Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Qoologic T [trj]/ibm00001.exe Troubles


  • Please log in to reply
10 replies to this topic

#1 upnorthfireman

upnorthfireman

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Location:Mancelona, MI
  • Local time:01:52 AM

Posted 06 February 2006 - 10:33 PM

D trojanator suggested that I post a HIJACKTHIS log do to my current issues, just getting around to it. My AVAST anti virus keeps picking up this QOOLOGIC T virus in my C:(having some trouble with my underline button)RESTORE\TEMP files. I also am getting an ibm00001.exe error on start up. I originaly had a run in with a spy sheriff infection and thought I was able to get it all off. Adaware and spybot keep coming up with nothing and the online scans keep coming up clean. I am using an older model COMPAQ Presario with windows ME. My AVAST a/v keeps coming up with an error that the virus cannot be removed or moved. This is my HIJACKTHIS log

Logfile of HijackThis v1.99.1
Scan saved at 9:55:39 PM, on 06-Feb-2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\D-LINK AIRPLUS XTREME G\AIRPLUS.EXE
C:\WINDOWS\DESKTOP\WIRELESS LAN UTILITY\WLANUTILITY.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\SYSTEM\ACS.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\SETUP\AVAST.SETUP

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirec...archbar&LC=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bleepingcomputer.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirec...archbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirec...archbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\SYSTEM\hpsw.exe"
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [WinVNC] "C:\PROGRAM FILES\TIGHTVNC\WINVNC.EXE" -service
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\HIJACKTHIS\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [ICCMDL] C:\WINDOWS\SYSTEM\ICCMDL.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe" -quiet
O4 - Startup: ACS.pif = C:\WINDOWS\SYSTEM\ACS.BAT
O4 - Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
O4 - Startup: Wireless Lan Utility.lnk = C:\WINDOWS\Desktop\Wireless LAN Utility\WlanUtility.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114fd.bay114.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37570.cab

Any help would be greatly appreciated. If there are any other questions or any other info need please ask!
Thank you in advance.
Jason

BC AdBot (Login to Remove)

 


m

#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:07:52 AM

Posted 11 February 2006 - 01:19 PM

Hi There! :thumbsup:

I am currently working on your log and am checking it with a teacher.

I will get back to you as soon as possible.

David :flowers:

#3 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:02:52 AM

Posted 11 February 2006 - 01:22 PM

Hello upnorthfireman and welcome to the BC HijackThis forum. Let's start by running a different scanner and also having a couple of these files checked out online.

Step #1

Download WinPFind.zip and unzip the contents to the C:\ folder.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

Step #2

Go to the Jotti's malware scan page and use the buttons at the top of the page to browse to this file(s) on your hard drive to submit for a scan:C:\KERNEL32.DLL
C:\WINDOWS\SYSTEM\hpsw.exe
C:\WINDOWS\SYSTEM\ICCMDL.exe

Several scanning engines will be used to check the files for any threats.

Ok, reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here along with a new HijackThis log and the results from the Jotti scans and I will review the information when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#4 upnorthfireman

upnorthfireman
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Location:Mancelona, MI
  • Local time:01:52 AM

Posted 13 February 2006 - 11:59 PM

Hello D-Trojanator and OldTimer,

Thank you again for your helping minds and hands in this mess. I will be shure to check out your donate link when this is all through. All of your help is greatly appreciated. Here goes nothing.
I downloaded the WinPFind.zip file, extracted it and ran it in safe mode. It got the the reg scan and an error popped up that reads "Invalid data type for QRIA". I clicked o.k. and it sat there with a cursor and did nothing. I copied the text to a notepad file, restarted and the same thing happened. Here is the text.
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Windows OS and Versions
Product Name: Windows Millennium Edition Version: 4.90.3000
Internet Explorer Version: 6.0.2800.1106

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
qoologic 13-Feb-2006 10:55:12 PM RH 1462304 C:\WINDOWS\USER.DAT
web-nex 13-Feb-2006 10:55:12 PM RH 1462304 C:\WINDOWS\USER.DAT
ad-w-a-r-e.com 13-Feb-2006 10:55:12 PM RH 1462304 C:\WINDOWS\USER.DAT
UPX! 12-Oct-2005 8:23:28 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 11-Oct-2005 1:51:50 PM 16020607 C:\WINDOWS\lpt$vpn.887
qoologic 11-Oct-2005 1:51:50 PM 16020607 C:\WINDOWS\lpt$vpn.887
SAHAgent 11-Oct-2005 1:51:50 PM 16020607 C:\WINDOWS\lpt$vpn.887
UPX! 12-Oct-2005 8:23:26 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 12-Oct-2005 8:23:26 PM 1044560 C:\WINDOWS\vsapi32.dll
PECompact2 11-Oct-2005 1:51:50 PM 16020607 C:\WINDOWS\VPTNFILE.887
qoologic 11-Oct-2005 1:51:50 PM 16020607 C:\WINDOWS\VPTNFILE.887
SAHAgent 11-Oct-2005 1:51:50 PM 16020607 C:\WINDOWS\VPTNFILE.887

Items found in C:\WINDOWS\hosts

UPX! 27-Jan-2006 6:24:46 PM 10112 C:\WINDOWS\toolbar.exe

Checking %System% folder...
UPX! 27-Jan-2006 5:38:10 PM 503296 C:\WINDOWS\SYSTEM\aswBoot.exe
PTech 12-Jan-2006 11:32:12 AM 543496 C:\WINDOWS\SYSTEM\LegitCheckControl.DLL
PEC2 17-Nov-1996 11:00:00 PM 748160 C:\WINDOWS\SYSTEM\CO2C40EN.DLL
UPX! 06-Feb-2004 8:29:20 AM 23040 C:\WINDOWS\SYSTEM\Shadow.ocx
UPX! 05-May-2001 12:49:50 AM 18944 C:\WINDOWS\SYSTEM\Registry Control.ocx
FSG! 27-Jan-2006 6:24:32 PM 4265 C:\WINDOWS\SYSTEM\paytime.exe
UPX! 27-Jan-2006 6:26:42 PM 44544 C:\WINDOWS\SYSTEM\0wao7k9k.dll

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
13-Feb-2006 10:51:32 PM RH 8146976 C:\WINDOWS\CLASSES.DAT
30-Jan-2006 7:23:18 PM HS 62709760 C:\WINDOWS\VMMHIBER.W9X
13-Feb-2006 10:59:38 PM RH 3895328 C:\WINDOWS\SYSTEM.DAT
13-Feb-2006 10:55:12 PM RH 1462304 C:\WINDOWS\USER.DAT
19-Dec-2005 6:41:44 PM RH 1032224 C:\WINDOWS\USER.BAK
13-Feb-2006 10:51:38 PM H 378204 C:\WINDOWS\ShellIconCache
13-Feb-2006 10:02:58 PM H 28226 C:\WINDOWS\ttfCache
05-Jan-2006 12:03:52 PM HS 76 C:\WINDOWS\All Users\Documents\desktop.ini
26-Jan-2006 10:52:46 PM RHS 58 C:\WINDOWS\Application Data\win.ini
26-Jan-2006 10:52:46 PM RHS 32 C:\WINDOWS\Application Data\resmodes.dat
06-Feb-2006 10:46:24 PM HS 2704 C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Desktop.htt
12-Feb-2006 5:58:50 PM H 158 C:\WINDOWS\Application Data\Microsoft\Office\Recent\index.dat
25-Jan-2006 10:23:20 AM H 10678 C:\WINDOWS\Application Data\Microsoft\Office\Shortcut Bar\Off92A0.tmp
22-Dec-2005 6:34:54 PM H 8246 C:\WINDOWS\Application Data\Microsoft\Office\Shortcut Bar\Off92A0s.tmp
22-Dec-2005 6:34:54 PM H 8246 C:\WINDOWS\Application Data\Microsoft\Office\Shortcut Bar\Off92A0h.tmp
19-Jan-2006 10:22:10 AM H 8246 C:\WINDOWS\Application Data\Microsoft\Office\Shortcut Bar\Off93A5s.tmp
19-Jan-2006 10:22:10 AM H 8246 C:\WINDOWS\Application Data\Microsoft\Office\Shortcut Bar\Off93A5h.tmp
19-Jan-2006 7:45:54 PM H 11158 C:\WINDOWS\Application Data\Microsoft\Office\Shortcut Bar\Off93A5.tmp
26-Jan-2006 9:13:24 PM H 8628 C:\WINDOWS\Desktop\RTE\RTW.GID
04-Jan-2006 12:56:12 PM H 37199 C:\WINDOWS\Desktop\RTE\Unstall.cfg
18-Dec-2005 7:47:14 PM HS 10752 C:\WINDOWS\DRM\drmv2.lic
18-Dec-2005 7:51:20 PM HS 6144 C:\WINDOWS\DRM\drmv2.sst
18-Dec-2005 7:46:20 PM HS 48 C:\WINDOWS\DRM\v2ks.sec
18-Dec-2005 7:46:20 PM HS 312 C:\WINDOWS\DRM\v2ks.bla
18-Dec-2005 7:47:16 PM HS 2560 C:\WINDOWS\DRM\drmv2.licIndex
18-Dec-2005 7:49:30 PM HS 400 C:\WINDOWS\DRM\v2ksndv.bla
18-Dec-2005 7:49:30 PM HS 234688 C:\WINDOWS\DRM\IndivBox.key
13-Feb-2006 10:53:34 PM H 23382 C:\WINDOWS\PCHEALTH\HELPCTR\Database\HelpSessionHistory.stream
20-Jan-2006 7:55:02 AM H 22688 C:\WINDOWS\SYSTEM\FFASTLOG.TXT
13-Feb-2006 10:43:26 PM H 6 C:\WINDOWS\TASKS\SA.DAT
28-Jan-2006 10:49:06 PM HS 0 C:\WINDOWS\TEMP\$b17a2e8.tmp
29-Jan-2006 8:34:58 PM HS 8 C:\WINDOWS\TEMP\$_2341235.TMP
20-Jan-2006 3:42:40 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\desktop.ini
20-Jan-2006 3:42:40 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\K7C9EDSH\desktop.ini
20-Jan-2006 3:42:42 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\45AP8DAF\desktop.ini
20-Jan-2006 3:42:42 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\BIGF249X\desktop.ini
20-Jan-2006 3:42:42 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\TDHG0LT8\desktop.ini
13-Feb-2006 7:50:00 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\JY87J1WD\desktop.ini
13-Feb-2006 7:50:00 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\8X6VK16V\desktop.ini
13-Feb-2006 7:50:00 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\4XMB4L2N\desktop.ini
13-Feb-2006 7:50:00 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\ONPZE6VD\desktop.ini
20-Jan-2006 1:32:30 PM RHS 227 C:\WINDOWS\assembly\Desktop.ini

Checking for CPL files...
Microsoft Corporation 08-Jun-2000 5:00:00 PM 79872 C:\WINDOWS\SYSTEM\APPWIZ.CPL
Microsoft Corporation 16-Sep-2002 9:37:16 AM 28672 C:\WINDOWS\SYSTEM\WUAUCPL.CPL
Microsoft Corporation 08-Jun-2000 5:00:00 PM 221280 C:\WINDOWS\SYSTEM\DESK.CPL
Apple Computer, Inc. 26-Aug-1996 2:12:00 AM R 341504 C:\WINDOWS\SYSTEM\QTW32.CPL
Microsoft Corporation 29-Aug-2002 7:07:38 AM 292352 C:\WINDOWS\SYSTEM\INETCPL.CPL
Microsoft Corporation 08-Jun-2000 5:00:00 PM 62464 C:\WINDOWS\SYSTEM\INTL.CPL
Microsoft Corporation 08-Jun-2000 5:00:00 PM 111616 C:\WINDOWS\SYSTEM\MAIN.CPL
Microsoft Corporation 08-Jun-2000 5:00:00 PM 408576 C:\WINDOWS\SYSTEM\MMSYS.CPL
Microsoft Corporation 08-Jun-2000 5:00:00 PM 104368 C:\WINDOWS\SYSTEM\MODEM.CPL
Microsoft Corporation 08-Jun-2000 5:00:00 PM 14448 C:\WINDOWS\SYSTEM\NETCPL.CPL
Microsoft Corporation 28-Apr-2004 10:01:26 AM 32768 C:\WINDOWS\SYSTEM\odbccp32.cpl
Microsoft Corporation 08-Jun-2000 5:00:00 PM 47104 C:\WINDOWS\SYSTEM\PASSWORD.CPL
Microsoft Corporation 08-Jun-2000 5:00:00 PM 61200 C:\WINDOWS\SYSTEM\POWERCFG.CPL
Microsoft Corporation 08-Jun-2000 5:00:00 PM 389872 C:\WINDOWS\SYSTEM\SYSDM.CPL
Microsoft Corporation 08-Jun-2000 5:00:00 PM 15360 C:\WINDOWS\SYSTEM\TELEPHON.CPL
Microsoft Corporation 08-Jun-2000 5:00:00 PM 36864 C:\WINDOWS\SYSTEM\TIMEDATE.CPL
Microsoft Corporation 08-Jun-2000 5:00:00 PM 66560 C:\WINDOWS\SYSTEM\ACCESS.CPL
11-May-2000 11:03:16 AM 106496 C:\WINDOWS\SYSTEM\cch.cpl
Compaq Computer Corporation 25-Oct-1999 8:27:44 PM 110592 C:\WINDOWS\SYSTEM\UICONFIG.cpl
Apple Computer, Inc. 20-Jun-2001 4:34:36 PM 287232 C:\WINDOWS\SYSTEM\QuickTime.cpl
Microsoft Corporation 30-Oct-2001 8:10:00 AM 442368 C:\WINDOWS\SYSTEM\JOY.CPL
11-Jul-1997 22528 C:\WINDOWS\SYSTEM\FINDFAST.CPL
Microsoft Corporation 14-Jul-1999 5:35:48 PM 28432 C:\WINDOWS\SYSTEM\DTCCFG.CPL
Microsoft Corporation 12-Aug-2004 2:48:28 PM 109056 C:\WINDOWS\SYSTEM\INPUT98.CPL
Sun Microsystems, Inc. 24-Jan-2006 3:47:52 PM 49262 C:\WINDOWS\SYSTEM\jpicpl32.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
13-Feb-2006 10:50:52 PM 995 C:\WINDOWS\Start Menu\Programs\StartUp\ACS.pif
29-Jan-2006 3:44:28 PM 410 C:\WINDOWS\Start Menu\Programs\StartUp\D-Link AirPlus Xtreme G Configuration Utility.lnk
29-Jan-2006 3:44:32 PM 547 C:\WINDOWS\Start Menu\Programs\StartUp\Wireless Lan Utility.lnk

Checking files in %USERPROFILE%\Application Data folder...
09-Dec-2005 4:44:34 PM 4608 C:\WINDOWS\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
27-Jan-2006 12:23:08 AM 113 C:\WINDOWS\Application Data\desktop.ini
29-Jan-2006 11:03:06 PM 4411 C:\WINDOWS\Application Data\dw.log
20-Jan-2006 1:33:02 PM 75 C:\WINDOWS\Application Data\fusioncache.dat
25-Jan-2006 1:49:36 PM 65992 C:\WINDOWS\Application Data\GDIPFONTCACHEV1.DAT
27-Jan-2006 6:24:48 PM 2140819 C:\WINDOWS\Application Data\Install.dat
26-Jan-2006 10:52:46 PM RHS 32 C:\WINDOWS\Application Data\resmodes.dat
26-Jan-2006 10:52:46 PM RHS 58 C:\WINDOWS\Application Data\win.ini

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{FEF10FA2-355E-4e06-9381-9B24D7F7CC88} = C:\WINDOWS\SYSTEM\SHELL32.DLL
{53C74826-AB99-4d33-ACA4-3117F51D3788} = C:\WINDOWS\SYSTEM\SHELL32.DLL
{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31} = C:\WINDOWS\SYSTEM\ZIPFLDR.DLL
{BD472F60-27FA-11cf-B8B4-444553540000} = C:\WINDOWS\SYSTEM\ZIPFLDR.DLL
{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} = C:\WINDOWS\SYSTEM\ZIPFLDR.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Fix-It Menu
{A50302A0-8E15-11d2-887B-006008C1C087} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRAM FILES\YAHOO!\COMMON\YMMAPI.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Fix-It Menu
{A50302A0-8E15-11d2-887B-006008C1C087} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\SharingMenu
{6D78EC20-5AA6-101B-8681-366FBD64CEB9} = msshrui.dll

<<< WARNING! - NOT A VALID WIN98 KEY! (ME is Ok) >>>
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7ab770c7-0e23-4d7a-8aa2-19bfad479829}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINDOWS\SYSTEM\DOCPROP2.DLL

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = C:\WINDOWS\SYSTEM\SHDOCVW.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\SYSTEM\MSDXM.OCX
{BA52B914-B692-46c4-B683-905236F6F655} = :
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{06FE5D05-8F11-11d2-804F-00105A133818}
ButtonText = Translate :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{06FE5D02-8F11-11d2-804F-00105A133818}
MenuText = &Find Pages Linking to this URL :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{06FE5D03-8F11-11d2-804F-00105A133818}
MenuText = Find Other Pages on this &Host :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{06FE5D04-8F11-11d2-804F-00105A133818}
MenuText = AV Live :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
TaskMonitor C:\WINDOWS\taskmon.exe
SystemTray SysTray.Exe
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SynTPLpr C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
Hidserv Hidserv.exe run
avast! Web Scanner C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
ashMaiSv C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SSDPSRV C:\WINDOWS\SYSTEM\ssdpsrv.exe
*StateMgr C:\WINDOWS\System\Restore\StateMgr.exe
KB891711 C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
StillImageMonitor C:\WINDOWS\SYSTEM\STIMON.EXE
MDM7 "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
avast! C:\Program Files\Alwil Software\Avast4\ashServ.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe ctfmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

I hope this is helpful. If not, I'm open to suggestions. I also ran the files you suggested under the link you suggested. C:\KERNEL32.DLL came up clean in the scan. I had previously deleted C:\WINDOWS\SYSTEM\HPSW and C:\WINDOWS\SYSTEM\ICCMDL.EXE with kill_box. I scanned them from the kill_box back up and this is what was found.

File: iccmdl.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 f845707cac77466890aad1b7c72026e3
Packers detected: UPX
Scanner results
AntiVir Found Trojan/Spy.VB.EH.24
ArcaVir Found Trojan.Spy.Vb.Eh
Avast Found nothing
AVG Antivirus Found PSW.Generic.QBQ
BitDefender Found Trojan.Spy.VB.EH
ClamAV Found nothing
Dr.Web Found BackDoor.Generic.1245
F-Prot Antivirus Found W32/Trojan.AVB
Fortinet Found Prutec!tr
Kaspersky Anti-Virus Found Trojan-Spy.Win32.VB.eh
NOD32 Found Win32/Spy.VB.EH
Norman Virus Control Found W32/Prutec.A
UNA Found Trojan.Spy.Win32.VB
VBA32 Found Trojan-Spy.Win32.VB.eh

File: hpsw.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 e0e7fac6a4011ad0a18586d6289e71aa
Packers detected: -
Scanner results
AntiVir Found Adware-Spyware/Suggestor.O.7 adware
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Generic.KFW
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Adware.QuickLinks
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.Suggestor.o
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found Adware.Suggestor
VBA32 Found AdWare.Win32.Suggestor.o

Also I did a quick search and found a file C:\WINDOWS\APPLOG\ICCMDL.LGC. I did not scan this file but I can if you'd like. Also here is the HIJACK this log.

Logfile of HijackThis v1.99.1
Scan saved at 11:21:20 PM, on 13-Feb-2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\WINDOWS\SYSTEM\HPZTSB09.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\D-LINK AIRPLUS XTREME G\AIRPLUS.EXE
C:\WINDOWS\DESKTOP\WIRELESS LAN UTILITY\WLANUTILITY.EXE
C:\WINDOWS\SYSTEM\ACS.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirec...archbar&LC=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bleepingcomputer.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirec...archbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirec...archbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb09.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\SYSTEM\hpsw.exe"
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [WinVNC] "C:\PROGRAM FILES\TIGHTVNC\WINVNC.EXE" -service
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [ICCMDL] C:\WINDOWS\SYSTEM\ICCMDL.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe" -quiet
O4 - Startup: ACS.pif = C:\WINDOWS\SYSTEM\ACS.BAT
O4 - Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
O4 - Startup: Wireless Lan Utility.lnk = C:\WINDOWS\Desktop\Wireless LAN Utility\WlanUtility.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114fd.bay114.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37570.cab

I keep thinking that the best thing for this computer is a swift launch from a catapault in my back yard, but I think my boss would frown apon that. I also wanted to know that if I was to make a donation that it is ligit and there wont be any funny business, or better yet is there a street address
Thank you guys!
Jason

#5 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:02:52 AM

Posted 14 February 2006 - 05:12 PM

Hi upnorthfireman. Ok, let's fix this up. Please print these directions and then proceed with the following steps in order.

Step #1

Download CCleaner and install it but do not run it yet.

Go to the Jotti's malware scan page and use the buttons at the top of the page to browse to this file(s) on your hard drive to submit for a scan:C:\WINDOWS\toolbar.exe
If the file comes up as bad then add it to the files to delete in Step #4. If it is clean then leave it be (my guess is that it is bad).

Step #2

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\SYSTEM\hpsw.exe"
O4 - HKCU\..\Run: [ICCMDL] C:\WINDOWS\SYSTEM\ICCMDL.exe

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):C:\WINDOWS\SYSTEM\hpsw.exe
C:\WINDOWS\SYSTEM\ICCMDL.exe
C:\WINDOWS\SYSTEM\paytime.exe
C:\WINDOWS\SYSTEM\0wao7k9k.dll
C:\WINDOWS\toolbar.exe (if it was found to be infected in the Jotti scan)

Step #5

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #6

Reboot normally and run at least 2 of the following on-line virus scans:Bitdefender <<<Add a check by 'Autoclean'.
eTrust <<<'Cure' whatever is found, then delete if unsuccessful
Housecall <<<Put on 'Autoclean' and delete what it can't clean.
Panda ActiveScan <<<Accept default settings
If there are any files that cannot be automatically disinfected or quarantined then you will need to delete them manually.

Step #7

If you do not already have Ad-Aware SE 1.06 then follow these download and setup instructions: Ad-Aware SE Setup. Otherwise, just check for updates.

Start Ad-aware SE, click the Start button and choose Perform Full System Scan. Click the Next button and wait for the scan to complete. If anything was found, right-click on the list and choose Select All and remove all it finds.

Step #8

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)1. Turn off System Restore.Right-click My Computer and then click Properties.
On the Performance tab, click File System
On the Troubleshooting tab, click to select Disable System Restore
Click OK twice.
2. Restart your computer.

3. Turn on System Restore.Right-click My Computer and again click Properties
On the Performance tab, click File System
Clear the check mark in Disable System Restore check box.
[/list]
System Restore will now be active again.

Step #9

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in. Also, run a scan now with Avast and see if it picks up anything.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#6 upnorthfireman

upnorthfireman
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Location:Mancelona, MI
  • Local time:01:52 AM

Posted 19 February 2006 - 10:50 PM

Hello again OLDTIMER,
After following your instructions I was able to get Avast to stop finding the virus in the system restore files :thumbsup: . What was extremely alarming was how inadequate Avast truly is :flowers: ! After running the online scans a few times I believe the viruses are finally gone. Adaware now comes up clean also. The only thing is I am still getting the IBM00001.exe error on startup still. I tried to search the registry for the entry but there was none found here is my new hijack this log. Also how is the snow near Holland :huh: ? I'm just northest of Traverse City and we are absolutly covered in it.

Logfile of HijackThis v1.99.1
Scan saved at 10:35:06 PM, on 19-Feb-2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TIGHTVNC\WINVNC.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\HPZTSB09.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\NETFXUPDATE.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\PROGRAM FILES\D-LINK AIRPLUS XTREME G\AIRPLUS.EXE
C:\WINDOWS\DESKTOP\WIRELESS LAN UTILITY\WLANUTILITY.EXE
C:\WINDOWS\SYSTEM\ACS.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\NGEN.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirec...archbar&LC=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bleepingcomputer.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirec...archbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirec...archbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb09.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [WinVNC] "C:\PROGRAM FILES\TIGHTVNC\WINVNC.EXE" -service
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunOnce: [NetFxUpdate_v1.1.4322] "C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\NETFXUPDATE.EXE" 0 v1.1.4322 GAC + NI NID
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: ACS.pif = C:\WINDOWS\SYSTEM\ACS.BAT
O4 - Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
O4 - Startup: Wireless Lan Utility.lnk = C:\WINDOWS\Desktop\Wireless LAN Utility\WlanUtility.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114fd.bay114.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37570.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

#7 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:02:52 AM

Posted 20 February 2006 - 08:57 PM

Hi upnorthfireman. That looks better. It does look like I missed one so let's take care of that.

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

As far as Avast foes, it really is a great anti-virus. It's the only one I will use. The problem is with Windows. The Operating System will not allow any programs to touch any files in the restore points, even if they are malware and must be removed. The only way to clean those files out is by resetting the restore points.

What is the exact error message that you are receiving on startup regarding the ibm00001.exe file? Post the test of the message back here so I can see what it says and we'll try and find out what's up with that.

Also, I'm still not convinced that the c:\kernel32.dll file is valid. Let's try this. Rename the file to kernel32.bak and reboot the machine to see what happens at startup. Even though that is a valid filename it should not be in the root folder. Let's find out what happens.

Post back with your findings.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#8 upnorthfireman

upnorthfireman
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Location:Mancelona, MI
  • Local time:01:52 AM

Posted 22 February 2006 - 11:11 PM

Hello OT,
I got rid of the [MOSEARCH] and attempted to rename the C:\kernel32.dll and it would not allow me to. I was going to attempt to start in DOS with a disk and try it that way but I thought I would ask first??? Maybe there is an easier way around this?

This is the Text from the error box:

Windows cannot find 'ibm00001.exe'. You may have typed the name incorrectly in the Run dialog, our another open program cannot find a system file. To search for a file, click the Start button, and then click Search

The icon in the left side of the box is a red circle with a white X in it.

The ibm00001.exe file was deleted by myself when all of the virus scans started coming up as infected. The problem is the recycle bin has been cleaned out more than once so I believe the file is long gone.

Thank you
Jason

#9 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:02:52 AM

Posted 23 February 2006 - 06:39 PM

Hi upnorthfireman. Ok, I think that maybe the ibm00001.exe might be set to startup in the autoexec.bat file or config.sys file. Let's check those out.

Open Notepad (Start->Programs->Accessories->Notepad) and then click on File->Open. Navigate to c:\. Change the Files of type to All files and choose Aitoexec.bat. Copy/Paste the contents back here. Then repeat for the file Config.sys. I will review the information when it comes in.

For the kernel32.dll file, let's have you submit that to us here and I will check it out. Please do the foillowing:

Please go to the Bleeping Computer Malware Submittal page and submit this file. Use the following for the Link to topic where this file was requested:c:\kernel32.dll
I will get notified when the file is submitted and I will download it and see if I can figure out what it is.

Cheers.

OT

Edited by OldTimer, 23 February 2006 - 06:42 PM.

I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#10 upnorthfireman

upnorthfireman
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Location:Mancelona, MI
  • Local time:01:52 AM

Posted 24 March 2006 - 09:51 PM

Hello OT

:thumbsup: Sorry about the delay since the last post. I've been staying out of town and haven't had a chance to reply.

This is the autoexec.bat file text

SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP

The config.sys is empty. :flowers:

Thank you,
Jason

#11 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:02:52 AM

Posted 25 March 2006 - 08:55 AM

Hey upnorthfireman. Ok, there's only 1 other place that I canthink of that it might be. Let's check the config files.

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Now, open Windows Explorer and go to c:\windows. Locate win.ini, right-click on it and choose Open. Notepad will open with the file loaded in it. Now go back to Explorer and do the same for system.ini. Copy/paste the contents of each of those files back here and I will have a look-see.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users