# [Resolved] msconfig won't stay visible but for 2 seconds



## Tinka (Jul 17, 2003)

I already have Hijackthis and all now I'm pasting what it found...

Logfile of HijackThis v1.95.1
Scan saved at 6:30:35 PM, on 7/17/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMONNAME\TOOLBAR\WINNET.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\FPDISP3A.EXE
C:\PROGRAM FILES\COMMON FILES\GMT\GMT.EXE
C:\PROGRAM FILES\PRECISIONTIME\PRECISIONTIME.EXE
C:\PROGRAM FILES\DATE MANAGER\DATEMANAGER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DXDIAG.EXE
C:\WINDOWS\SYSTEM\KERNEL32.DLI
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\PROGRAM FILES\WINAMP\WINAMP.EXE
C:\PROGRAM FILES\COMMONNAME\TOOLBAR\COMWIZ.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = home.netscape.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?s=consumer&LC=0409&c=1c00
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=1c00&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_5_0.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\PROGRAM FILES\HOTBAR\BIN\4.3.1.0\HBHOSTIE.DLL
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_88.dll
O2 - BHO: (no name) - {00000EF1-34E3-4633-87C6-1AA7A44296DA} - C:\WINDOWS\SYSTEM\MPZ300.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O2 - BHO: (no name) - {EFD440C0-0943-11d3-9D65-00A0CC22CBC4} - C:\WINDOWS\QPHELPER.DLL
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRAM FILES\COMMONNAME\TOOLBAR\CNBABE.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_5_0.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll
O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\PROGRAM FILES\HOTBAR\BIN\4.3.1.0\HBHOSTIE.DLL
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\TOOLBAR\WINNET.EXE
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [CMESys] "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CompaqPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [IJ75P2PSERVER] IJ75P2PS.EXE
O4 - HKLM\..\Run: [kernel32] C:\WINDOWS\SYSTEM\KERNEL32.DLI
O4 - HKLM\..\Run: [NvXplDeamon] xstyles.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher] C:\WINDOWS\SYSTEM\fpdisp3a.exe
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmtrans.html
O8 - Extra context menu item: Bookmark This Page - C:\Program Files\CommonName\Toolbar\createbookmark.htm
O8 - Extra context menu item: Add A Page Note - C:\Program Files\CommonName\Toolbar\createnote.htm
O8 - Extra context menu item: Email This Link - C:\Program Files\CommonName\Toolbar\emaillink.htm
O8 - Extra context menu item: Search using CommonName - C:\Program Files\CommonName\Toolbar\navigate.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O11 - Options group: [CommonName] CommonName
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.ritzpix.com/add/XUpload.ocx

PLEASE HELP ME LIKE U DID EDMONDDDDD!!!


----------



## Rollin' Rog (Dec 9, 2000)

Welcome Tinka. We prefer fresh threads rather than "piggybacks", so I've splityour off.

First, put checks in the following HijackThis entries, close IE, and click 'fix checked'; reboot afterwards:

O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\PROGRAM FILES\HOTBAR\BIN\4.3.1.0\HBHOSTIE.DLL
O2 - BHO: (no name) - {00000EF1-34E3-4633-87C6-1AA7A44296DA} - C:\WINDOWS\SYSTEM\MPZ300.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRAM FILES\COMMONNAME\TOOLBAR\CNBABE.DLL
O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\PROGRAM FILES\HOTBAR\BIN\4.3.1.0\HBHOSTIE.DLL
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL

O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\TOOLBAR\WINNET.EXE
O4 - HKLM\..\Run: [CMESys] "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
O4 - HKLM\..\Run: [IJ75P2PSERVER] IJ75P2PS.EXE
O4 - HKLM\..\Run: [kernel32] C:\WINDOWS\SYSTEM\KERNEL32.DLI
O4 - HKLM\..\Run: [NvXplDeamon] xstyles.exe
O4 - Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O11 - Options group: [CommonName] CommonName

You will need to follow instructions here as well:

http://www.symantec.com/avcenter/venc/data/backdoor.amitis.b.html

Let me know if you need help with that.

Then, VERY IMPORTANT, please download, install and UPDATE, Spybot following the directions here:

http://tomcoyote.org/SPYBOT/

After updating Spybot, but before running, go to Add/Remove programs and remove:

New.net

and reboot.

Then run Spybot, fix all entries it pre selects and reboot. If prompted to run a second time, do so.

Post another Scanlog after completion of the above.


----------



## Tinka (Jul 17, 2003)

Ok I do need help with the Symantec Security link you told me to go to...


----------



## Rollin' Rog (Dec 9, 2000)

Go ahead with the instructions I posted and give another ScanLog after you've finished.

You can skip the Symantec instructions for now and do them last.

You will need to read the section of the link under REMOVAL and tell me whichin structions don't seem clear to you. They are intended to help you run *regedit* and find and delete specific registry keys. You must be confident you have found and identified the correct keys.

HKEY_CLASSES_ROOT\*.dli*
HKEY_CLASSES_ROOT\*dlifile*

remember, you are looking for d l i not d l l

You will not need to do parts 'd' and 'e' of the instructions. HijackThis will do that for you when you do as I indicated.

When you are asked to delete a value, you right click on it and select "delete".


----------



## Tinka (Jul 17, 2003)

when i go to run and type regedit the box that pops up only stays up for about 3 seconds and it goes away.


----------



## Rollin' Rog (Dec 9, 2000)

Have you completed the previous instructions regarding HijackThis and rebooted afterwards?

If you do a ctrl-alt-del do you see either of these as a task in the task window:

KERNEL32.DLI
IJ75P2PS.EXE


----------



## Tinka (Jul 17, 2003)

ok, i did the hijack instructions and rebooted. When i push ctrl+alt+del I don't see KERNEL32.DLI or IJ75P2PS.EXE and my when I'm trying to do the regedit it still only stays up for a couple of seconds.


----------



## Rollin' Rog (Dec 9, 2000)

Post another ScanLog for me so I can see if there is something new or something that is holding out.


----------



## Tinka (Jul 17, 2003)

Logfile of HijackThis v1.95.1
Scan saved at 10:05:00 PM, on 7/19/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\BIOS32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\FPDISP3A.EXE
C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE
C:\PROGRAM FILES\COMMONNAME\TOOLBAR\WINNET.EXE
C:\PROGRAM FILES\COMMONNAME\TOOLBAR\COMWIZ.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = home.netscape.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?s=consumer&LC=0409&c=1c00
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=1c00&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - C:\PROGRAM FILES\ACCELERATION SOFTWARE\STOPSIGN\WEBCBROWSE.DLL (file missing)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_5_0.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_88.dll
O2 - BHO: eXact Browser Companion - {F9765480-72D1-11D4-A75A-004F49045A87} - C:\PROGRAM FILES\EXACT\EXACTTOOLBAR.DLL (file missing)
O2 - BHO: (no name) - {EFD440C0-0943-11d3-9D65-00A0CC22CBC4} - C:\WINDOWS\QPHELPER.DLL
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRAM FILES\COMMONNAME\TOOLBAR\CNBABE.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_5_0.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll
O3 - Toolbar: &eXact Toolbar - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - C:\PROGRAM FILES\EXACT\EXACTTOOLBAR.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CompaqPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k
O4 - HKLM\..\Run: [FinePrint Dispatcher] C:\WINDOWS\SYSTEM\fpdisp3a.exe
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM\..\Run: [BIOS] C:\WINDOWS\SYSTEM\bios32.exe
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\TOOLBAR\winnet.exe
O4 - HKLM\..\Run: [NvXplDeamon] xstyles.exe
O4 - HKLM\..\RunServices: [BIOS] C:\WINDOWS\SYSTEM\bios32.exe
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmtrans.html
O8 - Extra context menu item: Bookmark This Page - C:\Program Files\CommonName\Toolbar\createbookmark.htm
O8 - Extra context menu item: Add A Page Note - C:\Program Files\CommonName\Toolbar\createnote.htm
O8 - Extra context menu item: Email This Link - C:\Program Files\CommonName\Toolbar\emaillink.htm
O8 - Extra context menu item: Search using CommonName - C:\Program Files\CommonName\Toolbar\navigate.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Block This Page (HKLM)
O9 - Extra button: AIM (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {8721F16D-CBF8-4CE5-B924-18D64E12E77E} (BDEInstallMan3 Class) - http://www.altnet.com/install/dman4.cab


----------



## Rollin' Rog (Dec 9, 2000)

Ok, there is just way too much spy and adware stuff there.

You need to install Spybot. Once installed you need to UPDATE it following these directions:

>> press the "settings" tab; you will then see another "settings" option in a gray window. Press that. Look for "Web Update" and put a check in "display also available beta versions".

Then press the Online tab and "search for updates"; check and download all updates.

>> Then Remove *new.net* from Add/Remove programs and reboot.

>> Run Spybot and have it fix all pre checked entries it targets. You will need to reboot and you may be prompted to run it again.

Then post another ScanLog.


----------



## Tinka (Jul 17, 2003)

Logfile of HijackThis v1.95.1
Scan saved at 10:48:30 PM, on 7/19/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\BIOS32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\FPDISP3A.EXE
C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE
C:\PROGRAM FILES\COMMONNAME\TOOLBAR\WINNET.EXE
C:\PROGRAM FILES\COMMONNAME\TOOLBAR\COMWIZ.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = home.netscape.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?s=consumer&LC=0409&c=1c00
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=1c00&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - C:\PROGRAM FILES\ACCELERATION SOFTWARE\STOPSIGN\WEBCBROWSE.DLL (file missing)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_5_0.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
O2 - BHO: eXact Browser Companion - {F9765480-72D1-11D4-A75A-004F49045A87} - C:\PROGRAM FILES\EXACT\EXACTTOOLBAR.DLL (file missing)
O2 - BHO: (no name) - {EFD440C0-0943-11d3-9D65-00A0CC22CBC4} - C:\WINDOWS\QPHELPER.DLL
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRAM FILES\COMMONNAME\TOOLBAR\CNBABE.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_5_0.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll
O3 - Toolbar: &eXact Toolbar - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - C:\PROGRAM FILES\EXACT\EXACTTOOLBAR.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CompaqPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k
O4 - HKLM\..\Run: [FinePrint Dispatcher] C:\WINDOWS\SYSTEM\fpdisp3a.exe
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM\..\Run: [BIOS] C:\WINDOWS\SYSTEM\bios32.exe
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\TOOLBAR\winnet.exe
O4 - HKLM\..\Run: [NvXplDeamon] xstyles.exe
O4 - HKLM\..\RunServices: [BIOS] C:\WINDOWS\SYSTEM\bios32.exe
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmtrans.html
O8 - Extra context menu item: Bookmark This Page - C:\Program Files\CommonName\Toolbar\createbookmark.htm
O8 - Extra context menu item: Add A Page Note - C:\Program Files\CommonName\Toolbar\createnote.htm
O8 - Extra context menu item: Email This Link - C:\Program Files\CommonName\Toolbar\emaillink.htm
O8 - Extra context menu item: Search using CommonName - C:\Program Files\CommonName\Toolbar\navigate.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Block This Page (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {8721F16D-CBF8-4CE5-B924-18D64E12E77E} (BDEInstallMan3 Class) - http://www.altnet.com/install/dman4.cab


----------



## Rollin' Rog (Dec 9, 2000)

Sheesh, I do see you removed New.net, but it doesn't look like Spybot has been run. Did you update and run it according to directions?

Let's have another hack at this with HijackThis; then run spybot again, fix things, reboot and post another Scanlog.

First, do a ctrl-alt-del and if you see any of these in the Task Window, end task each:

BIOS32.EXE
P2P NETWORKING.EXE
WINNET.EXE
COMWIZ.EXE

Check these entries; be sure you get them all; close IE and click Fix checked.

O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - C:\PROGRAM FILES\ACCELERATION SOFTWARE\STOPSIGN\WEBCBROWSE.DLL (file missing)
O2 - BHO: (no name) - {EFD440C0-0943-11d3-9D65-00A0CC22CBC4} - C:\WINDOWS\QPHELPER.DLL
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRAM FILES\COMMONNAME\TOOLBAR\CNBABE.DLL
O2 - BHO: eXact Browser Companion - {F9765480-72D1-11D4-A75A-004F49045A87} - C:\PROGRAM FILES\EXACT\EXACTTOOLBAR.DLL (file missing)
O2 - BHO: (no name) - {EFD440C0-0943-11d3-9D65-00A0CC22CBC4} - C:\WINDOWS\QPHELPER.DLL
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRAM FILES\COMMONNAME\TOOLBAR\CNBABE.DLL
O3 - Toolbar: &eXact Toolbar - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - C:\PROGRAM FILES\EXACT\EXACTTOOLBAR.DLL (file missing)

O4 - HKLM\..\Run: [BIOS] C:\WINDOWS\SYSTEM\bios32.exe
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\TOOLBAR\winnet.exe
O4 - HKLM\..\Run: [NvXplDeamon] xstyles.exe
O4 - HKLM\..\RunServices: [BIOS] C:\WINDOWS\SYSTEM\bios32.exe
O4 - HKLM\..\Run: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k

^^^^ this should also be removed through Add/Remove programs, I'm surprised Spybot left it and the others. It is not legitimate antivirus ware.

>>> Reboot in SAFE MODE; to do this, pres and hold the ctrl key immediately when restarting; select Safe Mode from the Boot Menu.

Use Windows Explorer (run: explorer) or My Computer to navigate to

C:\Program Files and delete the following directories:

P2P NETWORKING
COMMONNAME

Reboot and run Spybot again and have it fix all it finds.

Post Another ScanLog


----------



## Tinka (Jul 17, 2003)

Logfile of HijackThis v1.95.1
Scan saved at 12:00:05 AM, on 7/20/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\BIOS32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\FPDISP3A.EXE
C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = home.netscape.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?s=consumer&LC=0409&c=1c00
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=1c00&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_5_0.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_5_0.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CompaqPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher] C:\WINDOWS\SYSTEM\fpdisp3a.exe
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM\..\Run: [NvXplDeamon] xstyles.exe
O4 - HKLM\..\Run: [BIOS] C:\WINDOWS\SYSTEM\bios32.exe
O4 - HKLM\..\RunServices: [BIOS] C:\WINDOWS\SYSTEM\bios32.exe
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## Rollin' Rog (Dec 9, 2000)

Sorry, I may not have given you the best directions last time, some of these files were not in the Program Files directory.

Please, one again follow these directions EXACTLY.

1 -- ctrl alt del and End Task the following processes if present:

BIOS32.EXE
P2P NETWORKING.EXE

2 -- Check the following entries in the HijackThis Scanlog:

O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM\..\Run: [NvXplDeamon] xstyles.exe
O4 - HKLM\..\Run: [BIOS] C:\WINDOWS\SYSTEM\bios32.exe
O4 - HKLM\..\RunServices: [BIOS] C:\WINDOWS\SYSTEM\bios32.exe

3 -- Close Internet Explorer and click Fix Checked in HijackThis

4 -- Reboot in Safe Mode

>> delete *P2P NETWORKING* folder in c:\windows\system

>> delete *bios32.exe* file in c:\windows\system

(it may be easier to do a Find Files for it).

Do a Find Files for: *xstyles.exe* and delete that whereever it is.

we are getting closer, I assure you 

And of course, another ScanLog

Let me know if you don't find something. You may need to ensure that "show all files" is checked in Folder Options > View


----------



## Rollin' Rog (Dec 9, 2000)

Tinka, I am going to have to shutdown for a while due to repeated power brownouts and failures here; Hopefully I will be back in about 30 minutes if things settle down.


----------



## Tinka (Jul 17, 2003)

When I deleted xstyles i emptied my recycle bin...but i couldn't find the bios32 and when i rebooted i couldn't get back to this site so I had to log in under another user...did i delete something wrong?


----------



## Tinka (Jul 17, 2003)

im sorry nevermind...i got it now

Logfile of HijackThis v1.95.1
Scan saved at 1:43:45 AM, on 7/20/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\BIOS32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\FPDISP3A.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = home.netscape.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?s=consumer&LC=0409&c=1c00
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=1c00&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_5_0.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_5_0.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CompaqPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher] C:\WINDOWS\SYSTEM\fpdisp3a.exe
O4 - HKLM\..\Run: [NvXplDeamon] xstyles.exe
O4 - HKLM\..\Run: [BIOS] C:\WINDOWS\SYSTEM\bios32.exe
O4 - HKLM\..\RunServices: [BIOS] C:\WINDOWS\SYSTEM\bios32.exe
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## Rollin' Rog (Dec 9, 2000)

The site was down for a while last night.

*edit*: before proceeding with what follows below, please test run msconfig and regedit and let me know if they open and run correctly; if they do, do not proceed with what follows. If they do not, first terminate bios32.exe in the End Task window and see if they run after that. If they do, proceed with the following. It is possible that I have been mistaken in my assumption that they are illegitimate files, even though there is really no information available for them on the web.
=======================================

Well we keep making a little progress at a time; bios32.exe and xstyles.exe keep holding on.

Let's keep trying using different methods.

1 - do a ctrl-alt-del and End Task *bios32.exe*

2 - go to Start > Run and enter *command* (a DOS windows should open)

3 - at the command prompt enter EXACTLY each bold line (note any error messages):

*cd c:\windows\system* (you should now be at the prompt

c:\windows\system>

*attrib -h -r -s bios32.exe
del bios32.exe*

If you receive no error message the commands should have deleted the file. If you do receive an error message, reenter the command, making sure spelling and spacing are correct.

4 - Run the HijackThis scan again and check and fix:

O4 - HKLM\..\Run: [NvXplDeamon] xstyles.exe
O4 - HKLM\..\Run: [BIOS] C:\WINDOWS\SYSTEM\bios32.exe
O4 - HKLM\..\RunServices: [BIOS] C:\WINDOWS\SYSTEM\bios32.exe

5 - I don't know where this xstyles.exe is comming from, so we must keep searching for it; if you get a hit note the exact path and delete it.

In Folder Options > View, make sure "Show All Files" is checked.

Do a Find Files for *xstyles.exe* making sure that include subdirectories is checked. Delete any instance of it.

Reboot and give another ScanLog. Do not do any further downloading or unnecessary browsing until we have these cleaned. Do not use any file sharing utillities.


----------



## Tinka (Jul 17, 2003)

I stopped at #3. I keep typing the command but the message "Parameter value not allwed - del"


----------



## Rollin' Rog (Dec 9, 2000)

Can you give me some feedback on the first part of my message? I don't want to try to proceed with that if these are in fact legitimate files not related to the problem.

Also were you able to find either bios32.exe or xstyles.exe by doing Find Files for them? If so, please do it again and Right Click on what you find and select Properties, then Version and tell me if there is any copyright information for them.


----------



## Tinka (Jul 17, 2003)

I found xstyles the other day and i deleted it...I never did find bios32. I stopped at number 3 because everytime I put in the command attrib -h -r -s bios32.exe del bios32.exe that message parameter value not allowed -del. I searched for xtyles.exe and only one file came up. I clicked properties and the only info they gave me was the general information...no Version.


----------



## Tinka (Jul 17, 2003)

ok, the bios32 error message just popped up and said it had to close for performing an illgeal operation...


----------



## Rollin' Rog (Dec 9, 2000)

Ok, what I want to know is if you do a ctrl-alt-del and End Task bios32.exe (or if it is not in the Close Programs list), can you run msconfig or regedit without it terminating?

I am concerned that they may be display driver related and not "illegitimate" files. I want to be confident their being illegitimate before deleting them with a DOS command (they won't be in the recycle bin when deleted that way)

I think the error you are getting is because you are trying to enter too much on one line. You must hit ENTER after typing each bold line:

from the command prompt type and ENTER _each_ line:

*cd c:\windows\system
attrib -h -r -s bios32.exe
del bios32.exe*

Then if the bios32.exe entries are still present in the ScanLog, you must check and delete them or you will get startup error messages.

Please post another scanlog when done.


----------



## Tinka (Jul 17, 2003)

regedit or msconfig still will not stay up but for a couple seconds. The only thing in my ctrl+alt+del box is EXPLORER, EM_EXEC, FPDISP3A, STIMON, LVCOMS, SYSTRAY, PTSNOOP, and WINOLDAP. And I still can't find bios32.exe.


----------



## Tinka (Jul 17, 2003)

Logfile of HijackThis v1.95.1
Scan saved at 11:47:17 PM, on 7/20/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\FPDISP3A.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\PROGRAM FILES\DIVX\DIVX PLAYER 2.1\DIVX PLAYER 2.1.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = home.netscape.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?s=consumer&LC=0409&c=1c00
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=1c00&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_5_0.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_5_0.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CompaqPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher] C:\WINDOWS\SYSTEM\fpdisp3a.exe
O4 - HKLM\..\Run: [NvXplDeamon] xstyles.exe
O4 - HKLM\..\Run: [BIOS] C:\WINDOWS\SYSTEM\bios32.exe
O4 - HKLM\..\RunServices: [BIOS] C:\WINDOWS\SYSTEM\bios32.exe
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## Rollin' Rog (Dec 9, 2000)

Ok, here is what I'd like you to try.

Restart in Safe Mode (ctrl key on startup, boot menu > Safe Mode)

Run msconfig from there. If it stays open, uncheck the TWO entries for bios32.exe there and the one entry for xstyles and reboot.

Then try msconfig in Normal mode and see if it stays open.


----------



## Tinka (Jul 17, 2003)

ok, I did it but it didn't stay open.


----------



## Tinka (Jul 17, 2003)

does any of this have to do with me installing kazaa not too long ago?


----------



## Rollin' Rog (Dec 9, 2000)

Well, this is getting truly knarly.

What I'd try now is extracting new copies of both msconfig.exe and regedit.exe using the System File Checker.

Follow the directions here for extracting both files:

Using SFC to extract files

1. Go to Start>Run and enter SFC and click OK
2. Check "Extract one File"
3. Enter the file name and click on "Start"
4. In the "Restore from" field enter:: *D:\WIN98* [if 'D' is not the letter of your CD-Rom drive, modify appropriately]
5. Click OK

{if you do not have a Windows system CD, try subsitituting *c:\windows\options\cabs* in the"restore from field"}

If you have c:\windows\options\cabs on the hard drive, you an do this extraction in Safe Mode which would be best. Otherwise you need a Win98 CD. Make sure bios32.exe is terminated from the Close Programs window before running sfc.

Once the files have been extracted successfully, try running msconfig again

About Kazaa? Absolutely, that's where this stuff came from!


----------



## Tinka (Jul 17, 2003)

ok they were extracted successfully, was I supposed to save a backup? But after I extrated them in safe mode...it still doesn't work. Regedit comes up for a couple but msconfig doesn't come up at all


----------



## Rollin' Rog (Dec 9, 2000)

I don't know if this is going to help much, but I'd like to see the StartupList from HijackThis.

To post the StartupList, run HijackThis, click Config > Miscl Tools > Generate StartupList and post that.

I think we are just going to have to take our best shots at deleting bios32.exe again, and perhaps do a Windows reinstall if I can't find anything else.

It might also help if you can do a full virus scan using Online Tools.

Here are two you can try:

http://www.pandasoftware.com/activescan/com/default.asp?language=2

http://housecall.antivirus.com/housecall/start_corp.asp

If one doesn't complete, try the other.

Also, I have a question: in Safe Mode when you have a cable connection, are you still connected to the Internet? If so, you need to unplug your cable connection for a test as well.


----------



## Tinka (Jul 17, 2003)

StartupList report, 7/21/03, 1:03:37 AM
StartupList version: 1.52
Started from : C:\WINDOWS\TEMP\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v5.00 (5.00.2614.3500)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\FPDISP3A.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = c:\windows\scanregw.exe /autorun
SystemTray = SysTray.Exe
CountrySelection = pctptt.exe
PTSNOOP = ptsnoop.exe
LVComs = c:\windows\SYSTEM\LVComS.exe
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
EM_EXEC = C:\MOUSE\SYSTEM\EM_EXEC.EXE
CompaqPrinTray = PrinTray.exe
FinePrint Dispatcher = C:\WINDOWS\SYSTEM\fpdisp3a.exe
AltnetPointsManager = 
NvXplDeamon = xstyles.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

NvXplDeamon = xstyles.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 19/7/2003, 22:35:10)

[Rename]
NUL=C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

C:\PROGRA~1\NETWOR~1\MCAFEE~1\SCAN.EXE C:\
IF ERRORLEVEL 1 PAUSE
C:\ESSAUDIO.COM
SET CLASSPATH=C:\PROGRA~1\PHOTOD~1.1\ADOBEC~1

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_5_0.DLL - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - c:\windows\googletoolbar.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job

--------------------------------------------------

Enumerating Download Program Files:

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

[YahooYMailTo Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YMMAPI.DLL
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll

[{8EDAD21C-3584-4E66-A8AB-EB0E5584767D}]
CODEBASE = http://toolbar.google.com/data/GoogleActivate.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 3,989 bytes
Report generated in 0.103 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Yes I have a cable connection...so do u want me to unplug it now??


----------



## Tinka (Jul 17, 2003)

Trend Micro found 3 infected files...they are all called bkdr netdevil1.5 I think I got those from someone off yahoo


----------



## Rollin' Rog (Dec 9, 2000)

That's exactly what I was hoping/expecting.

Did it identify them and was it able to delete them?

IN the startuplist I see xstyles.exe starting from the RunOnce folder in the registry as well as Run. In the HijackThis ScanLog, only the Run folder was indicated.

It would be nice to get regedit to run, but I think I can give you a file to delete the RunOnce folder, which is safe to remove entirely. The one in Run, you have to delete using HijackThis, I don't know how to do that.

But if Trend deleted or quarantined infected files, test msconfig and regedit again.


----------



## Tinka (Jul 17, 2003)

the netdevil1.5 files say that they're not cleanable but it also found some PE PariteA files that say they're cleanable


----------



## Rollin' Rog (Dec 9, 2000)

Cleanable is different than deletable. What are the file names and locations. If a log is posted, copy/paste the log here.


----------



## Tinka (Jul 17, 2003)

I'm sorry even though the delete button was right under the clean button i didnt see it. I'm going to delete them now. But its 15 PE ParatiteA files coming from 
emote_userfem.exe, 
kazaa.exe, 
popupstopper.exe,
crimescene.exe,
flowconv.exe,
2 from visio_professional_patch.exe, 
q278261.exe,
accsql.exe,
p2kmac.exe,
euroupd.exe,
word rmr.exe,
hyphenup.exe,
wrd0901.exe

All have D:\ drive in front of them...so delete them right?

The netdevil filenames are my temporary internet files and a system kernel32.dll file


----------



## Rollin' Rog (Dec 9, 2000)

All of them are good to go!

By the way, when was the last time you updated McAfee? If recently you should also do a full system scan in Safe Mode.

If you cannot update it for any reason, you should uninstall it and I'll point you to a decent Antivirus with newer definitions.

You may need to run one in Safe Mode if all infected files cannot be deleted otherwise.

As for your Temporary Internet Files, close internet explorer, go to the Control Panel and open Internet > Internet Options and delete the Temporary Internet Files from there, including offline content.

Unfortunately, I still don't think we are getting what we need to here.


----------



## Tinka (Jul 17, 2003)

ok, can u give me the antivirus


----------



## Rollin' Rog (Dec 9, 2000)

Here's another "todo"

Run HijackThis > Scan and check and delete the *xstyles.exe* entry you see there.

Download the attached file to your desktop (right click on it and select "save target as".

Rename it *runonce.reg*

It should change to a green registry icon (if it doesn't, make sure it still doesn't have a .txt extension, it must be only runonce.reg)

Then double click it to merge it to the registry and confirm when prompted.

Post another StartupList (not a scanlog after that)

I'll wait online another half-hour to see if you have anything, but then I'll be back tommorrow to check for more.

If you want to uninstall McAfee and run another antivirus in Safe Mode, install and Update AVG:

http://www.grisoft.com./us/us_dwnl_free.php


----------



## Tinka (Jul 17, 2003)

I think I'll be back tomorrow too...but something's wrong with runounce


----------



## Rollin' Rog (Dec 9, 2000)

What happens when you run it? You should get a prompt to merge to the registry if you are seeing the green registry icon to click on.

It's possible the same issue that is affecting regedit may stop it from running.


----------



## Tinka (Jul 17, 2003)

the prompt only stays up for like a half of a second...once i clicked yes and another one popped up that had ok on it and i tried to click it but it went away.


----------



## Rollin' Rog (Dec 9, 2000)

We need to get *xstyles.exe* completely cleaned off the system if it is still present. Let me know when you've installed AVG and run a full system scan in Safe Mode.

First, go to Folder Options > View and make sure "Show All Files" is checked

Then go to Find Files, have it search My Computer and all subdirectories for xstyles.exe.

Delete every instance, make a note of where it is found and any error message when you try to delete it.

You can also do a search by opening a DOS prompt (start>run: command) and entering:

dir /s xstyles.exe

again, note where any instances turn up. We want to make absolutely sure none remain on the system. After deleting all you find, shutdown, wait 30 seconds and startup again. Then do another search to make sure.

After doing the above, give me another post of the StartupList, not the Scanlog.

This has got to be the bugger we are after, read here:

http://groups.google.com/[email protected]&rnum=1

By the way, we may have a workaround for using regedit.exe if we rename it *regedit.com* and double click it to run.

Once it runs, Click Edit > Find and enter: *xstyles.exe* and hit Find Next.

Right click on and delete each hit. Press f3 after each deletion to continue the search until the search is complete. Then close the registry editor and rename regedit.com back to regedit.exe

Shutdown, wait 30 seconds and reboot and try regedit and msconfig again.


----------



## Tinka (Jul 17, 2003)

StartupList report, 7/21/03, 9:57:45 PM
StartupList version: 1.52
Started from : C:\WINDOWS\TEMP\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v5.00 (5.00.2614.3500)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\FPDISP3A.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = c:\windows\scanregw.exe /autorun
SystemTray = SysTray.Exe
CountrySelection = pctptt.exe
PTSNOOP = ptsnoop.exe
LVComs = c:\windows\SYSTEM\LVComS.exe
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
EM_EXEC = C:\MOUSE\SYSTEM\EM_EXEC.EXE
CompaqPrinTray = PrinTray.exe
FinePrint Dispatcher = C:\WINDOWS\SYSTEM\fpdisp3a.exe
AltnetPointsManager = 
NvXplDeamon = xstyles.exe
AVG_CC = C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Avgserv9.exe = C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 21/7/2003, 20:25:14)

[rename]
NUL=C:\WINDOWS\TEMP\$AVGUPD$.502
NUL=C:\WINDOWS\DELETE.EXE

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

C:\PROGRA~1\GRISOFT\AVG6\bootup.exe
C:\ESSAUDIO.COM
SET CLASSPATH=C:\PROGRA~1\PHOTOD~1.1\ADOBEC~1

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_5_0.DLL - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - c:\windows\googletoolbar.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job

--------------------------------------------------

Enumerating Download Program Files:

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

[YahooYMailTo Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YMMAPI.DLL
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
CODEBASE = http://www.pandasoftware.com/activescan/as/asinst.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/6cc9eddcba090b/housecall.antivirus.com/housecall/xscan53.cab

[BrowseFolderPopup Class]
InProcServer32 = C:\WINDOWS\MCBIN\SHARED\MGBRWFLD.DLL
CODEBASE = http://download.mcafee.com/molbin/Shared/MGBrwFld.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 4,541 bytes
Report generated in 0.149 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## Tinka (Jul 17, 2003)

regedit and msconfig works now


----------



## Rollin' Rog (Dec 9, 2000)

I'm still seeing this as a registry startup:

NvXplDeamon = xstyles.exe

Did you get an error message on startup that the file was missing?

I need a little more feed back from you as to what you've done with respect to the previous directions.

Did you search the hard drive for the file as suggested? What did you find if anything.

Did you rename regedit.exe to regedit.com and search the registry for xstyles.exe? And then name it back....

If regedit and msconfig are both working normally now, either use regedit to remove that last reference to xstyles or try HijackThis again, we want to get that out of there.

Then we can do the remaining cleanup using regedit to take care of the stuff on the Symantec link.

If you use regedit, manually navigate to:

HKLM\Software\Microsoft\Windows\CurrentVersion\*Run*

with the RUN folder highlighted in the left pane, Right Click on xstyles.exe in the right pane and delete it.


----------



## Tinka (Jul 17, 2003)

NO, I didn't get an error message after restarting. I don't know how to rename it to regedit.com, So since regedit.exe works now I'm looking for xstyles.exe


----------



## Tinka (Jul 17, 2003)

I deleted every xstyles that it found but i cant find HKLM\Software\Microsoft\Windows\CurrentVersion\Run


----------



## Rollin' Rog (Dec 9, 2000)

If you just do a "find" you'll probably get a lot of hits in "mru" folders; these are irrelevant.

To eliminate the startup call specifically, click

+ HKey_Local_Machine
+ Software
+ Microsoft
+ Windows
+ CurrentVersion
RUN

>> with the RUN folder highlighted you should see it in the Right hand pane. (unless it was deleted after you ran the last startuplist)


----------



## Rollin' Rog (Dec 9, 2000)

Now, also while you are in the Registry Editor.

Click

+ Hkey_Classes_Root

>> then scroll down until you see an entry for

*.dli*

>> note that is d L i NOT DLL, right click on the dli folder and delete it.

Do the same for

*dlifile*

again be clear about the spelling, it d l i file

Finally:

Click:

+ Hkey_Current_User
+ Software
+ Microsoft
NOTEPAD

>> with Notepad highlighed, look in the Right hand pane for:

"showed"="yes"

and right click on that and delete it.


----------



## Tinka (Jul 17, 2003)

i deleted them...


----------



## Tinka (Jul 17, 2003)

i dont see notepad...and I dont see any dli files


----------



## Rollin' Rog (Dec 9, 2000)

Outstanding; one more post of the StartupList and if that xstyles entry is gone, you're good to go.

But first run the HijackThis Scan and look and see if it is there, If it is, check and delete it with HijackThis, and then post a new StartupList, just to make sure it's gone from the location HijackThis seems not to see as well.

Are you saying you can't even find the Notepad folder in the location:

Hkey_Current_Users\Software\Microsoft\Notepad 

It should be a folder on the left, then you look on the right for the entry to delete.

If the entry is not there, that's fine, but Notepad should be.


----------



## Tinka (Jul 17, 2003)

StartupList report, 7/21/03, 10:51:01 PM
StartupList version: 1.52
Started from : C:\WINDOWS\TEMP\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v5.00 (5.00.2614.3500)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\FPDISP3A.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = c:\windows\scanregw.exe /autorun
SystemTray = SysTray.Exe
CountrySelection = pctptt.exe
PTSNOOP = ptsnoop.exe
LVComs = c:\windows\SYSTEM\LVComS.exe
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
EM_EXEC = C:\MOUSE\SYSTEM\EM_EXEC.EXE
CompaqPrinTray = PrinTray.exe
FinePrint Dispatcher = C:\WINDOWS\SYSTEM\fpdisp3a.exe
AltnetPointsManager = 
AVG_CC = C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Avgserv9.exe = C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 21/7/2003, 20:25:14)

[rename]
NUL=C:\WINDOWS\TEMP\$AVGUPD$.502
NUL=C:\WINDOWS\DELETE.EXE

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

C:\PROGRA~1\GRISOFT\AVG6\bootup.exe
C:\ESSAUDIO.COM
SET CLASSPATH=C:\PROGRA~1\PHOTOD~1.1\ADOBEC~1

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_5_0.DLL - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - c:\windows\googletoolbar.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job

--------------------------------------------------

Enumerating Download Program Files:

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

[YahooYMailTo Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YMMAPI.DLL
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
CODEBASE = http://www.pandasoftware.com/activescan/as/asinst.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/6cc9eddcba090b/housecall.antivirus.com/housecall/xscan53.cab

[BrowseFolderPopup Class]
InProcServer32 = C:\WINDOWS\MCBIN\SHARED\MGBRWFLD.DLL
CODEBASE = http://download.mcafee.com/molbin/Shared/MGBrwFld.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 4,561 bytes
Report generated in 0.118 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## Rollin' Rog (Dec 9, 2000)

Success!!



How does it feel?


----------



## Tinka (Jul 17, 2003)

YESSSSSSSSSSSS!!! IM SO HAPPY THAT I GOT THAT STUFF OFF OF MY COMPUTER...BUT THAT MEANS I CANT DOWNLOAD ANYMORE??


----------



## Rollin' Rog (Dec 9, 2000)

Man I would really stay away from file sharing utilities and stick to known legitimate sources; before opening any downloads which you have any doubts of, scan them with your antivirus -- but be aware, NONE of the current ones would have caught all that you had started with in this thread, so there are no guarantees.

But there's no reason not to do normal downloading.

Sometimes I think the music industry is out there planting this stuff to destroy the file sharing community; if they are they've done a good job.


----------



## Tinka (Jul 17, 2003)

thank you so much for spending so much time with me trying to fix my computer for a mistake that i made


----------



## Rollin' Rog (Dec 9, 2000)

You're certainly welcome; it was a tough one because the names were so new for some of them -- but a good one to learn about, I'm sure we'll be seeing more of it.


----------



## Tinka (Jul 17, 2003)

everytime i try to instally my scanner onto my computer an error message comes up about teaser has caused an error and is going to close...then right after that there's a message that says something about usb... caused a problem in kernell.dll and will now close i really need to install my scanner but it won't allow me to.


----------



## Rollin' Rog (Dec 9, 2000)

Tinka you need to post a new thread/topic for this one -- best in the hardware forum I think, but be sure to include information about the Windows version that you are running.


----------

