I get this error when I download any files from the net.....

Status
Not open for further replies.

Charley

Just Do It
This program has performed a illegal operation and will be shut down. If the problem persists, contact the program vendor

caused an invalid page fault in
module <unknown> at 0000:bff8b0fa.
Registers:
EAX=00000000 CS=0167 EIP=bff8b0fa EFLGS=00010213
EBX=00000000 SS=016f ESP=82c03f3c EBP=82c03fc4
ECX=c150cb30 DS=016f ESI=8162637c FS=1c37
EDX=bffc9310 ES=016f EDI=0040e000 GS=0000
Bytes at CS:EIP:
89 18 e8 6f d9 00 00 85 c0 74 0d 80 4e 14 20 8b
Stack dump:
8162637c 816268fc 81626c5c 00530020 bff8b2a7 816268fc 00000008 81626c5c 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000

After it says that the operation has been cancelled due to restrictions on your computer..

I've already disabled the Firewall settings but still it persists.

:(
 
Charley

Just Do It
All software or files I download from the net get the error mentioned above.


Why does it happen? Last time I had the same error, but when I disabled the firewall it worked fine.

:?
 

enoonmai

Cyborg Agent
Check your Event Viewer error logs and see what program is listed with a red X once your downloaded file crashes. Also, download HJT from here

*www.majorgeeks.com/download3155.html

run it and post the log file here, then maybe we can figure out what's causing the problem. Make sure your computer is free of all viruses/trojans.
 

swatkat

Technomancer
I have told you to run HijackThis 3 times.... If you can't download HijackThis from your computer, download it from a cybercafe or a friend's computer or Digit CDs; it's a 996kb file. Then copy it to your HDD and run it.....
 
Charley

Just Do It
enoonmai said:
Check your Event Viewer error logs and see what program is listed with a red X once your downloaded file crashes. Also, download HJT from here

*www.majorgeeks.com/download3155.html

run it and post the log file here, then maybe we can figure out what's causing the problem. Make sure your computer is free of all viruses/trojans.


How do I view the Event Viewer, or how can I find it to see it? :?
 

swatkat

Technomancer
In WinXP, go to Control Panel > Administrative Tools > Event Viewer...
Here, look for any event with a red X mark or yellow ! mark, double-click on each of them, copy the message to Notepad and post that here...
 
Charley

Just Do It
swatkat said:
In WinXP, go to Control Panel > Administrative Tools > Event Viewer...
Here, look for any event with a red X mark or yellow ! mark, double-click on each of them, copy the message to Notepad and post that here...

I have Win 98 Second Edition here ..........


:?
 
Charley

Just Do It
swatkat said:
I have told you to run HijackThis 3 times.... If you can't download HijackThis from your computer, download it from a cybercafe or a friend's computer or Digit CDs; it's a 996kb file. Then copy it to your HDD and run it.....


Here's the scan I've done from an old CD I'd .. Check it out...

System log report, 2/20/05 3:03:15 PM
Detected: Microsoft Windows 98 SE
--------------------------------------------------

Running Processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\BULLETPROOFSOFT.COM\SPYWAREREMOVER\HS\HIJACK.EXE

--------------------------------------------------

Autorun entries from Registry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe (file missing)
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme (file missing)
sp = rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall (file missing)


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme (file missing)
SchedulingAgent = C:\WINDOWS\SYSTEM\mstask.exe



--------------------------------------------------

File association entry for:

[.EXE]
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*


[.COM]
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*


[.BAT]
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*


[.PIF]
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*


[.SCR]
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S


[.HTA]
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*



--------------------------------------------------

Load/Run keys from WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from SYSTEM.INI:

shell=Explorer.exe
drivers=mmsystem.dll power.drv

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is NOT normal ()
- Company name OK: Microsoft Corporation
- Original filename OK: REGEDIT.EXE
- File description OK: Registry Editor
Registry check NOT passed

--------------------------------------------------

C:\WINDOWS\WinInit.ini listing

[rename]
NUL=C:\WINDOWS\TEMP\GLB1A2B.EXE

--------------------------------------------------

C:\WINDOWS\WinInit.bak listing


[Rename]
C:\WINDOWS\SYSTEM\SHFOLDER.DLL=C:\WINDOWS\SYSTEM\TBME293.TMP

--------------------------------------------------

C:\Autoexec.bat listing

doskey

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\SYSTEM\GKML.DLL - {A1C491A1-8340-11D9-9053-00805F119DA9}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[DirectAnimation Java Classes]
CodeBase = file://C:\WINDOWS\SYSTEM\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Internet Explorer Classes for Java]
CodeBase = file://C:\WINDOWS\SYSTEM\iejava.cab
OSD = C:\WINDOWS\Downloaded Program Files\Internet Explorer Classes for Java.osd

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CodeBase = *a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CodeBase = *v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38400.2651157407

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CodeBase = *download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[{10003000-1000-0000-1000-000000000000}]
CodeBase = ms-its:mhtml:file://C:\foo.mht!*bin.wordsx.cc/JtUrTcec_L7JVmdToz82.chm::/on-line.exe

[Java Plug-in 1.5.0_01]
InProcServer32 = C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
CodeBase = *java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab

[Java Plug-in 1.5.0_01]
InProcServer32 = C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
CodeBase = *java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab


--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\SYSTEM\rnr20.dll
Protocol #1: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #2: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #3: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #4: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #5: C:\WINDOWS\SYSTEM\rsvpsp.dll
Protocol #6: C:\WINDOWS\SYSTEM\rsvpsp.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------

:(
 

swatkat

Technomancer
achacko@dataone.in said:
swatkat said:
I have told you to run HijackThis 3 times.... If you can't download HijackThis from your computer, download it from a cybercafe or a friend's computer or Digit CDs; it's a 996kb file. Then copy it to your HDD and run it.....


Here's the scan I've done from an old CD I'd .. Check it out...

In HijackThis, select the red entries and click Fix...
Restart in Safe Mode, and delete these files or folders if they are found:-
C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
C:\foo.mht!http
bin.wordsx.cc
JtUrTcec_L7JVmdToz82.chm
on-line.exe
C:\WINDOWS\TEMP\SE.DLL

Then restart again and go to C:\Windows\Temp; there, delete ALL files/folders inside it (don't delete the TEMP folder itself).....

If possible, download Cleanup! to delete the junk left in various places by this spyware...
*cleanup.stevengould.org/

Also, SE.DLL is a CoolWebSearch variant, so you have to use a tool called CWShredder to remove any other CoolWebSearch files that may be lurking.....
*www.spywareinfo.com/~merijn/cwschronicles.html

Post a fresh log after this; a newer version of HijackThis would help.....
Also, I am doubtful about the entries in blue, so don't delete them. First check for your problem; if it exists, then delete them....

I think some of your system files are missing/corrupt, so go to Start > Run, type sfc and press Enter. There, click Settings, check the option "Check for Deleted Files", and click OK. In the main screen, click "Start" to scan.... You might require the Win98 Setup CD or the Win98 Setup files on the hard disk....

Also, no Event Viewer exists in 98....
 

enoonmai

Cyborg Agent
swatkat said:
In HijackThis, select the red entries and click Fix...
Restart in Safe Mode, and delete these files or folders if they are found:-
C:\WINDOWS\DOWNLO~1\XSCAN53.OCX

:shock: You just told him to remove the Trend Micro Online Scan OCX control. It's a completely legit file.

About the one in blue, foo.mht, that's a browser hijack all right - FreshBar, and should be removed. No idea what GKML.DLL is, but GLB1A2B.EXE is not a pest, it's a valid Unwise uninstaller file.
 
Charley

Just Do It
Dude... The other one was some software which is a trial version & expired today, can't fix it though.........

Please go through this from the actual hijack log and tell me what is wrong & what should be done........


Logfile of HijackThis v1.99.1
Scan saved at 7:54:21 PM, on 2/20/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\DESKTOP\EC22.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PKWARE\PKZIPW\pkzipw.exe
C:\HIJACK\PKTMP001.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {A1C491A1-8340-11D9-9053-00805F119DA9} - C:\WINDOWS\SYSTEM\GKML.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - *a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!*bin.wordsx.cc/JtUrTcec_L7JVmdToz82.chm::/on-line.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = dataone
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 61.1.96.69,61.1.96.71
O18 - Filter: text/html - {A1C491A0-8340-11D9-9053-0080305D3832} - C:\WINDOWS\SYSTEM\GKML.DLL
O18 - Filter: text/plain - {A1C491A0-8340-11D9-9053-0080305D3832} - C:\WINDOWS\SYSTEM\GKML.DLL
 

enoonmai

Cyborg Agent
LOL! The best thing to do would be to run Spybot S&D, apply the latest updates, and choose to fix all problems. If you can't download even that without an error, run HJT and select these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!*bin.wordsx.cc/JtUrTcec_L7JVmdToz82.chm::/on-line.exe

and then choose to Fix the selected problems.
Once that's done, do a search for SE.DLL, foo.mht*, on-line.*, JtU*.* and delete any and all files that it finds.
If possible, go to a cybercafe or a friend's place and download Spybot S&D and CWShredder.
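The four entries selected in the post above share two traits that can be checked mechanically: an IE setting or Run entry that loads a DLL from C:\WINDOWS\TEMP, and a Download Program Files entry whose CodeBase is an ms-its:mhtml: URL. The sketch below is an added example, not part of the original thread and not HijackThis's own logic; the two heuristics and the names `triage` and `Finding` are assumptions made for illustration, and the sample lines are copied from the log posted earlier in the thread.

```python
import re
from typing import List, NamedTuple

# Sample input: a subset of lines copied from the HijackThis v1.99.1 log in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
O2 - BHO: (no name) - {A1C491A1-8340-11D9-9053-00805F119DA9} - C:\WINDOWS\SYSTEM\GKML.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - *a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!*bin.wordsx.cc/JtUrTcec_L7JVmdToz82.chm::/on-line.exe
"""


class Finding(NamedTuple):
    section: str  # HijackThis section code, e.g. "R1", "O4", "O16"
    reason: str   # why this example flags the entry
    entry: str    # the entry text after the section code


# A log entry looks like "<section code> - <rest of line>".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Heuristics assumed for this example:
# 1) browser settings (R0/R1) or autoruns (O4) that reference a file in a TEMP directory
# 2) ActiveX download entries (O16) whose CodeBase uses the ms-its:/mhtml: handlers
TEMP_PATH_RE = re.compile(r"\\TEMP\\", re.IGNORECASE)
ITS_SCHEME_RE = re.compile(r"\b(?:ms-its|mhtml):", re.IGNORECASE)


def triage(log_text: str) -> List[Finding]:
    """Return the log entries that match either heuristic, in log order."""
    findings = []
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if not match:
            continue  # header, running-process line or blank line
        section, body = match.groups()
        if section in ("R0", "R1", "O4") and TEMP_PATH_RE.search(body):
            findings.append(
                Finding(section, "loads code from a TEMP directory", body))
        elif section == "O16" and ITS_SCHEME_RE.search(body):
            findings.append(
                Finding(section, "CodeBase uses an ms-its:/mhtml: URL", body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>3}  {f.reason}: {f.entry}")
```

Entries the heuristics do not match, such as the GKML.DLL BHO, are not cleared by this; they still need the manual review the thread gives them.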
 
Charley

Just Do It
I cannot delete the temp folder... I've done both shredder & Spybot ... What should I do to be protected in future..... This is the hijack file now

Logfile of HijackThis v1.99.1
Scan saved at 9:57:57 PM, on 2/20/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PKWARE\PKZIPW\pkzipw.exe
C:\HIJACK\PKTMP000.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = *www.google.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - *a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!*bin.wordsx.cc/JtUrTcec_L7JVmdToz82.chm::/on-line.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = dataone
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 61.1.96.69,61.1.96.71
 

enoonmai

Cyborg Agent
The problems still exist. What you need to do is to boot the computer in Safe Mode (hit F8 just after the BIOS finishes the POST and you hear the single beep) and then navigate to the Temp folder and clear out its contents. Then run Spybot again to check you've got no infection.
To make sure you don't get infected again in the future, Spybot comes with a program called TeaTimer.exe that offers protection against programs changing your settings and installing programs without your permission. Download the latest updates for Spybot (make sure you continue to check for updates every 15 days) and once it's updated, go to the Immunize option in Spybot and make sure it's enabled. You should see an "All known bad products are blocked" message when you click the Immunize button. Make sure TeaTimer runs at all times (you can add it to the Startup folder if it isn't already enabled by default). Whenever a change occurs, Spybot TeaTimer will prompt you to either accept or deny the change. If it's something you don't know or don't trust, deny the change.
 

swatkat

Technomancer
achacko@dataone.in said:
I cannot delete the temp folder... I've done both shredder & Spybot ... What should I do to be protected in future..... This is the hijack file now

You have the HomeOldSP bug, which is an advanced CoolWebSearch variant, and also SE.DLL, which is IEPlugin spyware... You have to remove both manually....

To fix IEPlugin (SE.DLL), Symantec has a tool; download it from a friend's computer or a cybercafe and run it on your computer.....
If you can't get this, you have to remove it manually as below....
*securityresponse.symantec.com/avcenter/FxIeplgn.exe
After the above fix, check for the SE.DLL entry in HijackThis; if it exists, then you have to remove it manually....

Removal of SE.DLL:-
1]Check the SE.DLL entry in HijackThis and click Fix.
2]Restart. Then go to Start>Run and type msconfig and Enter.
3]Here, uncheck/remove these entries if found:-
extract.exe
se.exe
systb.exe
wdskctl.exe
wupdt.exe
winserv.exe
4]Now, open the MSDOS Prompt; here you have to go to the folder where SE.DLL is present, in your case, it is C:\Windows\Temp\SE.DLL
So, in the DOS prompt, at C:\> type cd Windows and press Enter, then type cd Temp and press Enter.
5]Here, you have to unregister the DLL file, so at the DOS Prompt type regsvr32 -u se.dll and press Enter.
6]Similarly, find if SE.DLL exists in any other places using the Windows Find utility and then navigate to that folder / or use the pathname to unregister.
7]Then delete the file.

HomeOldSP removal:-
This is a semi-manual process....
1]Check/Select the OldHomeSP entries in the HijackThis log (marked in red above) and click Fix.
2]Also, download and run AboutBuster, found here...
*www.spychecker.com/program/aboutbuster.html
3]After this, run Cleanup! (a must-have tool), click "Options", use the Standard Cleanup option and click OK, and then click Cleanup.
*cleanup.stevengould.org/

After this, run HijackThis and save the log, and check for a line containing "OldHomeSP"; if it's there, we have to remove it manually....
This OldHomeSP has one DLL file, due to which it keeps registering itself. You have to delete that DLL file.

After all this, post the log of HijackThis and also your Add/Remove Programs list....
OldHomeSP is the most advanced and most dreaded spyware, and SE.DLL is not far behind it.... The bad thing is that not many tools/antiviruses are able to fix it.....
 
Charley

Just Do It
I've downloaded the latest Spybot softie and installed it..



When I'm trying to get into the hijack file to post the scanned file it says


A required .dll file MCVBVM60.dll was not found, error executing... Why?
 

sreevirus

Certified Nutz
download the msvbvm60.dll file from here: *dll-files.com/dllindex/download.php?msvbvm60download0UMlXBVFdO and copy it to \WINDOWS\system32 and then try....
 