- System Files in System Directory -------
 

 Volume in drive C has no label
 Volume Serial Number is 2435-13D6
 Directory of C:\WINDOWS\SYSTEM

HPLOFHAS EXE       385,024  11-04-04  6:27p hplofhas.exe
         1 file(s)        385,024 bytes
         0 dir(s)        8,603.28 MB free
 
 ------- Hidden Files in System Directory -------
 

 Volume in drive C has no label
 Volume Serial Number is 2435-13D6
 Directory of C:\WINDOWS\SYSTEM

FOLDER   HTT        13,122  12-26-04  5:32p folder.htt
DESKTOP  INI           266  12-26-04  5:32p desktop.ini
E_QI021E GID         8,628  12-03-04 11:24p E_QI021E.GID
HPLOFHAS EXE       385,024  11-04-04  6:27p hplofhas.exe
CTF            <DIR>        08-31-04  2:08p CTF
HPHIPCL  GID        30,367  05-22-04  2:46p hphipcl.GID
HPFUIH05 GID         8,628  02-12-04 12:12a hpfuih05.GID
         6 file(s)        446,035 bytes
         1 dir(s)        8,603.27 MB free
 
 ---------------- User Agent ------------
 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 
 ------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
   folder.htt     Sun Dec 26 2004   5:32:30p  ...H.         13,122    12.81 K
   desktop.ini    Sun Dec 26 2004   5:32:30p  ...H.            266     0.26 K
   e_qi021e.gid   Fri Dec  3 2004  11:24:28p  A..H.          8,628     8.43 K
   hplofhas.exe   Thu Nov  4 2004   6:27:16p  ..SHR        385,024   376.00 K

4 items found:  4 files, 0 directories.
   Total of file sizes:  407,040 bytes    397.50 K
 
 ------------ Strings.exe Qoologic Results ------------
 
 
 -------------- Strings.exe Aspack Results -------------
 
 
 ----------------- HKLM Run Key ------------------
 
 -------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\ipebase11.dll: ??0ECalMonitor@@QAE@PAUMONITOR_CAL@@@Z
 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"EnsoniqMixer"="starter.exe"
"EPSON Stylus CX5400"="C:\\WINDOWS\\SYSTEM\\E_S4I2G1.EXE /P19 \"EPSON Stylus CX5400\" /O5 \"LPT1:\" /M \"Stylus CX5400\""
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVG7\\AVGCC.EXE /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\GRISOFT\\AVG7\\AVGEMC.EXE"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVG7\\AVGAMSVR.EXE"

 

Logfile of HijackThis v1.99.0
Scan saved at 12:26:48 AM, on 1/8/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\E_S4I2G1.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS-1.EXE

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\SYSTEM\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O5 "LPT1:" /M "Stylus CX5400"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - Startup: STRINGS.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"EnsoniqMixer"="starter.exe"
"EPSON Stylus CX5400"="C:\\WINDOWS\\SYSTEM\\E_S4I2G1.EXE /P19 \"EPSON Stylus CX5400\" /O5 \"LPT1:\" /M \"Stylus CX5400\""
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVG7\\AVGCC.EXE /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\GRISOFT\\AVG7\\AVGEMC.EXE"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVG7\\AVGAMSVR.EXE"

REGEDIT4

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip]
@="{E0D79304-84BE-11CE-9641-444553540000}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension]
@="{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinZip]
@="{E0D79304-84BE-11CE-9641-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\AVG7 Shell Extension]
@="{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"



thanks.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
new post ..because other so long
« Reply #14 on: January 08, 2005, 02:00:51 AM »
I think we just about nailed everything.

Can you do some final checks?
Navigate to these files, right-click on them and select Properties.
Version tab, if there is one.
What are they related to?
HPLOFHAS EXE
e_qi021e.gid

They should be in your C:\WINDOWS\SYSTEM\ folder.
Do you have an HP scanner?

Also look for this one:
ipebase11.dll in the same folder

and this one:
C:\WINDOWS\zuaqwm.exe <--probably a nasty


If unsure what they are, can you run them through this online malware scan:
http://virusscan.jotti.dhs.org/

Give the link time to load if it's busy.

Use the Browse button and navigate to these files if you can find them.
Right-click and select them and then use the Submit button.
Wait for the scanner results.
Let me know if they're found as malware.
« Last Edit: January 08, 2005, 02:01:46 AM by guestolo »



Offline meelox

  • Jr. Member
  • **
  • Posts: 91
  • Karma: +0/-0
new post ..because other so long
« Reply #15 on: January 08, 2005, 02:11:39 AM »
ipebase11.dll gave me a Version tab; it said Hewlett-Packard.
I used to have an HP printer and scanner (now Epson).

This is the answer I got from the link you gave me:
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

e_qi021e.gid ... this could be an Epson file; most all of the Epson files start that way, e_ ... but I don't know.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
new post ..because other so long
« Reply #16 on: January 08, 2005, 02:15:38 AM »
I'm more suspicious of this one
C:\WINDOWS\zuaqwm.exe

Can you let me know about this one too
hplofhas.exe
« Last Edit: January 08, 2005, 02:22:06 AM by guestolo »



Offline meelox

  • Jr. Member
  • **
  • Posts: 91
  • Karma: +0/-0
new post ..because other so long
« Reply #17 on: January 08, 2005, 02:25:11 AM »
Okay.. I must be an idiot (yep). I was not using the virus scan link that you gave me the right way... I went back and the HPLOFHAS EXE
is a virus... I can't even find C:\WINDOWS\zuaqwm.exe on my computer.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
new post ..because other so long
« Reply #18 on: January 08, 2005, 02:26:48 AM »
Well, let's get some final cleanup on your log.

Give me a minute or so and I'll post back.

Open Notepad (START>>>RUN>>>type in notepad) and hit Enter.
Copy the contents of the Quote box to Notepad.
IMPORTANT>>>Change the Save as Type to All Files.
Name the file fix.reg.

Save this file on the desktop; we'll need this later, don't run it yet.

 
Quote
REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\c607b4e0-53ff-11d9-b700-00a0d217d98c]

[-HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\c607b4e0-53ff-11d9-b700-00a0d217d98c]


Double-click on KillBox.exe.
4. Click "Replace on Reboot" and check the "Use Dummy" box.
5. Paste this file into the top "Full Path of File to Delete" box.

   C:\WINDOWS\SYSTEM\hplofhas.exe

6. Click the "Delete File" button which looks like a stop sign.
7. Click "Yes" at the Replace on Reboot prompt.
8. Click "No" at the Pending Operations prompt.

9. Click "Replace on Reboot" and check the "Use Dummy" box.
10. Paste this file into the top "Full Path of File to Delete" box.

   C:\WINDOWS\zuaqwm.exe

11. Click the "Delete File" button which looks like a stop sign.
12. Click "Yes" at the Replace on Reboot prompt.

Back in Windows, double-click on fix.reg and allow it to merge into the registry.

Let me know if hplofhas.exe is gone.

Could you install this program please:
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

Post back a fresh HijackThis log and a new HijackThis startup list.
Remember to check "List all minor sections (full)".
« Last Edit: January 08, 2005, 02:40:46 AM by guestolo »

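The fix.reg above removes one Active Setup "Installed Components" key, the persistence entry whose StubPath pointed at C:\WINDOWS\zuaqwm.exe in the startup list earlier in the thread. As an added example (not code from this thread or from HijackThis), here is a small parser that reads that section of a StartupList report, flags entries worth a second look, and drafts a REGEDIT4 file of the same shape as guestolo's fix. The report excerpt is constructed from the entries in meelox's log; the two heuristics (the key name is not a braced {GUID}, and the stub runs from a directory none of the legitimate entries use) and the EXPECTED_STUB_DIRS list are this example's own assumptions, so the output is something to review against the machine, not to merge blindly.

```python
"""Parse Active Setup "Installed Components" entries from a StartupList report,
flag suspicious ones, and draft a REGEDIT4 deletion file.

Added example, not the thread's or HijackThis's own code. SAMPLE_REPORT is a
constructed excerpt mirroring the startup list posted above; the heuristics in
assess() and EXPECTED_STUB_DIRS are assumptions for this demo.
"""
import ntpath
import re

SAMPLE_REPORT = """\
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\\WINDOWS\\SYSTEM\\updcrl.exe -e -u C:\\WINDOWS\\SYSTEM\\verisignpub1.crl

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = C:\\WINDOWS\\inf\\unregmp2.exe /ShowWMP

[c607b4e0-53ff-11d9-b700-00a0d217d98c] *
StubPath = C:\\WINDOWS\\zuaqwm.exe
"""

# "[key] *" on one line, "StubPath = command" on the next.
ENTRY_RE = re.compile(
    r"^\[(?P<key>[^\]\n]+)\][ \t]*\*?[ \t]*\nStubPath[ \t]*=[ \t]*(?P<stub>.+)$",
    re.MULTILINE,
)
# Installed Components keys are normally a braced GUID, optionally prefixed with ">".
BRACED_GUID_RE = re.compile(r"^>?\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Directories the legitimate stubs in the sample run from (assumption drawn from the
# sample itself); "" means a bare program name resolved via PATH, e.g. rundll32.exe.
EXPECTED_STUB_DIRS = {"", "c:\\windows\\system", "c:\\windows\\inf"}
ACTIVE_SETUP = r"Software\Microsoft\Active Setup\Installed Components"


def parse_active_setup(report_text):
    """Return [{'key': ..., 'stub': ...}] for every key/StubPath pair in the section."""
    return [m.groupdict() for m in ENTRY_RE.finditer(report_text)]


def assess(entry):
    """Return the list of reasons an entry deserves a second look (empty if none)."""
    reasons = []
    if not BRACED_GUID_RE.match(entry["key"]):
        reasons.append("key name is not a braced {GUID}")
    program = entry["stub"].split()[0]          # assumes no spaces in the program path
    directory = ntpath.dirname(program).lower()
    if directory not in EXPECTED_STUB_DIRS:
        reasons.append(f"stub runs from unexpected location {directory or '(none)'}")
    return reasons


def suspicious_entries(report_text):
    """Parse the report and keep only entries with at least one reason."""
    flagged = []
    for entry in parse_active_setup(report_text):
        reasons = assess(entry)
        if reasons:
            flagged.append({**entry, "reasons": reasons})
    return flagged


def make_fix_reg(keys):
    """Draft a REGEDIT4 file deleting each key under HKLM and HKCU, like the fix.reg above."""
    lines = ["REGEDIT4", ""]
    for key in keys:
        for hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"):
            lines.append(f"[-{hive}\\{ACTIVE_SETUP}\\{key}]")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    flagged = suspicious_entries(SAMPLE_REPORT)
    for e in flagged:
        print(f"{e['key']}: {e['stub']}  <- {'; '.join(e['reasons'])}")
    print(make_fix_reg([e["key"] for e in flagged]))
```

On the sample, only the c607b4e0-... entry is flagged, for both reasons, and the drafted file matches the pair of [-HKEY_LOCAL_MACHINE\...] and [-HKEY_CURRENT_USER\...] lines in the Quote box. Deleting the key stops the StubPath from being launched at logon; the executable it points at still has to be removed separately, which is what the KillBox steps do.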


Offline meelox

  • Jr. Member
  • **
  • Posts: 91
  • Karma: +0/-0
new post ..because other so long
« Reply #19 on: January 08, 2005, 02:48:22 AM »
Not sure where to find this: "Back in Windows Double click on fix.reg and allow it to merge to the registry"


Forget that last thing I said, I got it now... reread the post.
« Last Edit: January 08, 2005, 02:57:58 AM by meelox »