# Solved: Win98se problems galore



## jdwest (Jul 30, 2005)

Running Win98se.
While out of town on an extended business trip, my wife had to disable McAfee security software in order to load and access some college software for a class she is taking.
Lots of problems going on now with the system. 
I have run Ad-Aware SE Personal on the system several times now and it seems to be finding a large number of items wrong. After it runs and I use the Quarantine/Delete tool, it just sits on that screen displaying a DELETING FILES script. Nothing seems to be happening and I have let it sit on this screen for an extended period thinking it might be taking a while due to the sheer number of items found, but nothing seems to ever happen, so the only way out of this screen is to shut Ad-Aware down.
I have also run SpyBot on the system and destroyed files it found.

Still seems to be some problems going on (popups, unidentified icons on the desktop, slow processing). Here's a copy of the Hijack This log I just ran:

Logfile of HijackThis v1.97.2
Scan saved at 3:13:01 AM, on 10/7/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE INTERNET SECURITY\GUARDDOG.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE INTERNET SECURITY\GUARDDOG.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\TRIDTRAY.EXE
C:\WINDOWS\MK9805.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\PROGRAM FILES\MEDIA\MEDIA\UPDATESTATS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://140.99.106.182/tlp/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://www.w50.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Broadband Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.searchv.com/1/
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.DLL (file missing)
O2 - BHO: (no name) - {6D4F4180-ED56-11D7-8C06-00E029617463} - C:\WINDOWS\SYSTEM\VFPFODBC.DLL
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-D3FA-F27BA787AD2D} - C:\PROGRA~1\POWERS~2\TOOLBAR\PWRSWMDA.DLL (file missing)
O3 - Toolbar: WhyPPC - {92F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\TOOLBAR.DLL
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TridTray] c:\windows\SYSTEM\tridtray.exe 
O4 - HKLM\..\Run: [CHotKey] mk9805.exe
O4 - HKLM\..\Run: [Excite Platform] C:\PROGRA~1\EXCITE\PLATFORM\ExLaunch.exe
O4 - HKLM\..\Run: [ATTRedUpate] C:\PROGRAM FILES\COMMON FILES\AT&T\REDCON\PROGRAMS\AutoUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [[email protected]] C:\WINDOWS\SYSTEM\GpoWx2Xc.exe
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\RUNDLL16.EXE
O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [McAfee Guardian] "c:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [VirusScanMSC] "C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE" /EMBEDDING
O4 - HKLM\..\Run: [Mount Safe & Sound] C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\SAFE&SOUND\FBMOUNT.EXE
O4 - HKLM\..\Run: [TB_setup] C:\WINDOWS\TEMP\TB_ANI~1.EXE /dcheck
O4 - HKLM\..\RunServices: [GuardDogEXE] "C:\PROGRAM FILES\MCAFEE\MCAFEE INTERNET SECURITY\GUARDDOG.EXE" /SERVICE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Default\HXIUL.EXE
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Default\Client\HelpExp.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "c:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE" "+b1"
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE" /autocheck
O4 - HKCU\..\RunOnce: [DelayShred] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\SHREDDER\SHRED32.EXE" /q C:\WINDOWS\TEMPOR~1\CONTENT.IE5\E4LC5O7O\COMCAS~2.SH!
O4 - Startup: sb.hta
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: WhyPPC (HKLM)
O9 - Extra 'Tools' menuitem: WhyPPC (HKLM)
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37876.5395138889

*Any help will be greatly appreciated!*


----------



## Hulk701 (Dec 5, 2003)

Questions:

1) Was the computer okay before your wife went out of town?
2) What exactly did your wife do to the computer just before she left? Disable McAfee Security?
3) Have you tried uninstalling McAfee Security and then running Adaware? Maybe they're in conflict with each other.
4) Was the 'college software' student software? Was it things like term papers that might have had bugs or viruses on it? That could be your problem right there....

I personally would never use McAfee Security or McAfee Antivirus. It just plain doesn't work. Too many bells and whistles and not enough bang. I used McAfee 8 antivirus. I had it for 4 days before I got rid of it. Tech Support was non-existent and it took up 4x as many resources as Norton AV.

I've also had problems with Spybot. My computer would only boot into Safe Mode two days after installing it. I haven't installed it since.

That's just my opinion. I'm sure you can find other people who say McAfee is Great and Spybot is super...

Good Luck,
HULK!


----------



## blues_harp28 (Jan 9, 2005)

Hi..Run two online Virus Scans..Double check McAfee...
http://housecall.trendmicro.com/
http://www.ravantivirus.com/scan/
See if that helps..Run latest HJT log..V1 99.1...link below..
Log experts will read your log and help...


----------



## flavallee (May 12, 2002)

Don't use *anything* from McAfee or Norton in that computer.  :down:

--------------------------------------------------------------

That is one massive startup list. 

Other than

*ScanRegistry
SystemTray
Antivirus program entries
Firewall program entries*

very few other programs need to load during startup and run in the background. :down:

----------------------------------------------------------------

These entries look suspicious to me: 

*O4 - HKLM\..\Run: [[email protected]] C:\WINDOWS\SYSTEM\GpoWx2Xc.exe

O4 - Startup: sb.hta

O4 - HKLM\..\Run: [TB_setup] C:\WINDOWS\TEMP\TB_ANI~1.EXE /dcheck*

but someone else will have to confirm that.

----------------------------------------------------------------

These entries are Xupiter-related "nasties": 

*O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe

O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe*

----------------------------------------------------------------

This entry appears to be a trojan virus: 

*O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\RUNDLL16.EXE*

---------------------------------------------------------------

You're using a very old version of HijackThis (1.97.2). You need to replace it with version 1.99.1.

---------------------------------------------------------------

Click Start - Find - Files And Folders, select the hard drive ( C: ) to look in, then delete *everything* that appears under:

`*.tmp`

`c:\temp\*.*`

`c:\windows\temp\*.*`

If a warning appears about a program not working if you delete these files, ignore the warning. It's all junk, so get rid of it.

----------------------------------------------------------------


----------



## MFDnNC (Sep 7, 2004)

[[email protected]] Peper infection

Go here http://www.thespykiller.co.uk/ and click on Downloads to get the peper trojan uninstaller.

Run the peper fix - Just click on the uninst.exe and let it run. When it is finished it will just close. There will be no dialogue. Also you must be connected to the internet for the uninstaller to be effective.


----------



## flavallee (May 12, 2002)

MFDnSC:

Thanks for jumping in to assist. I'm getting groggy-eyed with jumping back and forth in that log.


----------



## Flrman1 (Jul 26, 2002)

Also you are using a very old version of Hijack This.

Get rid of the old one and *Click here* to download the new one, come back here and post the log from it.


----------



## jdwest (Jul 30, 2005)

First, THANKS for everyone's input!!
Went through the posts and tried to knock out everything listed. Not sure on what needs to be marked on HijackThis to clean up the Startup situation noted. Cleaned out the Temp folders as noted. Used Housecall mentioned in one of the first replies and it seemed to knock out a few things that Flavallee's reply mentioned to delete. Did not see the Xupiter and Rundll16 items in there. Used Spykiller site to run the download for the Peper trojan infection. What is the next step??

Here's the latest HijackThis log, using the new version of HJT:

Logfile of HijackThis v1.99.1
Scan saved at 5:40:03 PM, on 7/30/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\ETB\POKAPOKA62.EXE
C:\WINDOWS\SYSTEM\QOSSN1.EXE
C:\PROGRAM FILES\CAS\CLIENT\CASCLIENT.EXE
C:\WINDOWS\SYSTEM\PUBIAGN.EXE
C:\PROGRAM FILES\TBAS\BHAR.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\BRRLPZP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\EZULA\MMOD.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\CALC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Broadband Internet
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\PROGRAM FILES\SURFSIDEKICK 3\SSKBHO.DLL
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\DSR.DLL
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O4 - HKLM\..\Run: [brrlpzp] c:\windows\system\brrlpzp.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [lscuhc] C:\WINDOWS\SYSTEM\lscuhc.exe
O4 - HKLM\..\Run: [SystemService] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\ETB\POKAPOKA62.EXE
O4 - HKLM\..\Run: [om2Q36R] QOSSN1.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Default\HXIUL.EXE
O4 - HKCU\..\Run: [SurfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [ZDt4RWdni] PUBIAGN.EXE
O4 - HKCU\..\Run: [Uhte] C:\Program Files\tbas\bhar.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {55E9B640-D33E-11D4-8C04-00E029617463} - (no file) (HKCU)
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19a2712307574ab33614/netzip/RdxIE601.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c420.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\PROGRAM FILES\CAS\CLIENT\CASMF.DLL


----------



## Flrman1 (Jul 26, 2002)

* Go *here* to download CCleaner.
Install CCleaner
Launch CCleaner and look in the upper right corner and click on the "Options" button. 
Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours". 
Click OK
Do not run CCleaner yet. You will run it later in safe mode.

* *Click Here* and download Killbox and save it to your desktop.

* *Click here* to download CWSinstall.exe. Click on the CWSinstall.exe file and it will install CWShredder. *Do Not* run it yet.

* *Click here* to download elitebarfix.zip. Download it and save it to your desktop. 
Unzip the file to extract the elitebarfix.bat file it contains and have it ready to run later in safe mode.

* *Click here* for info on how to boot to safe mode if you don't already know how.

* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to.

* Go to Add/Remove programs and uninstall these if present:

*Surfsidekick 3
Help Express
Alset*

* Run Hijack This again and put a check by these. Close *ALL* windows except HijackThis and click "Fix checked"

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\PROGRAM FILES\SURFSIDEKICK 3\SSKBHO.DLL

O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\DSR.DLL

O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL

O4 - HKLM\..\Run: [brrlpzp] c:\windows\system\brrlpzp.exe

O4 - HKLM\..\Run: [SurfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe

O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun

O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe

O4 - HKLM\..\Run: [lscuhc] C:\WINDOWS\SYSTEM\lscuhc.exe

O4 - HKLM\..\Run: [SystemService] C:\WINDOWS\etb\pokapoka62.exe

O4 - HKLM\..\Run: [System service62] C:\WINDOWS\ETB\POKAPOKA62.EXE

O4 - HKLM\..\Run: [om2Q36R] QOSSN1.EXE

O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Default\HXIUL.EXE

O4 - HKCU\..\Run: [SurfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe

O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"

O4 - HKCU\..\Run: [ZDt4RWdni] PUBIAGN.EXE

O4 - HKCU\..\Run: [Uhte] C:\Program Files\tbas\bhar.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {55E9B640-D33E-11D4-8C04-00E029617463} - (no file) (HKCU)

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19a2712307574a...ip/RdxIE601.cab

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M...bridge-c420.cab

O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\PROGRAM FILES\CAS\CLIENT\CASMF.DLL*

* Restart your computer into safe mode now. Perform the following steps in safe mode:

* Double-click on Killbox.exe to run it. Now put a tick by *Standard File Kill*. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

*c:\windows\system\brrlpzp.exe

C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe

C:\WINDOWS\dinst.exe

C:\WINDOWS\SYSTEM\lscuhc.exe

C:\WINDOWS\etb\pokapoka62.exe

C:\WINDOWS\SYSTEM\QOSSN1.EXE

C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe

C:\Program Files\Cas\Client\casclient.exe

C:\WINDOWS\SYSTEM\PUBIAGN.EXE

C:\WINDOWS\RUNDLL16.EXE

C:\Windows\Start Menu\Programs\Startup\sb.hta

C:\Program Files\tbas\bhar.exe*

*Note:* It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.

* Delete these folders:

C:\PROGRAM FILES\*SURFSIDEKICK 3*
C:\Program Files\*tbas*
C:\Program Files\*Alset*
C:\Program Files\*Cas*
C:\WINDOWS\*ETB*
C:\Program Files\*Orbit*

* Doubleclick on the *elitebarfix.bat* file to run it.

* Run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.

* Start Ccleaner and click *Run Cleaner*

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

* Restart back into Windows normally now.

* Run ActiveScan online virus scan *here*

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

*Post a new HiJackThis log along with the results from ActiveScan*


----------
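As an added illustration (this is not code from the thread, from HijackThis or from any of the tools named above), here is a small Python parser for the HijackThis log format posted in this thread. It applies, mechanically, the same checks the helpers apply by eye (search pages redirected to a hijacker host or a bare IP, entries whose target file is missing, autoruns launched from a temp folder, an .hta in Startup, ActiveX downloaded from a bare IP, a text/html filter) and lists which entries are new between two logs. The hijacker host list and the log excerpts are taken from the logs in this thread; the heuristics themselves are this example's own assumptions, not an authoritative rule set.

```python
"""Parse HijackThis-style logs and flag the kinds of entries discussed in this thread."""
import re
from dataclasses import dataclass

# One HijackThis line: a section code (R0, R1, O4, O16, ...), " - ", then the detail.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")

# Hosts the logs in this thread were redirected to (assumption: a hand-built list for
# the example; a real check would use a maintained blocklist).
HIJACK_HOSTS = {"websearch.drsnsrch.com", "searchv.com", "searchmiracle.com", "w50.com"}
BARE_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass(frozen=True)
class Entry:
    code: str
    body: str


def parse_log(text: str) -> list:
    """Keep only the R/F/N/O entry lines; the header and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["code"], m["body"].strip()))
    return entries


def _host_after_equals(body: str) -> str:
    """'Main,Search Bar = http://host/path' -> 'host'; HJT sometimes omits the scheme."""
    m = re.search(r"=\s*(?:https?://)?([^/\s]+)", body)
    return m.group(1).lower() if m else ""


def reasons_for(e: Entry) -> list:
    """Heuristics mirroring what the helpers in this thread looked for (assumptions)."""
    reasons = []
    up = e.body.upper()
    if e.code in ("R0", "R1"):
        host = _host_after_equals(e.body)
        if host and (BARE_IP_RE.match(host)
                     or any(host == h or host.endswith("." + h) for h in HIJACK_HOSTS)):
            reasons.append("search/start page redirected to hijacker host or bare IP")
    if "(FILE MISSING)" in up or "(NO FILE)" in up:
        reasons.append("stale entry whose target no longer exists")
    if e.code == "O4":
        if "\\TEMP\\" in up:
            reasons.append("autorun launched from a temp folder")
        if up.endswith(".HTA"):
            reasons.append("HTML application in the Startup folder")
    if e.code == "O16" and re.search(r"https?://\d{1,3}(?:\.\d{1,3}){3}/", e.body):
        reasons.append("ActiveX control downloaded from a bare IP address")
    if e.code == "O18" and up.startswith("FILTER: TEXT/HTML"):
        reasons.append("text/html MIME filter sees every page IE renders")
    return reasons


def flagged(text: str) -> list:
    """(entry, reasons) for every entry at least one heuristic fires on, in log order."""
    return [(e, r) for e in parse_log(text) if (r := reasons_for(e))]


def new_entries(old_text: str, new_text: str) -> list:
    """Entries in the newer log that were not in the older one (exact-line comparison)."""
    seen = set(parse_log(old_text))
    return [e for e in parse_log(new_text) if e not in seen]


# Short excerpts of the first and second logs posted in this thread (constructed sample input).
OLD_LOG = r"""Logfile of HijackThis v1.97.2
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://140.99.106.182/tlp/search.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TB_setup] C:\WINDOWS\TEMP\TB_ANI~1.EXE /dcheck
O4 - Startup: sb.hta
"""

NEW_LOG = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [om2Q36R] QOSSN1.EXE
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19a2712307574ab33614/netzip/RdxIE601.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\PROGRAM FILES\CAS\CLIENT\CASMF.DLL
"""

if __name__ == "__main__":
    for label, log in (("first log", OLD_LOG), ("second log", NEW_LOG)):
        print(f"== {label}: {len(parse_log(log))} entries, {len(flagged(log))} flagged")
        for e, reasons in flagged(log):
            print(f"  {e.code} - {e.body}\n      -> {'; '.join(reasons)}")
    print("== entries that appeared between the two logs:")
    for e in new_entries(OLD_LOG, NEW_LOG):
        print(f"  {e.code} - {e.body}")
```

Entries with random-looking names such as `[om2Q36R] QOSSN1.EXE` pass these heuristics untouched; deciding those still needs a person looking at the path and the name, as the helpers do in this thread.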



## jdwest (Jul 30, 2005)

Flrman1,
Wanting to make sure that I follow your instructions to the "T". Downloaded CCleaner and launched it, but there is not an "Options" button in the upper right corner of the screen. Here is a screen shot of the CCleaner window:

Where else can I find the "Only delete files in Windows temp folders older than 48 hours" option to remove the checkmark??


----------



## flavallee (May 12, 2002)

jdwest:

You've jumped the gun with the startup list and you've disabled some crucial entries that need to remain checked and enabled. Go back into the MSCONFIG "Startup" tab and recheck and enable *everything* in there, reboot, run another HijackThis scan, then post the log here. You really don't want to uncheck and disable any entries while we're dealing with your problems, unless we advise you otherwise.


----------



## jdwest (Jul 30, 2005)

A little confused right now.
Flavallee, should I finish up with the list of things that Flrman1 has in the post prior to your last one, or should I do this MSCONFIG startup tab item first??
Sorry about "jumping the gun" on deleting some things! I'll await a response from you or Flrman1 before proceeding any further.
Thanks!


----------



## Flrman1 (Jul 26, 2002)

Go ahead with my directions. I went back and included the files that were in your first log to be deleted. After you have completed my instructions you can enable those in msconfig and we can remove the leftover Run entries.

I need to update my directions for Ccleaner. The options button is in the left column now below Tools.


----------



## flavallee (May 12, 2002)

Go ahead and finish with Flrman1's instructions.

I was mainly concerned in having you get *ScanRegistry* and *SystemTray* rechecked and enabled. Those 2 and your antivirus and firewall programs should always remain checked and enabled.

I should've made it clear to you earlier not to mess around with the startup list until we advised you to. Sorry!


----------



## jdwest (Jul 30, 2005)

Flrman1,
Copy of the ActiveScan report is attached:

Here's the latest HijackThis report:
Logfile of HijackThis v1.99.1
Scan saved at 4:16:09 AM, on 7/31/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE
C:\WINDOWS\SYSTEM\QOSVOX.EXE
C:\PROGRAM FILES\EZULA\MMOD.EXE
C:\PROGRAM FILES\WEB OFFER\WO.EXE
C:\PROGRAM FILES\TBAS\BHAR.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\BRRLPZP.EXE
C:\WINDOWS\SYSTEM\CFGWIZ32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Broadband Internet
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\DSR.DLL
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [om2Q36R] QOSVOX.EXE
O4 - HKLM\..\Run: [brrlpzp] c:\windows\system\brrlpzp.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [Uhte] C:\Program Files\tbas\bhar.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab

Ready for the next step!

Question: With the consensus seeming to be that McAfee is not very good and it is not loaded at this time, what would you recommend buying or downloading for protection??


----------



## flavallee (May 12, 2002)

Grisoft AVG Free Edition 7.0 is the most recommended one, if you want one for free.

I use Computer Associates ETrust EZ Antivirus 2005, but it's not free.


----------



## Flrman1 (Jul 26, 2002)

Well it looks like your problems are bigger than we thought at first. I'm certain at this point that you have an L2M/VX2 infection which is going to take a bit of time to remove. If I am correct and you do have l2m, there will be quite a few files we will have to delete in DOS so we need to create a boot disk first.

Follow the directions here to create a Boot disk:

http://www.microsoft.com/windows98/usingwindows/maintaining/tips/beginner/Bootdisk.asp

*Note:* It says to use a 1.2mb disk, but a 1.44mb disk will work.

Also run the following programs and post the resulting logs:

*Click Here* and download the VX2Finder9x.exe tool. Click on the VX2Finder9x.exe and then click on the *Click to Find VX2.Betterinternet* button. It will display the files, and User Agent string. Now click the *Make Log* button. It will open the log in notepad. Copy and paste that log here.

Also *Click here* to download DLLCompare.exe.

Save it to your desktop.

Now run DllCompare and click on the *RunLocate.com* button. It will scan for the hidden files. When it is finished, you will see in blue "Completed the scan, Click Compare to Continue", at which time you will click the *Compare* button.

It will sort through the files it found and determine which should be flagged as "No access" and display them in the lower box.
In a few minutes it will complete then you will see in blue Completed.
Click the *Make a Log of what was Found* button. It will ask if you want to view the logfile. Click Yes then copy and paste that log in your next reply.

*Click here* to download FindIt9xME.zip. Unzip it to your desktop.

Doubleclick on the find.bat file and let it run. It may take as long as ten minutes to run. When it is finished it will produce an output.txt file. Copy and paste the contents of output.txt here please.


----------



## jdwest (Jul 30, 2005)

Flrman1,
Here's the VX2.Betterinternet log:
Log for VX2.BetterInternet File Finder

Files Found---

User Agent String---
{CBE3B6C9-0D81-7A9E-14C5-030A8AA21040}
Here's the DllCompare log:
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM\twapi.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\dumigr.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\muimrt.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\pspndi.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\iistapi.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\oqe32.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\dwcprop.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\hzfimg15.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\iustsch.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\tipelib.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\mfvcp50.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\aflddial.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\edhsig.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\crm.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\hnfmrl15.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\mmab32.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\iistsch.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\aufaxp32.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\mpidle.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\aedevl16.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\mhcoleui.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\majt3032.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\kpuser.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\dl16gt.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\lncmgr10.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\sknscfg.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\mepi.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\mgyuv.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\wisdmod.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
________________________________________________

920 items found: 920 files (29 H/S), 0 directories.
Total of file sizes: 200,607,121 bytes 191.31 M

--------------------End log---------------------

The FindIt9xME log is attached.


----------



## Flrman1 (Jul 26, 2002)

I know I asked you to make the boot disk to delete these files and we may yet have to do so, but I just want to try this to see if by chance or fluke that the VX2Finder will delete those files for us and save some trouble. It's worth a try to see if it will.

Close *ALL* running programs and windows except VX2Finder. Sign off and stay off the internet until the entire procedure is complete.

Run VX2Finder and check off all those files found and click the *Delete these Files* button.
(for as many as you have)

Next click the *UserAgent$* button (to remove that reg value)

Then click the *Import.reg* (to repair QuickLaunch Toolbar)

Finally click the *Restore Desktop* ...to restore the desktop (Explorer.exe will end while doing this fix)

*Restart your computer*

Download the Hoster from *here* . UnZip the file and press "Restore Original Hosts" and press "OK". Exit Program.

Run VX2 Finder and post another log from it and Hijack This.


----------



## jdwest (Jul 30, 2005)

Flrman1,
When I ran VX2Finder it did not find any files to do the "Delete these files" step. Did I possibly do something wrong on running that?? I opened the VX2 Finder .exe and then clicked on "Click to Find VX2.BetterInternet".

Here's the VX2 log:
Log for VX2.BetterInternet File Finder

Files Found---

User Agent String---
{CBE3B6C9-0D81-7A9E-14C5-030A8AA21040}

Here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:24:39 PM, on 7/31/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE
C:\WINDOWS\SYSTEM\QOSVOX.EXE
C:\WINDOWS\SYSTEM\BRRLPZP.EXE
C:\PROGRAM FILES\EZULA\MMOD.EXE
C:\PROGRAM FILES\WEB OFFER\WO.EXE
C:\WINDOWS\SYSTEM\MOBUST.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\MOBUST.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\WINDOWS\SYSTEM\CFGWIZ32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\VX2FINDER9X.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Broadband Internet
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\DSR.DLL
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [om2Q36R] QOSVOX.EXE
O4 - HKLM\..\Run: [brrlpzp] c:\windows\system\brrlpzp.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [Uhte] C:\Program Files\tbas\bhar.exe
O4 - HKCU\..\Run: [MOBUST] C:\WINDOWS\SYSTEM\MOBUST.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab


----------



## Flrman1 (Jul 26, 2002)

I made a mistake. I just reviewed the post you made with the VX2Finder log etc., and I see now that I misread it. I thought that VX2Finder had identified the VX2 files in its log, but I see now that it did not, so there were no files in it for you to have it delete according to my last instructions. My bad.

We are going to have to delete the files in DOS, so run DllCompare and find.bat again and post those logs again please. I want to be sure nothing has changed before I give you directions.


----------



## jdwest (Jul 30, 2005)

Flrman1,

Here's the DllCompare log:
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM\twapi.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\dumigr.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\muimrt.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\pspndi.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\iistapi.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\oqe32.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\dwcprop.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\hzfimg15.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\iustsch.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\tipelib.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\mfvcp50.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\uver32.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\aflddial.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\edhsig.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\crm.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\hnfmrl15.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\mmab32.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\iistsch.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\recltc5.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\mviqtz32.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\aufaxp32.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\mpidle.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\aedevl16.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\mhcoleui.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\majt3032.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\kpuser.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\dl16gt.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\lncmgr10.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\sknscfg.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\mepi.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\mgyuv.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\wisdmod.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
________________________________________________

923 items found: 923 files (32 H/S), 0 directories.
Total of file sizes: 201,823,633 bytes 192.47 M

--------------------End log---------------------

Here's the FindIt9xME log:
Warning! This utility will find legitimate files in addition to malware. 
Do not remove anything unless you are sure you know what you're doing.

 ------- System Files in System Directory -------

Volume in drive C is POWERSPEC 
Volume Serial Number is 1E47-17DB
Directory of C:\WINDOWS\SYSTEM

BHAR EXE 82,432 08-01-05 9:57a bhar.exe
TWAPI DLL 405,504 07-26-05 9:05p TWAPI.DLL
DUMIGR DLL 405,504 07-26-05 9:05p DUMIGR.DLL
MUIMRT DLL 405,504 07-26-05 9:05p MUIMRT.DLL
PSPNDI DLL 405,504 07-26-05 9:05p PSPNDI.DLL
IISTAPI DLL 405,504 07-26-05 9:05p IISTAPI.DLL
OQE32 DLL 405,504 07-26-05 9:05p OQE32.DLL
DWCPROP DLL 405,504 07-26-05 9:05p DWCPROP.DLL
HZFIMG15 DLL 405,504 07-26-05 9:05p HZFimg15.dll
IUSTSCH DLL 405,504 07-26-05 9:05p IUSTSCH.DLL
TIPELIB DLL 405,504 07-26-05 9:05p TIPELIB.DLL
MFVCP50 DLL 405,504 07-26-05 9:05p MFVCP50.DLL
UVER32 DLL 405,504 07-26-05 9:05p UVER32.DLL
AFLDDIAL DLL 405,504 07-26-05 9:05p aflddial.dll
EDHSIG DLL 405,504 07-26-05 9:05p edhsig.dll
CRM DLL 405,504 07-26-05 9:05p CRM.DLL
HNFMRL15 DLL 405,504 07-26-05 9:05p HNFmrl15.dll
MMAB32 DLL 405,504 07-26-05 9:05p MMAB32.DLL
IISTSCH DLL 405,504 07-26-05 9:05p IISTSCH.DLL
RECLTC5 DLL 405,504 07-26-05 9:05p RECLTC5.DLL
MVIQTZ32 DLL 405,504 07-26-05 9:05p MVIQTZ32.DLL
AUFAXP32 DLL 405,504 07-26-05 9:05p AUFAXP32.DLL
MPIDLE DLL 405,504 07-26-05 9:05p MPIDLE.DLL
AEDEVL16 DLL 405,504 07-26-05 9:05p AEDEVL16.DLL
MHCOLEUI DLL 405,504 07-26-05 9:05p MHCOLEUI.DLL
MAJT3032 DLL 405,504 07-26-05 9:05p MAJT3032.DLL
KPUSER DLL 405,504 07-26-05 9:05p KPUSER.DLL
DL16GT DLL 405,504 07-26-05 9:05p DL16GT.DLL
LNCMGR10 DLL 405,504 07-26-05 9:05p lncmgr10.dll
SKNSCFG DLL 405,504 07-26-05 9:05p sknscfg.dll
MEPI DLL 405,504 07-26-05 9:05p MEPI.DLL
MGYUV DLL 405,504 07-26-05 9:05p mgyuv.dll
WISDMOD DLL 405,504 07-26-05 9:05p wisdmod.dll
33 file(s) 13,058,560 bytes
0 dir(s) 7,489.05 MB free

------- Hidden Files in System Directory -------

Volume in drive C is POWERSPEC 
Volume Serial Number is 1E47-17DB
Directory of C:\WINDOWS\SYSTEM

BHAR EXE 82,432 08-01-05 9:57a bhar.exe
VIDCTRL 07-27-05 12:52a vidctrl
NSVSVC 07-27-05 12:52a nsvsvc
VX3X NLS 8,192 07-26-05 9:12p VX3X.NLS
VX3 NLS 8,192 07-26-05 9:12p VX3.NLS
VX2 NLS 8,192 07-26-05 9:12p VX2.NLS
VX2X NLS 8,192 07-26-05 9:12p VX2X.NLS
HPF89T15 GID 8,628 05-07-04 2:52p HPF89t15.GID
FOLDER HTT 13,122 01-10-00 10:40a folder.htt
DESKTOP INI 266 01-10-00 10:40a desktop.ini
8 file(s) 137,216 bytes
2 dir(s) 7,489.03 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{CBE3B6C9-0D81-7A9E-14C5-030A8AA21040}"=""

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
twapi.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
dumigr.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
muimrt.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
pspndi.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
iistapi.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
oqe32.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
dwcprop.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
hzfimg15.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
iustsch.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
tipelib.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
mfvcp50.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
uver32.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
aflddial.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
edhsig.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
crm.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
hnfmrl15.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
vx2.nls Tue Jul 26 2005 9:12:28p ...HR 8,192 8.00 K
mmab32.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
iistsch.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
recltc5.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
mviqtz32.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
bhar.exe Mon Aug 1 2005 9:57:54a ..SHR 82,432 80.50 K
aufaxp32.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
mpidle.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
vx2x.nls Tue Jul 26 2005 9:12:28p ...HR 8,192 8.00 K
vx3x.nls Tue Jul 26 2005 9:12:36p ...HR 8,192 8.00 K
vx3.nls Tue Jul 26 2005 9:12:36p ...HR 8,192 8.00 K
aedevl16.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
mhcoleui.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
majt3032.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
kpuser.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
dl16gt.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
lncmgr10.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
sknscfg.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
mepi.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
mgyuv.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
wisdmod.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K

37 items found: 37 files, 0 directories.
Total of file sizes: 13,091,328 bytes 12.48 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.751: TROJ_QOOLOGIC.P
C:\WINDOWS\VPTNFILE.751: TROJ_QOOLOGIC.N
C:\WINDOWS\VPTNFILE.751: TROJ_QOOLOGIC.I
C:\WINDOWS\VPTNFILE.751: TROJ_QOOLOGIC.H
C:\WINDOWS\VPTNFILE.751: TROJ_QOOLOGIC.E
C:\WINDOWS\VPTNFILE.751: TROJ_QOOLOGIC.D
C:\WINDOWS\VPTNFILE.751: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.751: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.751: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.751: TROJ_QOOLOGIC.A
C:\WINDOWS\lpt$vpn.751: TROJ_QOOLOGIC.P
C:\WINDOWS\lpt$vpn.751: TROJ_QOOLOGIC.N
C:\WINDOWS\lpt$vpn.751: TROJ_QOOLOGIC.I
C:\WINDOWS\lpt$vpn.751: TROJ_QOOLOGIC.H
C:\WINDOWS\lpt$vpn.751: TROJ_QOOLOGIC.E
C:\WINDOWS\lpt$vpn.751: TROJ_QOOLOGIC.D
C:\WINDOWS\lpt$vpn.751: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.751: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.751: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.751: TROJ_QOOLOGIC.A

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\shop1004.exe: .aspack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results ------------- 
C:\WINDOWS\SYSTEM\TWAPI.DLL: InitUMonitor
C:\WINDOWS\SYSTEM\TWAPI.DLL: UMonitor
C:\WINDOWS\SYSTEM\TWAPI.DLL: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\DUMIGR.DLL: InitUMonitor
C:\WINDOWS\SYSTEM\DUMIGR.DLL: UMonitor
C:\WINDOWS\SYSTEM\DUMIGR.DLL: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\MUIMRT.DLL: InitUMonitor
C:\WINDOWS\SYSTEM\MUIMRT.DLL: UMonitor
C:\WINDOWS\SYSTEM\MUIMRT.DLL: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\PSPNDI.DLL: InitUMonitor
C:\WINDOWS\SYSTEM\PSPNDI.DLL: UMonitor
C:\WINDOWS\SYSTEM\PSPNDI.DLL: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\PXPNDI.DLL: InitUMonitor
C:\WINDOWS\SYSTEM\PXPNDI.DLL: UMonitor
C:\WINDOWS\SYSTEM\PXPNDI.DLL: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\IISTAPI.DLL: InitUMonitor
C:\WINDOWS\SYSTEM\IISTAPI.DLL: UMonitor
C:\WINDOWS\SYSTEM\IISTAPI.DLL: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\OQE32.DLL: InitUMonitor
C:\WINDOWS\SYSTEM\OQE32.DLL: UMonitor
C:\WINDOWS\SYSTEM\OQE32.DLL: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\DWCPROP.DLL: InitUMonitor
C:\WINDOWS\SYSTEM\DWCPROP.DLL: UMonitor
C:\WINDOWS\SYSTEM\DWCPROP.DLL: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\HZFimg15.dll: InitUMonitor
C:\WINDOWS\SYSTEM\HZFimg15.dll: UMonitor
C:\WINDOWS\SYSTEM\HZFimg15.dll: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\IUSTSCH.DLL: InitUMonitor
C:\WINDOWS\SYSTEM\IUSTSCH.DLL: UMonitor
C:\WINDOWS\SYSTEM\IUSTSCH.DLL: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\TIPELIB.DLL: InitUMonitor
C:\WINDOWS\SYSTEM\TIPELIB.DLL: UMonitor
C:\WINDOWS\SYSTEM\TIPELIB.DLL: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\MFVCP50.DLL: InitUMonitor
C:\WINDOWS\SYSTEM\MFVCP50.DLL: UMonitor
C:\WINDOWS\SYSTEM\MFVCP50.DLL: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\UVER32.DLL: InitUMonitor
C:\WINDOWS\SYSTEM\UVER32.DLL: UMonitor
C:\WINDOWS\SYSTEM\UVER32.DLL: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\aflddial.dll: InitUMonitor
C:\WINDOWS\SYSTEM\aflddial.dll: UMonitor
C:\WINDOWS\SYSTEM\aflddial.dll: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\edhsig.dll: InitUMonitor
C:\WINDOWS\SYSTEM\edhsig.dll: UMonitor
C:\WINDOWS\SYSTEM\edhsig.dll: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\CRM.DLL: InitUMonitor
C:\WINDOWS\SYSTEM\CRM.DLL: UMonitor
C:\WINDOWS\SYSTEM\CRM.DLL: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\HNFmrl15.dll: InitUMonitor
C:\WINDOWS\SYSTEM\HNFmrl15.dll: UMonitor
C:\WINDOWS\SYSTEM\HNFmrl15.dll: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\MMAB32.DLL: InitUMonitor
C:\WINDOWS\SYSTEM\MMAB32.DLL: UMonitor
C:\WINDOWS\SYSTEM\MMAB32.DLL: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\IISTSCH.DLL: InitUMonitor
C:\WINDOWS\SYSTEM\IISTSCH.DLL: UMonitor
C:\WINDOWS\SYSTEM\IISTSCH.DLL: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\RECLTC5.DLL: InitUMonitor
C:\WINDOWS\SYSTEM\RECLTC5.DLL: UMonitor
C:\WINDOWS\SYSTEM\RECLTC5.DLL: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\MVIQTZ32.DLL: InitUMonitor
C:\WINDOWS\SYSTEM\MVIQTZ32.DLL: UMonitor
C:\WINDOWS\SYSTEM\MVIQTZ32.DLL: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\AUFAXP32.DLL: InitUMonitor
C:\WINDOWS\SYSTEM\AUFAXP32.DLL: UMonitor
C:\WINDOWS\SYSTEM\AUFAXP32.DLL: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\MPIDLE.DLL: InitUMonitor
C:\WINDOWS\SYSTEM\MPIDLE.DLL: UMonitor
C:\WINDOWS\SYSTEM\MPIDLE.DLL: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\AEDEVL16.DLL: InitUMonitor
C:\WINDOWS\SYSTEM\AEDEVL16.DLL: UMonitor
C:\WINDOWS\SYSTEM\AEDEVL16.DLL: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\MHCOLEUI.DLL: InitUMonitor
C:\WINDOWS\SYSTEM\MHCOLEUI.DLL: UMonitor
C:\WINDOWS\SYSTEM\MHCOLEUI.DLL: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\MAJT3032.DLL: InitUMonitor
C:\WINDOWS\SYSTEM\MAJT3032.DLL: UMonitor
C:\WINDOWS\SYSTEM\MAJT3032.DLL: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\KPUSER.DLL: InitUMonitor
C:\WINDOWS\SYSTEM\KPUSER.DLL: UMonitor
C:\WINDOWS\SYSTEM\KPUSER.DLL: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\DL16GT.DLL: InitUMonitor
C:\WINDOWS\SYSTEM\DL16GT.DLL: UMonitor
C:\WINDOWS\SYSTEM\DL16GT.DLL: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\lncmgr10.dll: InitUMonitor
C:\WINDOWS\SYSTEM\lncmgr10.dll: UMonitor
C:\WINDOWS\SYSTEM\lncmgr10.dll: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\sknscfg.dll: InitUMonitor
C:\WINDOWS\SYSTEM\sknscfg.dll: UMonitor
C:\WINDOWS\SYSTEM\sknscfg.dll: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\MEPI.DLL: InitUMonitor
C:\WINDOWS\SYSTEM\MEPI.DLL: UMonitor
C:\WINDOWS\SYSTEM\MEPI.DLL: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\mgyuv.dll: InitUMonitor
C:\WINDOWS\SYSTEM\mgyuv.dll: UMonitor
C:\WINDOWS\SYSTEM\mgyuv.dll: /cgi-bin/UMonitorV2
C:\WINDOWS\SYSTEM\wisdmod.dll: InitUMonitor
C:\WINDOWS\SYSTEM\wisdmod.dll: UMonitor
C:\WINDOWS\SYSTEM\wisdmod.dll: /cgi-bin/UMonitorV2

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AutoUpdater"="\"c:\\Program Files\\AutoUpdate\\AutoUpdate.exe\""
"om2Q36R"="QOSVOX.EXE"
"brrlpzp"="c:\\windows\\system\\brrlpzp.exe"
"Dinst"="C:\\WINDOWS\\dinst.exe"


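The pattern Flrman1 is reading in the DllCompare and Locate.com listings above (dozens of random-named DLLs sharing one byte size, one timestamp and the System+ReadOnly attributes) can be checked mechanically. The Python script below is an added example, not part of this thread or of any tool named in it: it parses listing lines in the format shown in the logs, groups hidden/system files by (size, timestamp) and reports clusters. Its sample listing is a few lines copied from the logs above plus one constructed benign line (desktop.ini), and the three-member threshold is an assumption.

```python
"""Flag L2M/VX2-style file clusters in a DllCompare or Locate.com listing.

Heuristic taken from the logs in this thread: the dropped DLLs share one byte
size (405,504), one timestamp (Jul 26 2005 9:05:26p) and the System+ReadOnly
attributes, while their names are random. Legitimate system files rarely share
all three, so a cluster of same-size, same-stamp hidden/system files is a
strong lead for what to clean up.
"""
import re
from collections import defaultdict

# One listing line: <path-or-name> <Day Mon D YYYY h:mm:ssa|p> <5-char attrs> <size> <human size>
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+"
    r"(?P<stamp>[A-Za-z]{3} [A-Za-z]{3} \d{1,2} \d{4} \d{1,2}:\d{2}:\d{2}[ap])\s+"
    r"(?P<attrs>[.A-Z]{5})\s+"
    r"(?P<size>\d[\d,]*)\b"
)

# Sample listing: lines copied from the DllCompare / Locate.com logs in this thread,
# plus one constructed benign line (desktop.ini) to show a lone hidden file is not flagged.
SAMPLE_LOG = r"""
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
________________________________________________

C:\WINDOWS\SYSTEM\twapi.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\dumigr.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\muimrt.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
C:\WINDOWS\SYSTEM\uver32.dll Tue Jul 26 2005 9:05:26p ..S.R 405,504 396.00 K
vx2.nls Tue Jul 26 2005 9:12:28p ...HR 8,192 8.00 K
vx2x.nls Tue Jul 26 2005 9:12:28p ...HR 8,192 8.00 K
vx3x.nls Tue Jul 26 2005 9:12:36p ...HR 8,192 8.00 K
vx3.nls Tue Jul 26 2005 9:12:36p ...HR 8,192 8.00 K
bhar.exe Mon Aug 1 2005 9:57:54a ..SHR 82,432 80.50 K
desktop.ini Mon Jan 10 2000 10:40:00a ...H. 266 0.26 K
________________________________________________

923 items found: 923 files (32 H/S), 0 directories.
"""


def parse_listing(text):
    """Return one dict per file line; headers, rules and totals are skipped."""
    files = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        files.append({
            # keep only the base name so full-path and bare-name lines compare alike
            "name": m.group("name").rsplit("\\", 1)[-1].lower(),
            "stamp": m.group("stamp"),
            "attrs": m.group("attrs"),
            "size": int(m.group("size").replace(",", "")),
        })
    return files


def is_hidden_or_system(attrs):
    """Attribute column as shown in the logs: S = System, H = Hidden, R = Read-only."""
    return "S" in attrs or "H" in attrs


def find_clusters(files, min_members=3):
    """Group hidden/system files by (size, timestamp); keep groups of min_members or more.

    min_members=3 is an assumed threshold; pairs of same-size files are common
    in legitimate installs, larger same-stamp groups of hidden DLLs are not.
    """
    groups = defaultdict(list)
    for f in files:
        if is_hidden_or_system(f["attrs"]):
            groups[(f["size"], f["stamp"])].append(f["name"])
    clusters = [(key, sorted(names)) for key, names in groups.items()
                if len(names) >= min_members]
    clusters.sort(key=lambda kv: -len(kv[1]))   # biggest cluster first
    return clusters


def report(text, min_members=3):
    """Human-readable summary of the clusters found in a listing."""
    files = parse_listing(text)
    clusters = find_clusters(files, min_members)
    lines = [f"{len(files)} file lines parsed; {len(clusters)} suspicious cluster(s)"]
    for (size, stamp), names in clusters:
        lines.append(f"  {len(names)} files, {size:,} bytes, {stamp}: {', '.join(names)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the full DllCompare log above, the 405,504-byte cluster comes back with all of the DLLs Flrman1 later puts in delete.bat; lowering min_members to 2 also surfaces the paired vx2/vx3 .nls files.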
----------



## Flrman1 (Jul 26, 2002)

* I am attaching a delete.zip file to this post. Download it and save it to your desktop. 
Unzip the delete.zip file to extract the delete.bat file to C:\. After extracting to C:, you should have a C:\delete.bat file sitting separately on C:. Make sure that you *do not* have it extracted to a C:\delete folder. You will be running the bat file from DOS and it will not work if the file is not where it should be.

* Put the boot floppy in the floppy drive and restart your computer. As it boots to the floppy, it will ask you if you want to start with CD-ROM support. It doesn't matter if you do or don't. Hit Enter. When you get to the *A:\>* prompt type:

*C:*

Hit enter.

At the C:\> prompt type the following command:

*delete.bat*

Let the batch file run.

* After the batch has run, remove the boot disk from the drive and hit the Ctrl + Alt + Del keys simultaneously to reboot.

* Once you are back in Windows, do the following:

* Run VX2Finder. Click on the "Click to Find VX2.Betterinternet" button, then click the "User Agent" button.

*Now restart your computer.*

* Download the Hoster from *here* . UnZip the file and press "Restore Original Hosts" and press "OK". Exit the Hoster.

* Finally, run find.bat again. Let it run as you did before and it will produce another output.txt file. Copy that log, then hit any key to close find.bat. Post the contents of the new output.txt file here along with a new HijackThis log and a new log from DLLCompare.


----------



## jdwest (Jul 30, 2005)

Flrman1,
Quick question before doing these latest steps. Will this in any way affect anything saved in My Documents (photos, Word docs, Excel docs, etc.)??
Do I need to do a backup before completing these steps??
Thanks!


----------



## Flrman1 (Jul 26, 2002)

It won't affect any of that.


----------



## jdwest (Jul 30, 2005)

Flrman1,
Here's the FindIt9xME output log:
Warning! This utility will find legitimate files in addition to malware. 
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------

Volume in drive C is POWERSPEC 
Volume Serial Number is 1E47-17DB
Directory of C:\WINDOWS\SYSTEM

BHAR EXE 82,432 08-01-05 9:27p bhar.exe
1 file(s) 82,432 bytes
0 dir(s) 7,483.92 MB free

------- Hidden Files in System Directory -------

Volume in drive C is POWERSPEC 
Volume Serial Number is 1E47-17DB
Directory of C:\WINDOWS\SYSTEM

BHAR EXE 82,432 08-01-05 9:27p bhar.exe
VIDCTRL 07-27-05 12:52a vidctrl
NSVSVC 07-27-05 12:52a nsvsvc
VX3X NLS 8,192 07-26-05 9:12p VX3X.NLS
VX3 NLS 8,192 07-26-05 9:12p VX3.NLS
VX2 NLS 8,192 07-26-05 9:12p VX2.NLS
VX2X NLS 8,192 07-26-05 9:12p VX2X.NLS
HPF89T15 GID 8,628 05-07-04 2:52p HPF89t15.GID
FOLDER HTT 13,122 01-10-00 10:40a folder.htt
DESKTOP INI 266 01-10-00 10:40a desktop.ini
8 file(s) 137,216 bytes
2 dir(s) 7,483.91 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
vx2.nls Tue Jul 26 2005 9:12:28p ...HR 8,192 8.00 K
bhar.exe Mon Aug 1 2005 9:27:44p ..SHR 82,432 80.50 K
vx2x.nls Tue Jul 26 2005 9:12:28p ...HR 8,192 8.00 K
vx3x.nls Tue Jul 26 2005 9:12:36p ...HR 8,192 8.00 K
vx3.nls Tue Jul 26 2005 9:12:36p ...HR 8,192 8.00 K

5 items found: 5 files, 0 directories.
Total of file sizes: 115,200 bytes 112.50 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.751: TROJ_QOOLOGIC.P
C:\WINDOWS\VPTNFILE.751: TROJ_QOOLOGIC.N
C:\WINDOWS\VPTNFILE.751: TROJ_QOOLOGIC.I
C:\WINDOWS\VPTNFILE.751: TROJ_QOOLOGIC.H
C:\WINDOWS\VPTNFILE.751: TROJ_QOOLOGIC.E
C:\WINDOWS\VPTNFILE.751: TROJ_QOOLOGIC.D
C:\WINDOWS\VPTNFILE.751: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.751: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.751: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.751: TROJ_QOOLOGIC.A
C:\WINDOWS\lpt$vpn.751: TROJ_QOOLOGIC.P
C:\WINDOWS\lpt$vpn.751: TROJ_QOOLOGIC.N
C:\WINDOWS\lpt$vpn.751: TROJ_QOOLOGIC.I
C:\WINDOWS\lpt$vpn.751: TROJ_QOOLOGIC.H
C:\WINDOWS\lpt$vpn.751: TROJ_QOOLOGIC.E
C:\WINDOWS\lpt$vpn.751: TROJ_QOOLOGIC.D
C:\WINDOWS\lpt$vpn.751: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.751: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.751: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.751: TROJ_QOOLOGIC.A

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\shop1004.exe: .aspack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results ------------- 
C:\WINDOWS\SYSTEM\PXPNDI.DLL: InitUMonitor
C:\WINDOWS\SYSTEM\PXPNDI.DLL: UMonitor
C:\WINDOWS\SYSTEM\PXPNDI.DLL: /cgi-bin/UMonitorV2

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AutoUpdater"="\"c:\\Program Files\\AutoUpdate\\AutoUpdate.exe\""
"om2Q36R"="QOSVOX.EXE"
"brrlpzp"="c:\\windows\\system\\brrlpzp.exe"
"Dinst"="C:\\WINDOWS\\dinst.exe"

Here's the new HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 9:46:54 PM, on 8/1/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE
C:\WINDOWS\SYSTEM\QOSVOX.EXE
C:\WINDOWS\SYSTEM\BRRLPZP.EXE
C:\PROGRAM FILES\EZULA\MMOD.EXE
C:\PROGRAM FILES\WEB OFFER\WO.EXE
C:\WINDOWS\SYSTEM\MOBUST.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\MOBUST.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\CFGWIZ32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Broadband Internet
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\DSR.DLL
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [om2Q36R] QOSVOX.EXE
O4 - HKLM\..\Run: [brrlpzp] c:\windows\system\brrlpzp.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [Uhte] C:\Program Files\tbas\bhar.exe
O4 - HKCU\..\Run: [MOBUST] C:\WINDOWS\SYSTEM\MOBUST.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab

Here's the DllCompare log:
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found "
________________________________________________

891 items found: 891 files, 0 directories.
Total of file sizes: 188,847,505 bytes 180.10 M

--------------------End log---------------------


----------



## Flrman1 (Jul 26, 2002)

* Copy these instructions to notepad and save them to your desktop. You will need them to refer to.

* Run Hijack This again and put a check by these. Close *ALL* windows except HijackThis and click "Fix checked"

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll

O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL

O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\DSR.DLL

O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [om2Q36R] QOSVOX.EXE

O4 - HKLM\..\Run: [brrlpzp] c:\windows\system\brrlpzp.exe

O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe

O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe

O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe

O4 - HKCU\..\Run: [Uhte] C:\Program Files\tbas\bhar.exe

O4 - HKCU\..\Run: [MOBUST] C:\WINDOWS\SYSTEM\MOBUST.exe*

* Restart your computer into safe mode now. Perform the following steps in safe mode:

* Double-click on Killbox.exe to run it. Now put a tick by *Standard File Kill*. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

*C:\WINDOWS\SYSTEM\QOSVOX.EXE

C:\WINDOWS\SYSTEM\BRRLPZP.EXE

C:\WINDOWS\SYSTEM\MOBUST.EXE

C:\WINDOWS\dinst.exe*

Exit Killbox.

* Delete these folders:

C:\PROGRAM FILES\*AUTOUPDATE*
C:\Program Files\*tbas*
C:\Program Files\*eZula*
C:\Program Files\*Web Offer*

* Start Ccleaner and click *Run Cleaner*

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

* Restart back into Windows normally now.

* Go [here](http://free.grisoft.com/doc/2/lng/us/tpl/v5) and download AVG free edition. Install it, update the virus definitions and do a full system scan.

* Go *here* and download Ad-Aware SE.

Install the program and launch it.
First in the main window look in the bottom right corner and click on *Check for updates now*
Click *Connect* and download the latest reference files.
From main window click *Start* then under *Select a scan Mode* tick *Perform full system scan*.
Next deselect *Search for negligible risk entries*.
Now to scan just click the *Next* button.
When the scan is finished mark everything for removal and get rid of it.
Right-click the window and choose *select all* from the drop down menu and click *Next*
*Restart your computer*.

* Run ActiveScan online virus scan *here*

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

*Post a new HiJackThis log along with the results from ActiveScan*

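The triage above works by reading each HijackThis line and deciding whether it belongs to a known-good program or needs to be fixed. The following script is an added example (not from the thread or from HijackThis itself) that automates the same first pass over a log in the format quoted in this thread: it parses R0/R1, O2, O4 and O16 entries and flags search settings pointing at a non-default host, BHOs not on an allowlist, Run entries that launch a bare filename or run from an untrusted folder, and ActiveX downloads from unknown hosts. The allowlists (`DEFAULT_SEARCH_HOSTS`, `KNOWN_GOOD_O4_NAMES`, `TRUSTED_O4_DIRS`, `TRUSTED_DPF_HOSTS`), the 8.3-alias expansion and the sample log are assumptions constructed for the demo; a real triage would draw them from a vetted startup-entry database.

```python
"""Added example: first-pass triage of a HijackThis-style log.

Parses the entry types quoted in the thread and flags the patterns the
helpers acted on. Allowlists below are demo assumptions, not a reference.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Assumed allowlists for the demo (maintain these from a vetted source).
DEFAULT_SEARCH_HOSTS = {"www.microsoft.com", "search.msn.com", "home.microsoft.com"}
KNOWN_GOOD_BHO_CLSIDS: set = set()          # populate from a vetted BHO list
KNOWN_GOOD_O4_NAMES = {"LoadPowerProfile", "SchedulingAgent", "AVG7_CC", "AVG7_AMSVR"}
TRUSTED_O4_DIRS = (
    "C:\\PROGRAM FILES\\GRISOFT\\",
    "C:\\PROGRAM FILES\\MICROSOFT OFFICE\\",
    "C:\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\",
)
TRUSTED_DPF_HOSTS = {"housecall60.trendmicro.com", "www.pandasoftware.com", "zone.msn.com"}


@dataclass
class Finding:
    severity: str   # "HIGH" (fix) or "REVIEW" (check before fixing)
    section: str    # HJT section: R1, O2, O4, O16 ...
    reason: str
    line: str


R_RE = re.compile(r"^(?P<sec>R[0-3]) - (?P<key>.+?) = (?P<value>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<desc>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - Startup: (?P<name>.+?) = (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<desc>.*?)\) - (?P<url>\S+)$")
# First executable-looking token of a command line, quoted or not, spaces allowed.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|scr|bat|pif|dll))"?(?:\s|$)', re.I)


def normalize_path(path: str) -> str:
    # Assumption for the demo: the 8.3 alias PROGRA~1 means "Program Files".
    return path.upper().replace("PROGRA~1", "PROGRAM FILES")


def host_of(url: str) -> str:
    if "://" not in url:
        url = "http://" + url   # HJT prints some SearchURL values without a scheme
    return urlsplit(url).hostname or ""


def triage_line(line: str) -> Optional[Finding]:
    m = R_RE.match(line)
    if m:
        host = host_of(m["value"])
        if "Search" in m["key"] and host not in DEFAULT_SEARCH_HOSTS:
            return Finding("HIGH", m["sec"], f"search setting points at {host}", line)
        return None
    m = O2_RE.match(line)
    if m:
        if m["clsid"].upper() not in KNOWN_GOOD_BHO_CLSIDS:
            return Finding("REVIEW", "O2", f"BHO {m['clsid']} not on allowlist ({m['path']})", line)
        return None
    m = O4_RE.match(line) or O4_STARTUP_RE.match(line)
    if m:
        if m["name"] in KNOWN_GOOD_O4_NAMES:
            return None
        exe = EXE_RE.match(m["cmd"])
        target = normalize_path(exe["path"] if exe else m["cmd"])
        if "\\" not in target:
            # A bare filename is resolved through PATH; droppers use this to hide in SYSTEM.
            return Finding("HIGH", "O4", f"[{m['name']}] runs bare filename {target}", line)
        if not target.startswith(TRUSTED_O4_DIRS):
            return Finding("REVIEW", "O4", f"[{m['name']}] runs from untrusted folder {target}", line)
        return None
    m = O16_RE.match(line)
    if m and host_of(m["url"]) not in TRUSTED_DPF_HOSTS:
        return Finding("REVIEW", "O16", f"ActiveX from unknown host {host_of(m['url'])}", line)
    return None


def triage(log_text: str) -> List[Finding]:
    return [f for f in map(triage_line, log_text.splitlines()) if f]


# Constructed sample in the format quoted in the thread (not a real log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Broadband Internet
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O4 - HKLM\..\Run: [om2Q36R] QOSVOX.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Uhte] C:\Program Files\tbas\bhar.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.section:4} {f.reason}")
```

Everything the script marks REVIEW still needs a human to confirm against the installed software; the allowlist approach only reduces the reading load, it does not replace the check.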

----------



## jdwest (Jul 30, 2005)

Flrman1,
Ran into a little snag toward the end of the instructions.
When I did the step for loading the AVG Bootup Scanner, it stopped while loading, before getting into the application where I could update the virus definitions. The screen that came up states:
AVG Boot-up Scanner has detected a virus:
C:\KEENVA~1.EXE Trojan horse Downloader.Generic.AQQ

We recommend you restart your computer using an operating system from a virus-free system diskette or CD-ROM, then use the AVG Rescue Disk and remove the virus by healing.
Please select one of the following options:
(R)eboot and Restart System From Virus-Free Diskette
(C)ontinue at Your Own Risk
Do I choose (C) to continue on with the remainder of your instructions or is there something else that needs to be done on this??
Thanks


----------



## Flrman1 (Jul 26, 2002)

Choose (C) to continue.


----------



## jdwest (Jul 30, 2005)

Flrman1,

The ActiveScan results are attached:

Here's the latest HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 10:14:57 PM, on 8/2/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\TBAS\BHAR.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Broadband Internet
O4 - HKLM\..\Run: [brrlpzp] c:\windows\system\brrlpzp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MOBUST] C:\WINDOWS\SYSTEM\MOBUST.exe
O4 - HKCU\..\Run: [Uhte] C:\Program Files\tbas\bhar.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab


----------



## guevara (Aug 2, 2005)

Why not use WinXP or another more advanced operating system?


----------



## Flrman1 (Jul 26, 2002)

* Copy these instructions to notepad and save them to your desktop. You will need them to refer to.

* Click on My Computer then go to View > Folder Options. Click on the "View" tab and make sure "Show all files" is ticked and uncheck "Hide file extensions for known file types". Click "Like Current Folder" then click "Apply" then "OK"

* Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

*O4 - HKLM\..\Run: [brrlpzp] c:\windows\system\brrlpzp.exe

O4 - HKCU\..\Run: [MOBUST] C:\WINDOWS\SYSTEM\MOBUST.exe

O4 - HKCU\..\Run: [Uhte] C:\Program Files\tbas\bhar.exe*

* Restart your computer into safe mode now. Perform the following steps in safe mode:

* Double-click on Killbox.exe to run it. Now put a tick by *Standard File Kill*. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

*C:\WINDOWS\SYSTEM\BRRLPZP.EXE

C:\WINDOWS\SYSTEM\MOBUST.EXE

C:\Program Files\tbas\bhar.exe

C:\WINDOWS\SYSTEM\Popular Screensavers.scr

C:\WINDOWS\SYSTEM\SHAgentNew.dll

C:\WINDOWS\SYSTEM\HookPopup.dll

C:\WINDOWS\SYSTEM\javex80.vxd

C:\WINDOWS\SYSTEM\SWLAD2.dll

C:\WINDOWS\TEMP\!update.exe

C:\WINDOWS\DOWNLOADED PROGRAM FILES\VBouncerOuter1402030731.exe

C:\WINDOWS\DOWNLOADED PROGRAM FILES\ActiveX.ocx

C:\WINDOWS\APPLICATION DATA\Sskknwrd.dll

C:\WINDOWS\INF\BIINI.INF

C:\WINDOWS\DESKTOP\Free Plasma TV.lnk

C:\WINDOWS\cfgmgr52.ini

C:\WINDOWS\SYSTEM\UpdInst.exe

C:\WINDOWS\SYSTEM\PXPNDI.DLL

C:\WINDOWS\SYSTEM\bhar.exe

C:\WINDOWS\SYSTEM\Ljlsga.exe

C:\WINDOWS\SYSTEM\Ezhrkf.exe

C:\WINDOWS\SYSTEM\HookPopup.dll

C:\WINDOWS\SYSTEM\6f97uorh.dll

C:\WINDOWS\SYSTEM\m80s9kj1.exe

C:\WINDOWS\SYSTEM\javex80.vxd

C:\WINDOWS\SYSTEM\psis80ex.ax

C:\WINDOWS\SYSTEM\SWLAD2.dll

C:\WINDOWS\SYSTEM\PopOops.dll

C:\WINDOWS\SYSTEM\Shex.exe

C:\WINDOWS\SYSTEM\lscuhf.exe

C:\WINDOWS\INF\banner.inf

C:\WINDOWS\Downloaded Program Files\CONFLICT.3\VBouncerOuter1402030731.exe

C:\WINDOWS\Downloaded Program Files\CONFLICT.4\VBouncerOuter1402030731.exe

C:\WINDOWS\Downloaded Program Files\CONFLICT.1\VBouncerOuter1402030731.exe

C:\WINDOWS\Downloaded Program Files\VBouncerOuter1402030731.exe

C:\WINDOWS\Downloaded Program Files\CONFLICT.2\VBouncerOuter1402030731.exe

C:\WINDOWS\Downloaded Program Files\CONFLICT.5\VBouncerOuter1402030731.exe

C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.8-2.inf

C:\WINDOWS\Downloaded Program Files\setup4002b.ini

C:\WINDOWS\Installer\bfd249.msi

C:\WINDOWS\u2u3jki7.exe

C:\WINDOWS\ru.exe

C:\WINDOWS\nuorjhsk.exe

C:\Program Files\Common Files\SYSTEM\Mapi\1033\95\ezStub.exe

C:\My Documents\My Music\Virtual Albums\video\video.asx

C:\install-tag001.exe

C:\install_beakan01.exe*

Exit Killbox.

* Delete these folders:

C:\PROGRAM FILES\*MEDIA*
C:\PROGRAM FILES\*SurfAccuracy*
C:\PROGRAM FILES\*Search Toolbar* 
C:\Program Files\*FunWebProducts*
C:\Program Files\*TopConverting*
C:\Program Files\*tbas* 
C:\Program Files\*Aprps*
C:\Program Files\*LimeShop*
C:\Program Files\Common Files\*BTLINK*
C:\WINDOWS\SYSTEM\*nsvsvc*

* Delete these folders from your favorites:

*FUN & GAMES
Casino & Carrers*

* Start Ccleaner and click *Run Cleaner*

* Restart back into Windows normally now.

* Go here and do an online virus scan. Choose "Complete Scan" and select all drives to scan.

When the scan is finished, anything that it cannot clean have it delete it. Click "Print Report". The report will open in your browser. Go to File > Save As and save the file to your desktop. Under "Save as type" click the dropdown menu and choose "Text file (*.txt)" and save it as a text file.

*Post a new HiJackThis log along with the report from the Housecall scan*


----------



## jdwest (Jul 30, 2005)

Flrman1,

Sending this reply from my work computer as the home computer would not get an Internet connection this morning. Spent over 3 hours on the phone this morning with my ISP trying to get a connection. Something is possibly going on with my cable modem connection, and I'm wondering could any of the steps we did on the last set of instructions resulted in a change that could have affected Modem/Network Adapters?? The cable modem was connected to the system with an Ethernet line running from the modem through a USB Ethernet Adapter into a USB port on the computer. Finally got the modem to recognize with running a straight USB connection from the cable modem to USB port on the computer. (For some reason the Ethernet port on the computer is not working, not sure if this is something that could be troubleshot here or not?)
The ISP (Comcast) technician thinks it could have something to do with Winsoc (??) but he is not sure if it is on their end or with my computer. Could any of the steps we last did have affected Winsoc on my computer or is there any way to check Winsoc and/or repair??


----------



## Flrman1 (Jul 26, 2002)

Nothing we did here should have affected the connection. You didn't inadvertently delete a folder you weren't supposed to, did you?


----------



## jdwest (Jul 30, 2005)

Do you know what "Winsoc" is that the ISP rep referenced this morning?? Is this something that can be repaired using online tools or can it be reinstalled from a disk?? Seemed we were making some progress and now this roadblock!!!!! 
Thanks!


----------



## flavallee (May 12, 2002)

I wonder if *CCleaner* might be the culprit. I see a new version was released - *1.22.142*.


----------



## Flrman1 (Jul 26, 2002)

I doubt if it was CCleaner unless jd used the "Issues" tool to remove something. Did you jd?


----------



## Flrman1 (Jul 26, 2002)

Do you have another pc there that you can use to download Lspfix and put it on a floppy to run it?


----------



## jdwest (Jul 30, 2005)

Flrman1,
I followed the instructions step by step. The only thing I clicked on CCleaner was Run Cleaner as instructed.

Curious to what this "Winsoc" is that was mentioned by the ISP rep this morning??

I have a work laptop here that I can access. Just not sure if I can access or download a particular site until I try, as the company has lots of security software on the systems and they are pretty locked down. I can give it a try though. I could make a drive over to parents residence and make a copy from the site if my work system is unable to do it. Just need to know where to go and look for this file to download.

Would the step right after CCleaner make any possible changes that could be contributing to this?? ( * Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.) On that Internet Properties box there is a checkmark in the bottom setting on the screen for "Internet Explorer should check to see whether it is the default browser"....should that be there??


----------



## jdwest (Jul 30, 2005)

Follow-up to last reply:
The very last thing on the phone this morning with the ISP rep, we tested the connection by going to an MS-DOS prompt and "pinging" the system. It was successful, therefore the rep was stating that something was happening with the actual connection to the web from the system to the modem. This is when he mentioned the "Winsoc" does not seem to be converting internet file names into code correctly or something like that (really clueless on this internal operation of the system??). Have no idea if any of that makes sense or is even applicable to what is going now, but thought I would give you that info just in case. He mentioned that calling manufacturer might be useful to repair "Winsoc" but I'm not sure if that would be Microsoft or the local computer center where the system was purchased??


----------



## Flrman1 (Jul 26, 2002)

*Click here* to download LspFix. It will fit on a floppy disk. Put it on disk to transfer to the other computer.

Launch the application, and click finish (Don't do anything else).

See if that restores the connection.

Have you tried repairing Internet Explorer?


----------



## jdwest (Jul 30, 2005)

Flrman1,

I was able to copy LSPFix.exe to a disk and run it on the system. It did not detect anything to fix.

The last line of your latest post refers to repairing Internet Explorer. I do not know exactly what the process for doing that is. Can you explain the steps involved in that process. Thanks!

Is "Winsoc", that was mentioned earlier, a program itself or is it a part of the Internet Explorer system?? Since the modem is getting a good signal from the ISP but web pages will not load, does this have anything to do with Winsoc?


----------



## Flrman1 (Jul 26, 2002)

It could be a corrupt winsock, but let's try repairing IE first.

Click Start > Settings > Control Panel, then double-click Add/Remove Programs 
On the Install/Uninstall tab, doubleclick "Microsoft Internet Explorer 6 SP1 and Internet Tools", click the Repair Internet Explorer option, and then click OK


----------



## jdwest (Jul 30, 2005)

Flrman1,
Ran the Internet Explorer repair but still no connection being made to the web.


----------



## Flrman1 (Jul 26, 2002)

Try this winsock fix:

http://www.bu.edu/pcsc/internetaccess/winsock2fix.html


----------



## jdwest (Jul 30, 2005)

Flrman1,
OK, that winsock fix did the trick...back in business with connecting to the web. As an update you might want to take a look at the http://www.bu.edu/pcsc/internetaccess/winsock2fix.html link as it references that the creator of this fix is no longer at Boston U. and recommends a newer winsock fix at http://www.tacktech.com/display.cfm?ttid=257. I did this newer fix after installing the Visual Basic runtime library file from Microsoft that it references first.

Do you think that something during one of the previous steps we ran could have resulted in winsock getting hosed up?? The tacktech website mentioned above has this at the start of the winsock repair procedures "If you have suddenly lost your Internet connection after removing spy-ware (such as NewDotNet, and Commonname) the following steps will help restore your connection. This works for Windows 9x/NT/2000/XP". Thought this might be some good info for future reference in addressing a similar situation as mine.

Along those lines....do you think any of the remaining steps might cause the same type of problem to occur with winsock??

Should I pick up where we left off prior to the web connection problem with your post on Aug 3rd at 7:17am??

Here's a new copy of HJT in case you need it:
Logfile of HijackThis v1.99.1
Scan saved at 5:56:52 AM, on 8/5/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\HPZTSB10.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Broadband Internet
O4 - HKLM\..\Run: [brrlpzp] c:\windows\system\brrlpzp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MOBUST] C:\WINDOWS\SYSTEM\MOBUST.exe
O4 - HKCU\..\Run: [Uhte] C:\Program Files\tbas\bhar.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab


----------



## Flrman1 (Jul 26, 2002)

The only thing that I can think of that possibly could have affected the connection is the Top Converting folder that was deleted. I have heard that has happened before when removing that malware, but have never seen it happen. I have removed it many times without incident. I suppose that could be what happened, but I can't say for sure.

Fix this with HJT:

*O4 - HKCU\..\Run: [Uhte] C:\Program Files\tbas\bhar.exe*

Restart and make sure the C:\Program Files\tbas folder has been deleted.

Go here and do an online virus scan. Choose "Complete Scan" and select all drives to scan.

When the scan is finished, anything that it cannot clean have it delete it. Click "Print Report". The report will open in your browser. Go to File > Save As and save the file to your desktop. Under "Save as type" click the dropdown menu and choose "Text file (*.txt)" and save it as a text file.

*Post a new HiJackThis log along with the report from the Housecall scan*


----------



## flavallee (May 12, 2002)

jdwest:

As soon as you get the "all clear" on your log, you can trim down the startup list of unnecessary running programs by going into the MSCONFIG "Startup" tab and unchecking

*TKBellExe* (realsched.exe)

*LoadPowerProfile* (LoadCurrentPwrScheme)

(Note: Uncheck both entries with this name)

*SchedulingAgent* (mstask.exe)

*KB891711* (kb891711.exe)

*Microsoft Works Calendar Reminders* (wkcalrem.exe)

(Note: Leave this one checked only if you're actually using the calendar reminder feature)

*Microsoft Office* (osa9.exe)

clicking Apply - OK, then rebooting.



----------



## jdwest (Jul 30, 2005)

Flrman1,

Ran HijackThis and marked the string O4 - HKCU\..\Run: [Uhte] C:\Program Files\tbas\bhar.exe to Fix. Once this completed, did a Restart but the C:\Program Files\tbas  folder was still there. Does this "tbas\bhar.exe" need to be marked for Fix again in HJT??

Ran HouseCall. Here's the report:
Trend Micro Housecall Virus Scan: 0 virus cleaned, 2 viruses deleted

Results:
We have detected 2 infected file(s) with 2 virus(es) on your computer. Only 0 out of 0 infected files are displayed:
- 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 2 virus(es) deleted, 0 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible

| Detected File | Associated Virus Name | Action Taken |
|---|---|---|
| C:\!Submit\QOSSN1.EXE | TROJ_APROPO.H | Deletion successful |
| C:\!Submit\QOSVOX.EXE | TROJ_APROPO.H | Deletion successful |

Trojan/Worm Check: 0 worm/Trojan horse deleted

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed:
- 0 worm(s)/Trojan(s) passed, 0 worm(s)/Trojan(s) no action available
- 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable

| Trojan/Worm Name | Trojan/Worm Type | Action Taken |
|---|---|---|
| (none) | | |

Spyware Check: 3 spyware programs removed

What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 5 spyware(s) on your computer. Only 0 out of 0 spywares are displayed:
- 2 spyware(s) passed, 0 spyware(s) no action available
- 3 spyware(s) removed, 0 spyware(s) unremovable

| Spyware Name | Spyware Type | Action Taken |
|---|---|---|
| COOKIE_169 | Cookie | Pass |
| COOKIE_722 | Cookie | Pass |
| ADW_IEHELPER.A | Adware | Removal successful |
| SPYW_VBOUNCE.B | Spyware | Removal successful (Please reboot your machine) |
| SPYW_VTBOUNCER.B | Spyware | Removal successful (Please reboot your machine) |

Microsoft Vulnerability Check: 2 vulnerabilities detected

What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.

Results:
We have detected 2 vulnerability/vulnerabilities on your computer. Only 0 out of 0 vulnerabilities are displayed.

| Risk Level | Issue | How to Fix |
|---|---|---|
| Critical | This vulnerability enables a remote attacker to cause a denial of service and execute arbitrary code through a specially formed web page or HTML e-mail. This is caused by a flaw in the way the HTML converter for Microsoft Windows handles a conversion request during a cut-and-paste operation. | MS03-023 |
| Moderate | A denial of service (DoS) vulnerability exists in Outlook Express that could cause the said program to fail. The malformed email should be removed before restarting Outlook Express in order to regain its normal operation. | MS04-018 |

Here's the latest HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 11:10:25 AM, on 8/5/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\HPZTSB10.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\PROGRAM FILES\TBAS\BHAR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Broadband Internet
O4 - HKLM\..\Run: [brrlpzp] c:\windows\system\brrlpzp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MOBUST] C:\WINDOWS\SYSTEM\MOBUST.exe
O4 - HKCU\..\Run: [Uhte] C:\Program Files\tbas\bhar.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab


----------



## Flrman1 (Jul 26, 2002)

Copy these instructions to notepad and save them to your desktop. You will need them to refer to.

* Run Hijack This again and put a check by these. Close *ALL* windows except HijackThis and click "Fix checked"

*O4 - HKLM\..\Run: [brrlpzp] c:\windows\system\brrlpzp.exe

O4 - HKCU\..\Run: [MOBUST] C:\WINDOWS\SYSTEM\MOBUST.exe

O4 - HKCU\..\Run: [Uhte] C:\Program Files\tbas\bhar.exe*

* Restart your computer into safe mode now. Perform the following steps in safe mode:

* Double-click on Killbox.exe to run it. Now put a tick by *Standard File Kill*. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

*c:\windows\system\brrlpzp.exe

C:\WINDOWS\SYSTEM\MOBUST.exe

C:\Program Files\tbas\bhar.exe*

Exit the Killbox.

* Delete this folder:

C:\Program Files\*tbas*

* Start Ccleaner and click the *Run Cleaner* button only.

*CAUTION! DO NOT* use the "Issues" tool in CCleaner to fix or remove anything. You can cause damage to your computer if you don't know what you are doing. Click the *Run Cleaner* button only.

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

* Restart back into Windows normally now.

* Run ActiveScan online virus scan *here*

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

*Post a new HiJackThis log along with the results from ActiveScan*


----------



## jdwest (Jul 30, 2005)

Flrman1,

Unsure about one thing on your last set of instructions. I ran ActiveScan and when it finishes it shows the results. Everything shown had "No Disinfected" marked. There was a button to save report, which I did, but there was no option to choose to have it delete anything as your instructions state "When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself." I'm not sure if I'm missing something there or the delete part is going to just be a manual process for each of the items??

The ActiveScan log is attached:

Here's the latest HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 7:48:22 PM, on 8/5/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\HPZTSB10.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\PROGRAM FILES\TBAS\BHAR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Broadband Internet
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Uhte] C:\Program Files\tbas\bhar.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
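
The two HijackThis logs in this thread are compared by eye: the first "Fix checked" pass removed the brrlpzp and MOBUST entries, but the Uhte entry pointing at C:\Program Files\tbas\bhar.exe is back in the log above. The following script, an added example that is not a tool used in this thread and not part of HijackThis, does that comparison mechanically: it parses the O4 (autostart) lines of two logs, reports what was removed, added or persisted, and checks a helper's "fix these" list against the log posted afterwards. The embedded log excerpts are trimmed copies of the O4 lines posted above; the function and class names are my own.

```python
"""Diff the O4 (autostart) entries of two HijackThis logs.

Added example for this thread; it is not a tool the thread's helpers used and
not part of HijackThis. The log excerpts below are trimmed copies of the O4
lines posted in this thread (the first log, and the one posted after the
"Fix checked" step), so the diff shows which autostart entries the fix removed
and which one came straight back.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Autostart:
    hive: str     # "HKLM\..\Run", "HKCU\..\Run", "Startup", ...
    name: str     # value name in [brackets], or the .lnk name for Startup entries
    command: str  # command line or shortcut target


# O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
_REG_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
_LNK_RE = re.compile(r"^O4 - (?P<hive>Startup|Global Startup): (?P<name>.+?) = (?P<cmd>.*)$")


def parse_o4(log_text: str) -> set[Autostart]:
    """Collect every O4 line; all other HijackThis sections are ignored."""
    entries = set()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _REG_RE.match(line) or _LNK_RE.match(line)
        if m:
            entries.add(Autostart(m["hive"], m["name"], m["cmd"].strip()))
    return entries


def diff_autostarts(before_log: str, after_log: str) -> dict[str, list[str]]:
    """Names removed, added and unchanged between two logs of the same machine."""
    before, after = parse_o4(before_log), parse_o4(after_log)
    return {
        "removed": sorted(e.name for e in before - after),
        "added": sorted(e.name for e in after - before),
        "persisted": sorted(e.name for e in before & after),
    }


def fix_outcome(fix_lines: str, after_log: str) -> dict[str, list[str]]:
    """Check a helper's 'fix these' list against the log posted afterwards.

    An entry still present after 'Fix checked' plus a reboot was re-created by
    something else, which is the cue to look for a second launch point.
    """
    wanted, present = parse_o4(fix_lines), parse_o4(after_log)
    return {
        "gone": sorted(e.name for e in wanted - present),
        "survived": sorted(e.name for e in wanted & present),
    }


# Trimmed from the first HijackThis log posted in this thread.
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [brrlpzp] c:\windows\system\brrlpzp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MOBUST] C:\WINDOWS\SYSTEM\MOBUST.exe
O4 - HKCU\..\Run: [Uhte] C:\Program Files\tbas\bhar.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
"""

# Trimmed from the log posted after the "Fix checked" step.
AFTER_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Uhte] C:\Program Files\tbas\bhar.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

# The three entries the helper asked to have fixed.
FIX_LINES = r"""
O4 - HKLM\..\Run: [brrlpzp] c:\windows\system\brrlpzp.exe
O4 - HKCU\..\Run: [MOBUST] C:\WINDOWS\SYSTEM\MOBUST.exe
O4 - HKCU\..\Run: [Uhte] C:\Program Files\tbas\bhar.exe
"""

if __name__ == "__main__":
    for label, result in (("diff", diff_autostarts(BEFORE_LOG, AFTER_LOG)),
                          ("fix outcome", fix_outcome(FIX_LINES, AFTER_LOG))):
        print(label)
        for key, names in result.items():
            print(f"  {key}: {', '.join(names) or '-'}")
```

Run against the full logs, the script prints the same conclusion the helper reached by reading them: brrlpzp and MOBUST are gone, Uhte survived the fix, and nothing new appeared. Matching is on hive, name and command together, so an entry that returns under the same name but from a different path shows up as one removal plus one addition rather than as "persisted".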


----------



## Flrman1 (Jul 26, 2002)

Did you delete the C:\Program Files\tbas folder before? It is still there.


----------



## jdwest (Jul 30, 2005)

Flrman1,

Yes, I deleted it and then went to the Recycle Bin and dumped that as well. I also noticed that it was back when I did the HJT log at the end. Why does this one keep coming back like that?? I'm following your instructions precisely step by step.


----------



## Flrman1 (Jul 26, 2002)

Click here to download StartDreck.

UnZip the startdreck.zip file first. DoubleClick: 'StartDreck.exe' 
First click on the *config* button. 
Now click the *Unmark all* button 
Put a check by these boxes only: 
*Registry->run keys 
*Registry->Browser helper objects 
*System/drivers> Running processes 
hit >ok.

Now click the *Save* button to save that log. Go to the StartDreck folder and find the Startdreck.log file.

Copy and Paste the contents of that log back here.


----------



## jdwest (Jul 30, 2005)

Flrman1,

That link for StartDreck doesn't seem to be working. Looks like it brings up an error message in German possibly. Any other link to find StartDreck or should I go out and Google to search for it??


----------



## jdwest (Jul 30, 2005)

Flrman1,

Found it at: http://www.niksoft.at/download/startdreck.htm

Will run those last instructions and post results!


----------



## Flrman1 (Jul 26, 2002)

http://www.spyware911.net/downloads/startdreck.zip


----------



## jdwest (Jul 30, 2005)

Here's the StartDreck log:

StartDreck (build 2.1.7 public stable) - 2005-08-06 @ 17:56:57 (GMT -05:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as Default at C1292261-A

»Registry
»Run Keys
»Current User
»Run
*Uhte=C:\Program Files\tbas\bhar.exe
»RunOnce
»Default User
»Run
*Uhte=C:\Program Files\tbas\bhar.exe
»RunOnce
»Local Machine
»Run
*AVG7_CC=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
*AVG7_AMSVR=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*HP Component Manager="C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
*HPDJ Taskbar Utility=C:\WINDOWS\SYSTEM\hpztsb10.exe
*HP Software Update="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*KB891711=c:\windows\SYSTEM\KB891711\KB891711.EXE
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
»Files
»System/Drivers
»Running Processes
+FF0FF1BD=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF86CD=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFB15D=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFFACA9=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE0725=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFE3269=c:\windows\SYSTEM\KB891711\KB891711.EXE
+FFFEC129=C:\WINDOWS\EXPLORER.EXE
+FFFD686D=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
+FFFDDD31=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
+FFFDE8DD=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
+FFFD962D=C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
+FFFD8651=C:\WINDOWS\SYSTEM\HPZTSB10.EXE
+FFFDA289=C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
+FFFC4FBD=C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
+FFFC758D=C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
+FFFC2951=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFFD5545=C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
+FFFC1D95=C:\PROGRAM FILES\TBAS\BHAR.EXE
+FFFAF60D=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFFEF87D=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFFA1B1D=C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
+FFF66AB5=C:\WINDOWS\SYSTEM\TAPISRV.EXE
+FFF9BA5D=C:\WINDOWS\SYSTEM\PSTORES.EXE
+FFF6DAE9=C:\UNZIPPED\STARTDRECK[1]\STARTDRECK.EXE
»Application specific


----------



## Flrman1 (Jul 26, 2002)

Go to the forum *here* and upload the files found in the C:\Program Files\*tbas* folder.

Here are the directions for uploading the files:

Just click "New Topic", fill in the needed details and post a link to your thread here. Click the "Browse" button. Navigate to the files on your computer. If there are multiple files to be uploaded click the "More attachments" button for each extra file and browse to the files. When all the files are listed in the windows click "Post" to upload the files.


----------



## jdwest (Jul 30, 2005)

Flrman1,

Posted the information requested to the SpyKiller forum. Here's a copy of the posted thread:

Link to thread on Tech Support Guy website: http://forums.techguy.org/showthread.php?t=385840&page=4

Inside the C:\Program Files\tbas folder there is another folder labeled "nsat" but it does not show anything in the folder when you click on it.

--------------------------------------------------------------------------------
bhar.exe (65 KB - downloaded 0


----------



## dvk01 (Dec 14, 2002)

Mark

that is definitely the new Purity scan that we haven't found a successful way to remove yet

it seems to add a version in %system% folder and possibly in application data as well 

if you do a silent runners it sometimes shows an extra file that helps to hold it in place & you need to Killbox on reboot all the files named 

also you need to edit the wininit.ini file as that is set to reinstall it every time


----------



## Flrman1 (Jul 26, 2002)

Thanks Derek! :up:

jdwest

*Click here* to download Silentrunners.vbs.

Run the SilentRunners.vbs file. If your antivirus has a script blocker, you will get a warning asking if you want to allow SilentRunners.vbs to run. It might say something like "Malicious Script Warning". This script is not malicious so you are safe in allowing it to run.

When it is finished it will produce a Startup Programs text file. Copy and paste that text file here in your next reply.


----------



## jdwest (Jul 30, 2005)

Flrman1,

Cannot get the SilentRunner to load. I've attached the pop-up error message so you can see it. As far as I know, McAfee is disabled and not running on the system anymore, even though there does seem to still be some fragments hanging around from that application. I was going to ask about identifying and cleaning those remnants once we were finished with the virus cleanup work. The only other things that I now see working are things we have done during this repair effort (i.e. AVG Free Edition). If that is what's causing the SilentRunner error then I'm not sure how to disable or turn off anything in AVG.


----------



## dvk01 (Dec 14, 2002)

you are running it from temp internet files folder that is why and it hasn't got the permissions to create what it needs to in that folder

download it to desktop

this is my standard advice to use it

download & run http://www.silentrunners.org/Silent Runners.vbs

save it to desktop & run it from there (double click on it to run) follow all its prompts and it will make a file called startup programs, copy the contents of that list back here


----------



## Flrman1 (Jul 26, 2002)

dvk01 said:


> also you need to edit the wininit.ini file as that is set to reinstall it every time


Do you mean win.ini? I don't think there is a wininit.ini on 9x is there?


----------



## jdwest (Jul 30, 2005)

Derek,
Followed the instructions you posted a few minutes ago. Looks like I'm getting the same error message when I try to run it from desktop screen. I've attached the error message.


----------



## Flrman1 (Jul 26, 2002)

Download and install Windows script Host from here:

http://www.microsoft.com/downloads/...F6-249C-4A72-BFCF-FC6AF26DC390&displaylang=en


----------



## jdwest (Jul 30, 2005)

OK, finally got the SilentRunner to load and then run. Had to download a couple of things from the Microsoft site to enable it to run.

Here's the results:

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"DelayShred" = ""C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\SHREDDER\SHRED32.EXE" /q C:\WINDOWS\TEMPOR~1\CONTENT.IE5\6N0TSBKF\RECALL~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\P801BU45\SEARCH~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\01234567\991673~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\P801BU45\CAJE0BVH.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\01234567\DCS_1_~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\01234567\COMPON~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\01234567\KEY_1_~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\E4LC5O7O\CORNER~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\P801BU45\BA_SV_~3.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\6N0TSBKF\CAPCWZTD.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\E4LC5O7O\ADS_1_~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\P801BU45\FLASH_~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\6N0TSBKF\LEFTNA~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\6N0TSBKF\TIGER_~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\6N0TSBKF\FRESH_~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\E4LC5O7O\147273~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\6N0TSBKF\COLTS_~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\01234567\BA_SV_~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\6N0TSBKF\COVER_~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\P801BU45\HELPON~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\01234567\BURSTU~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\E4LC5O7O\GO-BUT~2.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\P801BU45\TOPNAV~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\01234567\BURSTU~2.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\01234567\LINE_1~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\P801BU45\LEFTBK~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\01234567\TECHGU~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\E4LC5O7O\BROWSE~2.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\P801BU45\PX-666~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\P801BU45\TN-PUR~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\6N0TSBKF\INSTAL~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\E4LC5O7O\DAVIS_~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\P801BU45\IFRAME~2.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\01234567\BG-LEF~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\01234567\TOPNAV~1.SH! 
C:\WINDOWS\TEMPOR~1\CONTENT.IE5\P801BU45\TN-ABO~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\01234567\TN-ON-~2.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\01234567\DCS_7_~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\01234567\TDS3SE~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\INDEX.SH! C:\WINDOWS\HISTORY\HISTORY.IE5\INDEX.SH! C:\WINDOWS\COOKIES\INDEX.SH!" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AVG7_CC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_AMSVR" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE" ["GRISOFT, s.r.o."]
"HP Component Manager" = ""C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"" ["Hewlett-Packard Company"]
"HPDJ Taskbar Utility" = "C:\WINDOWS\SYSTEM\hpztsb10.exe" ["HP"]
"HP Software Update" = ""C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"" ["Hewlett-Packard Company"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"SchedulingAgent" = "mstask.exe" [MS]
"KB891711" = "c:\windows\SYSTEM\KB891711\KB891711.EXE" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
PerUser_CVT_Inis\(Default) = "Windows Setup - FAT32 Converter"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis_remove 64 c:\windows\INF\applets1.inf" [MS]
PerUser_netwatch_Inis\(Default) = "Windows Setup - Netwatch"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_netwatch_Rem_Inis 64 c:\windows\INF\appletpp.inf" [MS]
PerUser_Dialer_Inis\(Default) = "Windows Setup - Phone Dialer"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis_remove 64 c:\windows\INF\appletpp.inf" [MS]
{44BBA842-CC51-11CF-AAFA-00AA00B6015C}\(Default) = "NetMeeting 3.0"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection c:\windows\INF\msnetmtg.inf,NetMtg.Remove.PerUser.W95" [MS]
OlsAolPerUser\(Default) = "Windows Setup - America Online"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUserRemove 64 c:\windows\INF\ols.inf" [MS]
OlsAttPerUser\(Default) = "Windows Setup - AT&T WorldNet Service"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUserRemove 64 c:\windows\INF\ols.inf" [MS]
OlsCompuservePerUser\(Default) = "Windows Setup - CompuServe"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsCompuservePerUserRemove 64 c:\windows\INF\ols.inf" [MS]
OlsProdigyPerUser\(Default) = "Windows Setup - Prodigy Internet"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUserRemove 64 c:\windows\INF\ols.inf" [MS]
{44BBA851-CC51-11CF-AAFA-00AA00B6015C}\(Default) = "Microsoft Web Publishing Wizard 1.6"
 \StubPath = "rundll32.exeadvpack.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGSE.DLL" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGSE.DLL" ["GRISOFT, s.r.o."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\REAL\REALPLAYER\RPSHELL.DLL" ["RealNetworks, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{20d8bda1-1958-11d6-b00f-00b0d0c6b6a5}" = "McAfee Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MCAFEE\MCAFEE INTERNET SECURITY\GDSHEXT.DLL" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
TDS-3\(Default) = "{E8ADA3E1-CE9B-44A0-A165-997304EF4E18}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\TDS3SHL.DLL" ["("]
SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\TECHSMITH\SNAGIT 7\SNAGITSHELLEXT.DLL" ["TechSmith Corporation"]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGSE.DLL" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
TDS-3\(Default) = "{E8ADA3E1-CE9B-44A0-A165-997304EF4E18}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\TDS3SHL.DLL" ["("]
SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\TECHSMITH\SNAGIT 7\SNAGITSHELLEXT.DLL" ["TechSmith Corporation"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGSE.DLL" ["GRISOFT, s.r.o."]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"

Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"Microsoft Works Calendar Reminders" -> shortcut to: "C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe" ["Microsoft® Corporation"]
"Exif Launcher" -> shortcut to: "C:\Program Files\Exif Launcher\QuickDCF.exe" ["FUJI PHOTO FILM CO., LTD."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"DING!" -> shortcut to: "C:\Program Files\Southwest Airlines\Ding\Ding.exe" ["Southwest Airlines"]

Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]
"Maintenance-Defragment programs" -> launches: "C:\WINDOWS\DEFRAG.EXE /SAGERUN:0" [MS]
"Maintenance-ScanDisk" -> launches: "C:\WINDOWS\SCANDSKW.EXE /SAGERUN:0 /ALL /N" [MS]
"Maintenance-Disk cleanup" -> launches: "C:\WINDOWS\CLEANMGR.EXE /SAGERUN:0" [MS]
"McAfee.com Update Check 05192005115301" -> launches: "C:\PROGRA~1\MCAFEE.COM\AGENT\mcupdate.exe /Schedule" [file not found]
"RUTASK" -> launches: "C:\WINDOWS\ru.exe" [null data]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6

Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{CE27D4DF-714B-4427-95EB-923FE53ADF8E}\ = "LeftFrame Class"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\DSR.DLL" [file not found]

HKLM\Software\Classes\CLSID\{E2D2FE40-5674-4B77-802B-EC86B6C2C41D}\ = "BottomFrame Class"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\WINDOWS\DSR.DLL" [file not found]

Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

Missing lines (compared with English-language version):
HIJACK WARNING! "orighomepage" = "http://home.excite.com/" [file not found]
HIJACK WARNING! "homepage2" = "about:about:homepage" [file not found]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 34 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 14 seconds.
---------- (total run time: 83 seconds)
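
What makes the Silent Runners report above useful is the bracket tag that closes each launch point: [MS] or a quoted vendor name when the file carried company information, [file not found] when the registry or task entry points at nothing on disk (the leftover McAfee hooks and the DSR.DLL explorer bars), and [null data] for the "RUTASK" scheduled task that launches C:\WINDOWS\ru.exe. The script's own "INFECTION WARNING!" and "HIJACK WARNING!" prefixes mark the rest. The following script, an added example that is not part of Silent Runners and not something the helpers in this thread ran, pulls those tagged lines out of a report and groups them by section so the suspicious and stale launch points can be reviewed in one place. The embedded excerpt is trimmed from the report above; my reading of [null data] as "file present but no company information could be read" is an assumption, the thread does not define the tag; the class and function names are my own.

```python
"""Triage a Silent Runners report by its trailing bracket annotations.

Added example for this thread; it is not part of Silent Runners and not a tool
the thread's helpers used. Silent Runners closes each launch point with a
bracket tag: [MS] or ["Vendor"] when the file carries company information,
[file not found] when the launch point refers to nothing on disk, and
[null data] which I take to mean the file exists but no company information
could be read (assumption; the thread does not define it). Lines prefixed
"... WARNING!" are the script's own flags. The excerpt below is trimmed from
the report posted in this thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

_TAG_RE = re.compile(r"\[(?P<tag>[^\[\]]*)\]\s*$")  # trailing [ ... ] annotation
_NAME_RE = re.compile(r'"(?P<name>[^"]*)"')          # first quoted string on the line


@dataclass(frozen=True)
class Finding:
    section: str   # nearest preceding header line (registry key or report section)
    name: str      # value name, task name or path quoted on the line
    reason: str    # "warning", "file not found" or "null data"
    line: str      # the original report line


def _is_header(lines: list[str], i: int) -> bool:
    """Registry keys end in '\\' or '{++}', section titles end in ':' or sit above a dashed rule."""
    cur = lines[i].rstrip()
    nxt = lines[i + 1].rstrip() if i + 1 < len(lines) else ""
    return cur.endswith((":", "\\", "{++}")) or bool(nxt and set(nxt) == {"-"})


def triage(report: str) -> list[Finding]:
    """Return every flagged launch point, tagged with the section it was found under."""
    lines = report.splitlines()
    section, findings = "", []
    for i, raw in enumerate(lines):
        line = raw.strip()
        if not line:
            continue
        if _is_header(lines, i):
            section = line
            continue
        m_name = _NAME_RE.search(line)
        name = m_name["name"] if m_name else line
        m_tag = _TAG_RE.search(line)
        tag = m_tag["tag"] if m_tag else ""
        if "WARNING!" in line:
            reason = "warning"
        elif tag == "file not found":
            reason = "file not found"
        elif tag == "null data":
            reason = "null data"
        else:
            continue  # [MS], ["Vendor"] or an informational line: nothing to review
        findings.append(Finding(section, name, reason, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per reason."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


# Trimmed from the Silent Runners report posted in this thread.
SAMPLE_REPORT = r'''"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows 98

Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AVG7_CC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."]
"HPDJ Taskbar Utility" = "C:\WINDOWS\SYSTEM\hpztsb10.exe" ["HP"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"SchedulingAgent" = "mstask.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{20d8bda1-1958-11d6-b00f-00b0d0c6b6a5}" = "McAfee Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MCAFEE\MCAFEE INTERNET SECURITY\GDSHEXT.DLL" [file not found]

Enabled Scheduled Tasks:
------------------------

"Maintenance-ScanDisk" -> launches: "C:\WINDOWS\SCANDSKW.EXE /SAGERUN:0 /ALL /N" [MS]
"McAfee.com Update Check 05192005115301" -> launches: "C:\PROGRA~1\MCAFEE.COM\AGENT\mcupdate.exe /Schedule" [file not found]
"RUTASK" -> launches: "C:\WINDOWS\ru.exe" [null data]

Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

Missing lines (compared with English-language version):
HIJACK WARNING! "orighomepage" = "http://home.excite.com/" [file not found]
HIJACK WARNING! "homepage2" = "about:about:homepage" [file not found]
'''

if __name__ == "__main__":
    found = triage(SAMPLE_REPORT)
    for f in found:
        print(f"[{f.reason}] {f.section}\n    {f.name}")
    print(summarize(found))
```

Entries tagged [MS] or with a vendor string are left out of the list on purpose; the point of the triage is to shrink a long report to the handful of lines that need a decision, which in this thread are the dead McAfee hooks (safe to clean up later), the two hijacked about: URLs and the RUTASK task, the one launch point the scheduled-task step in the next post goes after.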


----------



## Flrman1 (Jul 26, 2002)

* I am attaching a delete4.zip file to this post. Download it and save it to your desktop. 
Unzip the delete4.zip file to extract the delete.bat file to C:\. After extracting to C:, you should have a C:\delete4.bat file sitting separately on C:. Make sure that you *do not* have it extracted to a C:\delete4 folder. You will be running the bat file from dos and it will not work if the file is not where it should be.

* Put the boot floppy in the floppy drive and restart your computer. As it boots to the floppy, it will ask you if you want to start with CD Rom support. It doesn't matter if you do or don't. Hit Enter. When you get to the *A:\>* Prompt type:

*C:*

Hit enter.

At the C:\> prompt type the following command:

*delete4.bat*

Let the batch file run.

* After the batch has run, remove the boot disk from the drive and hit the Ctrl + Alt + Del keys simultaneously to reboot.

* As the computer begins to reboot, begin tapping the F8 key repeatedly until you get to the advanced boot menu. Use the up and down arrow keys on your keyboard to choose "Safe Mode" from the boot menu then hit Enter to boot to safe mode.

* In safe mode delete the C:\Program Files\tbas folder again.

* Go to Start > Programs > Accessories > System Tools > Scheduled Tasks.
Find *RUTASK* and delete it.

* Restart back to windows normally and come back here to post a new Hijack This log.


----------



## jdwest (Jul 30, 2005)

Flrman1,
Everything went well with your instructions until the last step: * Go to Start > Programs > Accessories > System Tools > Scheduled Tasks.
Find RUTASK and delete it. There was not a RUTASK item in the Scheduled Tasks. 
Here's the HJT log; it looks like that "tbas" file is still there:
Logfile of HijackThis v1.99.1
Scan saved at 10:48:30 PM, on 8/9/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\HPZTSB10.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Broadband Internet
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Uhte] C:\Program Files\tbas\bhar.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204


----------



## jdwest (Jul 30, 2005)

Flrman1 & DVK01

In FIND, I typed in "*.ini" and it found a Win.ini file but did not show a Wininit.ini file. Thought I would add this to go with the last post with the "delete4.bat" results. This was mentioned in a few previous posts but not sure if it needed to be addressed at this time.


----------



## Flrman1 (Jul 26, 2002)

Fix this with Hijack This:

*O4 - HKCU\..\Run: [Uhte] C:\Program Files\tbas\bhar.exe*

Restart your computer.

Post a new Hijack This log and run the silentrunners.vbs file again and post the new log from it as well.


----------



## jdwest (Jul 30, 2005)

Here's the SilentRunner log:
"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"DelayShred" = ""C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\SHREDDER\SHRED32.EXE" /q C:\WINDOWS\TEMPOR~1\CONTENT.IE5\6N0TSBKF\RECALL~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\P801BU45\SEARCH~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\01234567\991673~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\P801BU45\CAJE0BVH.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\01234567\DCS_1_~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\01234567\COMPON~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\01234567\KEY_1_~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\E4LC5O7O\CORNER~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\P801BU45\BA_SV_~3.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\6N0TSBKF\CAPCWZTD.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\E4LC5O7O\ADS_1_~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\P801BU45\FLASH_~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\6N0TSBKF\LEFTNA~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\6N0TSBKF\TIGER_~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\6N0TSBKF\FRESH_~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\E4LC5O7O\147273~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\6N0TSBKF\COLTS_~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\01234567\BA_SV_~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\6N0TSBKF\COVER_~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\P801BU45\HELPON~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\01234567\BURSTU~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\E4LC5O7O\GO-BUT~2.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\P801BU45\TOPNAV~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\01234567\BURSTU~2.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\01234567\LINE_1~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\P801BU45\LEFTBK~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\01234567\TECHGU~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\E4LC5O7O\BROWSE~2.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\P801BU45\PX-666~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\P801BU45\TN-PUR~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\6N0TSBKF\INSTAL~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\E4LC5O7O\DAVIS_~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\P801BU45\IFRAME~2.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\01234567\BG-LEF~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\01234567\TOPNAV~1.SH! 
C:\WINDOWS\TEMPOR~1\CONTENT.IE5\P801BU45\TN-ABO~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\01234567\TN-ON-~2.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\01234567\DCS_7_~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\01234567\TDS3SE~1.SH! C:\WINDOWS\TEMPOR~1\CONTENT.IE5\INDEX.SH! C:\WINDOWS\HISTORY\HISTORY.IE5\INDEX.SH! C:\WINDOWS\COOKIES\INDEX.SH!" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AVG7_CC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_AMSVR" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE" ["GRISOFT, s.r.o."]
"HP Component Manager" = ""C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"" ["Hewlett-Packard Company"]
"HPDJ Taskbar Utility" = "C:\WINDOWS\SYSTEM\hpztsb10.exe" ["HP"]
"HP Software Update" = ""C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"" ["Hewlett-Packard Company"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"SchedulingAgent" = "mstask.exe" [MS]
"KB891711" = "c:\windows\SYSTEM\KB891711\KB891711.EXE" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
PerUser_CVT_Inis\(Default) = "Windows Setup - FAT32 Converter"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis_remove 64 c:\windows\INF\applets1.inf" [MS]
PerUser_netwatch_Inis\(Default) = "Windows Setup - Netwatch"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_netwatch_Rem_Inis 64 c:\windows\INF\appletpp.inf" [MS]
PerUser_Dialer_Inis\(Default) = "Windows Setup - Phone Dialer"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis_remove 64 c:\windows\INF\appletpp.inf" [MS]
{44BBA842-CC51-11CF-AAFA-00AA00B6015C}\(Default) = "NetMeeting 3.0"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection c:\windows\INF\msnetmtg.inf,NetMtg.Remove.PerUser.W95" [MS]
OlsAolPerUser\(Default) = "Windows Setup - America Online"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUserRemove 64 c:\windows\INF\ols.inf" [MS]
OlsAttPerUser\(Default) = "Windows Setup - AT&T WorldNet Service"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUserRemove 64 c:\windows\INF\ols.inf" [MS]
OlsCompuservePerUser\(Default) = "Windows Setup - CompuServe"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsCompuservePerUserRemove 64 c:\windows\INF\ols.inf" [MS]
OlsProdigyPerUser\(Default) = "Windows Setup - Prodigy Internet"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUserRemove 64 c:\windows\INF\ols.inf" [MS]
{44BBA851-CC51-11CF-AAFA-00AA00B6015C}\(Default) = "Microsoft Web Publishing Wizard 1.6"
\StubPath = "rundll32.exeadvpack.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGSE.DLL" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGSE.DLL" ["GRISOFT, s.r.o."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\REAL\REALPLAYER\RPSHELL.DLL" ["RealNetworks, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{20d8bda1-1958-11d6-b00f-00b0d0c6b6a5}" = "McAfee Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MCAFEE\MCAFEE INTERNET SECURITY\GDSHEXT.DLL" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
TDS-3\(Default) = "{E8ADA3E1-CE9B-44A0-A165-997304EF4E18}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\TDS3SHL.DLL" ["("]
SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\TECHSMITH\SNAGIT 7\SNAGITSHELLEXT.DLL" ["TechSmith Corporation"]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGSE.DLL" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
TDS-3\(Default) = "{E8ADA3E1-CE9B-44A0-A165-997304EF4E18}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\TDS3SHL.DLL" ["("]
SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\TECHSMITH\SNAGIT 7\SNAGITSHELLEXT.DLL" ["TechSmith Corporation"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGSE.DLL" ["GRISOFT, s.r.o."]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"

Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"Microsoft Works Calendar Reminders" -> shortcut to: "C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe" ["Microsoft® Corporation"]
"Exif Launcher" -> shortcut to: "C:\Program Files\Exif Launcher\QuickDCF.exe" ["FUJI PHOTO FILM CO., LTD."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"DING!" -> shortcut to: "C:\Program Files\Southwest Airlines\Ding\Ding.exe" ["Southwest Airlines"]

Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]
"Maintenance-Defragment programs" -> launches: "C:\WINDOWS\DEFRAG.EXE /SAGERUN:0" [MS]
"Maintenance-ScanDisk" -> launches: "C:\WINDOWS\SCANDSKW.EXE /SAGERUN:0 /ALL /N" [MS]
"Maintenance-Disk cleanup" -> launches: "C:\WINDOWS\CLEANMGR.EXE /SAGERUN:0" [MS]
"McAfee.com Update Check 05192005115301" -> launches: "C:\PROGRA~1\MCAFEE.COM\AGENT\mcupdate.exe /Schedule" [file not found]
"RUTASK" -> launches: "C:\WINDOWS\ru.exe" [file not found]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6

Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{CE27D4DF-714B-4427-95EB-923FE53ADF8E}\ = "LeftFrame Class"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\DSR.DLL" [file not found]

HKLM\Software\Classes\CLSID\{E2D2FE40-5674-4B77-802B-EC86B6C2C41D}\ = "BottomFrame Class"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\WINDOWS\DSR.DLL" [file not found]

Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

Missing lines (compared with English-language version):
HIJACK WARNING! "orighomepage" = "http://home.excite.com/" [file not found]
HIJACK WARNING! "homepage2" = "about:about:homepage" [file not found]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 7 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 14 seconds.
---------- (total run time: 47 seconds)

Here's the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 11:10:02 AM, on 8/10/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\HPZTSB10.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Broadband Internet
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204


----------



## Flrman1 (Jul 26, 2002)

The HJT log looks good now, but the silentrunners log is still showing the RUTASK in the scheduled tasks. Are you sure it wasn't there?

Tell me everything that is there.


----------



## jdwest (Jul 30, 2005)

Flrman1,
Attached a screen capture of the Scheduled Tasks screen for you to view:


----------



## Flrman1 (Jul 26, 2002)

I honestly don't know why it's not showing up there.

How is the computer running now?


----------



## jdwest (Jul 30, 2005)

Flrman1,
The system seems to be running good now. Can you tell me how to go about getting the McAfee remnants off of the system. McAfee is not running on the system anymore, but apparently there are things still attached. During the bootup the system stops with a message script that it cannot find some type of McAfee file, press any key to continue. Once you press a key it goes on through the bootup process. Similar thing happens when opening Outlook for email, message comes up regarding something with McAfee not being available, and just click OK to go on into Outlook. 

Since I removed McAfee and it seems to be the consensus opinion that McAfee is not that good of a protection system, can you give me some advice on what product(s), free or requiring purchase, I can put in place to offer the best safeguard solution to my system. 

Some prior posts from Flavallee mentioned some cleanup that could be done on the Startup folder, any ideas on that?


----------



## Flrman1 (Jul 26, 2002)

See the link below about removing Mcafee:

http://help.isu.edu/disppage.php?doc_id=587&cat_id=69


----------



## jdwest (Jul 30, 2005)

Flrman1,
Have been out for several months with work and returned home to find the following situation with system. Apparently something occurred during a system bootup that prompted to load a previous registry due to problems encountered. They allowed the previous registry to load and it seems to have gone back to a previous state prior to having performed many of the steps that you gave me in this thread. Should I go back and start at the beginning of the thread and do all of the steps you gave me, or would it be better to see where the system is currently at and proceed from here?
I ran AdAware and Spybot and fixed the problems identified. Here is the current HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:18:22 PM, on 10/8/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\TRIDTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\DIGSTREAM\DIGSTREAM.EXE
C:\WINDOWS\SYSTEM\WINSHOST.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Broadband Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TridTray] c:\windows\SYSTEM\tridtray.exe 
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe
O4 - HKLM\..\Run: [VirusScanMSC] "C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE" /EMBEDDING
O4 - HKLM\..\Run: [Mount Safe & Sound] C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\SAFE&SOUND\FBMOUNT.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Comcast\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [saap] c:\windows\saap.exe
O4 - HKLM\..\Run: [brrlpzp] c:\windows\system\brrlpzp.exe
O4 - HKLM\..\Run: [winshost.exe] C:\WINDOWS\SYSTEM\winshost.exe
O4 - HKLM\..\Run: [firewall_anti] C:\WINDOWS\firewall_anti.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Default\HXIUL.EXE
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Default\Client\HelpExp.exe
O4 - HKCU\..\Run: [winshost.exe] C:\WINDOWS\SYSTEM\winshost.exe
O4 - HKCU\..\RunServices: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Default\HXIUL.EXE
O4 - HKCU\..\RunServices: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Default\Client\HelpExp.exe
O4 - HKCU\..\RunServices: [winshost.exe] C:\WINDOWS\SYSTEM\winshost.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {55E9B640-D33E-11D4-8C04-00E029617463} - (no file) (HKCU)
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19a2712307574ab33614/netzip/RdxIE601.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab35645.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab34120.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/bingame/zpagames/zpa_wof.cab34501.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c420.cab

Thanks for helping....AGAIN!!!


----------



## flavallee (May 12, 2002)

jdwest:

This thread is 6 pages long, so I'm not going to go back and read every reply. You'll need to do that and decide where to pick up at. Just glancing at the O4 entries, it looks like a real mess.

Did anyone else have access to your computer while you were gone?

----------------------------------------------------------------


----------



## dvk01 (Dec 14, 2002)

There is no antivirus on there, so the first thing to do is install an antivirus.

run it and see what that fixes and then post a new HJT log afterwards

one free one that many users of this forum use successfully is 
AVG from http://free.grisoft.com/freeweb.php/doc/1/


----------



## jdwest (Jul 30, 2005)

Had previously loaded AVG and thought it was still active on the system. I went ahead and reloaded it from the link. Ran the scan and it identified and fixed quite a few items. Here is the HJT log after the AVG scan:

Logfile of HijackThis v1.99.1
Scan saved at 6:07:35 PM, on 10/9/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\TRIDTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\DIGSTREAM\DIGSTREAM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Broadband Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TridTray] c:\windows\SYSTEM\tridtray.exe 
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe
O4 - HKLM\..\Run: [VirusScanMSC] "C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE" /EMBEDDING
O4 - HKLM\..\Run: [Mount Safe & Sound] C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\SAFE&SOUND\FBMOUNT.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Comcast\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [saap] c:\windows\saap.exe
O4 - HKLM\..\Run: [brrlpzp] c:\windows\system\brrlpzp.exe
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Default\HXIUL.EXE
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Default\Client\HelpExp.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {55E9B640-D33E-11D4-8C04-00E029617463} - (no file) (HKCU)
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19a2712307574ab33614/netzip/RdxIE601.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab35645.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab34120.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/bingame/zpagames/zpa_wof.cab34501.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c420.cab


----------



## dvk01 (Dec 14, 2002)

Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

Run hijackthis, put a tick in the box beside these entries listed below and *ONLY these entries*, double check to make sure, then make sure all browser & email windows are closed and press fix checked

O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL (file missing)

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe
O4 - HKLM\..\Run: [VirusScanMSC] "C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE" /EMBEDDING
O4 - HKLM\..\Run: [Mount Safe & Sound] C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\SAFE&SOUND\FBMOUNT.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [saap] c:\windows\saap.exe
O4 - HKLM\..\Run: [brrlpzp] c:\windows\system\brrlpzp.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE

O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Default\HXIUL.EXE
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Default\Client\HelpExp.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {55E9B640-D33E-11D4-8C04-00E029617463} - (no file) (HKCU)

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19a2712307574a...ip/RdxIE601.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M...bridge-c420.cab

now Start killbox paste the first file listed below into the full pathname and file to delete box

The file name will appear in the window and, if the file exists, it will appear in blue under that window. Then select Standard File Kill, press the red X button, say yes to the prompt, and once the "file deleted" message comes up, repeat for each file in turn.

[Note: Killbox makes backups of all deleted files in a folder called C:\!submit.] If Killbox tells you any files are missing, don't worry.

c:\windows\saap.exe
c:\windows\system\brrlpzp.exe

Then on killbox top bar press tools/delete temp files and follow those prompts and say yes to everything

Then, as some of the folders you need to delete may be hidden, do this:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

*delete these folders *

C:\Program Files\Alset

then go to C:\windows\temp and select EVERYTHING and delete it all and then do the same for C:\temp if it exists

1) Open Control Panel
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

then

Run ADAWARE

Before you scan with AdAware, check for updates of the reference file by using the "webupdate".

Set up the Configurations as follows:

General Button
Safety:
Check (Green) all three.

Click on "Proceed"

Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

Click on "Scan Now"

Run the scanner using the Full Scan (Perform full system scan) mode.

When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose "Select All" from the drop-down menu.) Then press Next and say yes to the prompt "Do you want to remove all these entries?".

Reboot &

Download and install the Micro$oft antispyware BETA from http://www.microsoft.com/athome/security/spyware/software/default.mspx and let it fix anything it finds

First press File and check for updates, and then run it.

Recent tests suggest that a combination of Ad-Aware and M$AS removes approx. 80% of spyware/adware, much higher than any other combination.

Run an online antivirus check from at least one and preferably 2 of the following sites

http://www.kaspersky.com/virusscanner
http://www.pandasoftware.com/products/activescan.htm
http://housecall.trendmicro.com/

Reboot, post a fresh HJT log and let us know how it is.


----------



## zapp22 (Nov 26, 2004)

dvk:
I searched out this thread because of a lot of odd, ugly behaviour on a client's Win98 SE system. Were you serious about deleting/killing that string of McAfee agents that are in your last post above? Why? That really got my attention.
z


----------



## zapp22 (Nov 26, 2004)

just making sure I'm subscribed


----------



## dvk01 (Dec 14, 2002)

zapp22 said:


> dvk:
> I searched out this thread because of a lot of odd, ugly behaviour on a client's Win98 SE system. Were you serious about deleting/killing that string of McAfee agents that are in your last post above? Why? That really got my attention.
> z


The user had previously uninstalled McAfee and it hadn't gone properly, so it needed fixing manually.

He was now using a different AV.


----------



## jdwest (Jul 30, 2005)

Flrman1,
Sorry to bother you, but I have a question regarding a current problem that I have posted on a thread in the Windows 95/98/ME forum titled "Win 98se will not boot". In helping me with the problem posted on this thread back in July of last year, you had me create a Boot Disk (post #17).
Will this Boot Disk be able to help with the current problem I'm having, which is that the system cannot find Win.com during boot-up and will not continue loading? It states the following files are missing: C:\Windows\HIMEM.SYS, C:\Windows\DBLBUFF.SYS, C:\Windows\IFSHLP.SYS.
Along with the Boot Disk, I located the Emergency Recovery CD (bootable) that came with my system.
Again, sorry to bother you on this old post, but I'm hoping the disk from this one might be useful in fixing my current problem! Thanks for any assistance you can provide!


----------



## Flrman1 (Jul 26, 2002)

Since this problem has been solved, I'm closing this thread. If you need it reopened please PM me or one of the other mods.

Anyone else with a similar problem please start a "New Thread".


----------

