# Help, I think I have a virus



## helena68uk (Jun 28, 2005)

I'll gladly make a donation if someone can help me fix this problem, my computer is running very slow and I keep geting annoying pop ups telling me my spyware is bad........... I've run a log from hijack this, can anyone help me?

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
c:\JET95\jshelper.exe
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\JET95\JETSTAT.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\JET95\JSFMAN.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\PSPCONTR.EXE
C:\PROGRAM FILES\INKLINE GLOBAL\PC BOOSTER\PCBOOSTER.EXE
C:\WINDOWS\SYSTEM\RMCTRL.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\INTEL\INTEL PSNCU\CPUNUMBER.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PLUS\AD-WATCH.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\OLYMPUS\DEVICEDETECTOR\DEVDTCT2.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\IEWS.EXE
C:\WINDOWS\SYSTEM\SYSLB.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\SIMPLYZIP\SIMPLYZIP.EXE
C:\WINDOWS\DESKTOP\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vjrmz.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vjrmz.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {E8682374-CCCD-9E10-850F-FE93425C7397} - C:\WINDOWS\IPQG.DLL
O2 - BHO: Starware - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - C:\PROGRAM FILES\STARWARE\BIN\STARWARE.DLL
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\PROGRAM FILES\STARWARE\BIN\STARWARE.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TridTray] c:\windows\SYSTEM\tridtray.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [PspContr] PspContr.Exe
O4 - HKLM\..\Run: [PspUsbCf] PspUsbCf.exe
O4 - HKLM\..\Run: [PC Booster] C:\Program Files\inKline Global\PC Booster\pcbooster.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\SYSTEM\rmctrl.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O4 - HKLM\..\Run: [PSGuard] C:\PROGRAM FILES\PSGUARD\PSGUARD.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NTL\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [IntelProcNumUtility] "C:\Intel\Intel PSNCU\CpuNumber.exe" /nosplash
O4 - HKCU\..\Run: [AWMON] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PLUS\AD-WATCH.EXE"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Startup: Hays DX Address Plus.lnk = C:\Program Files\Hays DX Address Plus\APlus.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPSWF32.DLL
O12 - Plugin for .BMP: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/MyFunCardsFWBInitialSetup1.0.0.8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab


----------



## Cheeseball81 (Mar 3, 2004)

Hi helena68uk 

Has your system been restarted since you posted this Hijack log?

If so, please post a new one.

If not, let me know and I can proceed with instructions.


----------



## Tapeuup (Apr 6, 2005)

well helen, cheeseball's on it, looks like you'll be making a donation shortly!


----------



## Cheeseball81 (Mar 3, 2004)

Tapeuup said:


> well helen, cheeseball's on it, looks like you'll be making a donation shortly!


----------



## helena68uk (Jun 28, 2005)

Cheeseball81 said:


> Hi helena68uk
> 
> Has your system been restarted since you posted this Hijack log?
> 
> ...


No, the system hasn't been restarted since I posted, exactly the same. I daren't switch the machine off as last time I did that, the drivers disappeared!


----------



## Cheeseball81 (Mar 3, 2004)

There are 2 different infections we will be cleaning up. Both require different methods.

You cut off the top part of the log, so I will make a guess that you either have Windows 98 or ME.

* *Click here* to download smitRem.exe. 
Save the file to your desktop. 
It is a self extracting file.
Doubleclick the smitRem.exe and it will extract the files to a smitRem folder on your desktop. 
Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.

* Go *here* and download Ad-Aware SE.

Install the program and launch it.
First in the main window look in the bottom right corner and click on *Check for updates now*
Click *Connect* and download the latest reference files.
Do not run Adaware yet. Just download the updates and have it ready to run later in safe mode.

* *Click here* for info on how to boot to safe mode if you don't already know how.

* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.

* Restart your computer into safe mode now. Perform the following steps in safe mode:

* Run Hijack This again and put a check by these. Close *ALL* windows except HijackThis and click "Fix checked"

* Open the *smitRem* folder, then double click the *RunThis.bat* file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

* Now launch Adaware:

From main window click *Start* then under *Select a scan Mode* tick *Perform full system scan*.
Next deselect *Search for negligible risk entries*.
Now to scan just click the *Next* button.
When the scan is finished mark everything for removal and get rid of it.
Right-click the window and choose *select all* from the drop down menu and click *Next*

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

* Next go to Control Panel > Display. Click on the "Web" tab. Under "View my Active desktop as a web page" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. 
Remove the check by "View my Active desktop as a web page".
Click OK then Apply and OK.

* Restart back into Windows normally now.

* Run ActiveScan online virus scan *here*

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

*Post a new HiJackThis log along with the results from ActiveScan*


----------



## helena68uk (Jun 28, 2005)

* Run Hijack This again and put a check by these. Close *ALL* windows except HijackThis and click "Fix checked"

You say put a check by these - these what? All of the entries???? None of the entries? Stuck already!


----------



## Cheeseball81 (Mar 3, 2004)

Ooops. I should have taken that out! My fault! Ignore that please.


----------



## helena68uk (Jun 28, 2005)

Cheeseball81 said:


> Ooops. I should have taken that out! My fault! Ignore that please.


Oh, ok! So, just to recap, I'm going to go into safe mode now, then straight to the smitrem folder section?


----------



## Cheeseball81 (Mar 3, 2004)

Yes


----------



## helena68uk (Jun 28, 2005)

Cheeseball81 said:


> Yes


OK, here goes!


----------



## Cheeseball81 (Mar 3, 2004)

:up:


----------



## helena68uk (Jun 28, 2005)

* Run ActiveScan online virus scan *here*

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

*Post a new HiJackThis log along with the results from ActiveScan*[/QUOTE]

Right, I got stuck at this point.......when I click on scan your pc for the ActiveScan, it won't open a new browser window


----------



## helena68uk (Jun 28, 2005)

LIke I said, I can't do the ActiveScan, but here's the results from my updated hijack log.........

Logfile of HijackThis v1.99.1
Scan saved at 18:02:31, on 10/11/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
c:\JET95\jshelper.exe
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\JET95\JETSTAT.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\JET95\JSFMAN.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\PSPCONTR.EXE
C:\PROGRAM FILES\INKLINE GLOBAL\PC BOOSTER\PCBOOSTER.EXE
C:\WINDOWS\SYSTEM\RMCTRL.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\INTEL\INTEL PSNCU\CPUNUMBER.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PLUS\AD-WATCH.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\OLYMPUS\DEVICEDETECTOR\DEVDTCT2.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\IEWS.EXE
C:\WINDOWS\IEVJ.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vjrmz.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vjrmz.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {E8682374-CCCD-9E10-850F-FE93425C7397} - C:\WINDOWS\IPQG.DLL
O2 - BHO: Starware - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - C:\PROGRAM FILES\STARWARE\BIN\STARWARE.DLL (file missing)
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\PROGRAM FILES\STARWARE\BIN\STARWARE.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TridTray] c:\windows\SYSTEM\tridtray.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [PspContr] PspContr.Exe
O4 - HKLM\..\Run: [PspUsbCf] PspUsbCf.exe
O4 - HKLM\..\Run: [PC Booster] C:\Program Files\inKline Global\PC Booster\pcbooster.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\SYSTEM\rmctrl.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O4 - HKLM\..\Run: [PSGuard] C:\PROGRAM FILES\PSGUARD\PSGUARD.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NTL\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [IntelProcNumUtility] "C:\Intel\Intel PSNCU\CpuNumber.exe" /nosplash
O4 - HKCU\..\Run: [AWMON] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PLUS\AD-WATCH.EXE"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Startup: Hays DX Address Plus.lnk = C:\Program Files\Hays DX Address Plus\APlus.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPSWF32.DLL
O12 - Plugin for .BMP: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/MyFunCardsFWBInitialSetup1.0.0.8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab


----------



## Cheeseball81 (Mar 3, 2004)

Download* CW-Shredder* at the link below:
http://cwshredder.net/bin/CWShredder.exe

Download '*SpSeHjfix*'. to the desktop and then
right click a blank part of desktop & select new folder, call it spfix 
unzip the file into that folder 
http://www.derbilk.de/SpSeHjfix109.zip

Disconnect from the net and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix'. and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage

Now run the Shredder - Hit The FIX button!

*Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.*

Note: On a few occasions it has been reported that after using the SPSEHjfix you cannot open Internet Explorer. 
To fix this, go into Control Panel>Internet Options>Programs & press Reset Web Settings, then you can set your home page to what you want on the General tab.


----------



## helena68uk (Jun 28, 2005)

Well, things are definitely better, but I still get a yellow balloon in the right hand corner of the screen which says something about bad spyware and to click on the download which then pops up, "CHMHelp.chm from searchclick.cc - ?????

Here's the most recent hijack log............

Logfile of HijackThis v1.99.1
Scan saved at 21:28:08, on 10/11/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
c:\JET95\jshelper.exe
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\JET95\JETSTAT.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\JET95\JSFMAN.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\PSPCONTR.EXE
C:\PROGRAM FILES\INKLINE GLOBAL\PC BOOSTER\PCBOOSTER.EXE
C:\WINDOWS\SYSTEM\RMCTRL.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\INTEL\INTEL PSNCU\CPUNUMBER.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PLUS\AD-WATCH.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\OLYMPUS\DEVICEDETECTOR\DEVDTCT2.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\IEWS.EXE
C:\WINDOWS\IEVJ.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\SIMPLYZIP\SIMPLYZIP.EXE
C:\WINDOWS\DESKTOP\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\eghpj.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\eghpj.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {E8682374-CCCD-9E10-850F-FE93425C7397} - C:\WINDOWS\IPQG.DLL
O2 - BHO: Starware - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - C:\PROGRAM FILES\STARWARE\BIN\STARWARE.DLL (file missing)
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\PROGRAM FILES\STARWARE\BIN\STARWARE.DLL (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YT.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TridTray] c:\windows\SYSTEM\tridtray.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [PspContr] PspContr.Exe
O4 - HKLM\..\Run: [PspUsbCf] PspUsbCf.exe
O4 - HKLM\..\Run: [PC Booster] C:\Program Files\inKline Global\PC Booster\pcbooster.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\SYSTEM\rmctrl.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NTL\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [PSGuard] C:\PROGRAM FILES\PSGUARD\PSGUARD.EXE
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [IntelProcNumUtility] "C:\Intel\Intel PSNCU\CpuNumber.exe" /nosplash
O4 - HKCU\..\Run: [AWMON] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PLUS\AD-WATCH.EXE"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Startup: Hays DX Address Plus.lnk = C:\Program Files\Hays DX Address Plus\APlus.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPSWF32.DLL
O12 - Plugin for .BMP: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/MyFunCardsFWBInitialSetup1.0.0.8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab


----------



## Cheeseball81 (Mar 3, 2004)

I'm getting instructions ready for you. Do not reboot 

Be back shortly.


----------



## Cheeseball81 (Mar 3, 2004)

** Please *disable Ad-Aware SE's AdWatch*, as it may hinder the removal of some entries.

To disable AdWatch:

Right-click the AW icon in the systray and select "Unload Ad-Watch" and also uncheck Load AdWatch at System Start and Automatic. 
When you have finished cleaning open Ad-Aware and click on the AdWatch button, then reverse the settings.

Now copy the contents of the quote box to Notepad. Go to File - Save As and name it Fix.reg (save as type: all files )



> REGEDIT4
> 
> [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
> 
> ...


You will need to download the following tools and have them ready to run. Do not run any of them until instructed to do so:

Download *KillBox* here: http://www.downloads.subratam.org/KillBox.zip
Save it to your desktop.
*DO NOT * run it yet.

Click here: http://cwshredder.net/bin/CWSInstall.exe to download *CWSinstall.exe* to the desktop.

Click: http://www.majorgeeks.com/AboutBuster_d4289.html to download *AboutBuster* created by Rubber Ducky.

Unzip AboutBuster to the Desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit" because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode.

Now go ahead and set your computer to show hidden files like so:

Open My Computer. 
Select the View menu and click Folder Options. 
Select the View Tab. 
In the Hidden files section select Show all files. 
Click OK.

After you have downloaded all the above tools, sign off the Internet and remain offline until this procedure is complete. Copy these instructions to notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it.

Now, boot into *Safe Mode * (start tapping the *F8* key at Startup, before the Windows logo screen)

Double click on the fix.reg file you saved at the beginning to enter into the registry. Answer yes when asked to have its contents added to the registry.

Run Hijack This and put a check by these entries:

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\eghpj.dll/sp.html#93256

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\eghpj.dll/sp.html#93256

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {E8682374-CCCD-9E10-850F-FE93425C7397} - C:\WINDOWS\IPQG.DLL

O2 - BHO: Starware - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - C:\PROGRAM FILES\STARWARE\BIN\STARWARE.DLL (file missing)

O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\PROGRAM FILES\STARWARE\BIN\STARWARE.DLL (file missing)

O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain

O4 - HKLM\..\Run: [PSGuard] C:\PROGRAM FILES\PSGUARD\PSGUARD.EXE

O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cab*

Once youve checked all of the above entries, click the "Fix Checked" button.

Exit Hijack This.

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "*Full Path of File to Delete*" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "*Paste Full Path of File to Delete*" box.

*C:\WINDOWS\eghpj.dll

C:\WINDOWS\IPQG.DLL

C:\WINDOWS\SYSTEM\intel32.exe

C:\PROGRAM FILES\PSGUARD\PSGUARD.EXE*

*Note*: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure not to miss any.

Exit the Killbox.

Find and delete this folder: *C:\PROGRAM FILES\PSGUARD*

Also in safe mode navigate to the *C:\Windows\Temp* folder. 
Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type *%temp%* in the Run box. 
The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. 
On the General tab under "Temporary Internet Files" Click "Delete Files". 
Put a check by "Delete Offline Content" and click OK. 
Click on the Programs tab then click the "Reset Web Settings" button. 
Click Apply then OK.

Empty the Recycle Bin.

Next run *Aboutbuster*. Double click Aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

Run *CWShredder*. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.

Now, restart back into Windows normally and do the following:

Go here and do an online virus scan: http://housecall.trendmicro.com/

Be sure and put a check in the box by "*Auto Clean*" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself. Housecall will detect the leftover files from this hijacker.

This hijacker is known to alter or delete certain files so check this out please:

Download the *Hoster * from here:
www.funkytoad.com/download/hoster.zip 
Run Hoster and press *Restore Original Hosts*, OK, and Exit Program.

If you have Spybot S&D installed you will also need to replace one file. 
Go here: http://www.spywareinfo.com/~merijn/winfiles.html
Download *SDHelper.dll*
Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

The file "*Control.exe*" may have been deleted. 
See if control.exe is present in C:\windows

If Control.exe isn't there, go here: http://www.richardthelionhearted.com/~merijn/winfiles.html#control
Download control.exe per the instructions at the site.

*IMPORTANT**!*: Please check your *ActiveX* security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended here: http://www.jfitz.com/tips/ie_security_config.html

Reboot and post another HijackThis log please.


----------



## helena68uk (Jun 28, 2005)

OK< I followed the instructions correctly I think but the balloon still shows up, and now I have lost my internet homepeage and it remains on about: blank! Aargh, on the point of giving up........... here's a new hikack log:

Logfile of HijackThis v1.99.1
Scan saved at 22:23:29, on 10/11/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
c:\JET95\jshelper.exe
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\IEWS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\JET95\JETSTAT.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\JET95\JSFMAN.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\PSPCONTR.EXE
C:\PROGRAM FILES\INKLINE GLOBAL\PC BOOSTER\PCBOOSTER.EXE
C:\WINDOWS\SYSTEM\RMCTRL.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\IEVJ.EXE
C:\INTEL\INTEL PSNCU\CPUNUMBER.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\OLYMPUS\DEVICEDETECTOR\DEVDTCT2.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SIMPLYZIP\SIMPLYZIP.EXE
C:\WINDOWS\DESKTOP\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\roxgv.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\roxgv.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\roxgv.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\roxgv.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\roxgv.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\roxgv.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\roxgv.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {E8682374-CCCD-9E10-850F-FE93425C7397} - C:\WINDOWS\IPQG.DLL (file missing)
O2 - BHO: Class - {70AE7FE9-95AE-267B-C988-230E652CD32F} - C:\WINDOWS\SYSTEM\JAVAAM32.DLL
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YT.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TridTray] c:\windows\SYSTEM\tridtray.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [PspContr] PspContr.Exe
O4 - HKLM\..\Run: [PspUsbCf] PspUsbCf.exe
O4 - HKLM\..\Run: [PC Booster] C:\Program Files\inKline Global\PC Booster\pcbooster.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\SYSTEM\rmctrl.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NTL\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IEVJ.EXE] C:\WINDOWS\IEVJ.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [IEWS.EXE] C:\WINDOWS\SYSTEM\IEWS.EXE /s
O4 - HKCU\..\Run: [IntelProcNumUtility] "C:\Intel\Intel PSNCU\CpuNumber.exe" /nosplash
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Startup: Hays DX Address Plus.lnk = C:\Program Files\Hays DX Address Plus\APlus.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPSWF32.DLL
O12 - Plugin for .BMP: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab


----------



## Cheeseball81 (Mar 3, 2004)

The infection is still there. I see your IE is outdated too.

Repeat the steps from above, but when you get to Hijack This, these are the new fixes:

Run Hijack This and put a check by these entries:

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\roxgv.dll/sp.html#93256

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\roxgv.dll/sp.html#93256

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\roxgv.dll/sp.html#93256

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\roxgv.dll/sp.html#93256

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\roxgv.dll/sp.html#93256

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\roxgv.dll/sp.html#93256

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\roxgv.dll/sp.html#93256

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {E8682374-CCCD-9E10-850F-FE93425C7397} - C:\WINDOWS\IPQG.DLL (file missing)

O2 - BHO: Class - {70AE7FE9-95AE-267B-C988-230E652CD32F} - C:\WINDOWS\SYSTEM\JAVAAM32.DLL

O4 - HKLM\..\Run: [IEVJ.EXE] C:\WINDOWS\IEVJ.EXE

O4 - HKLM\..\RunServices: [IEWS.EXE] C:\WINDOWS\SYSTEM\IEWS.EXE /s*

Exit Hijack This.

These are the new things to use KillBox on:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

*C:\WINDOWS\system\roxgv.dll

C:\WINDOWS\SYSTEM\JAVAAM32.DLL

C:\WINDOWS\IEVJ.EXE

C:\WINDOWS\SYSTEM\IEWS.EXE *

Repeat the rest of the steps above.

Post a new log.


----------



## Tapeuup (Apr 6, 2005)

Well, I see Cheese hung in there as always! helen did you donate as promised?


----------



## Cheeseball81 (Mar 3, 2004)




----------



## Tapeuup (Apr 6, 2005)

promises...promises


----------

