Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

TROJ_STARTPAG.RE Virus

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

TROJ_STARTPAG.RE Virus

Unread postby Frank Molland » September 6th, 2005, 7:19 am

I have recently been infected by the "TROJAN_STARTPAG.RE" virus and have tried to clear it using my AV Security set up (TREND Micro) and despite the fact that the virus has been quarantined I cant find it in the quarantine file. The first indication of infection was a complete change of my start page characteristics. Now every time I start up Trend Micro tells me its quarantined a new virus and the infected file name. I am able to delete these files but new ones are immediately found. They are usually .DLL or.dll files. I have also noted a lot of .EXE files being added to my Start up in a check of msconfig settings. Trend Micro say that PCCillin will only pick up "Viruses" and not "Hijackers" which attack internet settings. I have performed my first HighjackThis log which seems to have confirmed the above, it is shown below.

Logfile of HijackThis v1.99.1
Scan saved at 11:27:45, on 06/09/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\SDKWQ32.EXE
C:\WINDOWS\NETCL32.EXE
C:\WINDOWS\ADDRZ32.EXE
C:\WINDOWS\SYSTEM\WINRW.EXE
C:\WINDOWS\NETFC.EXE
C:\WINDOWS\SYSTEM\NETPM32.EXE
C:\WINDOWS\SYSTEM\CRLY32.EXE
C:\WINDOWS\APICI32.EXE
C:\WINDOWS\IEIX32.EXE
C:\WINDOWS\SYSTEM\D3CD32.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCIOMON.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\JAVAMF32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\INTEL\INTEL PSNCU\CPUNUMBER.EXE
C:\WINDOWS\SYSTEM\D3CD32.EXE
C:\WINDOWS\SYSTEM\SDKWQ32.EXE
C:\PROGRAM FILES\BLUEYONDER IST\BIN\MPBTN.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\TMPROXY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\JAVATW.EXE
C:\WINDOWS\SYSTEM\JAVATW.EXE
C:\WINDOWS\APICD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\ATLIJ32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\ATLIJ32.EXE
C:\WINDOWS\SYSTEM\CRHN32.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pjcof.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pjcof.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pjcof.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pjcof.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pjcof.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pjcof.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pjcof.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.uk.netscape.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Class - {B4A6A6BE-1BCD-88D2-EF06-9D18DF8A0E2A} - C:\WINDOWS\SYSTEM\MFCBG.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Onscreen Display] C:\Program Files\Netropa\Onscreen Display\OSD.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [JAVAMF32.EXE] C:\WINDOWS\JAVAMF32.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [PcCtlCom] C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [SDKWQ32.EXE] C:\WINDOWS\SYSTEM\SDKWQ32.EXE /s
O4 - HKLM\..\RunServices: [NETCL32.EXE] C:\WINDOWS\NETCL32.EXE /s
O4 - HKLM\..\RunServices: [ADDRZ32.EXE] C:\WINDOWS\ADDRZ32.EXE /s
O4 - HKLM\..\RunServices: [WINRW.EXE] C:\WINDOWS\SYSTEM\WINRW.EXE /s
O4 - HKLM\..\RunServices: [NETFC.EXE] C:\WINDOWS\NETFC.EXE /s
O4 - HKLM\..\RunServices: [NETPM32.EXE] C:\WINDOWS\SYSTEM\NETPM32.EXE /s
O4 - HKLM\..\RunServices: [CRLY32.EXE] C:\WINDOWS\SYSTEM\CRLY32.EXE /s
O4 - HKLM\..\RunServices: [APICI32.EXE] C:\WINDOWS\APICI32.EXE /s
O4 - HKLM\..\RunServices: [IEIX32.EXE] C:\WINDOWS\IEIX32.EXE /s
O4 - HKLM\..\RunServices: [D3CD32.EXE] C:\WINDOWS\SYSTEM\D3CD32.EXE /s
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [JAVATW.EXE] C:\WINDOWS\SYSTEM\JAVATW.EXE /s
O4 - HKLM\..\RunServices: [APICD.EXE] C:\WINDOWS\APICD.EXE /s
O4 - HKLM\..\RunServices: [ATLIJ32.EXE] C:\WINDOWS\SYSTEM\ATLIJ32.EXE /s
O4 - HKLM\..\RunServices: [CRHN32.EXE] C:\WINDOWS\SYSTEM\CRHN32.EXE /s
O4 - HKCU\..\Run: [IntelProcNumUtility] "C:\Intel\Intel PSNCU\CpuNumber.exe" /nosplash
O4 - Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://dial.blueyonder.co.uk/
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup ... veData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/4be4fef7/enter.cab

I am not a "Techie" so any advice to clear this problem will be welcome.
Frank Molland
Regular Member
 
Posts: 16
Joined: September 6th, 2005, 6:39 am
Advertisement
Register to Remove

Unread postby Mat2 » September 8th, 2005, 11:24 am

Image & Welcome to MWR

I would be glad to help you with your computer problems. :)

HijackThis logs take awhile to research. Please be patient with me. I know that you want your problems solved quicky, and I will work hard to help you.

Please observe these rules while we work:

1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.

If you can do those two things, everything should go smoothly

Thanks
User avatar
Mat2
Retired Graduate
 
Posts: 1003
Joined: May 29th, 2005, 4:41 am
Location: Behind The Server

Unread postby Mat2 » September 8th, 2005, 11:52 am

Hi

You may want to print out these instructions or save them as a text file with Notepad to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Read this instructions carefully and feel free to ask if you're unsure about something

The first thing we need to do is download the following:

AboutBuster. unzip it to the desktop and then run the program and JUST update, you will need to the the program laters

Adaware SE. Once installed you need to update it.

CWShredder

1. Restart your computer. As your computer restarts, repeatedly press the F8 key on your keyboard until the Windows Advanced Options menu appears.
2. Use the arrow key to select Safe Mode, and then press ENTER.
3. Use an arrow key to select an operating system and press ENTER.
4. When prompted whether you want your Windows to run in safe mode, click Yes.

  • Open My Computer
  • Select the View menu and click Folder Options
  • Select the View Tab.
  • In the Hidden files section select Show all files.
  • Click OK


Keep all browsers and windows closed thoughout this fix

Press Control-Alt-Del to enter the Task Manager.

Click on the Processes tab and end the following processes:

C:\WINDOWS\SYSTEM\SDKWQ32.EXE
C:\WINDOWS\NETCL32.EXE
C:\WINDOWS\ADDRZ32.EXE
C:\WINDOWS\SYSTEM\WINRW.EXE
C:\WINDOWS\NETFC.EXE
C:\WINDOWS\SYSTEM\NETPM32.EXE
C:\WINDOWS\SYSTEM\CRLY32.EXE
C:\WINDOWS\IEIX32.EXE
C:\WINDOWS\SYSTEM\D3CD32.EXE


Exit the Task Manager when finished.

Next locate CWShredder on your desktop, double click it, Then Press Fix

Next please run HijackThis, click Do A System Scan Only, and check the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pjcof.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pjcof.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pjcof.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pjcof.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pjcof.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pjcof.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pjcof.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {B4A6A6BE-1BCD-88D2-EF06-9D18DF8A0E2A} - C:\WINDOWS\SYSTEM\MFCBG.DLL
O4 - HKLM\..\Run: [JAVAMF32.EXE] C:\WINDOWS\JAVAMF32.EXE
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [SDKWQ32.EXE] C:\WINDOWS\SYSTEM\SDKWQ32.EXE /s
O4 - HKLM\..\RunServices: [NETCL32.EXE] C:\WINDOWS\NETCL32.EXE /s
O4 - HKLM\..\RunServices: [ADDRZ32.EXE] C:\WINDOWS\ADDRZ32.EXE /s
O4 - HKLM\..\RunServices: [WINRW.EXE] C:\WINDOWS\SYSTEM\WINRW.EXE /s
O4 - HKLM\..\RunServices: [NETFC.EXE] C:\WINDOWS\NETFC.EXE /s
O4 - HKLM\..\RunServices: [NETPM32.EXE] C:\WINDOWS\SYSTEM\NETPM32.EXE /s
O4 - HKLM\..\RunServices: [CRLY32.EXE] C:\WINDOWS\SYSTEM\CRLY32.EXE /s
O4 - HKLM\..\RunServices: [APICI32.EXE] C:\WINDOWS\APICI32.EXE /s
O4 - HKLM\..\RunServices: [IEIX32.EXE] C:\WINDOWS\IEIX32.EXE /s
O4 - HKLM\..\RunServices: [D3CD32.EXE] C:\WINDOWS\SYSTEM\D3CD32.EXE /s
O4 - HKLM\..\RunServices: [JAVATW.EXE] C:\WINDOWS\SYSTEM\JAVATW.EXE /s
O4 - HKLM\..\RunServices: [APICD.EXE] C:\WINDOWS\APICD.EXE /s
O4 - HKLM\..\RunServices: [ATLIJ32.EXE] C:\WINDOWS\SYSTEM\ATLIJ32.EXE /s
O4 - HKLM\..\RunServices: [CRHN32.EXE] C:\WINDOWS\SYSTEM\CRHN32.EXE /s
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/4be4fef7/enter.cab


Press Fix Checked, HJT will prompt you to confirm if you would like to remove those items, select Yes.

Next, you need to locate and run AboutBuster, double click on the program then press Begin Removal

Search for and delete these files Using Windows Explorer (if present):

C:\WINDOWS\pjcof.dll
c:\windows\SYSTEM\wucrtupd.exe
C:\WINDOWS\JAVAMF32.EXE
C:\WINDOWS\SYSTEM\MFCBG.DLL
C:\WINDOWS\SYSTEM\SDKWQ32.EXE
C:\WINDOWS\NETCL32.EXE
C:\WINDOWS\ADDRZ32.EXE
C:\WINDOWS\SYSTEM\WINRW.EXE
C:\WINDOWS\NETFC.EXE
C:\WINDOWS\SYSTEM\NETPM32.EXE
C:\WINDOWS\SYSTEM\CRLY32.EXE
C:\WINDOWS\APICI32.EXE
C:\WINDOWS\IEIX32.EXE
C:\WINDOWS\SYSTEM\D3CD32.EXE
C:\WINDOWS\SYSTEM\JAVATW.EXE
C:\WINDOWS\APICD.EXE
C:\WINDOWS\SYSTEM\ATLIJ32.EXE
C:\WINDOWS\SYSTEM\CRHN32.EXE


Next you need to empty the Recycle Bin

Also the Temp files as follows :

1) Click Start, Programs (or All Programs), Accessories, System Tools, Disk Cleanup
2) Choose the correct drive usually C:\
3) Check the boxes in the list and delete the files

Next you need to run Adaware SE

Run Ad-Aware SE Personal 1.06:

  • Click the "Start" button.
  • Uncheck the "Search for negligible risk entries" entry.
  • Choose the "Use custom scanning options" scan mode.
  • Click the "Next" button.
  • Ad-Aware will begin to scan for malware residing on your computer.
  • Allow the scan to finish.
  • Right-click on any entry in the list and click "Select All" to select the whole list.
  • Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.


Finally restart windows back into normal mode and post back a new HJT log and also the log from AboutBuster. Thanks :)
User avatar
Mat2
Retired Graduate
 
Posts: 1003
Joined: May 29th, 2005, 4:41 am
Location: Behind The Server

TROJ_STARTPAG.RE virus

Unread postby Frank Molland » September 12th, 2005, 7:32 am

Mat2
Appreciate your quick response.

Downloaded AboutBuster and Updated it.

Downloaded Adaware SE update.

Downloaded CWShredder.

Restarted my computer in Safe Mode no "Advanced Options" menu appeared so selection for operating system not available, however with my computer in"Safe Mode" carried out your instructions to:-
Open My Computer
Select View menu/Folder Options
Select View Tab/Show all Files
Click O.K.

All browsers were closed

When I reached theControl-Alt-Del to enter the Task Manager there is no Processes tab and onlyMy Computer and Explorer in the dialogue box.

Do I carry on to the next step i.e. Activate CWShredder and pressFix?
Frank Molland
Regular Member
 
Posts: 16
Joined: September 6th, 2005, 6:39 am

Unread postby Mat2 » September 12th, 2005, 9:47 am

Hi

Thanks for responding, you need to continue to the end of the instructions, i posted for you in a previous thread. when you have completed them post back here another HijackThis Log as you did before, I will then take another look at it and report back you.
User avatar
Mat2
Retired Graduate
 
Posts: 1003
Joined: May 29th, 2005, 4:41 am
Location: Behind The Server

TROJ_STARTPAG.RE Virus

Unread postby Frank Molland » September 13th, 2005, 3:22 pm

Mat2
I have carried out your instructions as far as I could. AboutBlank would not run on my system (Not NTFS)?. A lot of the files on the print out of your instructions were not on the HighJack This scan I took after the CWShredder operation but I deleted what I could see. Also in the block of .EXE and .dll CRLY32 was only present as a .dll file and IEIX32.EXE cannot be deleted. Deleted what I could then emptied the Recycle Bin.
Ran Adaware SE and completed the process.
The HighJack this log follows:-
Logfile of HijackThis v1.99.1
Scan saved at 16:06:54, on 13/09/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\IEED32.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCIOMON.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCGUIDE.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\TMPROXY.EXE
C:\WINDOWS\SYSTEM\WINEV32.EXE
C:\INTEL\INTEL PSNCU\CPUNUMBER.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\HP PSC 900 SERIES\BIN\HPOBRT07.EXE
C:\PROGRAM FILES\BLUEYONDER IST\BIN\MPBTN.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\SHARED\BIN\HPOEVM07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\SHARED\BIN\HPOSTS07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\SHARED\BIN\HPOFXM07.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.uk.netscape.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Class - {210E4567-72A8-B219-4757-A195720910D9} - C:\WINDOWS\SYSTEM\CROO32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Onscreen Display] C:\Program Files\Netropa\Onscreen Display\OSD.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [WINEV32.EXE] C:\WINDOWS\SYSTEM\WINEV32.EXE
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [PcCtlCom] C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [IEED32.EXE] C:\WINDOWS\SYSTEM\IEED32.EXE /s
O4 - HKCU\..\Run: [IntelProcNumUtility] "C:\Intel\Intel PSNCU\CpuNumber.exe" /nosplash
O4 - Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://dial.blueyonder.co.uk/
O15 - Trusted Zone: http://www.trendmicro.com
O15 - Trusted Zone: http://www.blueyonder.co.uk
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup ... veData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/4be4fef7/enter.cab
AboutBuster log:-
AboutBuster 5.0 reference file 31
Scan started on [13/09/05] at [13:56:37]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was ABORTED at 13:56:54


AboutBuster 5.0 reference file 31
Scan started on [13/09/05] at [18:53:35]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was ABORTED at 18:53:49
Frank Molland
Regular Member
 
Posts: 16
Joined: September 6th, 2005, 6:39 am

Unread postby Mat2 » September 13th, 2005, 4:58 pm

Hi

You may want to print out these instructions or save them as a text file with Notepad to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Read this instructions carefully and feel free to ask if you're unsure about something


You need to download Kill Box from Here. Unzip it to the desktop but do NOT run it yet.

1. Restart your computer. As your computer restarts, repeatedly press the F8 key on your keyboard until the Windows Advanced Options menu appears.
2. Use the arrow key to select Safe Mode, and then press ENTER.
3. Use an arrow key to select an operating system and press ENTER.
4. When prompted whether you want your Windows to run in safe mode, click Yes.

You MUST keep all Windows, browsers, Programs CLOSED while performing the fix.


Right the next step is you need to run CWShredder again twice please.

After that you will need to run About:Buster again twice.

Note: The program does work on win98 Systems. The reference to NTFS is only Addressing ADS which isn't there unless it's a NTFS system.

Click Start, point to Settings, and then click Control Panel.
In Control Panel, double-click Add/Remove Programs.

Have a look for the following (it may not be present):

SearchAssistant


Next please run HijackThis, click Do A System Scan Only, and check the following:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {210E4567-72A8-B219-4757-A195720910D9} - C:\WINDOWS\SYSTEM\CROO32.DLL
O4 - HKLM\..\Run: [WINEV32.EXE] C:\WINDOWS\SYSTEM\WINEV32.EXE
O4 - HKLM\..\RunServices: [IEED32.EXE] C:\WINDOWS\SYSTEM\IEED32.EXE /s
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/4be4fef7/enter.cab


Press Fix Checked, HJT will prompt you to confirm if you would like to remove those items, select Yes.

Search for and delete these files (if present):

C:\WINDOWS\SYSTEM\WINEV32.EXE
C:\WINDOWS\SYSTEM\IEED32.EXE
C:\WINDOWS\SYSTEM\CROO32.DLL

If you cannot find the files listed above, then you need to use the Killbox program you downloaded earlier.



    [1] [Disconnect from internet and shut down all running programs
    [2] Double-click on KillBox.exe. and keep killbox Open.
    (Important to keep killbox and notepad file open)
    [3] Use task manager to end process on all instances of explorer.exe
    Your desktop will disappear but that's normal. It will come back after Reboot part of this fix.
    [4] Click "Delete on Reboot" box.
    [5] Paste this file into the top "Full Path of File to Delete" box.

    • C:\WINDOWS\SYSTEM\CROO32.DLL

    [6] Click the "Delete File" button (Red Circle with White X)
    [7] Click "No" at the "Process and Reboot Now" prompt.
    [8] Click "OK" at the Pending Reboot prompt.
    [9] Repeat steps 6-8 above for these files:

    • C:\WINDOWS\SYSTEM\IEED32.EXE

    [11] Click "Delete on Reboot" box.
    [12] Paste this file into the top "Full Path of File to Delete" box.

    • C:\WINDOWS\SYSTEM\CROO32.DLL

    [13] Click the "Delete File" button which looks like a stop sign.
    [14] Click "Yes" at the "Process and Reboot Now" prompt.
    [15] Click "Yes" at the Pending Operations prompt to restart your computer. Allow machine to reboot.


Note that we may have to repeat this process a few times to completely kill off all of the files.

Restart Windows back into normal mode.

When windows has restarted you need to run Adaware again and also a Panda Active scan from Here

When done, you will need to run another HJT log and post back here. Thanks
User avatar
Mat2
Retired Graduate
 
Posts: 1003
Joined: May 29th, 2005, 4:41 am
Location: Behind The Server

Unread postby Frank Molland » September 15th, 2005, 12:12 pm

Mat2
While I was carrying it your previous instructions I ran Adaware and noticed that there was a big jump in critical objects when it "hit" the Windows/Favorites folder. After I had completed your routine and posted the HijackThis log I went into Windows Explorer to check the Windows/Favorites folder and found two sub-folders - "media" and another (sorry cannot remember the second name) which, in turn contained links to numerous web sites. I deleted them (deleting one deleted both which I thought peculiar) and emptied the Recycle Bin. Is it o.k. to do this while we are in the process of elimination? I'd hate to screw things up.
HijackThis log appended:-

Logfile of HijackThis v1.99.1
Scan saved at 15:54:20, on 15/09/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.blueyonder.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.blueyonder.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = NOT USED (OK)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.blueyonder.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.blueyonder.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.blueyonder.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.blueyonder.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.uk.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Onscreen Display] C:\Program Files\Netropa\Onscreen Display\OSD.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [PcCtlCom] C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [IntelProcNumUtility] "C:\Intel\Intel PSNCU\CpuNumber.exe" /nosplash
O4 - Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://dial.blueyonder.co.uk/
O15 - Trusted Zone: http://www.trendmicro.com
O15 - Trusted Zone: http://www.blueyonder.co.uk
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup ... veData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) -
Frank Molland
Regular Member
 
Posts: 16
Joined: September 6th, 2005, 6:39 am

Unread postby Mat2 » September 15th, 2005, 12:39 pm

Hi

I have just looked at the log you have posted and you haven't screwed up, it has helped getting rid of any unnecessary files which were lying around on your PC.

You may want to print out these instructions or save them as a text file with Notepad to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Read this instructions carefully and feel free to ask if you're unsure about something

Next please run HijackThis, click Do A System Scan Only, and check the following:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = NOT USED (OK)

Press Fix Checked, HJT will prompt you to confirm if you would like to remove those items, select Yes.

Next

Restart your computer and when Windows has loaded do another HJT log and post it back here, Thanks
User avatar
Mat2
Retired Graduate
 
Posts: 1003
Joined: May 29th, 2005, 4:41 am
Location: Behind The Server

Unread postby Frank Molland » September 15th, 2005, 4:24 pm

Mat2
Appended below is the HijackThis log file as requested:-

Logfile of HijackThis v1.99.1
Scan saved at 15:54:20, on 15/09/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.blueyonder.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.blueyonder.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = NOT USED (OK)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.blueyonder.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.blueyonder.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.blueyonder.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.blueyonder.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.uk.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Onscreen Display] C:\Program Files\Netropa\Onscreen Display\OSD.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [PcCtlCom] C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [IntelProcNumUtility] "C:\Intel\Intel PSNCU\CpuNumber.exe" /nosplash
O4 - Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://dial.blueyonder.co.uk/
O15 - Trusted Zone: http://www.trendmicro.com
O15 - Trusted Zone: http://www.blueyonder.co.uk
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup ... veData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) -
Frank Molland
Regular Member
 
Posts: 16
Joined: September 6th, 2005, 6:39 am

Unread postby Frank Molland » September 15th, 2005, 4:37 pm

Mat2

Apologies --- wrong log file posted,

Correct file below:-

Logfile of HijackThis v1.99.1
Scan saved at 21:21:11, on 15/09/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\INTEL\INTEL PSNCU\CPUNUMBER.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\HP PSC 900 SERIES\BIN\HPOBRT07.EXE
C:\PROGRAM FILES\BLUEYONDER IST\BIN\MPBTN.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\SHARED\BIN\HPOEVM07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\SHARED\BIN\HPOSTS07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\SHARED\BIN\HPOFXM07.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\HPOIPM07.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.blueyonder.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.blueyonder.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.blueyonder.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.blueyonder.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.blueyonder.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.blueyonder.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.uk.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Onscreen Display] C:\Program Files\Netropa\Onscreen Display\OSD.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [PcCtlCom] C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [IntelProcNumUtility] "C:\Intel\Intel PSNCU\CpuNumber.exe" /nosplash
O4 - Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://dial.blueyonder.co.uk/
O15 - Trusted Zone: http://www.trendmicro.com
O15 - Trusted Zone: http://www.blueyonder.co.uk
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup ... veData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqna/downloads/msxml4.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan ... asinst.cab
Frank Molland
Regular Member
 
Posts: 16
Joined: September 6th, 2005, 6:39 am

Unread postby Mat2 » September 15th, 2005, 5:28 pm

Hi

You need to clear out all the temp files and also empty your recycle bin. To empty all the temp files as follows:

For Internet Explorer 6, you can follow these directions to clear out temporary files and delete cookies.

1) Open Internet Explorer and click on Tools
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive.

To clean up other temporary files on your computer in Windows 98 :

1) Click Start, Programs (or All Programs), Accessories, System Tools, Disk Cleanup
2) Choose the correct drive usually C:\
3) Check the boxes in the list and delete the files

Now we need to see if we need to restore some deleted files:
Please check for the following files using the Windows Search Engine:

control.exe
rundll32.exe
wmplayer.exe
msconfig.exe
notepad.exe
shell.dll
SDHelper.dll


If any are missing or not working properly then you can download new copies from Merijn's Files ,Select windows files from the menu on the lefthand side,and follow the instructions at that site to installthem where they belong for your OS.

Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.
User avatar
Mat2
Retired Graduate
 
Posts: 1003
Joined: May 29th, 2005, 4:41 am
Location: Behind The Server

TROJ_STARTPAG.RE Virus

Unread postby Frank Molland » September 16th, 2005, 5:10 am

Mat2

Appreciate your patience.
control.exe and SDHelper.dll are missing.

Accessed Merijn's Files and attempted to download control.exe first.

When I used Winzip Wizard, control_98.zip appeared in the Winzip title bar but nothing in the pane. After first attempt I wasn't sure it had downloaded. Winzip Wizard offered a search for the file and I carried out the search. I was amazed to see that in the Winzip archive were several CoolWebSearch files. Should I remove these from the archive before they do any damage?

Anyway I carried on and decided to "Save" control_98.zip rather than open but dont know where to save it to. Navigated to Windows/System but wasn't sure that was correct so decided to contact you.

A search using Start/Find/File and Folders shows no sign of control_98.zip.

What next?
Frank Molland
Regular Member
 
Posts: 16
Joined: September 6th, 2005, 6:39 am

Unread postby Mat2 » September 16th, 2005, 7:11 am

Hi

If you are certain the files relate to CoolWebSearch, then you can remove them from the archive, If you wish you can search for them and then delete them.

or

you could run Spybot S&D

First is Spybot S & D available from here.

Is a tutorial at Net-Intergration Here

1. Downloaded and Install Spybot S&D, accepting the Default Settings

2. In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.

3. Close ALL windows except Spybot S&D

4. Click the button to ‘Search for Updates’ then download and install the Updates.

5. Next click the button ‘Check for Problems'

6. When Spybot is complete, it will be showing ‘RED’ entries bold 'Black' entries and ‘GREEN’ entries in the window

7. Make certain there is a check mark beside all of the RED entries ONLY.

8. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.

9. REBOOT to complete the scan and clear memory.

(Courtesy ChrisRLG)

With regards to the problem you are having with the files from Merijn's website, here are some instructions on how to do it:

  • Follow the link in my previous thread or Here
  • Choose Windows Files from the menu on the lefthand side
  • Select the file you require
  • Choose Windows 98/SE , Click Download
  • Save the file to convienent place e.g, Desktop
  • Locate the file, Double click on the file, then unzip it
  • Then Double click on the file you have just unzipped to install
  • Repeat for any other file you require


Post back if you have any problems
User avatar
Mat2
Retired Graduate
 
Posts: 1003
Joined: May 29th, 2005, 4:41 am
Location: Behind The Server

TROJ_STARTPAG.RE Virus

Unread postby Frank Molland » September 16th, 2005, 11:28 am

Mat2

I have now managed to download and restore control.exe (to Windows/System) and SDHelper (to Spybot S&D folder).

I already had Spybot S&D installed so I didn't need to download it.

Downloaded "Hoster" and Restored Original Hosts.

When I use the "Disk Cleanup" facility although the items are checked the space that will be saved is at zero for each of them.
Frank Molland
Regular Member
 
Posts: 16
Joined: September 6th, 2005, 6:39 am
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 104 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware