hijacker problem

Discussion in 'Virus & Other Malware Removal' started by ken65, Feb 5, 2005.

Thread Status:
Not open for further replies.
  1. ken65

    ken65 Thread Starter

    Joined:
    Jul 2, 2004
    Messages:
    20
    Hello! I have learned much about security and removing hijackers from you and would greatly appreciate your assistance again. I have encountered something a little more difficult to remove. My internet explorer reads an error and then shuts down, and this happens frequently now when I'm online. Here is my latest Startdreck log:

    StartDreck (build 2.1.5 public BETA) - 2005-02-05 @ 10:32:11
    Platform: Windows 98 (Win 4.10.1998 )

    »Registry
    »Run Keys
    »Current User
    »Run
    *Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    *Win32 Explorer=C:\WINDOWS\SYSTEM\explorer32.exe
    »RunOnce
    »Default User
    »Run
    *Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    *Win32 Explorer=C:\WINDOWS\SYSTEM\explorer32.exe
    »RunOnce
    »Local Machine
    »Run
    *ScanRegistry=c:\windows\scanregw.exe /autorun
    *TaskMonitor=c:\windows\taskmon.exe
    *SystemTray=SysTray.Exe
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *VsecomrEXE=C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
    *Vshwin32EXE=C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
    *hpsysdrv=c:\windows\system\hpsysdrv.exe
    *QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    *Win32 Explorer=C:\WINDOWS\SYSTEM\explorer32.exe
    *TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    *Power Scan=C:\PROGRAM FILES\POWER SCAN\POWERSCAN.EXE
    »RunOnce
    »RunServices
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *SchedulingAgent=mstask.exe
    *Vshwin32EXE=C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
    *EncMonitor=C:\Program Files\Encompass\Monitor.exe
    »RunServicesOnce
    **zk=rundll32 C:\WINDOWS\HLPSTEA3.GIF,DllGetClassObject
    »RunOnceEx
    »RunServicesOnceEx
    »File Associations (CR)
    *.bat
    *batfile="%1" %*
    *.com
    *comfile="%1" %*
    *.disabled
    *SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" %1
    *.exe
    *exefile="%1" %*
    *.hta
    *htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
    *.htm
    *htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
    *.html
    *htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
    *.js
    *JSFile=C:\WINDOWS\WScript.exe "%1" %*
    *.jse
    *JSEFile=C:\WINDOWS\WScript.exe "%1" %*
    *.pif
    *piffile="%1" %*
    *.scr
    *scrfile="%1" /S
    *.txt
    *txtfile=c:\windows\NOTEPAD.EXE %1
    *.vbs
    *VBSFile=C:\WINDOWS\WScript.exe "%1" %*
    *.vbe
    *VBEFile=C:\WINDOWS\WScript.exe "%1" %*
    *.wsh
    *WSHFile=C:\WINDOWS\WScript.exe "%1" %*
    *.wsf
    *WSFFile=C:\WINDOWS\WScript.exe "%1" %*
    *.lnk
    `lnkfile= [key or value does not exist]
    »Browser Helper Objects (LM)
    *YBIOCtrl.CompanionBHO.4/{02478D38-C3F9-4efb-9B51-7695ECA05670}
    `InprocServer32=C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
    »Files
    »Autostart Folders
    »Current User
    *C:\WINDOWS\Start Menu\Programs\StartUp\Crystal 3D Audio Control.lnk
    *C:\WINDOWS\Start Menu\Programs\StartUp\Shockwave Init.lnk
    *C:\WINDOWS\Start Menu\Programs\StartUp\TextBridge Instant Access OCR.lnk
    *C:\WINDOWS\Start Menu\Programs\StartUp\MultiPASS Background.lnk
    *C:\WINDOWS\Start Menu\Programs\StartUp\Encoder Agent.lnk
    »Default User
    *C:\WINDOWS\Start Menu\Programs\StartUp\Crystal 3D Audio Control.lnk
    *C:\WINDOWS\Start Menu\Programs\StartUp\Shockwave Init.lnk
    *C:\WINDOWS\Start Menu\Programs\StartUp\TextBridge Instant Access OCR.lnk
    *C:\WINDOWS\Start Menu\Programs\StartUp\MultiPASS Background.lnk
    *C:\WINDOWS\Start Menu\Programs\StartUp\Encoder Agent.lnk
    »Local Machine
    »INI-Files
    »WIN.INI\[windows]
    *LOAD=
    *RUN=
    »SYSTEM.INI\[boot]
    *SHELL=explorer.exe
    »Text Files
    *C:\WINDOWS\msdos.sys
    *C:\msdos.sys
    *C:\config.sys
    *C:\autoexec.bat
    *C:\WINDOWS\dosstart.bat
    *C:\WINDOWS\wininit.bak
    »System/Drivers
    »Running Processes
    *FFCF7FB5=C:\WINDOWS\SYSTEM\KERNEL32.DLL
    *FFFF4801=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    *FFFEBE91=C:\WINDOWS\SYSTEM\MPREXE.EXE
    *FFFEC195=C:\WINDOWS\SYSTEM\MSTASK.EXE
    *FFFE35F5=C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    *FFFE1159=C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE
    *FFF9B949=C:\WINDOWS\SYSTEM\mmtask.tsk
    *FFF9E8DD=C:\WINDOWS\RUNDLL32.EXE
    *FFFEC755=C:\WINDOWS\EXPLORER.EXE
    *FFF88891=C:\WINDOWS\TASKMON.EXE
    *FFF8FA39=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    *FFF81B4D=C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    *FFF80B1D=C:\WINDOWS\SYSTEM\QTTASK.EXE
    *FFF87D55=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    *FFFBD05D=C:\WINDOWS\RunDLL.exe
    *FFF852D1=C:\WINDOWS\CWD3DSND.EXE
    *FFFBD8BD=C:\PROGRAM FILES\TEXTBRIDGE CLASSIC\BIN\TBMENU.EXE
    *FFF97509=C:\MPASS\MPSERVER.EXE
    *FFFB0C69=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALEVENT.EXE
    *FFFB2B3D=C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
    *FFF87BED=C:\MPASS\IPCSRVER.EXE
    *FFF8386D=C:\MPASS\DSMSRVR.EXE
    *FFFBAEAD=C:\WINDOWS\SYSTEM\rtdsk40w.exe
    *FFF9160D=C:\WINDOWS\SYSTEM\DDHELP.EXE
    *FFFA9489=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    *FFFA4199=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    *FFC4BC19=C:\UNZIPPED\STARTDRECK\STARTDRECK.EXE
    »NT Services
    »Application specific

    Here is the Hijack This log for your reference:

    Logfile of HijackThis v1.99.0
    Scan saved at 10:41:51 AM, on 2/5/05
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\RunDLL.exe
    C:\WINDOWS\CWD3DSND.EXE
    C:\PROGRAM FILES\TEXTBRIDGE CLASSIC\BIN\TBMENU.EXE
    C:\MPASS\MPSERVER.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALEVENT.EXE
    C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
    C:\MPASS\IPCSRVER.EXE
    C:\MPASS\DSMSRVR.EXE
    C:\WINDOWS\SYSTEM\rtdsk40w.exe
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
    O4 - HKLM\..\Run: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [Win32 Explorer] C:\WINDOWS\SYSTEM\explorer32.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Power Scan] C:\PROGRAM FILES\POWER SCAN\POWERSCAN.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
    O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [Win32 Explorer] C:\WINDOWS\SYSTEM\explorer32.exe
    O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWD3DSND.EXE
    O4 - Startup: Shockwave Init.lnk = C:\WINDOWS\SYSTEM\MACROMED\shockwave\swinit.exe
    O4 - Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
    O4 - Startup: MultiPASS Background.lnk = C:\MPASS\MPSERVER.EXE
    O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: MS&N Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O12 - Plugin for .vdo: C:\PROGRA~1\INTERN~1\plugins\npvdo32.dll
    O12 - Plugin for .hlq: C:\PROGRA~1\INTERN~1\PLUGINS\nphcd32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O15 - Trusted IP range: 81.211.105.20
    O15 - Trusted IP range: 81.211.105.20 (HKLM)
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab


    I believe the problem is on the RunServicesOnce line on startdreck. I've had hijackers in RunServicesOnce before:

    »RunServicesOnce
    **zk=rundll32 C:\WINDOWS\HLPSTEA3.GIF,DllGetClassObject

    I have never seen that line before, so I tried to remove it by first running Hijack This, but the line doesn't appear there. Then I ran WinFix, restarted in safe mode, but the Windows/HLPSTEA3.GIF file is not in that folder. Any ideas on how to remove that file so my explorer doesn't repeatedly shut down?

    Thank you again for your help!

    Ken
     
  2. The_Egg

    The_Egg

    Joined:
    Sep 16, 2002
    Messages:
    1,157
    Whilst we're waiting for a startdreck log expert (sorry, but this is the first time I've ever even heard of it),
    you should fix these two entries with HJT, reboot into safe mode, then delete explorer32.exe

    O4 - HKLM\..\Run: [Win32 Explorer] C:\WINDOWS\SYSTEM\explorer32.exe
    O4 - HKCU\..\Run: [Win32 Explorer] C:\WINDOWS\SYSTEM\explorer32.exe

    explorer32.exe is a virus
    http://sophos.com/virusinfo/analyses/trojstartpamn.html
    http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453088696
    http://www.liutilities.com/products/wintaskspro/processlibrary/explorer32/
    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.fraggle.html
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KWBOT.A&VSect=T


    I suspect HLPSTEA3.GIF to actually be a wrongly named DLL file
    You should be able to run the same Win98Fix.reg file supplied by flrman1 in your previous thread.
    That will delete then recreate the RunServicesOnce registry key.
    (follow the same instructions provided in the relevant post there).


    Note, the following 2 (missing file) entries can also be fixed with HJT:

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

    O9 - Extra 'Tools' menuitem: MS&N Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
     
  3. ken65

    ken65 Thread Starter

    Joined:
    Jul 2, 2004
    Messages:
    20
    Hello,

    Thank you for your help!

    I eliminated the explorer32.exe virus, but the following line still remains in my startdreck log and internet explorer continues to produce an error message and closes:

    »RunServicesOnce
    **ar=rundll32 C:\WINDOWS\HLPSTEA3.GIF,DllGetClassObject

    This doesn't appear in the Hijack This log and doesn't appear in Windows in safe mode after I've used WinFix98. I believe it's posted as a dll under another name but I can't find what that name is. Any suggestions? Thanks again for your help!

    Ken
     
  4. The_Egg

    The_Egg

    Joined:
    Sep 16, 2002
    Messages:
    1,157
    I'm suspicious of one of your running processes

    C:\WINDOWS\SYSTEM\rtdsk40w.exe

    This process was running all the way through your previous thread as well, but no-one recommended removing it. Does anyone here know what it is? There's not much info on google about it, and I suspect it to be malware.

    EDIT

    Ah, no! Please ignore the above!
    rtdsk40w.exe is a part of MultiPass
    http://www.sttc.net.au/drivers/Fax drivers/L90 MultiPass/L90 Driver W95-98/

    Scrap that idea then. Sorry :(

    /EDIT

    Have you still got Windows set to 'Show All Files' and NOT 'Hide Extensions for Known File Types' (c/o Folder Options > View tab)? And if so, there's still no files called HLPSTEA3 anywhere on your system, even if searching for it c/o Start > find/search?

    Did you definitely unzip and run the RunFix.reg file?
    If so, then it looks like something is recreating the entry...


    I think this could possibly be out of my league.

    Are you comfortable with manually editing the registry?

    For now, please post fresh HJT and Startdreck logs,
    and do not reboot until an expert tells you otherwise.
     
  5. ken65

    ken65 Thread Starter

    Joined:
    Jul 2, 2004
    Messages:
    20
    Hi there,

    Thanks for your prompt response. Yes, I definitely did unzip and run the RunFix.reg file. I also made sure that Windows is checked to "show all files" and "hide extension for known file types" is unchecked. I am comfortable with editing the registry, but there is no value listed under the "RunServicesOnce" registry.

    Here is the most recent HJT log and Startdreck log:

    StartDreck (build 2.1.5 public BETA) - 2005-02-06 @ 12:39:31
    Platform: Windows 98 (Win 4.10.1998 )

    »Registry
    »Run Keys
    »Current User
    »Run
    *Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    »RunOnce
    »Default User
    »Run
    *Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    »RunOnce
    »Local Machine
    »Run
    *ScanRegistry=c:\windows\scanregw.exe /autorun
    *TaskMonitor=c:\windows\taskmon.exe
    *SystemTray=SysTray.Exe
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *VsecomrEXE=C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
    *Vshwin32EXE=C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
    *hpsysdrv=c:\windows\system\hpsysdrv.exe
    *QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    *TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    *Power Scan=C:\PROGRAM FILES\POWER SCAN\POWERSCAN.EXE
    »RunOnce
    »RunServices
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *SchedulingAgent=mstask.exe
    *Vshwin32EXE=C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
    *EncMonitor=C:\Program Files\Encompass\Monitor.exe
    »RunServicesOnce
    **ar=rundll32 C:\WINDOWS\HLPSTEA3.GIF,DllGetClassObject
    »RunOnceEx
    »RunServicesOnceEx
    »File Associations (CR)
    *.bat
    *batfile="%1" %*
    *.com
    *comfile="%1" %*
    *.disabled
    *SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" %1
    *.exe
    *exefile="%1" %*
    *.hta
    *htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
    *.htm
    *htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
    *.html
    *htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
    *.js
    *JSFile=C:\WINDOWS\WScript.exe "%1" %*
    *.jse
    *JSEFile=C:\WINDOWS\WScript.exe "%1" %*
    *.pif
    *piffile="%1" %*
    *.scr
    *scrfile="%1" /S
    *.txt
    *txtfile=c:\windows\NOTEPAD.EXE %1
    *.vbs
    *VBSFile=C:\WINDOWS\WScript.exe "%1" %*
    *.vbe
    *VBEFile=C:\WINDOWS\WScript.exe "%1" %*
    *.wsh
    *WSHFile=C:\WINDOWS\WScript.exe "%1" %*
    *.wsf
    *WSFFile=C:\WINDOWS\WScript.exe "%1" %*
    *.lnk
    `lnkfile= [key or value does not exist]
    »Browser Helper Objects (LM)
    *YBIOCtrl.CompanionBHO.4/{02478D38-C3F9-4efb-9B51-7695ECA05670}
    `InprocServer32=C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
    »Files
    »Autostart Folders
    »Current User
    *C:\WINDOWS\Start Menu\Programs\StartUp\Crystal 3D Audio Control.lnk
    *C:\WINDOWS\Start Menu\Programs\StartUp\Shockwave Init.lnk
    *C:\WINDOWS\Start Menu\Programs\StartUp\TextBridge Instant Access OCR.lnk
    *C:\WINDOWS\Start Menu\Programs\StartUp\MultiPASS Background.lnk
    *C:\WINDOWS\Start Menu\Programs\StartUp\Encoder Agent.lnk
    »Default User
    *C:\WINDOWS\Start Menu\Programs\StartUp\Crystal 3D Audio Control.lnk
    *C:\WINDOWS\Start Menu\Programs\StartUp\Shockwave Init.lnk
    *C:\WINDOWS\Start Menu\Programs\StartUp\TextBridge Instant Access OCR.lnk
    *C:\WINDOWS\Start Menu\Programs\StartUp\MultiPASS Background.lnk
    *C:\WINDOWS\Start Menu\Programs\StartUp\Encoder Agent.lnk
    »Local Machine
    »INI-Files
    »WIN.INI\[windows]
    *LOAD=
    *RUN=
    »SYSTEM.INI\[boot]
    *SHELL=explorer.exe
    »Text Files
    *C:\WINDOWS\msdos.sys
    *C:\msdos.sys
    *C:\config.sys
    *C:\autoexec.bat
    *C:\WINDOWS\dosstart.bat
    *C:\WINDOWS\wininit.bak
    »System/Drivers
    »Running Processes
    *FFCF9885=C:\WINDOWS\SYSTEM\KERNEL32.DLL
    *FFFFAF31=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    *FFFE59A1=C:\WINDOWS\SYSTEM\MPREXE.EXE
    *FFFE26A5=C:\WINDOWS\SYSTEM\MSTASK.EXE
    *FFFED2C5=C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    *FFFEF14D=C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE
    *FFF949B1=C:\WINDOWS\SYSTEM\mmtask.tsk
    *FFF968E5=C:\WINDOWS\EXPLORER.EXE
    *FFF96AC9=C:\WINDOWS\RUNDLL32.EXE
    *FFF861D5=C:\WINDOWS\TASKMON.EXE
    *FFF81E71=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    *FFF8C095=C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    *FFF89149=C:\WINDOWS\SYSTEM\QTTASK.EXE
    *FFF887F5=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    *FFF89DBD=C:\WINDOWS\RunDLL.exe
    *FFFB78C5=C:\WINDOWS\CWD3DSND.EXE
    *FFFB478D=C:\PROGRAM FILES\TEXTBRIDGE CLASSIC\BIN\TBMENU.EXE
    *FFFB09D9=C:\MPASS\MPSERVER.EXE
    *FFF9F8C5=C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
    *FFF86D69=C:\MPASS\IPCSRVER.EXE
    *FFFB31F1=C:\MPASS\DSMSRVR.EXE
    *FFFB1425=C:\WINDOWS\SYSTEM\rtdsk40w.exe
    *FFFB8EC1=C:\WINDOWS\SYSTEM\DDHELP.EXE
    *FFFBFFC1=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    *FFC47CBD=C:\UNZIPPED\STARTDRECK\STARTDRECK.EXE
    »NT Services
    »Application specific



    Logfile of HijackThis v1.99.0
    Scan saved at 4:00:06 PM, on 2/6/05
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\RunDLL.exe
    C:\WINDOWS\CWD3DSND.EXE
    C:\PROGRAM FILES\TEXTBRIDGE CLASSIC\BIN\TBMENU.EXE
    C:\MPASS\MPSERVER.EXE
    C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
    C:\MPASS\IPCSRVER.EXE
    C:\MPASS\DSMSRVR.EXE
    C:\WINDOWS\SYSTEM\rtdsk40w.exe
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
    O4 - HKLM\..\Run: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Power Scan] C:\PROGRAM FILES\POWER SCAN\POWERSCAN.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
    O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWD3DSND.EXE
    O4 - Startup: Shockwave Init.lnk = C:\WINDOWS\SYSTEM\MACROMED\shockwave\swinit.exe
    O4 - Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
    O4 - Startup: MultiPASS Background.lnk = C:\MPASS\MPSERVER.EXE
    O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O12 - Plugin for .vdo: C:\PROGRA~1\INTERN~1\plugins\npvdo32.dll
    O12 - Plugin for .hlq: C:\PROGRA~1\INTERN~1\PLUGINS\nphcd32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O15 - Trusted IP range: 81.211.105.20
    O15 - Trusted IP range: 81.211.105.20 (HKLM)
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab

    Thank you in advance,

    Ken
     
  6. The_Egg

    The_Egg

    Joined:
    Sep 16, 2002
    Messages:
    1,157
    Hmm, I was rather hoping that an admin/mod might respond.

    »RunServicesOnce
    **ar=rundll32 C:\WINDOWS\HLPSTEA3.GIF,DllGetClassObject

    Have you tried searching the registry for RunServicesOnce and/or HLPSTEA3 ?

    It's possible that it could be under HKEY_CURRENT_USER or HKEY_USERS
    instead of HKEY_LOCAL_MACHINE

    Otherwise, I'm really not sure why Startdreck is reporting a non-existent registry entry for a non-existent file.


    Re: HJT log

    Run the scan again and fix the following entries only:

    O4 - HKLM\..\Run: [Power Scan] C:\PROGRAM FILES\POWER SCAN\POWERSCAN.EXE

    O15 - Trusted IP range: 81.211.105.20

    O15 - Trusted IP range: 81.211.105.20 (HKLM)



    PowerScan is associated with the ISTBar foistware
    http://www.liutilities.com/products/wintaskspro/processlibrary/powerscan/
    http://www.pestpatrol.com/PestInfo/p/powerscan.asp


    The following are all legit, but are also known useless resource hogs.
    You can safely disable these to free up some system resources.

    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

    (Description: HP monitoring tool. Unnecessary. Disable this to free up some system resources.)


    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    (Description: RealPlayer scheduler. Completely unnecessary. Removing this entry will free up a small amount of system resources.)


    O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe

    (Description: The Encompass Monitor. This program is the Connect Direct Program. It is more trouble than it is worth and few use it.)


    O4 - Startup: Shockwave Init.lnk = C:\WINDOWS\SYSTEM\MACROMED\shockwave\swinit.exe

    (Description: Shockwave system tray icon - quite useless)


    Please install Spybot Search & Destroy
    Follow the setup instructions
    During installation you will be prompted to Install the detection updates and immunize your system.
    Do this and then run the scan.
    When done, checkmark all results and click "fix checked".

    Download and install AdawareSE
    Click "Check for updates now" first (just above the "Start" button) and install the detection updates.
    Then click "Start"
    Uncheck "search for negligible risk entries"
    Checkmark "Perform full system scan"
    Click "Next" and let the scan run.
    When done, checkmark all results (right click > select all) and click "Next".

    Note: You MUST make sure that all browser/email/explorer windows are closed before fixing with HJT, SpybotSD and Adaware.


    If it still remains, delete the "C:\Program Files\Power Scan" folder.

    Go to: Start > Run
    Type in: %temp%
    Empty the contents of the Windows\Temp folder

    Go to: Control Panel > Internet Options
    Under "Temporary Internet Files", click "Delete" > OK

    Reboot and post fresh logs.
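
The pattern the posts above keep returning to, as an added example that is not part of the original thread: the same rundll32 command reappears under RunServicesOnce with a different value name in each StartDreck log (zk, ar, mbfw) and points at a file with a .GIF extension. The sketch below parses excerpts copied from those logs and flags both signals; the function names and the list of expected extensions are assumptions of this example.

```python
import ntpath
import re

# Extensions rundll32 is normally pointed at (assumption made for this example).
EXPECTED_EXTS = {".dll", ".cpl", ".ocx", ".drv"}

# "rundll32 <path>,<export>" in the spellings seen in the logs (RunDLL, Rundll32.exe).
RUNDLL_RE = re.compile(
    r'^\s*"?rundll(?:32)?(?:\.exe)?"?\s+(?P<path>.+?)\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)

# Excerpts of the three StartDreck logs in this thread, trimmed to a few run keys.
SNAPSHOTS = {
    "2005-02-05": r"""
»Run
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
»RunServicesOnce
**zk=rundll32 C:\WINDOWS\HLPSTEA3.GIF,DllGetClassObject
»RunOnceEx
""",
    "2005-02-06": r"""
»Run
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
»RunServicesOnce
**ar=rundll32 C:\WINDOWS\HLPSTEA3.GIF,DllGetClassObject
»RunOnceEx
""",
    "2005-02-13": r"""
»Run
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
»RunServicesOnce
**mbfw=rundll32 C:\WINDOWS\HLPSTEA3.GIF,DllGetClassObject
»RunOnceEx
""",
}


def parse_startdreck(text):
    """Return (section, value_name, command) for each '*name=value' line.

    Assumption: the first '*' is StartDreck's entry marker, as on every other
    entry line in the logs, so '**zk=...' yields the value name '*zk'.
    """
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("»"):
            section = line[1:].strip()
        elif line.startswith("*") and "=" in line:
            name, _, command = line[1:].partition("=")
            entries.append((section, name, command))
    return entries


def rundll32_target(command):
    """Return (path, export) when the command is a rundll32 call, else None."""
    m = RUNDLL_RE.match(command)
    if m is None:
        return None
    return m.group("path").strip('"'), m.group("export")


def find_rotating_rundll(snapshots):
    """Flag rundll32 entries whose target has an unexpected extension or whose
    value name changes between snapshots while the command stays the same."""
    seen = {}
    for date in sorted(snapshots):
        for section, name, command in parse_startdreck(snapshots[date]):
            target = rundll32_target(command)
            if target is None:
                continue
            rec = seen.setdefault(
                (section, command.lower()),
                {"section": section, "target": target[0], "export": target[1],
                 "names": set(), "dates": []},
            )
            rec["names"].add(name)
            rec["dates"].append(date)

    findings = []
    for rec in seen.values():
        ext = ntpath.splitext(rec["target"])[1].lower()
        ext_mismatch = ext not in EXPECTED_EXTS
        # A ...Once key is meant to be consumed at startup, so one command
        # returning under new names suggests something is re-adding it.
        renamed = len(rec["names"]) > 1
        if ext_mismatch or renamed:
            findings.append({**rec, "names": sorted(rec["names"]),
                             "ext_mismatch": ext_mismatch, "renamed": renamed})
    return findings


if __name__ == "__main__":
    for f in find_rotating_rundll(SNAPSHOTS):
        print(f["section"], f["target"], f["export"], f["names"], f["dates"])
```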
     
  7. ken65

    ken65 Thread Starter

    Joined:
    Jul 2, 2004
    Messages:
    20
    Hello,

    I have followed the previous instructions and I still have the same problem -- I receive a message that internet explorer has encountered an error and must be shut down. Here are my latest Startdreck and HJT logs:

    StartDreck (build 2.1.5 public BETA) - 2005-02-13 @ 21:25:53
    Platform: Windows 98 (Win 4.10.1998 )

    »Registry
    »Run Keys
    »Current User
    »Run
    *Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    »RunOnce
    »Default User
    »Run
    *Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    »RunOnce
    »Local Machine
    »Run
    *ScanRegistry=c:\windows\scanregw.exe /autorun
    *TaskMonitor=c:\windows\taskmon.exe
    *SystemTray=SysTray.Exe
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *VsecomrEXE=C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
    *Vshwin32EXE=C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
    *hpsysdrv=c:\windows\system\hpsysdrv.exe
    *QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    *TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    »RunOnce
    »RunServices
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *SchedulingAgent=mstask.exe
    *Vshwin32EXE=C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
    *EncMonitor=C:\Program Files\Encompass\Monitor.exe
    »RunServicesOnce
    **mbfw=rundll32 C:\WINDOWS\HLPSTEA3.GIF,DllGetClassObject
    »RunOnceEx
    »RunServicesOnceEx
    »File Associations (CR)
    *.bat
    *batfile="%1" %*
    *.com
    *comfile="%1" %*
    *.disabled
    *SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" %1
    *.exe
    *exefile="%1" %*
    *.hta
    *htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
    *.htm
    *htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
    *.html
    *htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
    *.js
    *JSFile=C:\WINDOWS\WScript.exe "%1" %*
    *.jse
    *JSEFile=C:\WINDOWS\WScript.exe "%1" %*
    *.pif
    *piffile="%1" %*
    *.scr
    *scrfile="%1" /S
    *.txt
    *txtfile=c:\windows\NOTEPAD.EXE %1
    *.vbs
    *VBSFile=C:\WINDOWS\WScript.exe "%1" %*
    *.vbe
    *VBEFile=C:\WINDOWS\WScript.exe "%1" %*
    *.wsh
    *WSHFile=C:\WINDOWS\WScript.exe "%1" %*
    *.wsf
    *WSFFile=C:\WINDOWS\WScript.exe "%1" %*
    *.lnk
    `lnkfile= [key or value does not exist]
    »Browser Helper Objects (LM)
    *YBIOCtrl.CompanionBHO.4/{02478D38-C3F9-4efb-9B51-7695ECA05670}
    `InprocServer32=C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
    »Files
    »Autostart Folders
    »Current User
    *C:\WINDOWS\Start Menu\Programs\StartUp\Crystal 3D Audio Control.lnk
    *C:\WINDOWS\Start Menu\Programs\StartUp\Shockwave Init.lnk
    *C:\WINDOWS\Start Menu\Programs\StartUp\TextBridge Instant Access OCR.lnk
    *C:\WINDOWS\Start Menu\Programs\StartUp\MultiPASS Background.lnk
    *C:\WINDOWS\Start Menu\Programs\StartUp\Encoder Agent.lnk
    »Default User
    *C:\WINDOWS\Start Menu\Programs\StartUp\Crystal 3D Audio Control.lnk
    *C:\WINDOWS\Start Menu\Programs\StartUp\Shockwave Init.lnk
    *C:\WINDOWS\Start Menu\Programs\StartUp\TextBridge Instant Access OCR.lnk
    *C:\WINDOWS\Start Menu\Programs\StartUp\MultiPASS Background.lnk
    *C:\WINDOWS\Start Menu\Programs\StartUp\Encoder Agent.lnk
    »Local Machine
    »INI-Files
    »WIN.INI\[windows]
    *LOAD=
    *RUN=
    »SYSTEM.INI\[boot]
    *SHELL=explorer.exe
    »Text Files
    *C:\WINDOWS\msdos.sys
    *C:\msdos.sys
    *C:\config.sys
    *C:\autoexec.bat
    *C:\WINDOWS\dosstart.bat
    *C:\WINDOWS\wininit.ini
    *C:\WINDOWS\wininit.bak
    »System/Drivers
    »Running Processes
    *FFCF0D77=C:\WINDOWS\SYSTEM\KERNEL32.DLL
    *FFFF3AC3=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    *FFFECC53=C:\WINDOWS\SYSTEM\MPREXE.EXE
    *FFFED413=C:\WINDOWS\SYSTEM\mmtask.tsk
    *FFFE4FDF=C:\WINDOWS\SYSTEM\MSTASK.EXE
    *FFFE4383=C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    *FFFE60F3=C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE
    *FFF9F4E7=C:\WINDOWS\RUNDLL32.EXE
    *FFFE61FF=C:\WINDOWS\EXPLORER.EXE
    *FFF9073B=C:\WINDOWS\TASKMON.EXE
    *FFFEFDC3=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    *FFF8CBD7=C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    *FFF8797B=C:\WINDOWS\SYSTEM\QTTASK.EXE
    *FFF80233=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    *FFF819FF=C:\WINDOWS\RunDLL.exe
    *FFFBFE97=C:\WINDOWS\CWD3DSND.EXE
    *FFFBC377=C:\PROGRAM FILES\TEXTBRIDGE CLASSIC\BIN\TBMENU.EXE
    *FFFBC46B=C:\MPASS\MPSERVER.EXE
    *FFF85643=C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
    *FFF8449B=C:\MPASS\IPCSRVER.EXE
    *FFFB99DF=C:\MPASS\DSMSRVR.EXE
    *FFF805D7=C:\WINDOWS\SYSTEM\rtdsk40w.exe
    *FFF9405F=C:\WINDOWS\SYSTEM\DDHELP.EXE
    *FFFB362F=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    *FFC555C3=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    *FFC7FD27=C:\UNZIPPED\STARTDRECK\STARTDRECK.EXE
    »NT Services
    »Application specific



    Logfile of HijackThis v1.99.0
    Scan saved at 9:27:31 PM, on 2/13/05
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\RunDLL.exe
    C:\WINDOWS\CWD3DSND.EXE
    C:\PROGRAM FILES\TEXTBRIDGE CLASSIC\BIN\TBMENU.EXE
    C:\MPASS\MPSERVER.EXE
    C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
    C:\MPASS\IPCSRVER.EXE
    C:\MPASS\DSMSRVR.EXE
    C:\WINDOWS\SYSTEM\rtdsk40w.exe
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
    O4 - HKLM\..\Run: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
    O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWD3DSND.EXE
    O4 - Startup: Shockwave Init.lnk = C:\WINDOWS\SYSTEM\MACROMED\shockwave\swinit.exe
    O4 - Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
    O4 - Startup: MultiPASS Background.lnk = C:\MPASS\MPSERVER.EXE
    O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O12 - Plugin for .vdo: C:\PROGRA~1\INTERN~1\plugins\npvdo32.dll
    O12 - Plugin for .hlq: C:\PROGRA~1\INTERN~1\PLUGINS\nphcd32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O15 - Trusted IP range: 81.211.105.20
    O15 - Trusted IP range: 81.211.105.20 (HKLM)
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab


    I still cannot find the following entry that has never appeared before. It appears on Startdreck but not on HJT:

    **mbfw=rundll32 C:\WINDOWS\HLPSTEA3.GIF,DllGetClassObject

    I believe it's under another name in my system, but I haven't been able to locate it.

    Thank you for your help!

    Ken
     
  8. The_Egg

    The_Egg

    Joined:
    Sep 16, 2002
    Messages:
    1,157
    Ok, I've downloaded Startdreck now... :)

    Try the following:

    In Startdreck, scroll down to and highlight that line

    **mbfw=rundll32 C:\WINDOWS\HLPSTEA3.GIF,DllGetClassObject

    For now, click the "RegEdit" button in the bottom right corner.
    This will open the Registry Editor with the referenced key selected.
    In Regedit, right click this key in the left pane
    and select "Copy Key Name".
    Paste the reg key location into your next reply here.

    Then go back to Startdreck and, with the same entry still selected, click the "Disable" button.
    You could also click the "Delete" button, but we would like to know more information about that entry and file before you do so.


    Please also follow the instructions in my previous post to install Spybot Search & Destroy.
    I don't see Spybot Helper in your log. Once installed and enabled, there should be this entry in your HJT log:
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
     
  9. ken65

    ken65 Thread Starter

    Joined:
    Jul 2, 2004
    Messages:
    20
    Hi there,

    I followed your instructions and this is what the registry key reads:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    In the right column of the registry, it just reads "default" under the name column and "data not set" under the value column. There is no mention of the HLPSTEA3.gif in the value section.

    I have Spybot Search and Destroy already installed and after running the scan, the log is empty -- it reads "system clean."

    Thanks again!

    Ken
     
  10. ken65

    ken65 Thread Starter

    Joined:
    Jul 2, 2004
    Messages:
    20
    Hello,

    My computer problems seem to be deepening. Not only do I see the message "this program has performed an illegal operation and will be shut down" upon connecting with Explorer, but I have two pesky dll files that I continually have to remove in safe mode. One has the same file name every time and goes in the Windows/Temp folder, the other always has a different name each time and is in the Windows/System folder.

    I can only speculate that there is a hidden dll file somewhere in my system. The only line I can find different than previous HJT logs is this:

    **mbfw=rundll32 C:\WINDOWS\HLPSTEA3.GIF,DllGetClassObject

    I cannot find this file in Windows. My Startdreck and HJT logs are exactly the same as below.

    Please someone assist me with this difficult problem. Thank you!

    Ken
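
The comparison discussed in the posts above, as an added example that is not part of any post in this thread and not code from StartDreck or HijackThis: it lists autostart entries that a StartDreck log shows but a HijackThis log does not, and flags rundll commands whose target file is not a DLL. The line formats are taken from the logs on this page; the sample excerpts are constructed, and the function names and the `LOADABLE` allow-list are assumptions.

```python
import re

# Constructed excerpts in the two line formats that appear in this thread.
STARTDRECK = r"""
»Run
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
»RunServicesOnce
**mbfw=rundll32 C:\WINDOWS\HLPSTEA3.GIF,DllGetClassObject
»Running Processes
*FFF9F4E7=C:\WINDOWS\RUNDLL32.EXE
"""
HJT = r"""
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"""
RUN_SECTIONS = {"run", "runonce", "runservices", "runservicesonce"}
LOADABLE = {"dll", "cpl"}  # assumption: extensions accepted as normal rundll targets

def startdreck_entries(text):
    """{name: (section, command)} for '*name=command' lines under Run-type sections."""
    out, section = {}, ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("»"):
            section = line[1:].strip().lower()
        elif section in RUN_SECTIONS and (m := re.match(r"\*+([^=]+)=(.+)", line)):
            out[m.group(1).strip().lower()] = (section, m.group(2).strip())
    return out

def hjt_names(text):
    """Names from HijackThis 'O4 - <key>: [name] command' lines."""
    return {m.group(1).strip().lower()
            for m in re.finditer(r"^\s*O4 - [^:\n]+: \[([^\]]+)\]", text, re.M)}

def rundll_target(command):
    """File that a 'rundll32 <file>,<export>' command loads, or None."""
    m = re.search(r'rundll(?:32)?(?:\.exe)?"?\s+"?([^",]+)"?\s*,', command, re.I)
    return m.group(1).strip() if m else None

def review(startdreck_text, hjt_text):
    """Entries StartDreck lists that HijackThis omits, or that load a non-DLL file."""
    seen, findings = hjt_names(hjt_text), []
    for name, (section, cmd) in startdreck_entries(startdreck_text).items():
        target, reasons = rundll_target(cmd), []
        if name not in seen:
            reasons.append("missing from HijackThis log")
        if target and target.rsplit(".", 1)[-1].lower() not in LOADABLE:
            reasons.append("rundll target is not a DLL: " + target)
        if reasons:
            findings.append((section, name, reasons))
    return findings
```

Calling `review(STARTDRECK, HJT)` on the constructed excerpts returns a single finding, the `mbfw` entry, with both reasons attached.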
     