|
08-Jul-2004, 03:52 PM
#1 |
| okay well for months now i have had this RUNDLL error pop up every time i turn on my computer. it says the application cannot find: C:\WINDOWS\System32:bahyaaf.dll and it says that is a RUNDLL error. i don't know if there is even such a thing as that bahyaaf.dll cause i tried to search for it online and download it but i couldn't find anything even close to it. it pops up every time i turn on the computer and it has been for months and it's annoying, i really want to get rid of it. also i don't know if this is because of that error, but every time i open a folder, whenever i close the folder, the computer freezes (doesn't freeze completely, it's like 'half frozen', like i can't open any new programs, and it does that thing where when i try to move my windows around it kind of cascades in the background...like you can see it move and the picture gets stuck there. also none of the icons or anything works anymore on the desktop because of that either). i downloaded that weird pc doctor or whatever but it ended up having an error within itself so that didn't go far. i have a windows XP, and i don't know if this might do anything, but i've stopped using internet explorer completely because it was causing so many problems and i've always hated it. so now i use opera and i have not had one internet problem but i just wanna know if that might do anything weird to my computer. anyways if anyone has a clue please please PLEASE HELP!!!!!!!! |
| |
|
08-Jul-2004, 04:03 PM
#2 |
| Hi, welcome to tsg

HIJACK THIS: Try not to reboot

Currently the Spyware identified by the security experts and especially the morphing and breeding .exe's in the new variants of CWS, after every re-boot required by Ad-Aware and Spybot etc, just spawns more and more files for the poster to find and delete. This is making the advice the security experts give just too hard to follow. One of the security experts recently had one log with over a hundred files, the guy had to format c: drive.

Download and copy hijackthis to its own folder, it makes backups so keeping them separate and available can be useful. Note the Spyware tools websites are very often under attack and so I have provided more than 1 location to download from:

http://www.tomcoyote.org/hjt/
http://209.133.47.200/~merijn/downloads.html
http://www.thespykiller.co.uk/
http://www.sherrylynn.us/privacypolicy (this has an older version 1.97 - if you can get to other sites)

Close all open windows and open Hijack This. Click “Scan”. When the scan is finished (it only takes a second), the scan button will change to “Save Log”. Click on “Save Log” and then save it to NotePad. Click on “Edit” – “Select all” – “copy” and then “paste” into the thread.

DO NOT FIX ANYTHING, wait for advice from one of the many security experts in this forum. I currently do not have the skill/competence to advise and poor advice can be far more damaging to your PC with this software, and so I will be unable to add any advice on the log and so will no longer be replying to your post with regards to the HJT issue, so please have patience and wait for one of the security experts to provide further detailed advice. I will, however, be notified when you post the log.
__________________ Note: I have very limited time during weekdays to visit here, so there will be a delay in replying UK timezone Please let us know what the final solution was to any problem posted |
|
08-Jul-2004, 04:03 PM
#3 |
| Welcome to TSG!! Make a folder on your hard drive, like My Documents\HJT Download Hijackthis. Unzip the file to the folder on your hard drive. Double click on Hijackthis.exe then click on the "Scan" button, then click on "Save Log". Copy and paste it back here and someone will be happy to review it. Don't make any changes until instructed to do so. |
|
08-Jul-2004, 11:10 PM
#4 |
| hijackthis log here is the log: Logfile of HijackThis v1.98.0 Scan saved at 9:09:32 PM, on 7/8/2004 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\STOPzilla!\szntsvc.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\svchost.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\WinTools\WToolsS.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Ahead\InCD\InCD.exe C:\Program Files\Common files\Updater\wupdater.exe C:\WINDOWS\system32\llass.exe C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\mwsvm.exe C:\WINDOWS\System32\Keyhost.exe C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\WINDOWS\pldkyyot.exe C:\Program Files\HP\HP Software Update\HPWuSchd.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\ClearSearch\Loader.exe C:\Program Files\Common Files\WinTools\WToolsA.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Internet Explorer\iexplore.exe C:\PROGRA~1\AIM95\aim.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Common Files\WinTools\WSup.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe C:\Program Files\CallWave\IAM.exe C:\Documents and Settings\JOHN WANG\Application Data\DownloadPlus.exe C:\WINDOWS\System32\TtsKCJSq.exe C:\WINDOWS\System32\IqzqA.exe C:\Program Files\Opera7\opera.exe C:\Documents and Settings\JOHN WANG\Local Settings\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.searchxl.com/ie/ R1 - 
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchxl.com/ie/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gonnasearch.com/iesearch.php?ref=sb R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gonnasearch.com/?ref=sp R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.searchxl.com/ie/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchxl.com/ie/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gonnasearch.com/iesearch.php?ref=sb R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gonnasearch.com/?ref=sp R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gonnasearch.com/iesearch.php?ref=sb R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.gonnasearch.com/iesearch.php?ref=sb R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.gonnasearch.com/iesearch.php?ref=sb R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gonnasearch.com/iesearch.php?ref=sb R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.gonnasearch.com/iesearch.php?ref=sb R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.gonnasearch.com/iesearch.php?ref=sb R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.blazefind.com R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.searchenhancement.com/...=sesm&sstring= R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 
sitefinder.verisign.com O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll O2 - BHO: Sidesearch BHO - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file) O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-AB2D-8D32436313D9} - C:\WINDOWS\bsx5.dll O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - C:\WINDOWS\System32\mskceo.dll O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\System32\mskhhe.dll O2 - BHO: CDnsRepObj Object - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - C:\WINDOWS\System32\msglji.gif O2 - BHO: FeaturedResultsBHO Class - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\System32\msiefr40.dll O2 - BHO: SNHlprObj Class - {14b3d246-6274-40b5-8d50-6c2ade2ab29b} - C:\Program Files\Srng\SNHelper.dll O2 - BHO: DHTML View - {150FA160-130D-451F-B863-B655061432BA} - C:\WINDOWS\System32\mgs_32.dll O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINDOWS\System32\mseggo.gif O2 - BHO: WhistleHlprObj Class - {27557cf1-a237-496d-8c8f-08f3844c6a8b} - C:\Program Files\whistlesoftware\WselServices\WhistleHelper.dll (file missing) O2 - BHO: Search Toolbar BHO Object - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - (no file) O2 - BHO: 2020SEARCH2 - {4E7BD74F-2B8D-469E-92C6-CE7EB590A94D} - C:\PROGRA~1\TOOLBA~1\2020SE~1.DLL O2 - BHO: (no name) - {4EBB6A47-C1B5-4649-97A7-EB0F85EB010F} - (no file) O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: NavErrRedir Class - 
{5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - (no file) O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll O2 - BHO: IE Search Bar - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll O2 - BHO: SearchAddon - {799A370D-5993-4887-9DF7-0A4756A77D00} - C:\PROGRA~1\INTERN~1\Toolbar\SEARCH~1.DLL O2 - BHO: IAdvertisementBHO Class - {80672997-D58C-4190-9843-C6C61AF8FE97} - (no file) O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll O2 - BHO: CUrlCliObj Object - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\System32\msjfbl.dll O2 - BHO: DnsRepObj Class - {96BE1D9A-9E54-4344-A27A-37C088D64FB4} - C:\WINDOWS\System32\mseffm.dll O2 - BHO: YokoMoto.Gum - {971387E1-EAA4-45F3-BA6E-A2C1857C68C2} - C:\WINDOWS\System32\Yoko.dll O2 - BHO: AutoSearch - {A55581DC-2CDB-4089-8878-71A080B22342} - C:\PROGRA~1\INTERN~1\Toolbar\AUTOSE~1.DLL O2 - BHO: CExtension Object - {A85C4A1B-BD36-44E5-A70F-8EC347D9B24F} - C:\WINDOWS\bs3.dll O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINDOWS\System32\msfaol.dll O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\StopzillaBHO.dll O2 - BHO: WebInfoObj Class - {E7AFFF2A-1B57-49C7-BF6B-E5123394C970} - C:\PROGRA~1\INTERN~1\Toolbar\webinfo.dll O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\System32\msnkmi.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: IE Search Bar - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll O3 - Toolbar: IE Addon - {92F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Internet Explorer\Toolbar\toolbar.dll O3 - 
Toolbar: 2020SEARCH2 - {4E7BD74F-2B8D-469E-92C6-CE7EB590A94D} - C:\PROGRA~1\TOOLBA~1\2020SE~1.DLL O3 - Toolbar: zSearch Bar - {5886A6DC-AAF4-45E9-979A-8E5E6DEE30E7} - C:\Program Files\zSearch\zSearch.dll O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM\..\Run: [Bsx3] RunDLL32.EXE C:\WINDOWS\bs3.dll,DllRun O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [PGStub.exe] C:\Program Files\Bargain Buddy\dp-b23011805.exe O4 - HKLM\..\Run: [bxsx5] RunDLL32.EXE C:\WINDOWS\bsx5.dll,DllRun O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\Updater\wupdater.exe O4 - HKLM\..\Run: [lar] C:\WINDOWS\system32\llass.exe O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer O4 - HKLM\..\Run: [SBHC] C:\Program Files\SuperBar\sbhc.exe O4 - HKLM\..\Run: [5RCFPCB288CDZM] C:\WINDOWS\System32\Ovc7j0i.exe O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\version.exe O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\Keyhost.exe O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun O4 - HKLM\..\Run: [YahooStock] C:\WINDOWS\i5imdy79.exe O4 - HKLM\..\Run: [SystemSearch] REGEDIT.EXE -S c:\ie.reg O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [aviyjyvm] C:\WINDOWS\pldkyyot.exe O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1 O4 - HKLM\..\Run: [bahyaaf] rundll32 C:\WINDOWS\System32:bahyaaf.dll,Init 1 O4 - HKLM\..\Run: [HP Software Update] 
"C:\Program Files\HP\HP Software Update\HPWuSchd.exe" O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\RunServices: [lar] C:\WINDOWS\system32\llass.exe O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [DealHelperDown] "C:\Documents and Settings\JOHN WANG\Local Settings\Temp\ms53.tmp" O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe O4 - HKCU\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [Utopia Angel] C:\Utopia\Angel\Angel.exe O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe O4 - Startup: Download Plus.lnk = C:\Documents and Settings\JOHN WANG\Application Data\DownloadPlus.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Image Transfer.lnk = ? 
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe O8 - Extra context menu item: &IE Toolbar search - res://C:\Program Files\Internet Explorer\Toolbar\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/scri...ons/mailto.htm O8 - Extra context menu item: See Related Links - http://client.alexa.com/holiday/scri...ns/related.htm O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/scri...ons/review.htm O9 - Extra button: Sidesearch - {000007C6-17DF-4438-92A4-DE5537471BA3} - C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: (no name) - {1A00C40B-DA85-4aa3-A67F-582D9347EECD} - C:\WINDOWS\System32\TD.exe O9 - Extra 'Tools' menuitem: MaxSpeed - {1A00C40B-DA85-4aa3-A67F-582D9347EECD} - C:\WINDOWS\System32\TD.exe O9 - Extra button: IE Addon - {1AE2F26C-8E23-4930-A68D-9E681A764001} - C:\Program Files\Internet Explorer\Toolbar\toolbar.dll O9 - Extra 'Tools' menuitem: IE Addon - {1AE2F26C-8E23-4930-A68D-9E681A764001} - C:\Program Files\Internet Explorer\Toolbar\toolbar.dll O9 - Extra button: Whistle - {220E39C3-B081-4719-AB1A-9A884DCBD05C} - C:\Program Files\WhistleSoftware\WselServices\webband.dll (file missing) O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing) O9 - Extra 'Tools' menuitem: Yahoo! 
Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing) O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct1_x.cab O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potc_x.cab O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/...cab?id=3993257 O16 - DPF: {16F2EA75-DF7F-4DA1-9F72-72EF6019AF79} - http://s92385319.onlinehome.us/bars/Sitehelper.cab O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/...ler/dwnldr.cab O16 - DPF: {D7B3E460-9968-4191-BD6F-BEED1BC18482} - http://www.orbitexplorer.com/OELoader.cab O16 - DPF: {DACC7F39-125D-9B9A-6F53-2F89FFE888DA} (DownloadUL Class) - http://public.searchbarcash.com/cab/038/qtasxjca.cab O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.comp...bio5_1_6_0.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{B80A520A-974A-4A32-ADA6-BB63AF23916C}: NameServer = 207.218.192.38 207.218.192.39 O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll O18 - 
Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINDOWS\System32\msdhmd.dll |
|
09-Jul-2004, 12:22 AM
#5 |
| thats a lot of stuff, is all of that supposed to be there? i dont get what that hjt scanned and what it means |
|
09-Jul-2004, 04:43 AM
#6 |
| Don't worry too much about what it means - it takes lots of experience to work these out with regards to spyware. there are tutorials available which go through the tool - however, even after reading those it's a different story to removing the spyware etc. if you want the tutorials i'll post them - otherwise let the security gurus do their stuff and at the end you should have a nice clean PC - then we can give you advice to try and keep it that way. |
|
09-Jul-2004, 11:25 AM
#7 |
Click on the link below to get lsp-fix. Run that to fix your internet connection.
http://www.cexx.org/lspfix.htm
Check the box that says "I know what I'm doing". Remove inetadpt.dll, only that one! Reboot and delete the file.

Go here http://www.thespykiller.co.uk/ and click on Downloads to get the peper trojan uninstaller. Just click on the uninst.exe and let it run. When it is finished it will just close. There will be no dialogue. Also you must be connected to the internet for the uninstaller to be effective. Reboot.

Click on the link below to download CWshredder.
http://www.spywareinfo.com/~merijn/files/cwshredder.zip
Run the program and let it do its thing. Make sure to click on "Fix" and not scan only. Reboot.

Download Spybot http://www.spybot.us/spybotsd13.exe
Click on "Search For updates" when prompted. Scan, click on fix problems. Reboot.

Download AdAware http://www.lavasoftusa.com/support/download/
Before you scan with AdAware, check for updates of the reference file by clicking on "Check for updates now", connect. After the updates are installed click "Finish". Install the program and launch it. First in the main window look in the bottom right corner and click on Check for updates now and download the latest reference files.

Make sure the following settings are made and on -------ON=GREEN
From main window: Click Start then Activate in-depth scan (recommended)
Click Use custom scanning options then click Customize and have these options selected: Under Drives and Folders put a check by Scan within archives and below that under Memory and Registry put a check by all the options there.
Now click on the Tweak button in that same window. Under Scanning engine select "Unload recognized processes during scanning". Under Cleaning Engine select "Let windows remove files in use at next reboot". Click proceed to save your settings.

Now to scan just click the Next button. When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and click Next)

Reboot and post another HJT log for review. |
|
09-Jul-2004, 12:57 PM
#8 |
| this is the new HJT log, only 1/5 of the size it was before. and now i can open folders and close them (thank the lord cause it's very hard to do things on the computer if you can't open folders) BUT, i STILL have that RUNDLL error when i start up my computer. AND now i have TWO MORE. / means next line

1.) RUNDLL / Error loading C:\WINDOWS\System32:bahyaaf.dll / The specified module could not be found.
2.) RUNDLL / Error loading C:\WINDOWS\bs3.dll / The specified module could not be found.
3.) RUNDLL / Error loading C:\WINDOWS\bsx5.dll / The specified module could not be found.

and also when i ran ad-aware, it said it could not remove these things for some reason and i told it to remove it on the next start up (but when i started it up again it was still there, i ran ad aware again, the list got smaller but here's the ones that haven't been removed yet (they will be in the next start up...or so that's what it told me)

Ad-Aware List of things that haven't been removed, scheduled to on next start up:
C:\progra~1\common~1\wintools\wtoolsb.dll
files/wintools/wtoolsb.dll
c:/program file/tv media/tvm.exe
c:/program files/tv media/tvmbho.dll
c:/program files/tv media/tvmcore.dll
files/wintools/wsup.exe
c:/program files/common files/wintools/wtoolsa.exe
files/wintools/wtoolsc.cfg
files/wintools/wtoolsd.cfg
files/wintools/wtoolsp.cfg
files/wintools/wtoolss.cfg

okay and here is the new HJT log after i did all of that:

Logfile of HijackThis v1.98.0 Scan saved at 10:47:42 AM, on 7/9/2004 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\STOPzilla!\szntsvc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\nvsvc32.exe 
C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\WinTools\WToolsS.exe C:\Program Files\Ahead\InCD\InCD.exe C:\WINDOWS\system32\llass.exe C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\WINDOWS\pldkyyot.exe C:\Program Files\HP\HP Software Update\HPWuSchd.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\PROGRA~1\AIM95\aim.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe C:\Program Files\CallWave\IAM.exe C:\Program Files\Common Files\WinTools\WSup.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\WINDOWS\System32\HPZipm12.exe C:\Program Files\Common Files\WinTools\WToolsA.exe C:\WINDOWS\system32\notepad.exe C:\Documents and Settings\JOHN WANG\Local Settings\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file) O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: WhistleHlprObj Class - {27557cf1-a237-496d-8c8f-08f3844c6a8b} - C:\Program Files\whistlesoftware\WselServices\WhistleHelper.dll (file missing) O2 - BHO: (no name) - {4EBB6A47-C1B5-4649-97A7-EB0F85EB010F} - (no file) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll O2 - BHO: YokoMoto.Gum - 
{971387E1-EAA4-45F3-BA6E-A2C1857C68C2} - C:\WINDOWS\System32\Yoko.dll O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\StopzillaBHO.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file) O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM\..\Run: [Bsx3] RunDLL32.EXE C:\WINDOWS\bs3.dll,DllRun O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [bxsx5] RunDLL32.EXE C:\WINDOWS\bsx5.dll,DllRun O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\Updater\wupdater.exe O4 - HKLM\..\Run: [lar] C:\WINDOWS\system32\llass.exe O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\version.exe O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun O4 - HKLM\..\Run: [YahooStock] C:\WINDOWS\i5imdy79.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [aviyjyvm] C:\WINDOWS\pldkyyot.exe O4 - HKLM\..\Run: [bahyaaf] rundll32 C:\WINDOWS\System32:bahyaaf.dll,Init 1 O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe" O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe O4 - HKLM\..\RunServices: [lar] C:\WINDOWS\system32\llass.exe O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" 
"+b1" O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [DealHelperDown] "C:\Documents and Settings\JOHN WANG\Local Settings\Temp\ms53.tmp" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [Utopia Angel] C:\Utopia\Angel\Angel.exe O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Image Transfer.lnk = ? O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/scri...ons/review.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: Whistle - {220E39C3-B081-4719-AB1A-9A884DCBD05C} - C:\Program Files\WhistleSoftware\WselServices\webband.dll (file missing) O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing) O9 - Extra 'Tools' menuitem: Yahoo! 
Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing) O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct1_x.cab O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potc_x.cab O16 - DPF: {16F2EA75-DF7F-4DA1-9F72-72EF6019AF79} - http://s92385319.onlinehome.us/bars/Sitehelper.cab O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/...ler/dwnldr.cab O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.comp...bio5_1_6_0.cab O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll |
|
09-Jul-2004, 02:05 PM
#9 |
| I didn't expect Ad-aware or Spybot to remove it all. Let's continue... Do this and I'll put together a list of things to do next and post back soon... First thing to do is move hijackthis.exe into a folder, don't run it from a temporary folder or your desktop. Make a folder on your hard drive, like My Documents\hjt. |
|
09-Jul-2004, 02:18 PM
#10 |
| I assume you have moved HJT to a folder. Very important to do that!

Run HJT again and put a check in the following:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: WhistleHlprObj Class - {27557cf1-a237-496d-8c8f-08f3844c6a8b} - C:\Program Files\whistlesoftware\WselServices\WhistleHelper.dll (file missing)
O2 - BHO: (no name) - {4EBB6A47-C1B5-4649-97A7-EB0F85EB010F} - (no file)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: YokoMoto.Gum - {971387E1-EAA4-45F3-BA6E-A2C1857C68C2} - C:\WINDOWS\System32\Yoko.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [Bsx3] RunDLL32.EXE C:\WINDOWS\bs3.dll,DllRun
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\Updater\wupdater.exe
O4 - HKLM\..\Run: [lar] C:\WINDOWS\system32\llass.exe
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\version.exe
O4 - HKLM\..\Run: [aviyjyvm] C:\WINDOWS\pldkyyot.exe
O4 - HKLM\..\Run: [bahyaaf] rundll32 C:\WINDOWS\System32:bahyaaf.dll,Init 1
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [lar] C:\WINDOWS\system32\llass.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [DealHelperDown] "C:\Documents and Settings\JOHN WANG\Local Settings\Temp\ms53.tmp"
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
O9 - Extra button: Whistle - {220E39C3-B081-4719-AB1A-9A884DCBD05C} - C:\Program Files\WhistleSoftware\WselServices\webband.dll (file missing)

Close all applications and browser windows before you click "fix checked".

Restart in safe mode.

Open Windows Explorer. Go to Tools, Folder Options and click on the View tab. Make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders". Click "Apply" then "OK".

Empty these folders -->
C:\Documents and Settings\JOHN WANG\Local Settings\Temp
C:\documents and settings\JOHN WANG\local Settings\Temporary Internet files\content.IE\

Delete these files:
C:\WINDOWS\System32\msgked.exe
C:\WINDOWS\system32\llass.exe

and these folders:
C:\Program Files\MyWay
C:\Program Files\Toolbar
C:\Program Files\whistlesoftware
C:\Program Files\Common Files\WinTools
C:\Program Files\TV Media
C:\Program Files\Common files\Updater
C:\Program Files\Common Files\slmss

Reboot.

Go to Windows Update site and get all critical patches for your machine. Reboot and post another log. |
|
09-Jul-2004, 06:22 PM
#11 |
| Logfile of HijackThis v1.98.0
Scan saved at 4:14:31 PM, on 7/9/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Opera7\opera.exe
C:\Documents and Settings\JOHN WANG\My Documents\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\StopzillaBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [bxsx5] RunDLL32.EXE C:\WINDOWS\bsx5.dll,DllRun
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [YahooStock] C:\WINDOWS\i5imdy79.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\JOHNWA~1\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Utopia Angel] C:\Utopia\Angel\Angel.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/scri...ons/review.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potc_x.cab
O16 - DPF: {16F2EA75-DF7F-4DA1-9F72-72EF6019AF79} - http://s92385319.onlinehome.us/bars/Sitehelper.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/...ler/dwnldr.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.comp...bio5_1_6_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B80A520A-974A-4A32-ADA6-BB63AF23916C}: NameServer = 207.218.192.38 207.218.192.39
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

that is the new log after i did all of that in cybertech's list.

i could not find the following when i ran HJT to delete things though:
04 - HKLM\..\RunOnce: [TV Media] C:\Program File\TV Media\Tvm.exe

also since i'm not using the program utopia angel anymore could i delete this?:
O4 - HKCU\..\Run: [Utopia Angel] C:\Utopia\Angel\Angel.exe

i could not delete the file panic.txt and perflib_perfdata_14c from C:\Documents and Settings\JOHN WANG\Local Settings\Temp because it said the files were in use. i could not find C:\WINDOWS\System32\msgked.exe. i didnt find the folders C:\Program Files\Common Files\simss and C:\Program Files\TV Media. the folder C:\Program Files\Common Files\WinTools said it was being used. and i didnt find a C:\Program Files\Toolbar, but i saw a folder Toolbar2020 instead.

when i ran windows update i only downloaded and installed the ones that said they were critical updates, should i have installed the security ones too?

another thing is, after doing that, the RUNDLL error that i initially started with is gone now finally. before i had 3 after doing a few things up there but now i have one, i have the one that says : RUNDLL / Error loading C:\WINDOWS\bsx5.dll / The specified module could not be found.

another thing is when i turn off my computer, going to shut down. i click on shut down and this thing always pops up that says : End Program hpcmpmgr.exe and i let it end by itself, finally when it does it says that the thing isnt responding and i have to click end by myself. sometimes i also encounter this problem with the program ctfmon.exe |
|
10-Jul-2004, 12:30 PM
#12 |
| can anybody help me get rid of the problems i have left? my computer has improved a lot already i just want to get rid of these final errors but i dont know what else to do. |
|
10-Jul-2004, 01:45 PM
#13 |
| Copy these instructions to notepad so you can close this browser window.

Run HJT again and put a check in the following:

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [bxsx5] RunDLL32.EXE C:\WINDOWS\bsx5.dll,DllRun
O4 - HKLM\..\Run: [YahooStock] C:\WINDOWS\i5imdy79.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\JOHNWA~1\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [Utopia Angel] C:\Utopia\Angel\Angel.exe
O16 - DPF: {16F2EA75-DF7F-4DA1-9F72-72EF6019AF79} - http://s92385319.onlinehome.us/bars/Sitehelper.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB

Close all applications and browser windows before you click "fix checked".

Restart in safe mode.

Open Windows Explorer. Go to Tools, Folder Options and click on the View tab. Make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders". Click "Apply" then "OK".

Delete these files:
C:\WINDOWS\i5imdy79.exe

and this folder:
C:\Program Files\Common Files\WinTools

Empty this folder:
C:\DOCUME~1\JOHNWA~1\LOCALS~1\Temp

Reboot and post another log. |
|
10-Jul-2004, 03:14 PM
#14 |
| Logfile of HijackThis v1.98.0
Scan saved at 1:07:36 PM, on 7/10/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\CallWave\IAM.exe
C:\Documents and Settings\JOHN WANG\My Documents\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\StopzillaBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/scri...ons/review.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potc_x.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/...ler/dwnldr.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.comp...bio5_1_6_0.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

didnt see i5imdy79.exe, and i couldnt delete C:\DOCUME~1\JOHNWA~1\LOCALS~1\Temp because it said some program was using panic.log that was in that folder. i couldnt find what program was using it so i couldnt stop it.

anyways, the only problem left is with hpcmpmgr.exe not ending properly when i shut down my computer. do you know how i should get rid of that? sometimes i have the problem with ctfmon.exe too. also any tips on how to keep my computer this 'clean' would help, thanks a lot !!!!! |
|
10-Jul-2004, 04:22 PM
#15 |
| Having some problems with this one?

Run HJT again and put a check in the following:

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe

Close all applications and browser windows before you click "fix checked".

Restart in safe mode.

Open Windows Explorer. Go to Tools, Folder Options and click on the View tab. Make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders". Click "Apply" then "OK".

Delete this folder:
C:\Program Files\Common Files\WinTools

Reboot and post another log.

How did I get infected in the first place
Good free tools and advice on how to tighten your security settings.

You may need to reinstall your printer (HP device) to fix that hpcmpmgr.exe error. |
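Post #15 repeats two items from #13 because they were still in the log posted in #14. That comparison can be done mechanically; the script below is an added example, not part of the thread or of HijackThis. Its function names are this example's own, and the log lines are excerpted from posts #13 and #14.

```python
import re

# A HijackThis entry is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Suffix HijackThis appends when the file an entry points to is gone.
STATUS_RE = re.compile(r"\s*\((?:file missing|no file)\)\s*$", re.IGNORECASE)

# Six of the entries checked for fixing in post #13.
FIX_LIST = r"""
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [bxsx5] RunDLL32.EXE C:\WINDOWS\bsx5.dll,DllRun
O4 - HKLM\..\Run: [YahooStock] C:\WINDOWS\i5imdy79.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\JOHNWA~1\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [Utopia Angel] C:\Utopia\Angel\Angel.exe
"""

# Excerpt of the follow-up log in post #14.
FOLLOWUP = r"""
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\StopzillaBHO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""


def parse_entries(text):
    """Map a normalised (section, body) key to each entry line in the text."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if not match:
            continue  # log header, running-process path or prose
        # Drop the status suffix and case so the same entry compares equal.
        body = STATUS_RE.sub("", match.group("body")).lower()
        entries[(match.group("section"), body)] = line
    return entries


def persisted(fix_list, followup_log):
    """Entries checked for fixing that the next scan still reports."""
    seen = parse_entries(followup_log)
    result = []
    for key in parse_entries(fix_list):
        if key in seen:
            orphaned = bool(STATUS_RE.search(seen[key]))
            result.append((key[0], seen[key], orphaned))
    return result


if __name__ == "__main__":
    for section, line, orphaned in persisted(FIX_LIST, FOLLOWUP):
        note = "file gone, registration left behind" if orphaned else "still present"
        print(f"{section}: {note}: {line}")
```

On these excerpts it reports the WToolsB.dll BHO (now marked file missing) and the WinTools Run value, the same two items listed again in post #15.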

|
| All times are GMT -4. |

