# Solved: Windows Me "Explorer has caused an error in OLE32.DLL"



## zeke13 (Aug 3, 2004)

Hello,

I'm trying to fix a friend's machine. It was infected very badly. I ran Norton, cwshredder, and several spyware removals. I was able to run Firefox. I then tried to reinstall ME and now I get "Explorer has caused an error in OLE32.DLL" every time I log in (safe mode also). I can't use the start button. I did manage to get the system restore, but the owner never made a restore start date. When the machine was running I couldn't repair, run, uninstall, or upgrade IE. The machine would not let me run Ad-Aware. I'm basically stuck using DOS and have only the ME install CD. Any help would be appreciated.

Thanks in advance,
Zeke


----------



## Rollin' Rog (Dec 9, 2000)

Try the reinstall again. A successfully completed reinstall from valid (OEM or retail Microsoft) reinstallation media (not burned) should not produce that error unless the system is still badly infected.

System restore points are automatically removed during any reinstall, by the way.

I'm going to add that you might want to try loading "progman.exe" per the Microsoft directions here:

http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q279736

In "progman.exe" you may be able to run Internet Explorer and navigate to an online scanner and try running it. Or save as much data as you can pending a "clean install"

http://housecall.trendmicro.com/
http://www.pandasoftware.com/active...guage=2&Country=63&Partner=1&Ref=EN-PR-AS-107


----------



## zeke13 (Aug 3, 2004)

Thanks for quick reply,

I have tried numerous times reinstalling ME. During updating the plug and play I get all kinds of errors. It is a valid Microsoft reinstallation CD.

I wish I could start in "program.exe", but I don't have a startup disk to get to the startup menu. I did make a reboot diskette after cleaning up the disk, but the machine does not start from the diskette.

Thanks for the info on the restore points. It's been a while but I do remember that now.

Thanks again,
Craig


----------



## Rollin' Rog (Dec 9, 2000)

If you made a standard WinME startup (boot) floppy and it did not take you to an a: prompt, the likely cause would be not having the floppy drive (a: drive) set as the first boot device in the BIOS.

You have to watch the first data displayed on the screen to see what key to press to enter "setup", which is the BIOS.

Otherwise the problem may be with either the floppy itself or the floppy drive.

You don't need a WinME computer to make a WinME bootdisk. You can download the WinME OEM boot floppy setup to the HARD drive of any system, place a floppy in the floppy drive and run the setup to transfer the files (do not download the setup to the floppy drive).

http://bootdisk.com/bootdisk.htm

>> what kinds of errors are you having here:


> During updating the plug and play I get all kinds of errors.


You may have underlying hardware problems such as faulty ram or a bad disk drive.

It would also be a good idea to remove any external hardware -- sound, network, modem cards, etc -- and install those only after setup and hardware detection are complete.


----------



## zeke13 (Aug 3, 2004)

I tried to do another reinstall using the custom options, and the bare installation. No multimedia or plug and play.

I received the same errors I talked about earlier:

Windows cannot find '1'. You may have typed the name incorrectly in the Run dialog or another open program cannot find a system file. To search for a file, click the Start button, and then click Search.

Windows cannot find 'FlushRegistry'. You may have typed the name incorrectly in the Run dialog or another open program cannot find a system file. To search for a file, click the Start button, and then click Search.

I don't have a floppy on my XP, so I'm going to burn the boot file to a cd and then copy it using DOS to a floppy. Then I will try to do a start using 'program.exe'.

The main item infecting the machine before I started cleaning it was SpySheriff. Nasty bug!!!

Thanks for the patience and help,
Craig


----------



## Rollin' Rog (Dec 9, 2000)

There are no such Windows files "1" and "Flushregistry" -- so these "missing" files must be something previously installed by 3rd party programs or a part of the OEM installation media you are using. They would not be a part of a Microsoft Retail CD.

Typically their failure to load would not prevent you from starting in Safe Mode. Have you tried that again?

If you do get progman.exe up, run *msconfig* and look under the startup tab. All you need there for now is Scanregistry and System Tray. Everything else can be unchecked.

In creating a bootable floppy, remember that the setup file itself is not what you want on the floppy -- the files that are extracted from the setup must be on the floppy.

When you reinstalled Windows, did you ever reach the point where you were prompted to create a bootable floppy? Windows would have done it for you then.


----------



## zeke13 (Aug 3, 2004)

With quick key stroking I can get the run prompt up in normal mode. I ran msconfig and unchecked all the boxes, except for the 2, and did a reboot. I still receive the ole32.dll error.

The CD I'm using is labeled: Operating System, Reinstallation CD WMe from Dell. It does not ask me to create a floppy. I get the "1" and "Flushregistry" errors during the plug and play portion at the end.

Any new ideas since I can now reach a run prompt?

Greatly appreciated,
Craig


----------



## Rollin' Rog (Dec 9, 2000)

What hardware is currently attached to the system?

When you say you get a "run prompt", does that mean the start button appears and you get it that way? Or do you use the Winkey+R?

Does the Desktop load? Does the ole32.dll also occur when trying a Safe Mode boot?

Can you run explorer.exe and navigate using it? How about progman.exe?

Ole32.dll should be in c:\windows\system -- can you find it, right click on it and select Properties > Version. What is the version number?

Can you run *control appwiz.cpl* and open Add/Remove programs? Is Internet Explorer there?

Can you get online?

The Dell OEM CD should be equivalent to the Microsoft Retail CD as far as I know. However Dell should also have provided a "Drivers" CD for any original hardware that came with the computer. Have you tried installing what it will install?


----------



## zeke13 (Aug 3, 2004)

Thanks again for the help,

> What hardware is currently attached to the system?

Monitor only.

> When you say you get a "run prompt", does that mean the start button appears and you get it that way? Or do you use the Winkey+R?

I use the Winkey + R.

> Does the Desktop load? Does the ole32.dll also occur when trying a Safe Mode boot?

The desktop loads. Start button, icons, and quick launches don't work. Yes, I do receive the error in Safe Mode boot.

> Can you run explorer.exe and navigate using it? How about progman.exe?

Neither program works.

> Ole32.dll should be in c:\windows\system -- can you find it, right click on it and select Properties > Version. What is the version number?

I can only reach the file in DOS and don't know the command to display its properties.

> Can you run control appwiz.cpl and open Add/Remove programs? Is Internet Explorer there?

Yes, I can run control. No, Internet Explorer is not on the list. Below is the list of programs.

broadjump client foundation
ca etrust pestpatrol
conexant hcf v90 56k data fax pci modem (uninstall)
delete windows millennium uninstall information
dell resource cd
easy cd creator 5 basic
epson printer software
epson usb printer devices
hijackthis 1.99.1
kodak easyshare software
lifereg (symantec corporation)
liveupdate 1.6(symantec corporation)
microsoft office xp media content
microsoft office xp small business
mozilla firefox (1.0.6)
norton antivirus 2001
oin
quicktime
sbc yahoo! applications
uninstall windows millennium
visual ip insight(sbc)
winzip
yahoo! install manager

> Can you get online?

Yes, I can run firefox.exe.

> The Dell OEM CD should be equivalent to the Microsoft Retail CD as far as I know. However Dell should also have provided a "Drivers" CD for any original hardware that came with the computer. Have you tried installing what it will install?

No, I will give this a shot while you look over the rest of the reply.

Many thanks!!!!!


----------



## Rollin' Rog (Dec 9, 2000)

From run, give this command a shot:

*regsvr32 ole32.dll*

you should get a message "dllregisterserver in ole32.dll succeeded"

Can you run Internet Explorer?

The file path will be:

"c:\Program Files\Internet Explorer\iexplore.exe"

You will need to include the quotes.

If IE is also faulting -- try updating it from:

http://www.microsoft.com/downloads/...cb-5e5d-48f5-b02b-20b602228de6&DisplayLang=en


----------



## zeke13 (Aug 3, 2004)

This did work:
regsvr32 ole32.dll

you should get a message "dllregisterserver in ole32.dll succeeded"

Yes, Internet Explorer does work properly. I used the browser to locate the version of the DLL; it is: 2.30.200.1

IE is version 5.5

The drivers CD starts loading the files, loads about a dozen files in, and then bombs out and goes to the a:\ prompt.

Earlier I had mentioned when plug and play was installing I received 2 errors. One of them concerning a '1' that windows could not find. I looked at my IE connection and there was a modem number with a bunch of 1's at the end. I removed the connection. Rebooted the machine and the internet connection was gone. However the ole32.dll error still continues.

Thanks once again


----------



## Rollin' Rog (Dec 9, 2000)

Boy that's a very old version of ole32.dll -- but I'm just not sure what the original WinME version number is. Did that file carry the Microsoft copyright?

Do you have cabinet files on the drive? They would be in either the location:

c:\windows\options\install

or

c:\windows\options\cabs

If you do, you can try running *msconfig* and selecting "extract one file".

Then extract ole32.dll to the location c:\windows\system

You can also extract from the installation CD; the cabinet files will be in the "win98" folder.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;129605#XSLTH4125121122120121120120

Also, it may be a bit of a side trip, but you might want to try updating Internet Explorer:

http://www.microsoft.com/downloads/...cb-5e5d-48f5-b02b-20b602228de6&DisplayLang=en


----------



## aarhus2004 (Jan 10, 2004)

WinME ole32.dll version 4.71.3328.0

That's on mine anyway. Modified: June 8, 2000, 5:00:00 PM


----------



## Rollin' Rog (Dec 9, 2000)

Thanks -- I thought there was something funky about that version. I don't think it's a Microsoft file at all -- but one that might have been substituted by a virus. I am puzzled as to why it was not replaced during the reinstall.

It is going to have to be replaced manually and re-registered.

>> any chance you could zip that file up for him and upload it as an attachment? He might have some issues getting it off the CD or cabinet files if he has them.

*edit*: Zeke, if you have HijackThis on the computer and can run it, select "Open the Misc Tools section". Put a check in "list also minor sections". Then select "generate StartupList" and post the startup list here.

If you are unable to do that, go to Start > Run: enter *sysedit* and copy/paste the contents of the autoexec.bat file here.


----------
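
The version comparison made in the posts above (2.30.200.1 on the affected machine, 4.71.3328.0 on a working WinME install) can also be done on a copy of the file from another machine, without Explorer's Properties dialog. This is an added example, not part of the thread: it scans for the `VS_FIXEDFILEINFO` signature instead of walking the full resource tree, and the function names and sample bytes are constructed for illustration.

```python
import struct
import sys

VS_FFI_SIGNATURE = 0xFEEF04BD     # dwSignature of VS_FIXEDFILEINFO
VS_FFI_STRUCVERSION = 0x00010000  # dwStrucVersion value normally stored after it

REFERENCE = "4.71.3328.0"  # version reported in the thread for a working WinME system
OBSERVED = "2.30.200.1"    # version reported in the thread for the affected machine


def file_version(data):
    """Return (major, minor, build, revision) from the first plausible
    VS_FIXEDFILEINFO block in data, or None if no such block exists."""
    sig = struct.pack("<I", VS_FFI_SIGNATURE)
    pos = data.find(sig)
    while pos != -1:
        # Need signature, struct version, FileVersionMS and FileVersionLS.
        if pos + 16 <= len(data):
            _, struc, ms, ls = struct.unpack_from("<4I", data, pos)
            # Skip byte runs that merely look like the signature.
            if struc == VS_FFI_STRUCVERSION:
                return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)
        pos = data.find(sig, pos + 1)
    return None


def parse_version(text):
    """'4.71.3328.0' -> (4, 71, 3328, 0)"""
    return tuple(int(part) for part in text.strip().split("."))


def compare(data, reference):
    """Describe how the file's version relates to a known-good reference."""
    found = file_version(data)
    if found is None:
        return "no version resource"
    if found == parse_version(reference):
        return "match"
    return "mismatch: found %s, reference %s" % (
        ".".join(str(n) for n in found), reference)


def constructed_sample(version, decoy=False):
    """Constructed test bytes (not a real DLL) carrying one version block.
    With decoy=True a bare signature with a wrong struct version comes first."""
    a, b, c, d = parse_version(version)
    block = struct.pack("<4I", VS_FFI_SIGNATURE, VS_FFI_STRUCVERSION,
                        (a << 16) | b, (c << 16) | d)
    prefix = b"MZ" + b"\x00" * 62
    if decoy:
        prefix += struct.pack("<2I", VS_FFI_SIGNATURE, 0)
    return prefix + block + b"\x00" * 36


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python checkver.py path\to\OLE32.DLL
        with open(sys.argv[1], "rb") as fh:
            print(compare(fh.read(), REFERENCE))
    else:
        print(compare(constructed_sample(OBSERVED), REFERENCE))
```

A mismatch is a useful signal that the file was substituted, but a match proves little, since the version block is ordinary data that any file can carry; comparing a hash against a copy extracted from the installation media is the stronger check.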



## aarhus2004 (Jan 10, 2004)

Rollin' Rog said:


> >> any chance you could zip that file up for him and upload it as an attachment? He might have some issues getting it off the CD or cabinet files if he has them.


Roger, it is too large at 416KB.


----------



## zeke13 (Aug 3, 2004)

Sorry it took so long to continue this, I've been doing my Dad duties. I can locate the cab files, but I don't know how to extract the file. I can run the msconfig and click on the extract file button, but I don't know how to locate the correct file.

I ran the hijackthis request:

StartupList report, 11/17/2005, 3:39:40 PM
StartupList version: 1.52.2
Started from : C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v5.50 (5.50.4134.0100)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
SystemTray = SysTray.Exe
MSConfigReminder = C:\WINDOWS\SYSTEM\msconfig.exe /reminder

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

(Default) =

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = ctfmon.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

^SetupICWDesktop = C:\PROGRA~1\INTERN~1\CONNEC~1\icwconn1.exe /desktop

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[>PerUser_MSN_Clean] *
StubPath = C:\WINDOWS\msnmgsr1.exe

[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\SYSTEM\ie4uinit.exe

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 9/11/2005, 15:37:50)

[rename]
NUL=C:\WINDOWS\TEMP\GLB1A2B.EXE

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

C:\WINDOWS\tmpcpyis.bat

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\SYSTEM\OPH4JU~1.DLL (file missing) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
PCHealth Scheduler for Data Collection.job
Scan for Viruses.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
CODEBASE = http://files.member.yahoo.com/dl/installs/sbc/yinst.cab

[YahooYMailTo Class]
InProcServer32 = C:\PROGRAM FILES\YAHOO!\COMMON\YMMAPI.DLL
CODEBASE = http://download.yahoo.com/dl/installs/ymail/ymmapi.dll

[PhotosCtrl Class]
InProcServer32 = C:\PROGRAM FILES\YAHOO!\COMMON\YPHOTOS.DLL
CODEBASE = http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

[YAddBook Class]
InProcServer32 = C:\PROGRA~1\YAHOO!\COMMON\YADDBOOK.DLL
CODEBASE = http://download.yahoo.com/dl/installs/yab_af.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL
OLE Module: C:\WINDOWS\SYSTEM\thn32.dll
UPnPMonitor: C:\WINDOWS\SYSTEM\UPNPUI.DLL

--------------------------------------------------
End of report, 6,418 bytes
Report generated in 0.236 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Thanks again for all the patience,
Zeke


----------



## Rollin' Rog (Dec 9, 2000)

Ok, the startuplist does show entries from one or two prior trojan infections. I should have had you post a normal scanlog as well, so we will have to work from less than exact directions.

Run HijackThis and make a normal scanlog (not the startuplist).

>> Find the '02' entry that references this file:

C:\WINDOWS\SYSTEM\OPH4JU~1.DLL (file missing) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}

... and put a check in it.

>> Find the 021 entry that references this file:

C:\WINDOWS\SYSTEM\thn32.dll

... and put a check in that.

>> Now click "fix selected"
>> Run HijackThis again and verify that both those items are deleted.

Navigate to: C:\WINDOWS\SYSTEM\thn32.dll

and delete that file. If it is in use, reboot and do it. You can also try renaming it, if it is difficult to delete (thn32.bad)

We are probably still going to have to replace the c:\windows\system\ole32.dll.

You should not need to know the exact cabinet location of the file. When you use the extract tool, just try pointing it to the cabinet directory itself. For example c:\windows\options\cabs or c:\windows\options\install -- whichever you have.

Let me know if you have any problems with that. Aarhus has also offered to email it to you.

Post a regular HijackThis scanlog for the system when you return and let me know if the behavior has changed any.


----------



## zeke13 (Aug 3, 2004)

Hello,
I ran hijackthis and removed the 2 items. I could not locate the thn32.dll. I did the restore and then the machine forced a reboot on me. The file is still the old version. The ole32.dll continues. Do I need to supply an e-mail address for Aarhus?

Here is the normal hijackthis log after the fix:

Logfile of HijackThis v1.99.1
Scan saved at 5:36:15 PM, on 11/21/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\RunOnce: [^SetupICWDesktop] C:\PROGRA~1\INTERN~1\CONNEC~1\icwconn1.exe /desktop
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: style2 - C:\WINDOWS\Q-3460718_DISK.DLL

Thanks again,
Zeke


----------



## Cheeseball81 (Mar 3, 2004)

We should really clean up that log....

You have no anti-virus protection.
Get *AVG* (it's free): http://free.grisoft.com/doc/1
Install it and run a scan.
_________________________________________________________________

Then download and run the following:

*Ad-Aware SE*: http://www.majorgeeks.com/download506.html

Install the program and launch it.
First, in the bottom right-hand corner of the main window click on Check for updates now then click Connect and download the latest reference files.
Then, in the main window: Click Start and under Select a scan Mode tick Perform full system scan.
Then, deselect Search for negligible risk entries.
To start the scan, click the Next button.
When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and then click Next).

*SpyBot S&D*: http://www.majorgeeks.com/download2471.html

Open Spybot Search & Destroy (Click Start, Programs, Spybot S&D (Advanced Mode)).
Click online, Search for updates, Download all available updates.
Close all Browser windows, Click "Check for Problems".
When the scan is finished let Spybot fix/remove all it finds marked in RED.

Reboot, post a new Hijack This log.


----------



## Rollin' Rog (Dec 9, 2000)

I'll leave the scanlog cleanup to Cheeseball81.

Can you extract ole32.dll again? This time do it to two places:

c:\windows\desktop

and

c:\windows\system


If you can't get the file to either of those locations, PM Aarhus with your Email address.


----------



## zeke13 (Aug 3, 2004)

I started the machine in a normal startup mode. I was able to clean up the disk other than 1 virus. The machine starts up clean except for 1 error.

The virus is: c:\ied_s7m.cab\nnet.ext
trojan horse downloader

The error message is: c:\windows\system\kernels32.exe

Windows cannot find "c:\\windows\system\kernels32.exe'. You may have typed the name incorrectly in the Run dialog, or another program cannot find a system file.

Here is the hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 10:36:55 PM, on 11/21/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPCLIENT.EXE
C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMON32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\INET10079\SERVICES.EXE
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [find] C:\WINDOWS\SYSTEM\find.exe
O4 - HKLM\..\Run: [Auto Update] C:\WINDOWS\stchost.exe
O4 - HKLM\..\Run: [gxcsv.exe] C:\WINDOWS\SYSTEM\gxcsv.exe
O4 - HKLM\..\Run: [Irshza] C:\PROGRAM FILES\NRZQE\BWDBXZ.EXE
O4 - HKLM\..\Run: [Syubdhjd] C:\PROGRAM FILES\KGMNA\ZJQAA.EXE
O4 - HKLM\..\Run: [dflnl.exe] C:\WINDOWS\SYSTEM\dflnl.exe
O4 - HKLM\..\Run: [crifx.exe] C:\WINDOWS\SYSTEM\crifx.exe
O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\WINSOCKS5.EXE
O4 - HKLM\..\Run: [System Redirect] C:\WINDOWS\SYSTEM\SYSBHO.EXE
O4 - HKLM\..\Run: [dmmgm.exe] C:\WINDOWS\SYSTEM\dmmgm.exe
O4 - HKLM\..\Run: [csuug.exe] csuug.exe
O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\SYSTEM\yaemu.exe
O4 - HKLM\..\Run: [dmqiu.exe] C:\WINDOWS\SYSTEM\dmqiu.exe
O4 - HKLM\..\Run: [dmzgt.exe] C:\WINDOWS\SYSTEM\dmzgt.exe
O4 - HKLM\..\Run: [dmpes.exe] C:\WINDOWS\SYSTEM\dmpes.exe
O4 - HKLM\..\Run: [dmhxg.exe] C:\WINDOWS\SYSTEM\dmhxg.exe
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] none
O4 - HKLM\..\Run: [dmxqa.exe] C:\WINDOWS\SYSTEM\dmxqa.exe
O4 - HKLM\..\Run: [dmlok.exe] C:\WINDOWS\SYSTEM\dmlok.exe
O4 - HKLM\..\Run: [dmbdn.exe] C:\WINDOWS\SYSTEM\dmbdn.exe
O4 - HKLM\..\Run: [dmjdb.exe] C:\WINDOWS\SYSTEM\dmjdb.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [Shell] Explorer.exe C:\WINDOWS\SYSTEM\kernels32.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [romahere3] C:\WINDOWS\SYSTEM\KWL9L5CBWBSK.EXE
O4 - HKCU\..\Run: [Oximdajp] \qgwmby.exe
O4 - HKCU\..\Run: [Rtbo] C:\Program Files\taoi\bloa.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

Rollin' Rog - I could restore the file to the desktop, but it will not let me replace the file in windows/system. The version of the dll on the desktop is:
4.71.3328.0

Thanks for all the help everyone


----------



## Rollin' Rog (Dec 9, 2000)

That scanlog shows a lot of malware, possibly now because you fully enabled all the startups in msconfig. I hope most of the files have already been deleted.

Check and fix ALL these items:

R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\INET10079\SERVICES.EXE

O4 - HKLM\..\Run: [find] C:\WINDOWS\SYSTEM\find.exe
O4 - HKLM\..\Run: [Auto Update] C:\WINDOWS\stchost.exe
O4 - HKLM\..\Run: [gxcsv.exe] C:\WINDOWS\SYSTEM\gxcsv.exe
O4 - HKLM\..\Run: [Irshza] C:\PROGRAM FILES\NRZQE\BWDBXZ.EXE
O4 - HKLM\..\Run: [Syubdhjd] C:\PROGRAM FILES\KGMNA\ZJQAA.EXE
O4 - HKLM\..\Run: [dflnl.exe] C:\WINDOWS\SYSTEM\dflnl.exe
O4 - HKLM\..\Run: [crifx.exe] C:\WINDOWS\SYSTEM\crifx.exe
O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\WINSOCKS5.EXE
O4 - HKLM\..\Run: [System Redirect] C:\WINDOWS\SYSTEM\SYSBHO.EXE
O4 - HKLM\..\Run: [dmmgm.exe] C:\WINDOWS\SYSTEM\dmmgm.exe
O4 - HKLM\..\Run: [csuug.exe] csuug.exe
O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\SYSTEM\yaemu.exe
O4 - HKLM\..\Run: [dmqiu.exe] C:\WINDOWS\SYSTEM\dmqiu.exe
O4 - HKLM\..\Run: [dmzgt.exe] C:\WINDOWS\SYSTEM\dmzgt.exe
O4 - HKLM\..\Run: [dmpes.exe] C:\WINDOWS\SYSTEM\dmpes.exe
O4 - HKLM\..\Run: [dmhxg.exe] C:\WINDOWS\SYSTEM\dmhxg.exe

O4 - HKLM\..\Run: [dmxqa.exe] C:\WINDOWS\SYSTEM\dmxqa.exe
O4 - HKLM\..\Run: [dmlok.exe] C:\WINDOWS\SYSTEM\dmlok.exe
O4 - HKLM\..\Run: [dmbdn.exe] C:\WINDOWS\SYSTEM\dmbdn.exe
O4 - HKLM\..\Run: [dmjdb.exe] C:\WINDOWS\SYSTEM\dmjdb.exe

O4 - HKLM\..\RunServices: [Shell] Explorer.exe C:\WINDOWS\SYSTEM\kernels32.exe

O4 - HKCU\..\Run: [romahere3] C:\WINDOWS\SYSTEM\KWL9L5CBWBSK.EXE
O4 - HKCU\..\Run: [Oximdajp] \qgwmby.exe
O4 - HKCU\..\Run: [Rtbo] C:\Program Files\taoi\bloa.exe

==================================================

You are going to have to use a WinME bootdisk in that case to restore the file from outside Windows using DOS.

I think you already have one, so I will not give instructions on the bootdisk unless you ask.

Use your boot disk to boot to an a: prompt (you can accept "minimal boot" if you are using a standard WinME bootdisk)

At the a: prompt type and enter:

*copy c:\windows\desktop\ole32.dll c:\windows\system*

You should get a prompt to overwrite the existing file. Accept that, then remove the boot disk and reboot.

==========================================

Post another Scanlog when ready.


----------



## zeke13 (Aug 3, 2004)

I copied the file and replaced the file, rebooted and the old version was still there. I removed the file in windows\system and then copied over the desktop version. When I rebooted the old version was still there.

Here is the current hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 3:39:25 AM, on 11/22/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPCLIENT.EXE
C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMON32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\INET10079\SERVICES.EXE
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] none
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

Your help is greatly appreciated,
Zeke


----------



## Rollin' Rog (Dec 9, 2000)

Hard to know how that could have happened unless something is actively changing things.

But I see you missed these two entries in the Scanlog, I believe I added them a couple of minutes after the others:

R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\INET10079\SERVICES.EXE

The first is harmless and just affects search from the address bar.

The second is serious, especially if the file "services.exe" is present. I would imagine it is or you would get a boot up file missing error.

Restart in Safe Mode to fix those. While still in Safe mode delete the FOLDER:

*c:\windows\INET10079*

I'm sure it is malicious, but you can open it if you like to see what else is in there.

Repeat the procedure for copying the ole32.dll file to c:\windows\system.

If you get an "in use" or "access denied" message trying to do the copy from Safe Mode, you will need to use the bootdisk procedure.
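As an added example (not part of the original posts and not HijackThis's own logic), the following Python sketch triages F1 and O4 autostart lines the way the entries were picked out above. The three heuristics and the `IMITATED` name list are assumptions chosen to match entries flagged in this thread; the sample lines are copied from the posted logs.

```python
import re
from difflib import SequenceMatcher

# Constructed sample: entries copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
F1 - win.ini: run=C:\WINDOWS\INET10079\SERVICES.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Auto Update] C:\WINDOWS\stchost.exe
O4 - HKLM\..\RunServices: [Shell] Explorer.exe C:\WINDOWS\SYSTEM\kernels32.exe
O4 - HKCU\..\Run: [Oximdajp] \qgwmby.exe
"""

# Assumption: a short list of system file stems that dropped files tend to resemble.
IMITATED = ("svchost", "kernel32", "services", "explorer", "winsock")
ENTRY = re.compile(r"^(F1|O4) - (.+?): (?:\[(.*?)\] )?(.*)$")
EXE_STEM = re.compile(r'([^\\/\s"=]+)\.exe', re.IGNORECASE)

def lookalike(stem, threshold=0.85):
    """Return the system name that `stem` nearly (but not exactly) matches, or None."""
    stem = stem.lower()
    for known in IMITATED:
        if stem != known and SequenceMatcher(None, stem, known).ratio() >= threshold:
            return known
    return None

def triage(log_text):
    """Return [(line, [reasons])] for F1/O4 entries that deserve a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        kind, _where, _name, command = m.groups()
        reasons = []
        if kind == "F1":
            reasons.append("win.ini run=/load= autostart")
        if command.startswith("\\"):
            reasons.append("path has no drive letter")
        for stem in EXE_STEM.findall(command):
            near = lookalike(stem)
            if near:
                reasons.append(f"{stem} resembles {near}")
        if reasons:
            findings.append((line.strip(), reasons))
    return findings

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(f"{'; '.join(reasons):40} <- {line}")
```

A hit only marks a line for review; entries with random-looking names such as `dmmgm.exe` pass these three checks and still need a human to read the log.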


----------



## Cheeseball81 (Mar 3, 2004)

I just wanna make sure all those bad files are gone.

Download *KillBox* here: http://www.downloads.subratam.org/KillBox.zip
Save it to your desktop.
*DO NOT* run it yet.

Boot into *Safe Mode* (start tapping the *F8* key at Startup, before the Windows logo screen)

Double-click on Killbox.exe to run it. 
Now put a tick by Standard File Kill. 
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. 
It will ask for confirmation to delete the file. 
Click Yes. 
Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

*C:\WINDOWS\INET10079\SERVICES.EXE
C:\WINDOWS\SYSTEM\find.exe
C:\WINDOWS\stchost.exe
C:\WINDOWS\SYSTEM\gxcsv.exe
C:\PROGRAM FILES\NRZQE\BWDBXZ.EXE
C:\PROGRAM FILES\KGMNA\ZJQAA.EXE
C:\WINDOWS\SYSTEM\dflnl.exe
C:\WINDOWS\SYSTEM\crifx.exe
C:\WINDOWS\WINSOCKS5.EXE
C:\WINDOWS\SYSTEM\SYSBHO.EXE
C:\WINDOWS\SYSTEM\dmmgm.exe
C:\WINDOWS\SYSTEM\csuug.exe
C:\WINDOWS\SYSTEM\yaemu.exe
C:\WINDOWS\SYSTEM\dmqiu.exe
C:\WINDOWS\SYSTEM\dmzgt.exe
C:\WINDOWS\SYSTEM\dmpes.exe
C:\WINDOWS\SYSTEM\dmhxg.exe
C:\WINDOWS\SYSTEM\dmxqa.exe
C:\WINDOWS\SYSTEM\dmlok.exe
C:\WINDOWS\SYSTEM\dmbdn.exe
C:\WINDOWS\SYSTEM\dmjdb.exe
C:\WINDOWS\SYSTEM\kernels32.exe
C:\WINDOWS\SYSTEM\KWL9L5CBWBSK.EXE
C:\WINDOWS\SYSTEM\qgwmby.exe
C:\Program Files\taoi\bloa.exe*

Note: It is possible that Killbox will tell you that one or more files do not exist. 
If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the KillBox.

Find and delete these folders:

*C:\PROGRAM FILES\NRZQE
C:\PROGRAM FILES\KGMNA
C:\Program Files\taoi*

Empty the Recycle Bin.

Reboot.


----------



## zeke13 (Aug 3, 2004)

Cheeseball81 - I had already removed the files per Rollin' Rog's instructions. I did follow your instructions and none of the files existed.

Rollin' Rog - I was able to copy the file. The correct version (4.?) is now in the windows\system folder.

Anything else?

Thanks again!


----------



## Rollin' Rog (Dec 9, 2000)

If the correct version is now holding its own and you are not getting any startup errors -- you may be good to go. You can mark the thread "Solved" using the Thread Tools menu if that's the case.

However if you are still having issues, let us know exactly what still remains.

You're certainly welcome for the support.

I would strongly recommend you now update to IE 6 SP1 and ALSO install the cumulative update for it, as well as get any other updates available from Windows update.


----------

