Here is my log for Smitfraud [RESOLVED]



#46 Michelle (Malware Removal Goddess, Retired Staff)
Is there anything in the folder where you unzipped it?

#47 Michelle (Malware Removal Goddess, Retired Staff)
First, we need to disable TeaTimer, temporarily. Otherwise, it could interfere with cleaning your system.
* Open Spybot.
* Click MODE, then check ADVANCED MODE, click YES
* Click TOOLS in bottom lefthand corner.
* Click on SYSTEM STARTUP.
* Uncheck Teatimer.
* Click ALLOW CHANGE.
* We will enable Teatimer after your system is clean.

*Double click the purple Registrar Lite icon on your desktop.
*Copy the line below and paste it into the "Address" field (located at the top) of the program:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

*Click the "Go" button.
*On the right-hand side it will load all of your BHOs (you'll just see a bunch of numbers)
*Locate the following entry:

E576D693-A492-4DD7-9B6F-ABC61C937606

*Right click on this one and go to "Delete" (doublecheck to make sure you're only deleting the entry above!).
*If you cannot find this number, do not delete anything.
*Exit Registrar Lite.

*Double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled "Full Path of File to Delete", enter the file paths listed below ONE AT A TIME (EXACTLY as each appears; please double-check to make sure there is no space before or after the file path. I would just copy each file path and paste it into the field):

c:\windows\TEMP\se.dll
C:\WINDOWS\SYSTEM\LFM.DLL


Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button; when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the last file path listed above. After that last file path has been entered, press the YES button at both prompts so that your computer restarts.

While it's restarting, tap the F8 key to boot it into Safe Mode.

While in Safe Mode follow the instructions below:

Run CWShredder
-Next, click on the: ‘Fix’ button
-Follow the prompts, and press OK

Run AboutBuster and save the logs
*Browse to where you saved AboutBuster and run AboutBuster.exe.
*Click "OK" at the directions Read: Important! prompt.
*Click "Start" and then "OK" to allow AboutBuster to scan for Alternate Data Streams.
*Click "Yes" at the About:Buster prompt to allow it to shutdown explorer.exe.
*Please wait while AboutBuster scans your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
*When it has finished, click "Save Log...". Make sure you save it as I will need a copy of it.
Click "Exit" and "Exit" again to exit AboutBuster.

Run CleanUp!
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run SpyBot Search & Destroy

Then, while still in Safe Mode:

Make sure all programs and windows are closed. Place a check next to the following items and click FIX CHECKED:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {E576D693-A492-4DD7-9B6F-ABC61C937606} - C:\WINDOWS\SYSTEM\LFM.DLL

O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall

O18 - Filter: text/html - {510AA307-3F3E-4E21-AB66-9C0007749B96} - C:\WINDOWS\SYSTEM\LFM.DLL
O18 - Filter: text/plain - {510AA307-3F3E-4E21-AB66-9C0007749B96} - C:\WINDOWS\SYSTEM\LFM.DLL


Reboot into normal mode and post a new HiJackThis log.

If this doesn't work and we can't get Find.bat to work, we're going to have to go into your system folder and find the nasty files!

#48 electrochimp (Topic Starter, Member)
Hi

In FindIt9xME there were "FindIt9xME", "Locate" and "Strings".

#49 Michelle (Malware Removal Goddess, Retired Staff)
Click on Findit9XME (is it a folder?). Find.bat should be inside that.

#50 electrochimp (Topic Starter, Member)
Could it be Findit~1.BAT?
CWShredder still wants OLEACC.DLL

#51 Michelle (Malware Removal Goddess, Retired Staff)
Yes, go ahead and click on Findit~1.BAT and hopefully it will let you run it!!

It's really not going to be fun if we have to manually look for these files in the system folder!

#52 electrochimp (Topic Starter, Member)
Hi bananafanafo!
Hopefully this is what we're looking for!


------- System Files in System Directory -------


Volume in drive C is APTIVA
Volume Serial Number is 2B70-14D8
Directory of C:\WINDOWS\SYSTEM

DRMV1 BAK 4,348 08-07-02 12:33a DRMv1.bak
DRMV1 KEY 4,348 08-07-02 12:33a DRMv1.key
2 file(s) 8,696 bytes
0 dir(s) 2,156,568,576 bytes free

------- Hidden Files in System Directory -------


Volume in drive C is APTIVA
Volume Serial Number is 2B70-14D8
Directory of C:\WINDOWS\SYSTEM

DRMV1 BAK 4,348 08-07-02 12:33a DRMv1.bak
DRMV1 KEY 4,348 08-07-02 12:33a DRMv1.key
ATI64DEF GID 12,906 07-18-97 1:20a ati64def.GID
3 file(s) 21,602 bytes
0 dir(s) 2,156,564,480 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"sureseeker.com"="sureseeker.com"


------------------ Locate.com Results ------------------

No matches found.

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\LPT$VPN.596: TROJ_QOOLOGIC.G
C:\WINDOWS\LPT$VPN.596: TROJ_QOOLOGIC.C
C:\WINDOWS\LPT$VPN.596: TROJ_QOOLOGIC.B
C:\WINDOWS\LPT$VPN.596: TROJ_QOOLOGIC.A
C:\WINDOWS\VPTNFILE.596: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.596: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.596: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.596: TROJ_QOOLOGIC.A
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\pav.sig: AsPack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"BrowserWebCheck"="loadwc.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"SmcService"="C:\\PROGRA~1\\SYGATE\\SPF\\SMC.EXE -startgui"
"sp"="rundll32 C:\\WINDOWS\\TEMP\\SE.DLL,DllInstall"


#53 Michelle (Malware Removal Goddess, Retired Staff)
OK, I think I'm going to have to ask some other staff members to see what they think. I'm running low on ideas here. The only thing I can think of is you going into the System folder and giving me the names of files (hidden and not) from the last month or so. I'll get back to you.

Edited by bananafanafo, 24 April 2005 - 08:25 PM.


#54 electrochimp (Topic Starter, Member)
Hi, here is the latest online HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 7:37:47 PM, on 4/24/05
Platform: Windows 95 B (Win9x 4.00.1212)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\COOKIE WASHER\AOLWASHER.EXE
C:\IBMAV95\IBMAVTIM.EXE
C:\LOTUS\REGISTER\REMIND32.EXE
C:\IMSI\WD30\RUNDLG.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\tapiexe.exe
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\DESKTOP\ID\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: run=C:\IBMAV95\STARTTIM.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {81981788-B812-4BAD-B919-EFAA76B8956F} - C:\WINDOWS\SYSTEM\EEPA.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [ccWasher] C:\Program Files\Cookie Washer\aolwasher.exe /0
O4 - Startup: Lotus SmartSuite 97 Registration.lnk = C:\lotus\register\remind32.exe
O4 - Startup: WinDelete Shell Extension.lnk = C:\IMSI\WD30\RUNDLG.exe
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Startup: STRINGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .xls: C:\Program Files\Netscape\Navigator\Program\PLUGINS\NPDOC.DLL
O13 - WWW. Prefix: http://
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O18 - Filter: text/html - {8EBDB99A-1B09-4D73-83DD-C892CD1D6151} - C:\WINDOWS\SYSTEM\EEPA.DLL
O18 - Filter: text/plain - {8EBDB99A-1B09-4D73-83DD-C892CD1D6151} - C:\WINDOWS\SYSTEM\EEPA.DLL
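The fix list in post #47 was built by cross-referencing entries rather than by file name: the res:// Search Bar value and the rundll32 ...,DllInstall Run entry name the loader DLL in TEMP, the text/html and text/plain O18 filters name the DLL that rewrites pages, and any O2 BHO loaded from that same DLL is the hijacker's second foothold whatever CLSID it registered under. The Python script below is an added example, not part of the thread and not a HijackThis feature, that applies those rules to an HJT log. Its sample log is constructed from lines in post #54 (where the DLL had already changed from LFM.DLL to EEPA.DLL under a new CLSID); the regexes, the rule set and the triage() function are the example's own.

```python
"""Triage a HijackThis (HJT) log for the about:blank / se.dll hijacker pattern.

Added example; the parser and its rules are not part of the thread or of HJT.
"""
import re

# Constructed sample: lines taken from the log in post #54, with two benign
# entries (the Acrobat BHO and SystemTray) left in to show they are not flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {81981788-B812-4BAD-B919-EFAA76B8956F} - C:\WINDOWS\SYSTEM\EEPA.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O18 - Filter: text/html - {8EBDB99A-1B09-4D73-83DD-C892CD1D6151} - C:\WINDOWS\SYSTEM\EEPA.DLL
O18 - Filter: text/plain - {8EBDB99A-1B09-4D73-83DD-C892CD1D6151} - C:\WINDOWS\SYSTEM\EEPA.DLL
"""

# HJT line shapes (example's own regexes, written against the lines above).
R_LINE = re.compile(r"^(R[01]) - (.+?),(.+?) = (.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - \{([0-9A-Fa-f-]+)\} - (.*)$")
O4_LINE = re.compile(r"^O4 - (.+?): \[(.+?)\] (.*)$")
O18_LINE = re.compile(r"^O18 - Filter: (\S+) - \{([0-9A-Fa-f-]+)\} - (.*)$")
# res://<dll>/<page>: the search bar page is served out of a resource in the DLL.
RES_DLL = re.compile(r"^res://(.+?\.dll)/", re.IGNORECASE)
# rundll32 <dll>,DllInstall: the Run key re-installs the hijacker on every boot.
RUNDLL_INSTALL = re.compile(r"^rundll32(?:\.exe)?\s+(.+?\.dll)\s*,\s*DllInstall\b", re.IGNORECASE)


def _norm(path):
    """Case-fold a Win9x path so HJT's mixed-case output compares equal."""
    return path.strip().upper()


def triage(log_text):
    """Return the DLLs to delete, the BHO CLSIDs to remove and the HJT lines to fix."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    files, clsids, flagged = set(), set(), set()
    filter_dlls = set()
    about_blank = []
    res_hijack = False

    # Pass 1: entries that name the payload DLLs directly.
    for line in lines:
        m = O18_LINE.match(line)
        if m:
            if m.group(1).lower() in ("text/html", "text/plain"):
                dll = _norm(m.group(3))
                filter_dlls.add(dll)
                files.add(dll)
                flagged.add(line)
            continue
        m = O4_LINE.match(line)
        if m:
            r = RUNDLL_INSTALL.match(m.group(3).strip())
            if r:
                files.add(_norm(r.group(1)))
                flagged.add(line)
            continue
        m = R_LINE.match(line)
        if m:
            value = m.group(4).strip()
            r = RES_DLL.match(value)
            if r:
                res_hijack = True
                files.add(_norm(r.group(1)))
                flagged.add(line)
            elif value.lower() == "about:blank":
                about_blank.append(line)

    # Pass 2: a BHO loaded from the same DLL as a text/html filter is the
    # hijacker's second foothold, regardless of the CLSID it registered under.
    for line in lines:
        m = O2_LINE.match(line)
        if m and _norm(m.group(3)) in filter_dlls:
            clsids.add(m.group(2).upper())
            flagged.add(line)

    # about:blank on its own is a legal setting; only treat it as part of the
    # hijack when a res:// search bar shows the DLL is actually in control.
    if res_hijack:
        flagged.update(about_blank)

    return {
        "files": files,
        "clsids": clsids,
        "fix_lines": [l for l in lines if l in flagged],  # keep HJT's order
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Delete on reboot:", sorted(result["files"]))
    print("Remove BHO CLSIDs:", sorted(result["clsids"]))
    print("Tick in HJT and Fix Checked:")
    for line in result["fix_lines"]:
        print("  " + line)
```

Run as-is it prints the kill list for the sample; on a real log, read the saved HJT file and pass its text to triage(). The reason for keying on the pattern is visible in this thread: post #47 targeted LFM.DLL under CLSID E576D693-A492-4DD7-9B6F-ABC61C937606, and by post #54 the same hijack was back as EEPA.DLL under 81981788-B812-4BAD-B919-EFAA76B8956F with the se.dll loader in TEMP unchanged, so a fix list written against one set of names has to be regenerated after every reboot.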

#55 Michelle (Malware Removal Goddess, Retired Staff)
What would you like to do? We can keep doing what we've been doing, but it's not going to go away because there is a hidden file that we need to get rid of. Do you know how to go into your system folder and index the files by date?

Edited by bananafanafo, 28 April 2005 - 12:18 AM.


#56 electrochimp (Topic Starter, Member)
Hi
I'm not sure if I know how to do that. Would it be in the manual? Thank you.
Here is a log. Right now it seems to run a bit slow, but it works.

Except now it copies, but no paste...

#57 Michelle (Malware Removal Goddess, Retired Staff)
OK, lets see if this works:

Using Windows Explorer, Go into C:\Windows\System

At the top, there should be a button for "View"; if you click on it, there should be something that says "choose details" or something similar. Put a checkmark next to "Date Created", click OK, then go back up to "View" and go to "Arrange icons by" > "created". Of course, since this is Windows 95 it may be different from this, but hopefully about the same.

#58 electrochimp (Topic Starter, Member)
Hi
I think I'm getting into where they list the files under "system" and can list them by date. What are we looking for, a certain type of file? Thanks

#59 Michelle (Malware Removal Goddess, Retired Staff)
Most likely .dll files from maybe the last month or two (if you see any recent .exe files and don't know what they are, you can list those too). Just list the names of the files. Hopefully there won't be that many!

#60 Michelle (Malware Removal Goddess, Retired Staff)
OK, we're going to try this too:

Please download dllcompare

* Right click on your desktop, click New > Folder, and name it dllcompare
* When it has downloaded, run the program and click on the "Run Locate.com" button.
* When that has completed, click on the "Compare" button.
* Files in the upper portion have been verified to "exist", whereas files in the bottom section have some form of problem being accessed.
* Click on any of the listed entries to select it, right click the mouse and use the option "Rescan".
* When that's completed, click on the "Make a Log" button.
* Then post the contents of that log.





