Iexplorer errors..HELP!

[sighlentex]

I use my friends computer often, and just recently he's been having an error message when he first boots the computer. The latest error he's been getting is "Iexplorer caused an error in 0.DLL" or something like that. Please help, he thinks I did something to his machine, and I really didn't. Here's the HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 9:54:55 PM, on 4/4/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSREG32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\UNLOAD\HPQCMON.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\HPHMON04.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PALTALK\PNETAWARE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\MSN\MSNCOREFILES\MSN6.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\HPHIPM11.EXE
C:\PALTALK\PALTALK.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://msnmember.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MSN
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\SYSTEM\MSREG32.EXE
F1 - win.ini: run=C:\WINDOWS\SYSTEM\MSREG32.EXE
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5,0,2,0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5,0,2,0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\SYSTEM\HPHMON04.EXE
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\pmremind.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Live (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37587.4177199074
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab

 

[john1]

look up that error message on google and see what it says ...

 

[sighlentex]

funny you suggested that, John, as that's what brought me to these forums.

any other suggestions? i've run a windows update, and run Spybot S&D, and the IE is still messing up.

i get two popups to start program: "Click the program you want to use to open 'System\'.

i'm thinking about pulling all my hair out...a strand at a time

 

[john1]

Whats the exact wording of the error message ?
You could try an I.E.repair, you never know that might do it ...

 

[VirtualMe]

I think you have an infection or reminats of one left behind. (Troj/Sdbot-FN)

First put Hijack This in its on folder. Don't leave it in the temp folder.

Then close all browser windows and run Hijack This.

Put a check by the two below in bold and click Fix Checked

F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\SYSTEM\MSREG32.EXE

F1 - win.ini: run=C:\WINDOWS\SYSTEM\MSREG32.EXE



Then reboot and search for MSREG32.EXE and 0.DLL and delete them if found.


Then run a online virus scan at one of these.

http://www3.ca.com/virusinfo/virusscan.aspx

http://housecall.trendmicro.com/

http://www.pandasoftware.com/activescan/

http://www.ravantivirus.com/scan/

Then your friend needs to get a virus program and spyware removal programs, Grisoft AVG Free Download , Ad-aware 6, and Spybot Download, to help protect against viruses and other baddies.

Grisoft AVG Free Download ,
AVG Update Download Options tip

Ad-aware 6
Ad-Aware 6: Reference Guide by Winchester73

Spybot Instructions and Download

 

[sighlentex]

Thanks VirtualMe...i think You might be right. I ran HJT and deleted the two that You said. I also deleted 0.dll (and could not find msreg32.exe). I rebooted the pc and had the same problem. 0.dll replicated and is still there. I deleted it twice, and even attempted to rename it, but it is self-preserving. Also of interest, is the fact that when i reboot the pc and run HJT the line :
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\SYSTEM\MSREG32.EXE
keeps reappearing.
(i'm also finding a file called 1.mzp that is unfamiliar to me)

Please help! This is a bad booger, and it really needs to go away!! Thanks in advance.

 

[sighlentex]

Ok...just a bit more REALLY IMPORTANT information..

it's Backdoor Assassin or Backdoor Beast that this computer is infected with. I found that out with Housecalls...but it says that it's uncleanable. Now what?

 

[VirtualMe]

Was the uncleanable files in System Restore?

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.

If so Disabling Windows Me System Restore will purge the restore points and get rid of the uncleanable files, if that is where it is.

If not, can you post the Anti-virus scan log, so we can see where it is located?

Post a new Hijack This log also.

You may need to hit Ctrl+Alt+Del and End Task on MSREG32.EXE from running if it shows there.

Then have Hijack This remove F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\SYSTEM\MSREG32.EXE

and 1.mzp

Also PalTalk is considered as adware by Pest Patrol, so you may want to see about uninstalling it.


I'm going to be away from the computer for several hours, so you may want to ask flrman1, Rollin' Rog, or one of the others over in the Security forum to look at the post you have started here.