hijacker problem

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

ken65

Thread Starter
Joined
Jul 2, 2004
Messages
20
Hello! I have learned much about security and removing hijackers from you and would greatly appreciate your assistance again. I have encountered something a little more difficult to remove. My internet explorer reads an error and then shuts down, and this happens frequently now when I'm online. Here is my latest Startdreck log:

StartDreck (build 2.1.5 public BETA) - 2005-02-05 @ 10:32:11
Platform: Windows 98 (Win 4.10.1998 )

»Registry
»Run Keys
»Current User
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
*Win32 Explorer=C:\WINDOWS\SYSTEM\explorer32.exe
»RunOnce
»Default User
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
*Win32 Explorer=C:\WINDOWS\SYSTEM\explorer32.exe
»RunOnce
»Local Machine
»Run
*ScanRegistry=c:\windows\scanregw.exe /autorun
*TaskMonitor=c:\windows\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*VsecomrEXE=C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
*Vshwin32EXE=C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
*hpsysdrv=c:\windows\system\hpsysdrv.exe
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*Win32 Explorer=C:\WINDOWS\SYSTEM\explorer32.exe
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*Power Scan=C:\PROGRAM FILES\POWER SCAN\POWERSCAN.EXE
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*Vshwin32EXE=C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
*EncMonitor=C:\Program Files\Encompass\Monitor.exe
»RunServicesOnce
**zk=rundll32 C:\WINDOWS\HLPSTEA3.GIF,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
*.bat
*batfile="%1" %*
*.com
*comfile="%1" %*
*.disabled
*SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" %1
*.exe
*exefile="%1" %*
*.hta
*htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
*.htm
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
*.html
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
*.js
*JSFile=C:\WINDOWS\WScript.exe "%1" %*
*.jse
*JSEFile=C:\WINDOWS\WScript.exe "%1" %*
*.pif
*piffile="%1" %*
*.scr
*scrfile="%1" /S
*.txt
*txtfile=c:\windows\NOTEPAD.EXE %1
*.vbs
*VBSFile=C:\WINDOWS\WScript.exe "%1" %*
*.vbe
*VBEFile=C:\WINDOWS\WScript.exe "%1" %*
*.wsh
*WSHFile=C:\WINDOWS\WScript.exe "%1" %*
*.wsf
*WSFFile=C:\WINDOWS\WScript.exe "%1" %*
*.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
*YBIOCtrl.CompanionBHO.4/{02478D38-C3F9-4efb-9B51-7695ECA05670}
`InprocServer32=C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
»Files
»Autostart Folders
»Current User
*C:\WINDOWS\Start Menu\Programs\StartUp\Crystal 3D Audio Control.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\Shockwave Init.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\TextBridge Instant Access OCR.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\MultiPASS Background.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\Encoder Agent.lnk
»Default User
*C:\WINDOWS\Start Menu\Programs\StartUp\Crystal 3D Audio Control.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\Shockwave Init.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\TextBridge Instant Access OCR.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\MultiPASS Background.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\Encoder Agent.lnk
»Local Machine
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=explorer.exe
»Text Files
*C:\WINDOWS\msdos.sys
*C:\msdos.sys
*C:\config.sys
*C:\autoexec.bat
*C:\WINDOWS\dosstart.bat
*C:\WINDOWS\wininit.bak
»System/Drivers
»Running Processes
*FFCF7FB5=C:\WINDOWS\SYSTEM\KERNEL32.DLL
*FFFF4801=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
*FFFEBE91=C:\WINDOWS\SYSTEM\MPREXE.EXE
*FFFEC195=C:\WINDOWS\SYSTEM\MSTASK.EXE
*FFFE35F5=C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
*FFFE1159=C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE
*FFF9B949=C:\WINDOWS\SYSTEM\mmtask.tsk
*FFF9E8DD=C:\WINDOWS\RUNDLL32.EXE
*FFFEC755=C:\WINDOWS\EXPLORER.EXE
*FFF88891=C:\WINDOWS\TASKMON.EXE
*FFF8FA39=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
*FFF81B4D=C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
*FFF80B1D=C:\WINDOWS\SYSTEM\QTTASK.EXE
*FFF87D55=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
*FFFBD05D=C:\WINDOWS\RunDLL.exe
*FFF852D1=C:\WINDOWS\CWD3DSND.EXE
*FFFBD8BD=C:\PROGRAM FILES\TEXTBRIDGE CLASSIC\BIN\TBMENU.EXE
*FFF97509=C:\MPASS\MPSERVER.EXE
*FFFB0C69=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALEVENT.EXE
*FFFB2B3D=C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
*FFF87BED=C:\MPASS\IPCSRVER.EXE
*FFF8386D=C:\MPASS\DSMSRVR.EXE
*FFFBAEAD=C:\WINDOWS\SYSTEM\rtdsk40w.exe
*FFF9160D=C:\WINDOWS\SYSTEM\DDHELP.EXE
*FFFA9489=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
*FFFA4199=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
*FFC4BC19=C:\UNZIPPED\STARTDRECK\STARTDRECK.EXE
»NT Services
»Application specific

Here is the Hijack This log for your reference:

Logfile of HijackThis v1.99.0
Scan saved at 10:41:51 AM, on 2/5/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\CWD3DSND.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC\BIN\TBMENU.EXE
C:\MPASS\MPSERVER.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALEVENT.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\MPASS\IPCSRVER.EXE
C:\MPASS\DSMSRVR.EXE
C:\WINDOWS\SYSTEM\rtdsk40w.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
O4 - HKLM\..\Run: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Win32 Explorer] C:\WINDOWS\SYSTEM\explorer32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Power Scan] C:\PROGRAM FILES\POWER SCAN\POWERSCAN.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Win32 Explorer] C:\WINDOWS\SYSTEM\explorer32.exe
O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWD3DSND.EXE
O4 - Startup: Shockwave Init.lnk = C:\WINDOWS\SYSTEM\MACROMED\shockwave\swinit.exe
O4 - Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
O4 - Startup: MultiPASS Background.lnk = C:\MPASS\MPSERVER.EXE
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: MS&N Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .vdo: C:\PROGRA~1\INTERN~1\plugins\npvdo32.dll
O12 - Plugin for .hlq: C:\PROGRA~1\INTERN~1\PLUGINS\nphcd32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted IP range: 81.211.105.20
O15 - Trusted IP range: 81.211.105.20 (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab


I believe the problem is on the RunServicesOnce line on Startdreck. I've had hijackers in RunServicesOnce before:

»RunServicesOnce
**zk=rundll32 C:\WINDOWS\HLPSTEA3.GIF,DllGetClassObject

I have never seen that line before, so I tried to remove it by first running Hijack This, but the line doesn't appear there. Then I ran WinFix, restarted in safe mode, but the Windows/HLPSTEA3.GIF file is not in that folder. Any ideas on how to remove that file so my explorer doesn't repeatedly shut down?

Thank you again for your help!

Ken
 
Joined
Sep 16, 2002
Messages
1,157
Whilst we're waiting for a startdreck log expert (sorry, but this is the first time I've ever even heard of it),
you should fix these two entries with HJT, reboot into safe mode, then delete explorer32.exe

O4 - HKLM\..\Run: [Win32 Explorer] C:\WINDOWS\SYSTEM\explorer32.exe
O4 - HKCU\..\Run: [Win32 Explorer] C:\WINDOWS\SYSTEM\explorer32.exe

explorer32.exe is a virus
http://sophos.com/virusinfo/analyses/trojstartpamn.html
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453088696
http://www.liutilities.com/products/wintaskspro/processlibrary/explorer32/
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.fraggle.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KWBOT.A&VSect=T


I suspect HLPSTEA3.GIF to actually be a wrongly named DLL file
You should be able to run the same Win98Fix.reg file supplied by flrman1 in your previous thread.
That will delete then recreate the RunServicesOnce registry key.
(follow the same instructions provided in the relevant post there).


Note, the following 2 (missing file) entries can also be fixed with HJT:

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: MS&N Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
 

ken65

Thread Starter
Joined
Jul 2, 2004
Messages
20
Hello,

Thank you for your help!

I eliminated the explorer32.exe virus, but the following line still remains in my startdreck log and internet explorer continues to produce an error message and closes:

»RunServicesOnce
**ar=rundll32 C:\WINDOWS\HLPSTEA3.GIF,DllGetClassObject

This doesn't appear in the Hijack This log and doesn't appear in Windows in safe mode after I've used WinFix98. I believe it's posted as a dll under another name but I can't find what that name is. Any suggestions? Thanks again for your help!

Ken
 
Joined
Sep 16, 2002
Messages
1,157
I'm suspicious of one of your running processes

C:\WINDOWS\SYSTEM\rtdsk40w.exe

This process was running all the way through your previous thread as well, but no-one recommended removing it. Does anyone here know what it is? There's not much info on google about it, and I suspect it to be malware.

EDIT

Ah, no! Please ignore the above!
rtdsk40w.exe is a part of MultiPASS
http://www.sttc.net.au/drivers/Fax drivers/L90 MultiPass/L90 Driver W95-98/

Scrap that idea then. Sorry :(

/EDIT

Have you still got Windows set to 'Show All Files' and NOT 'Hide Extensions for Known File Types' (c/o Folder Options > View tab)? And if so, there are still no files called HLPSTEA3 anywhere on your system, even if searching for it c/o Start > find/search?

Did you definitely unzip and run the RunFix.reg file?
If so, then it looks like something is recreating the entry...


I think this could possibly be out of my league.

Are you comfortable with manually editing the registry?

For now, please post fresh HJT and Startdreck logs,
and do not reboot until an expert tells you otherwise.
 

ken65

Thread Starter
Joined
Jul 2, 2004
Messages
20
Hi there,

Thanks for your prompt response. Yes, I definitely did unzip and run the RunFix.reg file. I also made sure that Windows is checked to "show all files" and "hide extension for known file types" is unchecked. I am comfortable with editing the registry, but there is no value listed under the "RunServicesOnce" registry.

Here is the most recent HJT log and Startdreck log:

StartDreck (build 2.1.5 public BETA) - 2005-02-06 @ 12:39:31
Platform: Windows 98 (Win 4.10.1998 )

»Registry
»Run Keys
»Current User
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
»RunOnce
»Default User
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
»RunOnce
»Local Machine
»Run
*ScanRegistry=c:\windows\scanregw.exe /autorun
*TaskMonitor=c:\windows\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*VsecomrEXE=C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
*Vshwin32EXE=C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
*hpsysdrv=c:\windows\system\hpsysdrv.exe
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*Power Scan=C:\PROGRAM FILES\POWER SCAN\POWERSCAN.EXE
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*Vshwin32EXE=C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
*EncMonitor=C:\Program Files\Encompass\Monitor.exe
»RunServicesOnce
**ar=rundll32 C:\WINDOWS\HLPSTEA3.GIF,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
*.bat
*batfile="%1" %*
*.com
*comfile="%1" %*
*.disabled
*SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" %1
*.exe
*exefile="%1" %*
*.hta
*htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
*.htm
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
*.html
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
*.js
*JSFile=C:\WINDOWS\WScript.exe "%1" %*
*.jse
*JSEFile=C:\WINDOWS\WScript.exe "%1" %*
*.pif
*piffile="%1" %*
*.scr
*scrfile="%1" /S
*.txt
*txtfile=c:\windows\NOTEPAD.EXE %1
*.vbs
*VBSFile=C:\WINDOWS\WScript.exe "%1" %*
*.vbe
*VBEFile=C:\WINDOWS\WScript.exe "%1" %*
*.wsh
*WSHFile=C:\WINDOWS\WScript.exe "%1" %*
*.wsf
*WSFFile=C:\WINDOWS\WScript.exe "%1" %*
*.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
*YBIOCtrl.CompanionBHO.4/{02478D38-C3F9-4efb-9B51-7695ECA05670}
`InprocServer32=C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
»Files
»Autostart Folders
»Current User
*C:\WINDOWS\Start Menu\Programs\StartUp\Crystal 3D Audio Control.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\Shockwave Init.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\TextBridge Instant Access OCR.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\MultiPASS Background.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\Encoder Agent.lnk
»Default User
*C:\WINDOWS\Start Menu\Programs\StartUp\Crystal 3D Audio Control.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\Shockwave Init.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\TextBridge Instant Access OCR.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\MultiPASS Background.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\Encoder Agent.lnk
»Local Machine
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=explorer.exe
»Text Files
*C:\WINDOWS\msdos.sys
*C:\msdos.sys
*C:\config.sys
*C:\autoexec.bat
*C:\WINDOWS\dosstart.bat
*C:\WINDOWS\wininit.bak
»System/Drivers
»Running Processes
*FFCF9885=C:\WINDOWS\SYSTEM\KERNEL32.DLL
*FFFFAF31=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
*FFFE59A1=C:\WINDOWS\SYSTEM\MPREXE.EXE
*FFFE26A5=C:\WINDOWS\SYSTEM\MSTASK.EXE
*FFFED2C5=C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
*FFFEF14D=C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE
*FFF949B1=C:\WINDOWS\SYSTEM\mmtask.tsk
*FFF968E5=C:\WINDOWS\EXPLORER.EXE
*FFF96AC9=C:\WINDOWS\RUNDLL32.EXE
*FFF861D5=C:\WINDOWS\TASKMON.EXE
*FFF81E71=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
*FFF8C095=C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
*FFF89149=C:\WINDOWS\SYSTEM\QTTASK.EXE
*FFF887F5=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
*FFF89DBD=C:\WINDOWS\RunDLL.exe
*FFFB78C5=C:\WINDOWS\CWD3DSND.EXE
*FFFB478D=C:\PROGRAM FILES\TEXTBRIDGE CLASSIC\BIN\TBMENU.EXE
*FFFB09D9=C:\MPASS\MPSERVER.EXE
*FFF9F8C5=C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
*FFF86D69=C:\MPASS\IPCSRVER.EXE
*FFFB31F1=C:\MPASS\DSMSRVR.EXE
*FFFB1425=C:\WINDOWS\SYSTEM\rtdsk40w.exe
*FFFB8EC1=C:\WINDOWS\SYSTEM\DDHELP.EXE
*FFFBFFC1=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
*FFC47CBD=C:\UNZIPPED\STARTDRECK\STARTDRECK.EXE
»NT Services
»Application specific



Logfile of HijackThis v1.99.0
Scan saved at 4:00:06 PM, on 2/6/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\CWD3DSND.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC\BIN\TBMENU.EXE
C:\MPASS\MPSERVER.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\MPASS\IPCSRVER.EXE
C:\MPASS\DSMSRVR.EXE
C:\WINDOWS\SYSTEM\rtdsk40w.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
O4 - HKLM\..\Run: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Power Scan] C:\PROGRAM FILES\POWER SCAN\POWERSCAN.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWD3DSND.EXE
O4 - Startup: Shockwave Init.lnk = C:\WINDOWS\SYSTEM\MACROMED\shockwave\swinit.exe
O4 - Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
O4 - Startup: MultiPASS Background.lnk = C:\MPASS\MPSERVER.EXE
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .vdo: C:\PROGRA~1\INTERN~1\plugins\npvdo32.dll
O12 - Plugin for .hlq: C:\PROGRA~1\INTERN~1\PLUGINS\nphcd32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted IP range: 81.211.105.20
O15 - Trusted IP range: 81.211.105.20 (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab

Thank you in advance,

Ken
 
Joined
Sep 16, 2002
Messages
1,157
Hmm, I was rather hoping that an admin/mod might respond.

»RunServicesOnce
**ar=rundll32 C:\WINDOWS\HLPSTEA3.GIF,DllGetClassObject

Have you tried searching the registry for RunServicesOnce and/or HLPSTEA3 ?

It's possible that it could be under HKEY_CURRENT_USER or HKEY_USERS
instead of HKEY_LOCAL_MACHINE

Otherwise, I'm really not sure why Startdreck is reporting a non-existent registry entry for a non-existent file.


Re: HJT log

Run the scan again and fix the following entries only:

O4 - HKLM\..\Run: [Power Scan] C:\PROGRAM FILES\POWER SCAN\POWERSCAN.EXE

O15 - Trusted IP range: 81.211.105.20

O15 - Trusted IP range: 81.211.105.20 (HKLM)



PowerScan is associated with the ISTBar foistware
http://www.liutilities.com/products/wintaskspro/processlibrary/powerscan/
http://www.pestpatrol.com/PestInfo/p/powerscan.asp


The following are all legit, but are also known useless resource hogs.
You can safely disable these to free up some system resources.

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

(Description: HP monitoring tool. Unnecessary. Disable this to free up some system resources.)


O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

(Description: RealPlayer scheduler. Completely unnecessary. Removing this entry will free up a small amount of system resources.)


O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe

(Description: The Encompass Monitor. This program is the Connect Direct Program. It is more trouble than it is worth and few use it.)


O4 - Startup: Shockwave Init.lnk = C:\WINDOWS\SYSTEM\MACROMED\shockwave\swinit.exe

(Description: Shockwave system tray icon - quite useless)


Please install Spybot Search & Destroy
Follow the setup instructions
During installation you will be prompted to Install the detection updates and immunize your system.
Do this and then run the scan.
When done, checkmark all results and click "fix checked".

Download and install AdawareSE
Click "Check for updates now" first (just above the "Start" button) and install the detection updates.
Then click "Start"
Uncheck "search for negligible risk entries"
Checkmark "Perform full system scan"
Click "Next" and let the scan run.
When done, checkmark all results (right click > select all) and click "Next".

Note: You MUST make sure that all browser/email/explorer windows are closed before fixing with HJT, SpybotSD and Adaware.


If it still remains, delete the "C:\Program Files\Power Scan" folder.

Go to: Start > Run
Type in: %temp%
Empty the contents of the Windows\Temp folder

Go to: Control Panel > Internet Options
Under "Temporary Internet Files", click "Delete" > OK

Reboot and post fresh logs.
 

ken65

Thread Starter
Joined
Jul 2, 2004
Messages
20
Hello,

I have followed the previous instructions and I still have the same problem -- I receive a message that internet explorer has encountered an error and must be shut down. Here are my latest Startdreck and HJT logs:

StartDreck (build 2.1.5 public BETA) - 2005-02-13 @ 21:25:53
Platform: Windows 98 (Win 4.10.1998 )

»Registry
»Run Keys
»Current User
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
»RunOnce
»Default User
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
»RunOnce
»Local Machine
»Run
*ScanRegistry=c:\windows\scanregw.exe /autorun
*TaskMonitor=c:\windows\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*VsecomrEXE=C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
*Vshwin32EXE=C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
*hpsysdrv=c:\windows\system\hpsysdrv.exe
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*Vshwin32EXE=C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
*EncMonitor=C:\Program Files\Encompass\Monitor.exe
»RunServicesOnce
**mbfw=rundll32 C:\WINDOWS\HLPSTEA3.GIF,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
*.bat
*batfile="%1" %*
*.com
*comfile="%1" %*
*.disabled
*SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" %1
*.exe
*exefile="%1" %*
*.hta
*htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
*.htm
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
*.html
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
*.js
*JSFile=C:\WINDOWS\WScript.exe "%1" %*
*.jse
*JSEFile=C:\WINDOWS\WScript.exe "%1" %*
*.pif
*piffile="%1" %*
*.scr
*scrfile="%1" /S
*.txt
*txtfile=c:\windows\NOTEPAD.EXE %1
*.vbs
*VBSFile=C:\WINDOWS\WScript.exe "%1" %*
*.vbe
*VBEFile=C:\WINDOWS\WScript.exe "%1" %*
*.wsh
*WSHFile=C:\WINDOWS\WScript.exe "%1" %*
*.wsf
*WSFFile=C:\WINDOWS\WScript.exe "%1" %*
*.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
*YBIOCtrl.CompanionBHO.4/{02478D38-C3F9-4efb-9B51-7695ECA05670}
`InprocServer32=C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
»Files
»Autostart Folders
»Current User
*C:\WINDOWS\Start Menu\Programs\StartUp\Crystal 3D Audio Control.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\Shockwave Init.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\TextBridge Instant Access OCR.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\MultiPASS Background.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\Encoder Agent.lnk
»Default User
*C:\WINDOWS\Start Menu\Programs\StartUp\Crystal 3D Audio Control.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\Shockwave Init.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\TextBridge Instant Access OCR.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\MultiPASS Background.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\Encoder Agent.lnk
»Local Machine
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=explorer.exe
»Text Files
*C:\WINDOWS\msdos.sys
*C:\msdos.sys
*C:\config.sys
*C:\autoexec.bat
*C:\WINDOWS\dosstart.bat
*C:\WINDOWS\wininit.ini
*C:\WINDOWS\wininit.bak
»System/Drivers
»Running Processes
*FFCF0D77=C:\WINDOWS\SYSTEM\KERNEL32.DLL
*FFFF3AC3=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
*FFFECC53=C:\WINDOWS\SYSTEM\MPREXE.EXE
*FFFED413=C:\WINDOWS\SYSTEM\mmtask.tsk
*FFFE4FDF=C:\WINDOWS\SYSTEM\MSTASK.EXE
*FFFE4383=C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
*FFFE60F3=C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE
*FFF9F4E7=C:\WINDOWS\RUNDLL32.EXE
*FFFE61FF=C:\WINDOWS\EXPLORER.EXE
*FFF9073B=C:\WINDOWS\TASKMON.EXE
*FFFEFDC3=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
*FFF8CBD7=C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
*FFF8797B=C:\WINDOWS\SYSTEM\QTTASK.EXE
*FFF80233=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
*FFF819FF=C:\WINDOWS\RunDLL.exe
*FFFBFE97=C:\WINDOWS\CWD3DSND.EXE
*FFFBC377=C:\PROGRAM FILES\TEXTBRIDGE CLASSIC\BIN\TBMENU.EXE
*FFFBC46B=C:\MPASS\MPSERVER.EXE
*FFF85643=C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
*FFF8449B=C:\MPASS\IPCSRVER.EXE
*FFFB99DF=C:\MPASS\DSMSRVR.EXE
*FFF805D7=C:\WINDOWS\SYSTEM\rtdsk40w.exe
*FFF9405F=C:\WINDOWS\SYSTEM\DDHELP.EXE
*FFFB362F=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
*FFC555C3=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
*FFC7FD27=C:\UNZIPPED\STARTDRECK\STARTDRECK.EXE
»NT Services
»Application specific



Logfile of HijackThis v1.99.0
Scan saved at 9:27:31 PM, on 2/13/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\CWD3DSND.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC\BIN\TBMENU.EXE
C:\MPASS\MPSERVER.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\MPASS\IPCSRVER.EXE
C:\MPASS\DSMSRVR.EXE
C:\WINDOWS\SYSTEM\rtdsk40w.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
O4 - HKLM\..\Run: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWD3DSND.EXE
O4 - Startup: Shockwave Init.lnk = C:\WINDOWS\SYSTEM\MACROMED\shockwave\swinit.exe
O4 - Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
O4 - Startup: MultiPASS Background.lnk = C:\MPASS\MPSERVER.EXE
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .vdo: C:\PROGRA~1\INTERN~1\plugins\npvdo32.dll
O12 - Plugin for .hlq: C:\PROGRA~1\INTERN~1\PLUGINS\nphcd32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted IP range: 81.211.105.20
O15 - Trusted IP range: 81.211.105.20 (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab


I still cannot find the following entry that has never appeared before. It appears on Startdreck but not on HJT:

**mbfw=rundll32 C:\WINDOWS\HLPSTEA3.GIF,DllGetClassObject

I believe it's under another name in my system, but I haven't been able to locate it.

Thank you for your help!

Ken
 
Joined
Sep 16, 2002
Messages
1,157
Ok, I've downloaded Startdreck now... :)

Try the following:

In Startdreck, scroll down to and highlight that line

**mbfw=rundll32 C:\WINDOWS\HLPSTEA3.GIF,DllGetClassObject

For now, click the "RegEdit" button in the bottom right corner.
This will open the Registry Editor with the referenced key selected.
In Regedit, right click this key in the left pane
and select "Copy Key Name".
Paste the reg key location into your next reply here.

Then go back to Startdreck and, with the same entry still selected, click the "Disable" button.
You could also click the "Delete" button, but we would like to know more information about that entry and file before you do so.


Please also follow the instructions in my previous post to install Spybot Search & Destroy.
I don't see Spybot Helper in your log. Once installed and enabled, there should be this entry in your HJT log:
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
 

ken65

Thread Starter
Joined
Jul 2, 2004
Messages
20
Hi there,

I followed your instructions and this is what the registry key reads:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

In the right column of the registry, it just reads "default" under the name column and "data not set" under the value column. There is no mention of the HLPSTEA3.gif in the value section.

I have Spybot Search and Destroy already installed and after running the scan, the log is empty -- it reads "system clean."

Thanks again!

Ken
 

ken65

Thread Starter
Joined
Jul 2, 2004
Messages
20
Hello,

My computer problems seem to be deepening. Not only do I see the message "this program has performed an illegal operation and will be shut down" upon connecting with Explorer, but I have two pesky dll files that I continually have to remove in safe mode. One has the same file name every time and goes in the Windows/Temp folder, the other always has a different name each time and is in the Windows/System folder.

I can only speculate that there is a hidden dll file somewhere in my system. The only line I can find different than previous HJT logs is this:

**mbfw=rundll32 C:\WINDOWS\HLPSTEA3.GIF,DllGetClassObject

I cannot find this file in Windows. My Startdreck and HJT logs are exactly the same as below.

Please someone assist me with this difficult problem. Thank you!

Ken
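
The two signs the thread keeps returning to, a RunServicesOnce value that points rundll32 at a file named .GIF and a value name that changes between logs (zk, ar, mbfw) while the command stays the same, can be checked for mechanically. The Python below is an added example, not part of any post and not StartDreck's own code; the sample text is excerpted from the three StartDreck logs above, and the function names and the extension allow-list are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Extensions a rundll32 target normally carries (assumed allow-list for this example).
LIBRARY_EXTS = {".dll", ".cpl", ".ocx"}

# "rundll32 <file>,<export>" in the spellings seen in the logs (RunDLL, Rundll32.exe, rundll32).
RUNDLL_RE = re.compile(
    r'^\s*"?rundll(?:32)?(?:\.exe)?"?\s+(?P<target>.+?)\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)

# Excerpt of the StartDreck logs posted in the thread; only the RunServicesOnce
# value name differs between the three snapshots (2005-02-05, -06 and -13).
EXCERPT = r"""
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
»RunServicesOnce
**{name}=rundll32 C:\WINDOWS\HLPSTEA3.GIF,DllGetClassObject
»RunOnceEx
"""
VALUE_NAMES = ("zk", "ar", "mbfw")


def parse_startdreck(text):
    """Return (section, value_name, command) tuples from a StartDreck log.

    Lines starting with the section marker set the current section; lines
    starting with one or more '*' and containing '=' are autostart entries.
    """
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("»"):
            section = line[1:].strip()
        elif line.startswith("*") and "=" in line:
            name, command = line.lstrip("*").split("=", 1)
            entries.append((section, name.strip(), command.strip()))
    return entries


def rundll_target(command):
    """Return the file rundll32 is asked to load, or None for other commands."""
    match = RUNDLL_RE.match(command)
    return match.group("target").strip('"') if match else None


def disguised_libraries(entries):
    """Entries where rundll32 is pointed at a file without a library extension."""
    hits = []
    for section, name, command in entries:
        target = rundll_target(command)
        if target and PureWindowsPath(target).suffix.lower() not in LIBRARY_EXTS:
            hits.append((section, name, target))
    return hits


def regenerated_values(snapshots):
    """Commands that survive across snapshots under a changing value name.

    A stable command with a new name in each log means something is rewriting
    the entry, so deleting the value alone will not hold.
    """
    seen = defaultdict(dict)  # (section, command) -> {snapshot index: value name}
    for index, entries in enumerate(snapshots):
        for section, name, command in entries:
            seen[(section, command)][index] = name
    return {
        key: list(names.values())
        for key, names in seen.items()
        if len(set(names.values())) > 1
    }


SNAPSHOTS = [parse_startdreck(EXCERPT.replace("{name}", n)) for n in VALUE_NAMES]

if __name__ == "__main__":
    for section, name, target in disguised_libraries(SNAPSHOTS[-1]):
        print(f"rundll32 loads a non-library file: [{section}] {name} -> {target}")
    for (section, command), names in regenerated_values(SNAPSHOTS).items():
        print(f"value renamed between logs: [{section}] {command} as {names}")
```
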
 