HijackThis error?

Question

SilentBob3208 0 Junior Poster

19 Years Ago

I was running hijackthis earlier this morning and as it was scanning this error message popped up...

An unexpected error has occurred at procedure: modMain_FixUNIXHostsFile()
Error #62 - Input past end of file
Please email me at merijn@spywareinfo.com, reporting the following:
* What you were doing when the error occurred
* How you can reproduce the error
* A complete HijackThis scan log, if possible
Windows version: Windows 9x 4.90.3000
MSIE version: 6.0.2800.1106
HijackThis version: 1.98.2

I was unable to get a log and unfortunately I do not have a past log. What exactly does this mean and how can I fix it?

windows-virus

5 Contributors
32 Replies
688 Views
2 Weeks Discussion Span
Latest Post 19 Years Ago Latest Post by crunchie

DMR 152 Wombat At Large

19 Years Ago

Did you delete the entire contents of your C:\Windows\Temp folder as I instructed earlier? Your last log didn't have the " O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall" entry responsible for firing up the TEMP\SE.DLL file.

Unfortunately, your log does show another new nasty, aside from the rqyokv.exe entry crunchie mentioned:

O4 - Startup: tfypnk.exe

You should have HJT fix that entry and then locate and delete the tfypnk.exe file before posting the new log.

crunchie 990 Most Valuable Poster

19 Years Ago

Download the Pocket KillBox
Unzip the file to your desktop.
Run Pocket Killbox and paste the full file path of each of the below files in the box and click on Standard File Kill and End Explorer Shell While Killing File. Click on the button with the red circle and an X in the middle after you enter each file (see the files below).

C:\WINDOWS\SYSTEM\owprt400.dll
C:\WINDOWS\SYSTEM\mpwstr10.dll
C:\WINDOWS\SYSTEM\jjdw400.dll
C:\WINDOWS\SYSTEM\rpgwizc.dll
C:\WINDOWS\SYSTEM\wlashext.dll
C:\WINDOWS\SYSTEM\co60pprt.dll
C:\WINDOWS\SYSTEM\mtdamg9x.dll
C:\WINDOWS\SYSTEM\mucd30.dll
C:\WINDOWS\SYSTEM\wpploc.dll
C:\WINDOWS\SYSTEM\hldci.dll
C:\WINDOWS\SYSTEM\oedbse32.dll
C:\WINDOWS\SYSTEM\mjawt.dll
C:\WINDOWS\SYSTEM\wsaupd98.dll
C:\WINDOWS\SYSTEM\nntos.dll
C:\WINDOWS\SYSTEM\crmctl32.dll
C:\WINDOWS\SYSTEM\cqm.dll
C:\WINDOWS\SYSTEM\cw60dr32.dll
C:\WINDOWS\SYSTEM\mwnsspc.dll
C:\WINDOWS\SYSTEM\ekshared.dll
C:\WINDOWS\SYSTEM\nncpl.dll
C:\WINDOWS\SYSTEM\umbui.dll
C:\WINDOWS\SYSTEM\nldd32.dll
C:\WINDOWS\SYSTEM\nuarch32.dll
C:\WINDOWS\SYSTEM\jrsh400.dll
C:\WINDOWS\SYSTEM\mlihnd.dll
C:\WINDOWS\SYSTEM\iisrmt.dll
C:\WINDOWS\SYSTEM\prpndi.dll
C:\WINDOWS\SYSTEM\vescript.dll
C:\WINDOWS\SYSTEM\lpxlmtmp.dll
C:\WINDOWS\SYSTEM\malocusr.dll
C:\WINDOWS\SYSTEM\nq3400.dll
C:\WINDOWS\SYSTEM\mjafd.dll
C:\WINDOWS\SYSTEM\cwmctl32.dll
C:\WINDOWS\SYSTEM\yca4ou~1.dll
C:\WINDOWS\SYSTEM\vlodec32.dll
C:\WINDOWS\bszuai.dll
C:\WINDOWS\oigzpl.dll
C:\WINDOWS\rqyokv.exe
C:\WINDOWS\mssys.exe
C:\WINDOWS\SYSTEM\mssys.exe

Reboot afterwards if the files are successfully deleted.

If all files are not deleted, do not reboot yet. Run Pocket Killbox again and paste the full file path in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File with be deleted on next reboot, Process and Reboot now?" Click "Yes" to reboot only after the last file you enter.

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {4A546A81-904E-458C-86F5-155FBED9B439} - C:\WINDOWS\SYSTEM\AMCAP.DLL (file missing)

O15 - Trusted IP range: 67.19.185.246 (HKLM)

O18 - Filter: text/html - {BFA52778-0CD4-4FEA-A726-F1CC12CFC318} - C:\WINDOWS\SYSTEM\AMCAP.DLL
O18 - Filter: text/plain - {BFA52778-0CD4-4FEA-A726-F1CC12CFC318} - C:\WINDOWS\SYSTEM\AMCAP.DLL

Download the zip file and unzip fixme.reg. Close all browser windows. Double click to run it and when asked if you want to merge with your registry, answer yes.

Reboot. Post another hijackthis log and a Find_it log.

Update hijackthis to version 1.99.1. Run hijackthis & go to *Config\Misc Tools\Check for update on-line*. If the site is down, go here. Remove the old version by opening the program, going to config\misc tools, then uninstall & exit. You then have to delete the file manually. Unzip the new version into the hijackthis folder.

This attachment is potentially unsafe to open. It may be an executable that is capable of making changes to your file system, or it may require specific software to open. Use caution and only open this attachment if you are comfortable working with zip files.

fixme.zip (0.27 KB)

DMR 152 Wombat At Large

19 Years Ago

... paste the full file path of each of the below files...

Crikey! Are there going to be any files left in the system folder after that?!

:D

crunchie 990 Most Valuable Poster

19 Years Ago

Sorry for the late reply. Somehow missed your thread.

Getting through them :).

Run Pocket Killbox again and paste the full file path of each of the below files in the box and click on Standard File Kill and End Explorer Shell While Killing File. Click on the button with the red circle and an X in the middle after you enter each file (see the files below).

C:\WINDOWS\SYSTEM\oj8648iecd.dll
C:\WINDOWS\SYSTEM\mkxs2yqi4s.dll
C:\WINDOWS\SYSTEM\psr3kedeo5.dll
C:\WINDOWS\SYSTEM\IGSRMT.DLL
C:\WINDOWS\SYSTEM\WHNETMGR.DLL
C:\WINDOWS\SYSTEM\JGVART.DLL
C:\WINDOWS\SYSTEM\ODETHK32.DLL
C:\WINDOWS\SYSTEM\WJAUPD98.DLL
C:\WINDOWS\ekatgn.dll
C:\WINDOWS\wxpmql.exe
C:\WINDOWS\SYSTEM\RVCRT4.DLL

Search for the following files on your PC, making sure that you can view hidden files and delete all instances of them.

VMSS----file
WSXSVC----file

Reboot afterwards if the files are successfully deleted.

If all files are not deleted, do not reboot yet. Run Pocket Killbox again and paste the full file path in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File with be deleted on next reboot, Process and Reboot now?" Click "Yes" to reboot only after the last file you enter.

First, Disconnect from the Internet!!

(Please copy these instructions to NotePad for copy/paste use, since you will be off the Internet.)
____
Next, launch Notepad, and copy/paste all the blue REGEDIT below to it
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.

Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also have to re-install IE-SpyAd if installed.

Please post two more logs and let me know how your PC is.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

caperjack 875 I hate 20 Questions Team Colleague · Answer 1 · 2005-02-11T00:32:50+00:00

Try this:

Please download hoster from the link below.

http://members.aol.com/toadbee/hoster.zip

Open Hoster.exe.

Then click on "Restore Original Hosts"

Close program when complete.

Then reboot and post a new hijackthis log please

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 2 · 2005-02-11T16:20:38+00:00

Also, one of the stickies at the top of this forum has a link to the latest, self extracting version of hijackthis. Install that one and try again.

dlh6213 27 Posting Maven Team Colleague · Answer 3 · 2005-02-12T18:56:34+00:00

Also, one of the stickies at the top of this forum has a link to the latest, self extracting version of hijackthis. Install that one and try again.

Yes, the version of hijackthis you were running is an older one anyway; you should remove that and get this one as crunchie suggested:

http://www.merijn.org/files/hijackthis_sfx.exe

If you still have a problem, try running it in Safe Mode

SilentBob3208 0 Junior Poster · Answer 4 · 2005-02-15T01:51:33+00:00

No good on downloading HJT still get that error

DMR 152 Wombat At Large Team Colleague · Answer 5 · 2005-02-15T05:10:04+00:00

" Error #62 - Input past end of file" is a general program error which usually indicates that the program throwing the error (HJT, in this case) has encounted unexpected or incorrect information in the file it is trying to process/access/fix/modify. In the case of text files, the problem is often a corrupted or incorrect (and unfortunately, also invisible) end-of-line or end-of-file control character. In your case, the corruption might have been caused by the malware which originally altered your host file.

If the "hoster" utility cannot fix the problem, you can delete your current hosts file and create a fresh file using Windows Notepad (the hosts file is a simple plain-text file).

1. Delete the current hosts file. In Windows 9x/ME, the file lives in your C:\Windows folder.

2. Open a new text document in Notepad, and enter the following single line into the document:

127.0.0.1 localhost

3. Save the file as C:\Windows\hosts

4. When you save the file, Notepad will add a ".txt" extension to the filename. The hosts file must be named simply "hosts", without any extension, so after saving the file and closing Notepad, you'll need to go to the file and rename it by removing the .txt extension. You'll probably receive a message from Windows warning against changing a file's extension; choose to proceed with the change.

5. Right-click on the new hosts file and choose "Properties" from the context menu. In the General tab of the Porperties window, put a check mark in the "Read-only" Attribute box and then click OK to close the Properties window. Setting the read-only attribute can protect the file from future unwanted changes.

SilentBob3208 0 Junior Poster · Answer 6 · 2005-02-15T06:43:21+00:00

OK FINALLY I have been able to save a hijackthis log, and, here it is!

Logfile of HijackThis v1.99.0
Scan saved at 7:40:46 PM, on 2/14/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\SBC\CONNECTION MANAGER\CMANAGER.EXE
C:\PROGRAM FILES\BROADJUMP\CORRECTCONNECT ENGINE\CCD.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: sr - {5742F79A-1D91-42c4-990C-B46CF55A6478} - C:\WINDOWS\NOTFI.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765721316} - C:\WINDOWS\SYSTEM\WER1316.DLL
O2 - BHO: (no name) - {B4AA0825-04DE-461C-9320-E60C09B5FA55} - C:\WINDOWS\SYSTEM\LEIPH.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .pdf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppdf32.dll
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O18 - Filter: text/html - {CAB3EA8C-4F56-4E9B-A4DA-A9DB6D61C863} - C:\WINDOWS\SYSTEM\LEIPH.DLL
O18 - Filter: text/plain - {CAB3EA8C-4F56-4E9B-A4DA-A9DB6D61C863} - C:\WINDOWS\SYSTEM\LEIPH.DLL

DMR 152 Wombat At Large Team Colleague · Answer 7 · 2005-02-15T07:35:48+00:00

1. The following 3 entries in your log indicate that you had instances of Internet Explorer running when you ran HJT:

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

Before fixing problems with HijackThis, you must make sure to close/quit ALL instances of your web browser(s)! HijackThis cannot fully perform its fixes while browsers are running.

2. Download about:Buster and unzip it to your Desktop. Double-click on AboutBuster.exe to run it and then click on Update > Check for Update. If there is an update available, click on 'Download Update and wait while it downloads. Once downloaded, click on Exit.
Note: Do not actually have About:Buster scan yet; we're only making sure that the program has the most current updates in this step.

3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files". Click Yes in the confirmation dialog, and then click OK to close the View Options window.

- Close all open programs, run HijackThis again, and have it fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: sr - {5742F79A-1D91-42c4-990C-B46CF55A6478} - C:\WINDOWS\NOTFI.DLL (file missing)
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765721316} - C:\WINDOWS\SYSTEM\WER1316.DLL
O2 - BHO: (no name) - {B4AA0825-04DE-461C-9320-E60C09B5FA55} - C:\WINDOWS\SYSTEM\LEIPH.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O18 - Filter: text/html - {CAB3EA8C-4F56-4E9B-A4DA-A9DB6D61C863} - C:\WINDOWS\SYSTEM\LEIPH.DLL
O18 - Filter: text/plain - {CAB3EA8C-4F56-4E9B-A4DA-A9DB6D61C863} - C:\WINDOWS\SYSTEM\LEIPH.DLL

- Next, follow our member "crunchie"'s directions on running About:Buster:

Close Hijack This and run about:Buster again, click the 'Start' button and then click the 'OK' button. Let it scan (the scan can take some time to complete, so be patient.). Once the first scan has completed, it will ask you if you wish for about:Buster to scan once more. Click Yes and let it scan a second time. Once the second scan has finished, copy and paste the report to Notepad and save it on your drive.

To copy and paste the report to a log file, select (highlight) all of the text produced by the scan with your mouse, right-click and select 'Copy'.

Next, launch Notepad (click Start > Run > type notepad.exe and press enter). When the file is open, rightclick and select Paste. Click on File > Save As and save it in C:\ as Log.txt. Copy the log and post it back in this thread when you have rebooted.

- After that, search for and delete the following files (note that HijackThis may already have delete some of the files):

C:\WINDOWS\NOTFI.DLL
C:\WINDOWS\SYSTEM\WER1316.DLL
C:\WINDOWS\SYSTEM\LEIPH.DLL

- Delete everything in your C:\Windows\Temp folder.

- Empty your Recycle Bin.

4. Reboot normally, run HiajckThis again, post the new log it generates, and also post the About:Buster log which you saved earlier.

SilentBob3208 0 Junior Poster · Answer 8 · 2005-02-16T00:37:15+00:00

Ok here are the HJT and A:B logs...

::HijackThis log::

Logfile of HijackThis v1.99.0
Scan saved at 1:30:32 PM, on 2/15/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///c:/windows/bobby's%20folder/blank.html
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .pdf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppdf32.dll
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

::About:Buster log::

Scanned at: 1:16:26 PM on: 2/15/2005

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 23

ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 23

ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!

SilentBob3208 0 Junior Poster · Answer 9 · 2005-02-17T00:05:38+00:00

A couple of notes, you asked me to get rid of this in HJT..

O15 - Trusted IP range: 67.19.185.246 (HKLM)

And as you see it appears again in the new log. I went to fix it again as directed, and everytime I try to fix this it keeps coming back. How do I get rid of this once and for all?

Also, Internet Explorer must still be affected because when I change my homepage to something other than about:blank, it keeps coming back later as about:blank and comes up as this search page. Also, when I check my E-Mail, that search page keeps coming up time after time.

DMR 152 Wombat At Large Team Colleague · Answer 10 · 2005-02-17T05:14:24+00:00

...and comes up as this search page. Also, when I check my E-Mail, that search page keeps coming up time after time.

I'm sorry, but I don't have time to respond in full right now.
Until I or one of our other members can respond again, can you give us some descriptive details of the exact search page that keeps coming back?

SilentBob3208 0 Junior Poster · Answer 11 · 2005-02-17T06:41:09+00:00

Well the best I can describe it is it has a gray bar that says Search for... at the top and with a bunch of different categories and usualy is asociated with a popup telling me my comp. is affected with spyware and such.

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 12 · 2005-02-17T16:07:55+00:00

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///c:/windows/bobby's%20folder/blank.html

Go to internet options in IE and hit the security Tab. Go into the trusted zone section and delete the entry from there.

Do you have anything disabled in msconfig? There does not appear to be anything else showing in your log.

SilentBob3208 0 Junior Poster · Answer 13 · 2005-02-18T01:13:03+00:00

Everything is checked in msconfig. Also, I have a updated HJT log...

Logfile of HijackThis v1.99.0
Scan saved at 2:08:55 PM, on 2/17/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RQYOKV.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SBC\CONNECTION MANAGER\CMANAGER.EXE
C:\PROGRAM FILES\BROADJUMP\CORRECTCONNECT ENGINE\CCD.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\rqyokv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - Startup: tfypnk.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O12 - Plugin for .pdf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppdf32.dll
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 14 · 2005-02-18T18:04:03+00:00

Try this tool from Symantec;

http://securityresponse.symantec.com/avcenter/FxSpL2Me.exe

Then please do the following;

Download LSPfix from here
On the opening screen, click the "I know what I'm doing" checkbox. Check all instances of "aklsp.dll" (and nothing else), and move them to the "Remove" pane. Then click Finish.

Run Hijackthis and go to the process viewer by going to Config, Misc Tools, Process Viewer, to unload all instances of the following running processes;
RQYOKV.EXE

Go to C:\WINDOWS and delete the file manually.

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\rqyokv.exe

O15 - Trusted IP range: 67.19.185.246 (HKLM)

Reboot and delete the aklsp.dll file from the c:\windows\system folder.

Post a new log please.

SilentBob3208 0 Junior Poster · Answer 15 · 2005-02-19T01:23:28+00:00

Ok, I am unable to post a new log because just as the scan finishes the program crashes now. Also, I failed to mention this yesterday, when I click ctrl alt delete to see what programs are running, there is a Rundll32 that always shows up, sometimes twice. It's path is runndll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall. And usually when Rundll32 runs in the background Iexplore runs even when I have IE closed and some other unknown programs begin running in the back and startup, I usually have to go disable those unknown programs from running on startup in my Starter program. Also, explorer usually runs on startup when I first turn on the computer but since this morning it hasn't.

SilentBob3208 0 Junior Poster · Answer 16 · 2005-02-19T04:40:38+00:00

Quote from Crunchie: " Run Hijackthis and go to the process viewer by going to Config, Misc Tools, Process Viewer, to unload all instances of the following running processes;
RQYOKV.EXE"

that file does not appear there, but, do you want to see the programs on that list?

Also, I did clear out the TEMP folder, and HJT still crashes when it scans. Also, I have Spybot S&D and it also crashed when i tried to fix the problems it had detected...

caperjack 875 I hate 20 Questions Team Colleague · Answer 17 · 2005-02-19T05:34:44+00:00

Quote from Crunchie: " Run Hijackthis and go to the process viewer by going to Config, Misc Tools, Process Viewer, to unload all instances of the following running processes;
RQYOKV.EXE"
that file does not appear there, but, do you want to see the programs on that list?
Also, I did clear out the TEMP folder, and HJT still crashes when it scans. Also, I have Spybot S&D and it also crashed when i tried to fix the problems it had detected...

It should be there its in the top part of your last hijack log .shown in red below ,
,
,,,,,,,,,,,,,,,,,,,,,

Logfile of HijackThis v1.99.0
Scan saved at 2:08:55 PM, on 2/17/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RQYOKV.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SBC\CONNECTION MANAGER\CMANAGER.EXE
C:\PROGRAM FILES\BROADJUMP\CORRECTCONNECT ENGINE\CCD.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

SilentBob3208 0 Junior Poster · Answer 18 · 2005-02-19T05:39:18+00:00

SilentBob3208 0 Junior Poster

19 Years Ago

Well for some odd reason it is not there

caperjack 875 I hate 20 Questions Team Colleague · Answer 19 · 2005-02-19T06:00:20+00:00

Well for some odd reason it is not there

That is odd!
Run hijackthis again and post new log

SilentBob3208 0 Junior Poster · Answer 20 · 2005-02-19T06:23:10+00:00

Ok, I am unable to post a new log because just as the scan finishes the program crashes now.

Still holds true :-|

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 21 · 2005-02-19T11:42:36+00:00

Try changing either the file name of hijackthis, or change it's directory and see if it will create a log then.

SilentBob3208 0 Junior Poster · Answer 22 · 2005-02-21T05:57:34+00:00

OK I was finally able to get a HJT log and here it is...

Logfile of HijackThis v1.99.0
Scan saved at 6:52:32 PM, on 2/20/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SBC\CONNECTION MANAGER\CMANAGER.EXE
C:\PROGRAM FILES\BROADJUMP\CORRECTCONNECT ENGINE\CCD.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\HIJACKTHIS\HJT.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O12 - Plugin for .pdf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppdf32.dll
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O18 - Filter: text/html - {BE8B391A-F198-4DF1-8560-2D51C62B90D3} - C:\WINDOWS\SYSTEM\AMCAP.DLL
O18 - Filter: text/plain - {BE8B391A-F198-4DF1-8560-2D51C62B90D3} - C:\WINDOWS\SYSTEM\AMCAP.DLL

Also, when I was on the computer today I recieved this message...

"Runtime Error!

Program: C:\WINDOWS\EXPLORER.EXE

This application had requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information."

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 23 · 2005-02-21T16:45:56+00:00

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe

O15 - Trusted IP range: 67.19.185.246 (HKLM)

O18 - Filter: text/html - {BE8B391A-F198-4DF1-8560-2D51C62B90D3} - C:\WINDOWS\SYSTEM\AMCAP.DLL
O18 - Filter: text/plain - {BE8B391A-F198-4DF1-8560-2D51C62B90D3} - C:\WINDOWS\SYSTEM\AMCAP.DLL

Delete the following file;

C:\WINDOWS\SYSTEM\AMCAP.DLL<----file

Reboot.

Go here and download FindIt.zip to your Desktop, unzip it and open the FindIt folder and doubleclick on find.bat. Let it run (please be patient, it will take a few minutes) and when it has finished gathering info, it will generate a file called Output.txt. Please copy it and paste it back in this thread.

Another hijackthis log too please.

SilentBob3208 0 Junior Poster · Answer 24 · 2005-02-22T00:57:53+00:00

OK here are the new logs...

**Hijackthis**


Logfile of HijackThis v1.99.0
Scan saved at 1:53:10 PM, on 2/21/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)


Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\N20050308.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\SBC\CONNECTION MANAGER\CMANAGER.EXE
C:\PROGRAM FILES\BROADJUMP\CORRECTCONNECT ENGINE\CCD.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\HIJACKTHIS\HJT.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {4A546A81-904E-458C-86F5-155FBED9B439} - C:\WINDOWS\SYSTEM\AMCAP.DLL (file missing)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .pdf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppdf32.dll
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O18 - Filter: text/html - {BFA52778-0CD4-4FEA-A726-F1CC12CFC318} - C:\WINDOWS\SYSTEM\AMCAP.DLL
O18 - Filter: text/plain - {BFA52778-0CD4-4FEA-A726-F1CC12CFC318} - C:\WINDOWS\SYSTEM\AMCAP.DLL


**FindIt output.txt log**


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.


------- System Files in System Directory -------



Volume in drive C has no label
Volume Serial Number is 2356-11E6
Directory of C:\WINDOWS\SYSTEM


OWPRT400 DLL       222,568  02-16-05 11:55p OWPRT400.DLL
MPWSTR10 DLL       222,568  02-16-05 11:55p MPWSTR10.DLL
JJDW400  DLL       222,568  02-16-05 11:55p JJDW400.DLL
RPGWIZC  DLL       222,568  02-16-05 11:55p RPGWIZC.DLL
WLASHEXT DLL       222,568  02-16-05 11:55p WLASHEXT.DLL
CO60PPRT DLL       222,568  02-16-05 11:55p CO60PPRT.DLL
MTDAMG9X DLL       222,568  02-16-05 11:55p MTDAMG9X.DLL
MUCD30   DLL       222,568  02-16-05 11:55p MUCD30.DLL
WPPLOC   DLL       222,568  02-16-05 11:55p WPPLOC.DLL
HLDCI    DLL       222,568  02-16-05 11:55p HLDCI.DLL
OEDBSE32 DLL       222,568  02-16-05 11:55p OEDBSE32.DLL
MJAWT    DLL       222,568  02-16-05 11:55p MJAWT.DLL
WSAUPD98 DLL       222,568  02-16-05 11:55p WSAUPD98.DLL
NNTOS    DLL       222,568  02-16-05 11:55p NNTOS.DLL
CRMCTL32 DLL       222,568  02-16-05 11:55p CRMCTL32.DLL
CQM      DLL       222,568  02-16-05 11:55p CQM.DLL
CW60DR32 DLL       222,568  02-16-05 11:55p CW60DR32.DLL
MWNSSPC  DLL       222,568  02-16-05 11:55p MWNSSPC.DLL
EKSHARED DLL       222,568  02-16-05 11:55p EKSHARED.DLL
NNCPL    DLL       222,568  02-16-05 11:55p NnCpl.dll
UMBUI    DLL       222,568  02-16-05 11:55p UMBUI.DLL
NLDD32   DLL       222,568  02-16-05 11:55p nldd32.dll
NUARCH32 DLL       222,568  02-16-05 11:55p nuarch32.dll
JRSH400  DLL       222,568  02-16-05 11:55p JRSH400.DLL
MLIHND   DLL       222,568  02-16-05 11:55p mlihnd.dll
IISRMT   DLL       222,568  02-16-05 11:55p IISRMT.DLL
PRPNDI   DLL       222,568  02-16-05 11:55p PRPNDI.DLL
VESCRIPT DLL       222,568  02-16-05 11:55p vescript.dll
LPXLMTMP DLL       222,568  02-16-05 11:55p LPXLMTMP.DLL
MALOCUSR DLL       222,568  02-16-05 11:55p MALOCUSR.DLL
NQ3400   DLL       222,568  02-16-05 11:55p nq3400.dll
MJAFD    DLL       222,568  02-16-05 11:55p MJAFD.DLL
CWMCTL32 DLL       222,568  02-16-05 11:55p CWMCTL32.DLL
YCA4OU~1 DLL       222,568  02-16-05 11:55p yca4ou3ozd.dll
VLODEC32 DLL       222,568  02-16-05 11:55p VLODEC32.DLL
35 file(s)      7,789,880 bytes
0 dir(s)       19,422.00 MB free


------- Hidden Files in System Directory -------



Volume in drive C has no label
Volume Serial Number is 2356-11E6
Directory of C:\WINDOWS\SYSTEM


VMSS           <DIR>        02-17-05 12:55p vmss
WSXSVC         <DIR>        02-17-05 12:55p wsxsvc
MKXS2Y~1 DLL        32,256  02-16-05 11:31p mkxs2yqi4s.dll
PSR3KE~1 DLL        32,256  02-16-05 11:31p psr3kedeo5.dll
OJ8648~1 DLL        32,256  02-09-05 10:53p oj8648iecd.dll
FOLDER   HTT        23,155  06-20-00  4:37p folder.htt
DESKTOP  INI           271  06-20-00  4:37p desktop.ini
5 file(s)        120,194 bytes
2 dir(s)       19,421.98 MB free


---------------- User Agent ------------


REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D6830176-AAD7-4AD0-BAE9-42F5771B651A}"=""


------------------ Locate.com Results ------------------


C:\WINDOWS\SYSTEM\
owprt400.dll   Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
mpwstr10.dll   Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
jjdw400.dll    Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
rpgwizc.dll    Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
wlashext.dll   Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
co60pprt.dll   Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
mtdamg9x.dll   Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
mucd30.dll     Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
wpploc.dll     Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
hldci.dll      Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
oedbse32.dll   Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
mjawt.dll      Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
wsaupd98.dll   Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
nntos.dll      Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
crmctl32.dll   Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
cqm.dll        Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
cw60dr32.dll   Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
mwnsspc.dll    Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
oj8648~1.dll   Wed Feb  9 2005  10:53:14p  ...H.         32,256    31.50 K
ekshared.dll   Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
psr3ke~1.dll   Wed Feb 16 2005  11:31:12p  ...H.         32,256    31.50 K
mkxs2y~1.dll   Wed Feb 16 2005  11:31:22p  ...H.         32,256    31.50 K
nncpl.dll      Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
umbui.dll      Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
nldd32.dll     Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
nuarch32.dll   Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
jrsh400.dll    Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
mlihnd.dll     Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
iisrmt.dll     Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
prpndi.dll     Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
vescript.dll   Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
lpxlmtmp.dll   Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
malocusr.dll   Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
nq3400.dll     Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
mjafd.dll      Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
cwmctl32.dll   Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
yca4ou~1.dll   Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
vlodec32.dll   Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K


38 items found:  38 files, 0 directories.
Total of file sizes:  7,886,648 bytes      7.52 M


------------ Strings.exe Qoologic Results ------------


C:\WINDOWS\USER.DAT: qoologic.com
C:\WINDOWS\bszuai.dll: updates.qoologic.com
C:\WINDOWS\oigzpl.dll: updates.qoologic.com
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic


-------------- Strings.exe Aspack Results -------------


C:\WINDOWS\nire.exe: .aspack
C:\WINDOWS\rqyokv.exe: .aspack
C:\WINDOWS\mssys.exe: .aspack
C:\WINDOWS\installer.exe: .aspack
C:\WINDOWS\SYSTEM\pav.sig: AsPack
C:\WINDOWS\SYSTEM\mssys.exe: .aspack


----------------- HKLM Run Key ------------------


-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\OWPRT400.DLL: UMonitor
C:\WINDOWS\SYSTEM\MPWSTR10.DLL: UMonitor
C:\WINDOWS\SYSTEM\RVCRT4.DLL: UMonitor
C:\WINDOWS\SYSTEM\JJDW400.DLL: UMonitor
C:\WINDOWS\SYSTEM\RPGWIZC.DLL: UMonitor
C:\WINDOWS\SYSTEM\WLASHEXT.DLL: UMonitor
C:\WINDOWS\SYSTEM\CO60PPRT.DLL: UMonitor
C:\WINDOWS\SYSTEM\MTDAMG9X.DLL: UMonitor
C:\WINDOWS\SYSTEM\MUCD30.DLL: UMonitor
C:\WINDOWS\SYSTEM\WPPLOC.DLL: UMonitor
C:\WINDOWS\SYSTEM\HLDCI.DLL: UMonitor
C:\WINDOWS\SYSTEM\OEDBSE32.DLL: UMonitor
C:\WINDOWS\SYSTEM\MJAWT.DLL: UMonitor
C:\WINDOWS\SYSTEM\WSAUPD98.DLL: UMonitor
C:\WINDOWS\SYSTEM\NNTOS.DLL: UMonitor
C:\WINDOWS\SYSTEM\CRMCTL32.DLL: UMonitor
C:\WINDOWS\SYSTEM\CQM.DLL: UMonitor
C:\WINDOWS\SYSTEM\CW60DR32.DLL: UMonitor
C:\WINDOWS\SYSTEM\MWNSSPC.DLL: UMonitor
C:\WINDOWS\SYSTEM\EKSHARED.DLL: UMonitor
C:\WINDOWS\SYSTEM\NnCpl.dll: UMonitor
C:\WINDOWS\SYSTEM\UMBUI.DLL: UMonitor
C:\WINDOWS\SYSTEM\nldd32.dll: UMonitor
C:\WINDOWS\SYSTEM\nuarch32.dll: UMonitor
C:\WINDOWS\SYSTEM\JRSH400.DLL: UMonitor
C:\WINDOWS\SYSTEM\mlihnd.dll: UMonitor
C:\WINDOWS\SYSTEM\IISRMT.DLL: UMonitor
C:\WINDOWS\SYSTEM\PRPNDI.DLL: UMonitor
C:\WINDOWS\SYSTEM\vescript.dll: UMonitor
C:\WINDOWS\SYSTEM\LPXLMTMP.DLL: UMonitor
C:\WINDOWS\SYSTEM\MALOCUSR.DLL: UMonitor
C:\WINDOWS\SYSTEM\nq3400.dll: UMonitor
C:\WINDOWS\SYSTEM\MJAFD.DLL: UMonitor
C:\WINDOWS\SYSTEM\CWMCTL32.DLL: UMonitor
C:\WINDOWS\SYSTEM\yca4ou3ozd.dll: UMonitor
C:\WINDOWS\SYSTEM\VLODEC32.DLL: UMonitor

SilentBob3208 0 Junior Poster · Answer 25 · 2005-02-23T01:37:21+00:00

Here are the new logs...

***Hijackthis***


Logfile of HijackThis v1.99.1
Scan saved at 2:33:33 PM, on 2/22/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)


Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\BROADJUMP\CORRECTCONNECT ENGINE\CCD.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE



R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///c:/windows/bobby's%20folder/blank.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .pdf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppdf32.dll
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab


***Findit***


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.


------- System Files in System Directory -------



Volume in drive C has no label
Volume Serial Number is 2356-11E6
Directory of C:\WINDOWS\SYSTEM


IGSRMT   DLL       222,568  02-16-05 11:55p IGSRMT.DLL
WHNETMGR DLL       222,568  02-16-05 11:55p WHNETMGR.DLL
JGVART   DLL       222,568  02-16-05 11:55p JGVART.DLL
ODETHK32 DLL       222,568  02-16-05 11:55p ODETHK32.DLL
WJAUPD98 DLL       222,568  02-16-05 11:55p WJAUPD98.DLL
5 file(s)      1,112,840 bytes
0 dir(s)       19,211.14 MB free


------- System Files in System Directory -------



Volume in drive C has no label
Volume Serial Number is 2356-11E6
Directory of C:\WINDOWS\SYSTEM


IGSRMT   DLL       222,568  02-16-05 11:55p IGSRMT.DLL
WHNETMGR DLL       222,568  02-16-05 11:55p WHNETMGR.DLL
JGVART   DLL       222,568  02-16-05 11:55p JGVART.DLL
ODETHK32 DLL       222,568  02-16-05 11:55p ODETHK32.DLL
WJAUPD98 DLL       222,568  02-16-05 11:55p WJAUPD98.DLL
5 file(s)      1,112,840 bytes
0 dir(s)       19,247.06 MB free


------- Hidden Files in System Directory -------



Volume in drive C has no label
Volume Serial Number is 2356-11E6
Directory of C:\WINDOWS\SYSTEM


VMSS           <DIR>        02-17-05 12:55p vmss
WSXSVC         <DIR>        02-17-05 12:55p wsxsvc
MKXS2Y~1 DLL        32,256  02-16-05 11:31p mkxs2yqi4s.dll
PSR3KE~1 DLL        32,256  02-16-05 11:31p psr3kedeo5.dll
OJ8648~1 DLL        32,256  02-09-05 10:53p oj8648iecd.dll
FOLDER   HTT        23,155  06-20-00  4:37p folder.htt
DESKTOP  INI           271  06-20-00  4:37p desktop.ini
5 file(s)        120,194 bytes
2 dir(s)       19,211.13 MB free


---------------- User Agent ------------


------- Hidden Files in System Directory -------



Volume in drive C has no label
Volume Serial Number is 2356-11E6
Directory of C:\WINDOWS\SYSTEM


VMSS           <DIR>        02-17-05 12:55p vmss
WSXSVC         <DIR>        02-17-05 12:55p wsxsvc
MKXS2Y~1 DLL        32,256  02-16-05 11:31p mkxs2yqi4s.dll
PSR3KE~1 DLL        32,256  02-16-05 11:31p psr3kedeo5.dll
OJ8648~1 DLL        32,256  02-09-05 10:53p oj8648iecd.dll
FOLDER   HTT        23,155  06-20-00  4:37p folder.htt
DESKTOP  INI           271  06-20-00  4:37p desktop.ini
5 file(s)        120,194 bytes
2 dir(s)       19,247.06 MB free


---------------- User Agent ------------


REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D6830176-AAD7-4AD0-BAE9-42F5771B651A}"=""


------------------ Locate.com Results ------------------


C:\WINDOWS\SYSTEM\
oj8648~1.dll   Wed Feb  9 2005  10:53:14p  ...H.         32,256    31.50 K
psr3ke~1.dll   Wed Feb 16 2005  11:31:12p  ...H.         32,256    31.50 K
mkxs2y~1.dll   Wed Feb 16 2005  11:31:22p  ...H.         32,256    31.50 K
igsrmt.dll     Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
whnetmgr.dll   Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
jgvart.dll     Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
odethk32.dll   Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
wjaupd98.dll   Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K


8 items found:  8 files, 0 directories.
Total of file sizes:  1,209,608 bytes      1.15 M


------------------ Locate.com Results ------------------


C:\WINDOWS\SYSTEM\
oj8648~1.dll   Wed Feb  9 2005  10:53:14p  ...H.         32,256    31.50 K
psr3ke~1.dll   Wed Feb 16 2005  11:31:12p  ...H.         32,256    31.50 K
mkxs2y~1.dll   Wed Feb 16 2005  11:31:22p  ...H.         32,256    31.50 K
igsrmt.dll     Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
whnetmgr.dll   Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
jgvart.dll     Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
odethk32.dll   Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K
wjaupd98.dll   Wed Feb 16 2005  11:55:50p  ..S.R        222,568   217.35 K


8 items found:  8 files, 0 directories.
Total of file sizes:  1,209,608 bytes      1.15 M


------------ Strings.exe Qoologic Results ------------


C:\WINDOWS\USER.DAT: qoologic.com
C:\WINDOWS\ekatgn.dll: excl_urls=onemoresearch.net,update32.searchmiracle.com,atdmt.com,switch.atdmt.com,js1.yimg.com,us.js1.yimg.com,us.yimg.com,us.i1.yimg.com,cdn.comcast.net,goldenpalace.com,banner.goldenpalace.com,msads.net,global.msads.net,topmoxie.com,mediaplex.com,altfarm.mediaplex.com,maxserving.com,c4.maxserving.com,ar.atwola.com,cdn.aim.com,fxfeeds.mozilla.org,alwaysupdatednews.com,adv.eblocs.com,v8.alwaysupdatednews.com,login.passport.net,pagead2.googlesyndication.com,ads.inet1.com,loginnet.passport.com,z1.adserver.com,falkag.net,as-us.falkag.net,a.as-us.falkag.net,a1.yimg.com,yimg.com,trafficmp.com,us.a1.yimg.com,aaabesthomepage.com,ads.exitexchange.com,t.trafficmp.com,clicktrk.com,pan-advert.com,loadingwebsite.com,server.iad.liveperson.net,ezula.com,u.clkoptimizer.com,adsv2.delfinproject.com,popup.msn.com,ads2.revenue.net,i.emarketresearchgroup.com,counters.honesty.com,oz.valueclick.com,ads.bidclix.com,radio.launch.yahoo.com,zone.msn.com,sr.adwave.com,xlime.offeroptimizer.com,clickspring.net,qksrv.net,us.update.companion.yahoo.com,kill-pop-ups.com,cdn-aimtoday.aol.com,search200.com,servedby.adscpm.com,xanga.com,count.exitexchange.com,jnictech.cjt1.net,xadsq.offeroptimizer.com,popuptraffic.com,paypopup.com,cdn-cf.aol.com,by.optimost.com,hotmail.msn.com,adfarm.mediaplex.com,allaboutsearching.com,amch.questionmarket.com,akapp.whenu.com,newupdates.lzio.com,cfg.mywebsearch.com,searcheffect.com,ads.delfinproject.com,hotmail.com,master.mx-targeting.com,ctl.twain-tech.com,mail.yahoo.com,m2.doubleclick.net,insider.msg.yahoo.com,focusin.ads.targetnet.com,e.rn11.com,topicks.com,jmnad1.com,pgq.yahoo.com,stopzilla.com,ayb.lop.com,webpdp.gator.com,xadso.offeroptimizer.com,download.smileycentral.com,mm.delfinproject.com,view.atdmt.com,delfinproject.com,jbns2.cydoor.com,bannerfarm.ace.advertising.com,popuppers.com,as.adwave.com,look2me.com,wisapidata.weatherbug.com,ads.addynamix.com,ar.atwola.com,ads1.revenue.net,updates.qoologic.com,ad.trafficmp.com,jicmedia.cjt1.net,weatherbug.com,games.yahoo.com,adsrv.qoologic.com,servedby.advertising.com,ww2.weatherbug.com,www4.yesadvertising.com,bannerserver.gator.com,rightmedia.net,mmm.media-motor.net,hop.clickbank.net,media76.fastclick.net,websearch.com,isapi60.weatherbug.com,web.tickle.com,wwp.icq.com,smileycentral.com,messenger.zango.com,cdn.icq.com,adserv1.gruvmedia.com,tv.180solutions.com,s.clkoptimizer.com,banners.pennyweb.com,pops.browseraid.com,adserv.internetfuel.com,download.abetterinternet.com,sr.websearch.com,messenger.msn.com,top-banners.com,advert.runescape.com,join1.winhundred.com,odysseusmarketing.com,v4.windowsupdate.microsoft.com,windowsupdate.microsoft.com,adverts.lzio.com,clickit.go2net.com,filter.belkin.com,comcast.net,sc.musicmatch.com,license.hotbar.com,web.icq.com,trk.pcsecurityshield.com,whenusearch.com,jbigpops.cjt1.net,isg05.casalemedia.com,anrdoezrs.net,yahoo.com,microsoft.com,target.com,aol.com,aim-charts.pf.aol.com,download.websearch.com,actualdeals.com,images.trafficmp.com,mydailyhoroscope.net,creativeby.viewpoint.com,ekmas.com,ads.mydailyhoroscope.net,c5.zedo.com,affiliates.4lowrates.com,couponage.com,hits.clickandtrack.net,jcontent.bns1.net,clickserve.cc-dt.com,host239.ipowerweb.com,popups.ad-logics.com,adlog2.lzio.com,bv.channel.aol.com,img2.mailpostdirect.com,dw.dailywinner.net,m3.doubleclick.net,as.casalemedia.com,ad.doubleclick.net,toprebates.com,trk.bestmagsdirect.com,ads.clickagents.com,a.websponsors.com,sandboxer.com,media.fastclick.net,click2.containsitall.com,ads234.com,banners.searchingbooth.com,passportimages.com,stats.eblocs.com,media.deskwizz.com,c1.zedo.com,photobucket.com,
C:\WINDOWS\wxpmql.exe: updates.qoologic.com
------------ Strings.exe Qoologic Results ------------


C:\WINDOWS\USER.DAT: qoologic.com
C:\WINDOWS\ekatgn.dll: excl_urls=onemoresearch.net,update32.searchmiracle.com,atdmt.com,switch.atdmt.com,js1.yimg.com,us.js1.yimg.com,us.yimg.com,us.i1.yimg.com,cdn.comcast.net,goldenpalace.com,banner.goldenpalace.com,msads.net,global.msads.net,topmoxie.com,mediaplex.com,altfarm.mediaplex.com,maxserving.com,c4.maxserving.com,ar.atwola.com,cdn.aim.com,fxfeeds.mozilla.org,alwaysupdatednews.com,adv.eblocs.com,v8.alwaysupdatednews.com,login.passport.net,pagead2.googlesyndication.com,ads.inet1.com,loginnet.passport.com,z1.adserver.com,falkag.net,as-us.falkag.net,a.as-us.falkag.net,a1.yimg.com,yimg.com,trafficmp.com,us.a1.yimg.com,aaabesthomepage.com,ads.exitexchange.com,t.trafficmp.com,clicktrk.com,pan-advert.com,loadingwebsite.com,server.iad.liveperson.net,ezula.com,u.clkoptimizer.com,adsv2.delfinproject.com,popup.msn.com,ads2.revenue.net,i.emarketresearchgroup.com,counters.honesty.com,oz.valueclick.com,ads.bidclix.com,radio.launch.yahoo.com,zone.msn.com,sr.adwave.com,xlime.offeroptimizer.com,clickspring.net,qksrv.net,us.update.companion.yahoo.com,kill-pop-ups.com,cdn-aimtoday.aol.com,search200.com,servedby.adscpm.com,xanga.com,count.exitexchange.com,jnictech.cjt1.net,xadsq.offeroptimizer.com,popuptraffic.com,paypopup.com,cdn-cf.aol.com,by.optimost.com,hotmail.msn.com,adfarm.mediaplex.com,allaboutsearching.com,amch.questionmarket.com,akapp.whenu.com,newupdates.lzio.com,cfg.mywebsearch.com,searcheffect.com,ads.delfinproject.com,hotmail.com,master.mx-targeting.com,ctl.twain-tech.com,mail.yahoo.com,m2.doubleclick.net,insider.msg.yahoo.com,focusin.ads.targetnet.com,e.rn11.com,topicks.com,jmnad1.com,pgq.yahoo.com,stopzilla.com,ayb.lop.com,webpdp.gator.com,xadso.offeroptimizer.com,download.smileycentral.com,mm.delfinproject.com,view.atdmt.com,delfinproject.com,jbns2.cydoor.com,bannerfarm.ace.advertising.com,popuppers.com,as.adwave.com,look2me.com,wisapidata.weatherbug.com,ads.addynamix.com,ar.atwola.com,ads1.revenue.net,updates.qoologic.com,ad.trafficmp.com,jicmedia.cjt1.net,weatherbug.com,games.yahoo.com,adsrv.qoologic.com,servedby.advertising.com,ww2.weatherbug.com,www4.yesadvertising.com,bannerserver.gator.com,rightmedia.net,mmm.media-motor.net,hop.clickbank.net,media76.fastclick.net,websearch.com,isapi60.weatherbug.com,web.tickle.com,wwp.icq.com,smileycentral.com,messenger.zango.com,cdn.icq.com,adserv1.gruvmedia.com,tv.180solutions.com,s.clkoptimizer.com,banners.pennyweb.com,pops.browseraid.com,adserv.internetfuel.com,download.abetterinternet.com,sr.websearch.com,messenger.msn.com,top-banners.com,advert.runescape.com,join1.winhundred.com,odysseusmarketing.com,v4.windowsupdate.microsoft.com,windowsupdate.microsoft.com,adverts.lzio.com,clickit.go2net.com,filter.belkin.com,comcast.net,sc.musicmatch.com,license.hotbar.com,web.icq.com,trk.pcsecurityshield.com,whenusearch.com,jbigpops.cjt1.net,isg05.casalemedia.com,anrdoezrs.net,yahoo.com,microsoft.com,target.com,aol.com,aim-charts.pf.aol.com,download.websearch.com,actualdeals.com,images.trafficmp.com,mydailyhoroscope.net,creativeby.viewpoint.com,ekmas.com,ads.mydailyhoroscope.net,c5.zedo.com,affiliates.4lowrates.com,couponage.com,hits.clickandtrack.net,jcontent.bns1.net,clickserve.cc-dt.com,host239.ipowerweb.com,popups.ad-logics.com,adlog2.lzio.com,bv.channel.aol.com,img2.mailpostdirect.com,dw.dailywinner.net,m3.doubleclick.net,as.casalemedia.com,ad.doubleclick.net,toprebates.com,trk.bestmagsdirect.com,ads.clickagents.com,a.websponsors.com,sandboxer.com,media.fastclick.net,click2.containsitall.com,ads234.com,banners.searchingbooth.com,passportimages.com,stats.eblocs.com,media.deskwizz.com,c1.zedo.com,photobucket.com,
C:\WINDOWS\wxpmql.exe: updates.qoologic.com
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic


-------------- Strings.exe Aspack Results -------------


C:\WINDOWS\nire.exe: .aspack
C:\WINDOWS\installer.exe: .aspack
C:\WINDOWS\bgqyvw.dat: .aspack
C:\WINDOWS\SYSTEM\pav.sig: AsPack


----------------- HKLM Run Key ------------------


-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\RVCRT4.DLL: UMonitor
C:\WINDOWS\SYSTEM\IGSRMT.DLL: UMonitor
C:\WINDOWS\SYSTEM\WHNETMGR.DLL: UMonitor
C:\WINDOWS\SYSTEM\JGVART.DLL: UMonitor
C:\WINDOWS\SYSTEM\ODETHK32.DLL: UMonitor
C:\WINDOWS\SYSTEM\WJAUPD98.DLL: UMonitor


-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\RVCRT4.DLL: UMonitor
C:\WINDOWS\SYSTEM\IGSRMT.DLL: UMonitor
C:\WINDOWS\SYSTEM\WHNETMGR.DLL: UMonitor
C:\WINDOWS\SYSTEM\JGVART.DLL: UMonitor
C:\WINDOWS\SYSTEM\ODETHK32.DLL: UMonitor
C:\WINDOWS\SYSTEM\WJAUPD98.DLL: UMonitor


REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"MSConfigReminder"="C:\\WINDOWS\\SYSTEM\\msconfig.exe /reminder"

One note, the entry in HJT "O15 - Trusted IP range: 67.19.185.246 (HKLM)" just does not want to go away! I tried to fix this numerous times but to no avail.