Help with HSA etc. on Win98 Please

Hello,
Have issues on my PC with this program and its fellow cohorts Search Extender and Shopping Wizard.
As I'm running Win98, I cannot find a guide to remove this.
Have followed instructions for Win98 users and have done the following -

Complete Norton Antivirus scan
Ad-Aware 6 scan
HijackThis scan.

Here is the HijackThis scan

Logfile of HijackThis v1.99.1
Scan saved at 10:01:36, on 20/05/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\MSRU32.EXE
C:\WINDOWS\SYSTEM\JAVALU.EXE
C:\WINDOWS\SYSTEM\SYSMJ32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\PST\E-PRIME\PROGRAM\ACTIVATION.EXE
C:\WINDOWS\SYSMD32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\E_S5I0E1.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\EPSON\EPSON CARDMONITOR\EPSON CARDMONITOR1.2.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SYSMJ32.EXE
C:\WINDOWS\MSRU32.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\mrldy.dll/sp.html#34321
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\mrldy.dll/sp.html#34321
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\mrldy.dll/sp.html#34321
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\mrldy.dll/sp.html#34321
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\mrldy.dll/sp.html#34321
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\mrldy.dll/sp.html#34321
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\mrldy.dll/sp.html#34321
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Class - {C66A4520-5AC2-195A-F475-8DF6E2EFFA79} - C:\WINDOWS\SYSTEM\JAVACJ32.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\SYSTEM\E_S5I0E1.EXE /P26 "EPSON Stylus CX6600 Series" /O7 "EPUSB1:" /M "Stylus CX6600"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Se (Copy 2)] C:\WINDOWS\SYSTEM\E_S5I0E1.EXE /P31 "EPSON Stylus CX6600 Se (Copy 2)" /O5 "LPT1:" /M "Stylus CX6600"
O4 - HKLM\..\Run: [E-Prime Activation Manager] C:\PROGRAM FILES\PST\E-PRIME\PROGRAM\ACTIVATION.EXE
O4 - HKLM\..\Run: [SYSMD32.EXE] C:\WINDOWS\SYSMD32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [MSRU32.EXE] C:\WINDOWS\MSRU32.EXE /s
O4 - HKLM\..\RunServices: [JAVALU.EXE] C:\WINDOWS\SYSTEM\JAVALU.EXE /s
O4 - HKLM\..\RunServices: [SYSMJ32.EXE] C:\WINDOWS\SYSTEM\SYSMJ32.EXE /s
O4 - HKCU\..\Run: [EPSON Stylus CX6600 Se (Copy 2)] C:\WINDOWS\SYSTEM\E_S5I0E1.EXE /P31 "EPSON Stylus CX6600 Se (Copy 2)" /M "Stylus CX6600" /EF "HKCU"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: EPSON CardMonitor.lnk = C:\Program Files\epson\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe

I know all R1's and R0 are bad. This is a reloader and I can't find the exe to delete.
The mrldy.dll is clearly bad (random name).
I'm not sure if these are bad: MSRU32.EXE, SYSMJ32.EXE, JAVALU.EXE, but I really need help on this.
Also Norton Antivirus AutoProtect is always turned to 'off' even when switched back to 'on'. I assume this is due to HSA.

Any help would be great - thanks!!!

Bradley Allen

Comments

  • Buckeye_Sam Columbus, Ohio
    edited May 2005
    You have an HSA infection. The filenames on this type of infection can change each time you reboot your computer or use Internet Explorer. With that in mind, some of these filenames may be different. But the pattern is the same and you may be able to determine the correct files to remove. The sooner you perform this fix, the higher its chances for success.

    Much of this fix has to be performed in Safe Mode where you won't be able to access the Internet.
    Please print out these instructions.


    Step 1
    Download CWShredder but don't run it yet.


    Step 2
    Download AboutBuster
    Unzip it to your desktop but don't run it yet.


    Step 3
    Download Ad-aware SE 1.05
    Install the program and launch it. First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files. Exit Adaware for now.


    Step 5
    Make sure that you can VIEW ALL HIDDEN FILES.


    Step 6
    Run Hijackthis again, click scan, and put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\mrldy.dll/sp.html#34321
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\mrldy.dll/sp.html#34321
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\mrldy.dll/sp.html#34321
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\mrldy.dll/sp.html#34321
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\mrldy.dll/sp.html#34321
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\mrldy.dll/sp.html#34321
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\mrldy.dll/sp.html#34321
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {C66A4520-5AC2-195A-F475-8DF6E2EFFA79} - C:\WINDOWS\SYSTEM\JAVACJ32.DLL
    O4 - HKLM\..\Run: [SYSMD32.EXE] C:\WINDOWS\SYSMD32.EXE
    O4 - HKLM\..\RunServices: [MSRU32.EXE] C:\WINDOWS\MSRU32.EXE /s
    O4 - HKLM\..\RunServices: [JAVALU.EXE] C:\WINDOWS\SYSTEM\JAVALU.EXE /s
    O4 - HKLM\..\RunServices: [SYSMJ32.EXE] C:\WINDOWS\SYSTEM\SYSMJ32.EXE /s


    Step 7
    Reboot your computer into SAFE MODE


    Step 8
    Now run CWShredder, making sure to click "Fix".


    Step 9
    Then delete these files or directories (Do not be concerned if they do not exist)

    C:\WINDOWS\SYSTEM\JAVACJ32.DLL
    C:\WINDOWS\SYSMD32.EXE
    C:\WINDOWS\MSRU32.EXE
    C:\WINDOWS\SYSTEM\JAVALU.EXE
    C:\WINDOWS\SYSTEM\SYSMJ32.EXE
    C:\WINDOWS\system\mrldy.dll


    Step 10
    Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.


    Step 11
    Run a full scan with Adaware.


    Reboot your computer to go back to normal mode and post a new hijackthis log and the log from About Buster.
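The pattern Buckeye_Sam describes above (IE search settings pointed at a res:// DLL, an unnamed BHO, and Run/RunServices values named after the random EXE they launch, which then also shows up under running processes) can be checked mechanically instead of by eye. The script below is an added example written for this page; it is not part of the thread, of HijackThis, or of any other tool named in it. The regular expressions, the `WINDOWS_DIRS` set of Win9x locations and the sample log (abridged from the first log posted in this thread) are my own assumptions about the format, and the self-named autorun rule is a heuristic that can also fire on legitimate entries, so treat the output as a triage aid rather than a verdict.

```python
r"""Triage a HijackThis log for the HSA / about:blank "reloader" pattern.

Heuristics taken from the pattern in this thread's logs: R0/R1 search settings
pointed at a res://<dll>, the R3 missing-URLSearchHook entry, unnamed O2 BHOs
in C:\WINDOWS or C:\WINDOWS\SYSTEM, and O4 Run/RunServices values named after
the EXE they launch with that EXE sitting directly in one of those two dirs.
Flagged files are cross-checked against "Running processes:", since a reloader
that is live at scan time puts back whatever gets deleted.
"""
import re
from dataclasses import dataclass

# Constructed sample, abridged from the first log posted in this thread, with
# a few benign entries kept so the rules have something to leave alone.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\MSRU32.EXE
C:\WINDOWS\SYSTEM\JAVALU.EXE
C:\WINDOWS\SYSTEM\SYSMJ32.EXE
C:\WINDOWS\SYSMD32.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\mrldy.dll/sp.html#34321
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\mrldy.dll/sp.html#34321
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {C66A4520-5AC2-195A-F475-8DF6E2EFFA79} - C:\WINDOWS\SYSTEM\JAVACJ32.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [SYSMD32.EXE] C:\WINDOWS\SYSMD32.EXE
O4 - HKLM\..\RunServices: [MSRU32.EXE] C:\WINDOWS\MSRU32.EXE /s
O4 - HKLM\..\RunServices: [JAVALU.EXE] C:\WINDOWS\SYSTEM\JAVALU.EXE /s
O4 - HKLM\..\RunServices: [SYSMJ32.EXE] C:\WINDOWS\SYSTEM\SYSMJ32.EXE /s
"""

RES_HIJACK = re.compile(r"^R[01] - .+ = res://(.+?\.dll)/\S*$", re.IGNORECASE)
UNNAMED_BHO = re.compile(r"^O2 - BHO: Class - \{[0-9A-F-]+\} - (.+)$", re.IGNORECASE)
AUTORUN = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$", re.IGNORECASE)
URLSEARCHHOOK_MISSING = "R3 - Default URLSearchHook is missing"
WINDOWS_DIRS = {"C:\\WINDOWS", "C:\\WINDOWS\\SYSTEM"}  # Win9x layout assumed


@dataclass(frozen=True)
class Finding:
    kind: str      # which rule fired
    path: str      # file the entry points at ("" when the rule has none)
    running: bool  # True if that file is listed under "Running processes:"
    line: str      # the original log line, for the report


def split_path(path):
    """(DIRECTORY, BASENAME), both upper-cased, for a Windows path or bare name."""
    head, _, base = path.strip().strip('"').rpartition("\\")
    return head.upper(), base.upper()


def first_token(command):
    """Executable part of an O4 command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(None, 1)[0]


def parse_processes(text):
    """Upper-cased paths under 'Running processes:' (the section ends at a blank line)."""
    procs, in_section = set(), False
    for line in text.splitlines():
        if line.strip() == "Running processes:":
            in_section = True
        elif in_section:
            if not line.strip():
                break
            procs.add(line.strip().upper())
    return procs


def triage(text):
    """Return the Findings for one HijackThis log, in log order."""
    procs = parse_processes(text)
    findings = []

    def add(kind, path, line):
        findings.append(Finding(kind, path, path.upper() in procs, line))

    for line in (raw.strip() for raw in text.splitlines()):
        if m := RES_HIJACK.match(line):
            add("search_hijack", m.group(1), line)
        elif line == URLSEARCHHOOK_MISSING:
            add("urlsearchhook_missing", "", line)
        elif (m := UNNAMED_BHO.match(line)) and split_path(m.group(1))[0] in WINDOWS_DIRS:
            add("unnamed_bho", m.group(1).strip(), line)
        elif m := AUTORUN.match(line):
            _key, name, command = m.groups()
            exe = first_token(command)
            directory, base = split_path(exe)
            # Reloader signature: value name == file name, file directly in a Windows dir.
            if name.upper() == base and directory in WINDOWS_DIRS:
                add("self_named_autorun", exe, line)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:22} {'RUNNING' if f.running else '       '} {f.path or f.line}")
```

Run it as-is to see the sample triaged, or replace `SAMPLE_LOG` with the text of a saved log. The `RUNNING` column is the part worth reading first: an autorun entry whose EXE is live at scan time is exactly the case the advice above handles by fixing the entries in HijackThis first, then deleting the files from Safe Mode where the reloader is not running.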
  • edited May 2005
    Hello Buckeye_Sam

    Thanks for your help!

    Have followed your steps; however, I still have a problem, as this has not cured my PC.

    Here is the HijackThis scan result once completed all your steps

    Logfile of HijackThis v1.99.1
    Scan saved at 00:21:57, on 24/05/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\PST\E-PRIME\PROGRAM\ACTIVATION.EXE
    C:\WINDOWS\SYSTEM\E_S5I0E1.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\EPSON\EPSON CARDMONITOR\EPSON CARDMONITOR1.2.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R3 - Default URLSearchHook is missing
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: Class - {9933A143-1ACE-DB34-FC88-6D3E896DEB62} - C:\WINDOWS\SYSTEM\IEMV.DLL
    O2 - BHO: Class - {92777851-38C7-EE13-324F-F994288EAE7B} - C:\WINDOWS\SYSTEM\D3CV32.DLL
    O2 - BHO: Class - {DD33C16A-8227-DD45-058A-1DF494007B24} - C:\WINDOWS\SYSVM32.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
    O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\SYSTEM\E_S5I0E1.EXE /P26 "EPSON Stylus CX6600 Series" /O7 "EPUSB1:" /M "Stylus CX6600"
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [EPSON Stylus CX6600 Se (Copy 2)] C:\WINDOWS\SYSTEM\E_S5I0E1.EXE /P31 "EPSON Stylus CX6600 Se (Copy 2)" /O5 "LPT1:" /M "Stylus CX6600"
    O4 - HKLM\..\Run: [E-Prime Activation Manager] C:\PROGRAM FILES\PST\E-PRIME\PROGRAM\ACTIVATION.EXE
    O4 - HKLM\..\Run: [SYSMD32.EXE] C:\WINDOWS\SYSMD32.EXE
    O4 - HKLM\..\Run: [SYSXW32.EXE] C:\WINDOWS\SYSTEM\SYSXW32.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [MSRU32.EXE] C:\WINDOWS\MSRU32.EXE /s
    O4 - HKLM\..\RunServices: [JAVALU.EXE] C:\WINDOWS\SYSTEM\JAVALU.EXE /s
    O4 - HKLM\..\RunServices: [SYSMJ32.EXE] C:\WINDOWS\SYSTEM\SYSMJ32.EXE /s
    O4 - HKLM\..\RunServices: [IEDW32.EXE] C:\WINDOWS\IEDW32.EXE /s
    O4 - HKLM\..\RunServices: [CRHC.EXE] C:\WINDOWS\CRHC.EXE /s
    O4 - HKLM\..\RunServices: [JAVAAW32.EXE] C:\WINDOWS\JAVAAW32.EXE /s
    O4 - HKLM\..\RunServices: [ATLHW.EXE] C:\WINDOWS\SYSTEM\ATLHW.EXE /s
    O4 - HKLM\..\RunServices: [JAVAPZ.EXE] C:\WINDOWS\JAVAPZ.EXE /s
    O4 - HKLM\..\RunServices: [APPJK.EXE] C:\WINDOWS\SYSTEM\APPJK.EXE /s
    O4 - HKCU\..\Run: [EPSON Stylus CX6600 Se (Copy 2)] C:\WINDOWS\SYSTEM\E_S5I0E1.EXE /P31 "EPSON Stylus CX6600 Se (Copy 2)" /M "Stylus CX6600" /EF "HKCU"
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: EPSON CardMonitor.lnk = C:\Program Files\epson\EPSON CardMonitor\EPSON CardMonitor1.2.exe
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe

    Pretty much all the '04' entries look bad to my untrained eye. Looks like a reloader but I wonder which exe file is doing this? Perhaps it's the
    MSGSRV32.EXE file, as it exists now and before.

    Here is the About Buster result

    Scanned at: 00:09:08 on: 24/05/05


    -- Scan 1
    About:Buster Version 4.0
    Reference List : 19


    ADS not scanned System(FAT)
    Attempted Clean Of Temp folder.
    Pages Reset... Done!

    -- Scan 2
    About:Buster Version 4.0
    Reference List : 19


    ADS not scanned System(FAT)
    Attempted Clean Of Temp folder.
    Pages Reset... Done!


    Yes I did hard boot my pc while doing this.
    I hope you can spend a little more time to help me with this! It would be very much appreciated.

    Many thanks!
    Bradley Allen
  • Buckeye_Sam Columbus, Ohio
    edited May 2005
    This fix is time sensitive. It is unlikely to work for you if you wait four days to perform it. Here is an updated fix for you.


    You have an HSA infection. The filenames on this type of infection can change each time you reboot your computer or use Internet Explorer. With that in mind, some of these filenames may be different. But the pattern is the same and you may be able to determine the correct files to remove. The sooner you perform this fix, the higher its chances for success.

    Much of this fix has to be performed in Safe Mode where you won't be able to access the Internet.
    Please print out these instructions.


    Step 1
    Download CWShredder but don't run it yet.


    Step 2
    Download AboutBuster
    Unzip it to your desktop but don't run it yet.


    Step 3
    Download Ad-aware SE 1.05
    Install the program and launch it. First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files. Exit Adaware for now.


    Step 5
    Make sure that you can VIEW ALL HIDDEN FILES.


    Step 6
    Run Hijackthis again, click scan, and put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {9933A143-1ACE-DB34-FC88-6D3E896DEB62} - C:\WINDOWS\SYSTEM\IEMV.DLL
    O2 - BHO: Class - {92777851-38C7-EE13-324F-F994288EAE7B} - C:\WINDOWS\SYSTEM\D3CV32.DLL
    O2 - BHO: Class - {DD33C16A-8227-DD45-058A-1DF494007B24} - C:\WINDOWS\SYSVM32.DLL
    O4 - HKLM\..\Run: [SYSMD32.EXE] C:\WINDOWS\SYSMD32.EXE
    O4 - HKLM\..\Run: [SYSXW32.EXE] C:\WINDOWS\SYSTEM\SYSXW32.EXE
    O4 - HKLM\..\RunServices: [MSRU32.EXE] C:\WINDOWS\MSRU32.EXE /s
    O4 - HKLM\..\RunServices: [JAVALU.EXE] C:\WINDOWS\SYSTEM\JAVALU.EXE /s
    O4 - HKLM\..\RunServices: [SYSMJ32.EXE] C:\WINDOWS\SYSTEM\SYSMJ32.EXE /s
    O4 - HKLM\..\RunServices: [IEDW32.EXE] C:\WINDOWS\IEDW32.EXE /s
    O4 - HKLM\..\RunServices: [CRHC.EXE] C:\WINDOWS\CRHC.EXE /s
    O4 - HKLM\..\RunServices: [JAVAAW32.EXE] C:\WINDOWS\JAVAAW32.EXE /s
    O4 - HKLM\..\RunServices: [ATLHW.EXE] C:\WINDOWS\SYSTEM\ATLHW.EXE /s
    O4 - HKLM\..\RunServices: [JAVAPZ.EXE] C:\WINDOWS\JAVAPZ.EXE /s
    O4 - HKLM\..\RunServices: [APPJK.EXE] C:\WINDOWS\SYSTEM\APPJK.EXE /s


    Step 7
    Reboot your computer into SAFE MODE


    Step 8
    Now run CWShredder, making sure to click "Fix".


    Step 9
    Then delete these files or directories (Do not be concerned if they do not exist)

    C:\WINDOWS\SYSTEM\IEMV.DLL
    C:\WINDOWS\SYSTEM\D3CV32.DLL
    C:\WINDOWS\SYSVM32.DLL
    C:\WINDOWS\SYSMD32.EXE
    C:\WINDOWS\SYSTEM\SYSXW32.EXE
    C:\WINDOWS\MSRU32.EXE
    C:\WINDOWS\SYSTEM\JAVALU.EXE
    C:\WINDOWS\SYSTEM\SYSMJ32.EXE
    C:\WINDOWS\IEDW32.EXE
    C:\WINDOWS\CRHC.EXE
    C:\WINDOWS\JAVAAW32.EXE
    C:\WINDOWS\SYSTEM\ATLHW.EXE
    C:\WINDOWS\JAVAPZ.EXE
    C:\WINDOWS\SYSTEM\APPJK.EXE


    Step 10
    Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.


    Step 11
    Run a full scan with Adaware.


    Reboot your computer to go back to normal mode and post a new hijackthis log and the log from About Buster.
  • edited May 2005
    Hello,

    Thanks for going through my details again.
    Here are the two logs for Hijack and About:B

    Logfile of HijackThis v1.99.1
    Scan saved at 11:10:49, on 25/05/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\CREU32.EXE
    C:\WINDOWS\JAVAOY.EXE
    C:\WINDOWS\SYSTEM\APPSJ32.EXE
    C:\WINDOWS\SYSTEM\D3WL32.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\PST\E-PRIME\PROGRAM\ACTIVATION.EXE
    C:\WINDOWS\SYSTEM\SDKKF.EXE
    C:\WINDOWS\SYSTEM\E_S5I0E1.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\EPSON\EPSON CARDMONITOR\EPSON CARDMONITOR1.2.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\CREU32.EXE
    C:\WINDOWS\JAVAOY.EXE
    C:\WINDOWS\SYSTEM\APPSJ32.EXE
    C:\WINDOWS\SYSTEM\APIEV32.EXE
    C:\WINDOWS\DESKTOP\ANTIVIRUS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\fxjxr.dll/sp.html#34321
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fxjxr.dll/sp.html#34321
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\fxjxr.dll/sp.html#34321
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\fxjxr.dll/sp.html#34321
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fxjxr.dll/sp.html#34321
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\fxjxr.dll/sp.html#34321
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\fxjxr.dll/sp.html#34321
    R3 - Default URLSearchHook is missing
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: Class - {DD33C16A-8227-DD45-058A-1DF494007B24} - C:\WINDOWS\SYSVM32.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
    O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\SYSTEM\E_S5I0E1.EXE /P26 "EPSON Stylus CX6600 Series" /O7 "EPUSB1:" /M "Stylus CX6600"
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [EPSON Stylus CX6600 Se (Copy 2)] C:\WINDOWS\SYSTEM\E_S5I0E1.EXE /P31 "EPSON Stylus CX6600 Se (Copy 2)" /O5 "LPT1:" /M "Stylus CX6600"
    O4 - HKLM\..\Run: [E-Prime Activation Manager] C:\PROGRAM FILES\PST\E-PRIME\PROGRAM\ACTIVATION.EXE
    O4 - HKLM\..\Run: [SYSMD32.EXE] C:\WINDOWS\SYSMD32.EXE
    O4 - HKLM\..\Run: [SYSXW32.EXE] C:\WINDOWS\SYSTEM\SYSXW32.EXE
    O4 - HKLM\..\Run: [SDKKF.EXE] C:\WINDOWS\SYSTEM\SDKKF.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [MSRU32.EXE] C:\WINDOWS\MSRU32.EXE /s
    O4 - HKLM\..\RunServices: [JAVALU.EXE] C:\WINDOWS\SYSTEM\JAVALU.EXE /s
    O4 - HKLM\..\RunServices: [SYSMJ32.EXE] C:\WINDOWS\SYSTEM\SYSMJ32.EXE /s
    O4 - HKLM\..\RunServices: [IEDW32.EXE] C:\WINDOWS\IEDW32.EXE /s
    O4 - HKLM\..\RunServices: [CRHC.EXE] C:\WINDOWS\CRHC.EXE /s
    O4 - HKLM\..\RunServices: [JAVAAW32.EXE] C:\WINDOWS\JAVAAW32.EXE /s
    O4 - HKLM\..\RunServices: [ATLHW.EXE] C:\WINDOWS\SYSTEM\ATLHW.EXE /s
    O4 - HKLM\..\RunServices: [JAVAPZ.EXE] C:\WINDOWS\JAVAPZ.EXE /s
    O4 - HKLM\..\RunServices: [APPJK.EXE] C:\WINDOWS\SYSTEM\APPJK.EXE /s
    O4 - HKLM\..\RunServices: [CREU32.EXE] C:\WINDOWS\SYSTEM\CREU32.EXE /s
    O4 - HKLM\..\RunServices: [JAVAOY.EXE] C:\WINDOWS\JAVAOY.EXE /s
    O4 - HKLM\..\RunServices: [APPSJ32.EXE] C:\WINDOWS\SYSTEM\APPSJ32.EXE /s
    O4 - HKLM\..\RunServices: [D3WL32.EXE] C:\WINDOWS\SYSTEM\D3WL32.EXE /s
    O4 - HKLM\..\RunServices: [APIEV32.EXE] C:\WINDOWS\SYSTEM\APIEV32.EXE /s
    O4 - HKCU\..\Run: [EPSON Stylus CX6600 Se (Copy 2)] C:\WINDOWS\SYSTEM\E_S5I0E1.EXE /P31 "EPSON Stylus CX6600 Se (Copy 2)" /M "Stylus CX6600" /EF "HKCU"
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: EPSON CardMonitor.lnk = C:\Program Files\epson\EPSON CardMonitor\EPSON CardMonitor1.2.exe
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe


    Scanned at: 11:48:27 on: 25/05/05


    -- Scan 1
    About:Buster Version 4.0
    Reference List : 19


    ADS not scanned System(FAT)
    Attempted Clean Of Temp folder.
    Pages Reset... Done!

    -- Scan 2
    About:Buster Version 4.0
    Reference List : 19


    ADS not scanned System(FAT)
    Attempted Clean Of Temp folder.
    Pages Reset... Done!


    There is still a dataminer file as a cookie in temp Inet files that I cannot delete and neither can adaware.

    Anyway here are the details. I am very appreciative of your help; if I had your knowledge I would help others too.

    Many thanks!
    Bradley Allen

    p.s. I did a hard boot of my PC. I have read that when I use the start menu to turn off the PC this activates the virus again, not sure if this is true.
  • edited May 2005
    MY APOLOGIES!!

    Here is the correct hijackthis log which is most recent (today)

    Logfile of HijackThis v1.99.1
    Scan saved at 12:20:12, on 25/05/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\PST\E-PRIME\PROGRAM\ACTIVATION.EXE
    C:\WINDOWS\SYSTEM\E_S5I0E1.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\EPSON\EPSON CARDMONITOR\EPSON CARDMONITOR1.2.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\DESKTOP\ANTIVIRUS\HIJACKTHIS.EXE

    R3 - Default URLSearchHook is missing
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
    O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\SYSTEM\E_S5I0E1.EXE /P26 "EPSON Stylus CX6600 Series" /O7 "EPUSB1:" /M "Stylus CX6600"
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [EPSON Stylus CX6600 Se (Copy 2)] C:\WINDOWS\SYSTEM\E_S5I0E1.EXE /P31 "EPSON Stylus CX6600 Se (Copy 2)" /O5 "LPT1:" /M "Stylus CX6600"
    O4 - HKLM\..\Run: [E-Prime Activation Manager] C:\PROGRAM FILES\PST\E-PRIME\PROGRAM\ACTIVATION.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKCU\..\Run: [EPSON Stylus CX6600 Se (Copy 2)] C:\WINDOWS\SYSTEM\E_S5I0E1.EXE /P31 "EPSON Stylus CX6600 Se (Copy 2)" /M "Stylus CX6600" /EF "HKCU"
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: EPSON CardMonitor.lnk = C:\Program Files\epson\EPSON CardMonitor\EPSON CardMonitor1.2.exe
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe

    Sorry about that

    Bradley Allen
  • Buckeye_Sam Columbus, Ohio
    edited May 2005
    Fix this line with Hijackthis:

    R3 - Default URLSearchHook is missing


    A hard boot is not necessary unless specifically requested by the person helping you. Are you having any other problems?
  • edited May 2005
    Hello,

    HijackThis has successfully deleted that R3 entry.

    Did a normal restart using the Start menu and no issues have arisen. Also, Internet default address is now google which is what we use.

    So it's looking pretty good now.
    Will keep you posted but

    THANKS!!!

    For your assistance and time

    Kind regards
    Bradley Allen
  • Buckeye_Sam Columbus, Ohio
    edited May 2005
    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
    1. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

      You can find instructions on how to disable and re-enable system restore here:

      Managing Windows Millennium System Restore

      or

      Windows XP System Restore Guide

      Re-enable system restore with instructions from the tutorial above.

    2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        1. Change the Download signed ActiveX controls to Prompt
        2. Change the Download unsigned ActiveX controls to Disable
        3. Change the Initialize and script ActiveX controls not marked as safe to Disable
        4. Change the Installation of desktop items to Prompt
        5. Change the Launching programs and files in an IFRAME to Prompt
        6. Change the Navigate sub-frames across different domains to Prompt
        7. When all these settings have been made, click on the OK button.
        8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.

    3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

      See this link for a listing of some online & their stand-alone antivirus programs:

      Virus, Spyware, and Malware Protection and Removal Resources

    4. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    5. Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

      For a tutorial on Firewalls and a listing of some available ones see the link below:

      Understanding and Using Firewalls

    6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

    7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

      A tutorial on installing & using this product can be found here:

      Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

    8. Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

      A tutorial on installing & using this product can be found here:

      Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

    9. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware

    10. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.
  • edited May 2005
    Hello

    Thanks for that info, have actioned from your list.

    HSA has definitely been deleted - thanks again for your help and time and effort, it has saved me a lot of trouble.

    Many thanks!

    Bradley Allen
  • Buckeye_Sam Columbus, Ohio
    edited May 2005
    Glad I could help out. :)