Author Topic: coolwwwsearch.leftovers plz help !!! (Read 4826 times)

Omarr · « **on:** March 02, 2005, 12:06:44 AM »

if anyone could help me plz...

im desperate... i tried everyhting... spybot, adaware and some other adware removers... also norton and antivir, none work at all..

this is the hijack log.

hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 04:06:06 p.m., on 01/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\AUDIOCNTL.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\RUNDII32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
C:\ARCHIVOS DE PROGRAMA\TIMER\NTIMER.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\HPZENG09.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\MIS DOCUMENTOS\HIJACKTHIS\HIJACKTHIS.EXE
C:\ARCHIVOS DE PROGRAMA\SYMANTEC\LIVEUPDATE\AUPDATE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi....yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.altazorcafe.com/oldtownaccess.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F1 - win.ini: run=c:\windows\system\audiocntl.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZSERV.DLL
O2 - BHO: (no name) - {C58E8641-8791-11D9-A186-0011621DF794} - C:\WINDOWS\SYSTEM\HPHK.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O4 - HKLM\..\Run: [RundII32] C:\WINDOWS\system\RundII32.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [Audiocntl] c:\windows\system\audiocntl.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Library Timer 2.0.LNK = C:\Archivos de programa\Timer\ntimer.exe
O4 - Startup: Iniciar el explorador Internet Explorer.lnk = C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIVOS DE PROGRAMA\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIVOS DE PROGRAMA\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me...b31267.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme...loader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me...b31267.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O18 - Filter: text/html - {AB66A0A2-8A65-11D9-A186-00112DE5B76F} - C:\WINDOWS\SYSTEM\HPHK.DLL
O18 - Filter: text/plain - {AB66A0A2-8A65-11D9-A186-00112DE5B76F} - C:\WINDOWS\SYSTEM\HPHK.DLL

thanks in advance.

guestolo · « **Reply #1 on:** March 02, 2005, 12:39:07 AM »

Recommend you print this out or save it to a Notepad file on the desktop
Close down all browser windows

Open Hijackthis>>Open Misc tools>>Open process Manager and kill these processes
if running
C:\WINDOWS\SYSTEM\RUNDII32.EXE
C:\WINDOWS\SYSTEM\AUDIOCNTL.EXE

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi....yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

F1 - win.ini: run=c:\windows\system\audiocntl.exe

O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZSERV.DLL
O2 - BHO: (no name) - {C58E8641-8791-11D9-A186-0011621DF794} - C:\WINDOWS\SYSTEM\HPHK.DLL

O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O4 - HKLM\..\Run: [RundII32] C:\WINDOWS\system\RundII32.exe

O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall

O4 - HKLM\..\RunServices: [Audiocntl] c:\windows\system\audiocntl.exe

O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll

O18 - Filter: text/html - {AB66A0A2-8A65-11D9-A186-00112DE5B76F} - C:\WINDOWS\SYSTEM\HPHK.DLL
O18 - Filter: text/plain - {AB66A0A2-8A65-11D9-A186-00112DE5B76F} - C:\WINDOWS\SYSTEM\HPHK.DLL

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

RESTART your computer into Safe mode
You can do this by tapping the F8 key as the system is booting up

Find and delete these files if found
C:\WINDOWS\ZSERV.DLL <--file

C:\WINDOWS\FARMMEXT.exe <--file
C:\WINDOWS\system\RundII32.exe <--take note of the spelling and directory, don't touch rundll32.exe in the Windows folder

c:\windows\system\audiocntl.exe <--file
C:\WINDOWS\SYSTEM\HPHK.DLL <--file

C:\WINDOWS\TEMP\SE.DLL <--file, Let me know if you can find this one
Then go ahead and delete the Whole contents of the Temp folder

Restart back into Normal mode

Post back a fresh Hijackthis log

Could you also
Download STARTDRECK

Unzip it to it's own folder

run StartDreck.exe:
Hit: -config
Hit: -Unmark all

Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.

Use the "save" tab, to save, name and post the log

Guest · « **Reply #2 on:** March 02, 2005, 01:32:06 AM »

ty

here is the log.....

the file C:\WINDOWS\TEMP\SE.DLL is not on my computer ..... is supost to be there???

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/unsure.gif\' class=\'bbc_emoticon\' alt=\':unsure:\' />

StartDreck (build 2.1.7 public stable) - 2005-03-01 @ 22:51:25 (GMT -06:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as Windows 98 at II

»Registry
»Run Keys
»Current User
»Run
*ctfmon.exe=ctfmon.exe
*MsnMsgr="C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
»RunOnce
»Default User
»Run
*ctfmon.exe=ctfmon.exe
*MsnMsgr="C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*Hidserv=Hidserv.exe run
*Videocntl=c:\windows\system\videocntl.exe
»RunServicesOnce
**iow=rundll32 C:\WINDOWS\RAYAEO.BMP,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\ARCHIV~1\SPYBOT~1\SDHELPER.DLL
»Files
»System/Drivers
»Running Processes
+FFEFB4AD=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFF771=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFFF69=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFFFEA19=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFEB099=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFEBE71=C:\WINDOWS\RUNDLL32.EXE
+FFFE8CBD=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE6601=C:\WINDOWS\SYSTEM\HIDSERV.EXE
+FFFEC9DD=C:\WINDOWS\SYSTEM\PSTORES.EXE
+FFFD10BD=C:\WINDOWS\SYSTEM\VIDEOCNTL.EXE
+FFFED755=C:\WINDOWS\EXPLORER.EXE
+FFFC25CD=C:\WINDOWS\TASKMON.EXE
+FFFC1C79=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFC6091=C:\WINDOWS\SYSTEM\QTTASK.EXE
+FFFC51F9=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFFC9231=C:\WINDOWS\SYSTEM\CTFMON.EXE
+FFFCB2B1=C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
+FFE35955=C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
+FFE3673D=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFD5865=C:\WINDOWS\NOTEPAD.EXE
+FFE23709=C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
+FFE130D5=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFE2AC11=C:\MIS DOCUMENTOS\STARTDRECK\STARTDRECK.EXE
»Application specific

ty i will restart to see if that thing is gone ...

guestolo · « **Reply #3 on:** March 02, 2005, 01:40:51 AM »

No need to restart yet, I need to see a fresh hijackthis log

EDIT>>>
I'm afraid I'm off to bed for the evening, I won't be able to see your logs until tomorrow

Do what you can again from my first post I gave you, I still see some entries that should be gone

We still have to get rid of some hidden entries
se.dll may be one of them
If you can, try just to fix what I asked previously, if you can't find something just let me know about it

I will need you to supply me with a fresh hijackthis log
You may as well supply me with a fresh startdreck log also

omarr · « **Reply #4 on:** March 02, 2005, 04:28:42 PM »

Here is the hijack log.

Logfile of HijackThis v1.99.1
Scan saved at 01:57:49 p.m., on 02/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\CMX32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
C:\ARCHIVOS DE PROGRAMA\TIMER\NTIMER.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\MIS DOCUMENTOS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.altazorcafe.com/oldtownaccess.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F1 - win.ini: run=c:\windows\system\cmx32.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [Cmx32] c:\windows\system\cmx32.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Library Timer 2.0.LNK = C:\Archivos de programa\Timer\ntimer.exe
O4 - Startup: Iniciar el explorador Internet Explorer.lnk = C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIVOS DE PROGRAMA\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIVOS DE PROGRAMA\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab

StartDreck Log.

StartDreck (build 2.1.7 public stable) - 2005-03-02 @ 14:01:21 (GMT -06:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as at II

»Registry
»Run Keys
»Current User
»Run
*ctfmon.exe=ctfmon.exe
*MsnMsgr="C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
»RunOnce
»Default User
»Run
*ctfmon.exe=ctfmon.exe
*MsnMsgr="C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*Hidserv=Hidserv.exe run
*Cmx32=c:\windows\system\cmx32.exe
»RunServicesOnce
**qmmb=rundll32 C:\WINDOWS\RAYAEO.BMP,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\ARCHIV~1\SPYBOT~1\SDHELPER.DLL
»Files
»System/Drivers
»Running Processes
+FFEFB7D9=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFF405=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFF975=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFFCFA1=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFFC5F1=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFEA009=C:\WINDOWS\RUNDLL32.EXE
+FFFE8B5D=C:\WINDOWS\SYSTEM\HIDSERV.EXE
+FFFEEA15=C:\WINDOWS\SYSTEM\PSTORES.EXE
+FFFEE1A1=C:\WINDOWS\SYSTEM\CMX32.EXE
+FFFC716D=C:\WINDOWS\EXPLORER.EXE
+FFFDBA05=C:\WINDOWS\TASKMON.EXE
+FFFD8AFD=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFC4EE9=C:\WINDOWS\SYSTEM\QTTASK.EXE
+FFFCBA7D=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFFCAA05=C:\WINDOWS\SYSTEM\CTFMON.EXE
+FFFD7505=C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
+FFFD776D=C:\ARCHIVOS DE PROGRAMA\TIMER\NTIMER.EXE
+FFFDFA69=C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
+FFE229F9=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFEE241=C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
+FFE10635=C:\WINDOWS\NOTEPAD.EXE
+FFE10D11=C:\MIS DOCUMENTOS\STARTDRECK\STARTDRECK.EXE
+FFE14AC5=C:\ARCHIVOS DE PROGRAMA\SYMANTEC\LIVEUPDATE\AUPDATE.EXE
»Application specific

the thing was removed .... but it came back with another name... i remove some things and is gone but im afraid that in next restar it will come back

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/sad.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Thanks in advance.

guestolo · « **Reply #5 on:** March 02, 2005, 10:53:43 PM »

In the Startdreck log this line has indicated some of your problems
RunServicesOnce
**qmmb=rundll32 C:\WINDOWS\RAYAEO.BMP,DllGetClassObject

First can you save this zipped file, Remove.zip, and ensure that you UNZIP it to your desktop, so now you will have Remove.reg on your desktop
Don't run it yet, but we'll need it soon
[attachment=50:attachment]

NEXT: Could you download and save to desktop the Standalone version of CWShredder.exe
Don't run it yet, but download for now

Can I get you to Print the rest of this out please or write down the below instructions

I need you to Restart your computer into MS-Dos Mode
START>>Shutdown>>select Restart in MS-DOS mode
OK

At restart you should be at this prompt

C:\WINDOWS>

Type in the below excluding the (Enter), that indicates hitting Enter on your Keyboard>>>Take note of all the spaces too

attrib -r -s -h C:\WINDOWS\RAYAEO.BMP (Enter)
ren RAYAEO.BMP RAYAEO.OLD (Enter)
cd C:\WINDOWS\TEMP (Hit Enter)

Now you should see this
C:\WINDOWS\TEMP>
type
attrib -r -s -h C:\WINDOWS\TEMP\SE.DLL (Enter)
ren SE.DLL SE.OLD (Enter)
del *.* (Enter)
You should get a prompt to select (YorN)
Select Y on the keyboard and hit (Enter)
Type
cd C:\WINDOWS\SYSTEM (Enter)

You should see this now
C:\WINDOWS\SYSTEM>
Type
del cmx32.exe (Enter)
del HPHK.DLL (Enter)
Don't worry about any file not found message
Type
edit C:\WINDOWS\WIN.INI (Enter)

That should load a new blue screen where you should possibly see something like the below near the top
[WINDOWS]
Load=
Run=c:\windows\system\cmx32.exe

Use the arrow keys and the Delete or Backspace button on the keyboard to edit this line ONLY
Run=c:\windows\system\cmx32.exe
to look like this
Run=

Click the ALT button on the keyboard to change to FILE at the top and use the arrow key to dropdown and SAVE the change>>Hit (Enter)

Use CTRL+ALT+DEL to Restart your computer back to Normal mode

This should restart the computer back in Normal mode

If you want a rundown of what that should all look like with all the spaces, I've included below the same commands with = signs indicating where there should be a single space, you will not input the = sign, just the space
======================================================
attrib=-r=-s=-h=C:\WINDOWS\RAYAEO.BMP
ren=RAYAEO.BMP=RAYAEO.OLD
cd=C:\WINDOWS\TEMP

attrib=-r=-s=-h=C:\WINDOWS\TEMP\SE.DLL
ren=SE.DLL=SE.OLD
del=*.*

cd=C:\WINDOWS\SYSTEM

del=cmx32.exe
del=HPHK.DLL

edit=C:\WINDOWS\WIN.INI
======================================================

Immediately back in Normal mode, don't open a browser yet

Look for these files and delete them
C:\WINDOWS\RAYAEO.old <--file
Also ensure this one doesn't exist
C:\WINDOWS\TEMP\se.old <--file, may not exist as we emptied the files in the temp folder earlier
c:\windows\system\cmx32.exe <--may not exist

Do another scan with Hijackthis and put a check next to these entries that still remain

F1 - win.ini: run=c:\windows\system\cmx32.exe

O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall

O4 - HKLM\..\RunServices: [Cmx32] c:\windows\system\cmx32.exe

After you have ticked the above entries, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Double click on Remove.reg you Unzipped earlier to desktop and allow it to merge to the registry

Run CWShredder>>Click ONLY the FIX button, let it fix what it finds

RESTART your computer afterwards

Back in Windows
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

Come back here and post a fresh hijackthis log and a fresh Startdreck log

Omarr · « **Reply #6 on:** March 03, 2005, 01:13:46 AM »

Well still on my compu... this thing is powerfull....

my hijack LOG.

Logfile of HijackThis v1.99.1
Scan saved at 10:44:33 p.m., on 02/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\ARCHIVOS DE PROGRAMA\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\MIS DOCUMENTOS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.altazorcafe.com/oldtownaccess.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {E736894F-8B22-11D9-A186-001162E0C140} - C:\WINDOWS\SYSTEM\DKFLP.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\ARCHIVOS DE PROGRAMA\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIVOS DE PROGRAMA\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIVOS DE PROGRAMA\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O18 - Filter: text/html - {2DF99342-8B6C-11D9-A186-0011E6717D0A} - C:\WINDOWS\SYSTEM\DKFLP.DLL
O18 - Filter: text/plain - {2DF99342-8B6C-11D9-A186-0011E6717D0A} - C:\WINDOWS\SYSTEM\DKFLP.DLL

===================================

StartDreck LOG.

StartDreck (build 2.1.7 public stable) - 2005-03-02 @ 22:45:10 (GMT -06:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as at II

»Registry
»Run Keys
»Current User
»Run
*ctfmon.exe=ctfmon.exe
*MsnMsgr="C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
*Yahoo! Pager=C:\ARCHIVOS DE PROGRAMA\YAHOO!\MESSENGER\ypager.exe -quiet
»RunOnce
»Default User
»Run
*ctfmon.exe=ctfmon.exe
*MsnMsgr="C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
*Yahoo! Pager=C:\ARCHIVOS DE PROGRAMA\YAHOO!\MESSENGER\ypager.exe -quiet
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*Hidserv=Hidserv.exe run
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\ARCHIV~1\SPYBOT~1\SDHELPER.DLL
*{E736894F-8B22-11D9-A186-001162E0C140}
`InprocServer32=C:\WINDOWS\SYSTEM\DKFLP.DLL
»Files
»System/Drivers
»Running Processes
+FFEFB043=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFF39F=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFFEEF=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFFC83F=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE0CCF=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFEADAF=C:\WINDOWS\SYSTEM\HIDSERV.EXE
+FFFEB703=C:\WINDOWS\EXPLORER.EXE
+FFFD43DF=C:\WINDOWS\TASKMON.EXE
+FFFD4C57=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFD135F=C:\WINDOWS\SYSTEM\QTTASK.EXE
+FFFD8BB7=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFFDA5BF=C:\WINDOWS\SYSTEM\CTFMON.EXE
+FFFDC21F=C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
+FFE39A37=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFE3F05F=C:\ARCHIVOS DE PROGRAMA\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
+FFFCC3FF=C:\WINDOWS\RUNDLL32.EXE
+FFE24153=C:\MIS DOCUMENTOS\STARTDRECK\STARTDRECK.EXE
»Application specific

Thanks for all your time....

guestolo · « **Reply #7 on:** March 03, 2005, 01:32:30 AM »

We got part of it anyways

Try this
Download the Pocket Killbox
UNZIP it to a folder of your choice

Save the rest of these instructions to a Notepad file and leave it open on the desktop
Disconnect from the Internet

Run Pocket KillBox>>Now you have Killbox and this notepad file open
At the bottom right of the main screen, click on the down arrow to the left of the yellow triangle.
Select the following entry if running rundll32.exe
Now click the yellow triangle to End Task
There may be more than one running, end task on all of them
click on Tools --> Select Delete Temp Files. Click OK.

In the Full Path of File to Delete box, copy and paste the entire line directly below in bold

C:\WINDOWS\SYSTEM\DKFLP.DLL

Select the radio button to
Delete on Reboot
Additionally, select the "Unregister .dll before deleting"
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
If prompted to Reboot Now, Click NO

Do the same for this file
C:\WINDOWS\TEMP\SE.DLL

But this time if prompted to Reboot select YES
If not prompted reboot anyways

Back in Windows
Keep all other windows closed

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {E736894F-8B22-11D9-A186-001162E0C140} - C:\WINDOWS\SYSTEM\DKFLP.DLL

O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall

O18 - Filter: text/html - {2DF99342-8B6C-11D9-A186-0011E6717D0A} - C:\WINDOWS\SYSTEM\DKFLP.DLL
O18 - Filter: text/plain - {2DF99342-8B6C-11D9-A186-0011E6717D0A} - C:\WINDOWS\SYSTEM\DKFLP.DLL

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

RESTART the computer again

Post back a fresh Hijackthis log and one more Startdreck log

Guest · « **Reply #8 on:** March 03, 2005, 02:22:26 AM »

thanksss so much....

i free of those bugs now

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

TY TY TY

im so glad that people like you helps us ( the newbies)

thanks !!

have a great time

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

guestolo · « **Reply #9 on:** March 03, 2005, 02:23:49 AM »

Is that you Omarr?

Can you please post one last Hijackthis log and Startdreck log
It would be very useful, thanks

TheTechGuide Forum

News:

Author Topic: coolwwwsearch.leftovers plz help !!! (Read 4826 times)

Omarr

coolwwwsearch.leftovers plz help !!!

guestolo

coolwwwsearch.leftovers plz help !!!

Guest

coolwwwsearch.leftovers plz help !!!

guestolo

coolwwwsearch.leftovers plz help !!!

omarr

coolwwwsearch.leftovers plz help !!!

guestolo

coolwwwsearch.leftovers plz help !!!

Omarr

coolwwwsearch.leftovers plz help !!!

guestolo

coolwwwsearch.leftovers plz help !!!

Guest

coolwwwsearch.leftovers plz help !!!

guestolo

coolwwwsearch.leftovers plz help !!!