Annoyances.org
Evil "lexplore" virus hijacked me
Showing all messages in thread #1086327046
Windows 98 Annoyances Discussion Forum


The following are all of the messages in this thread (37 in all), shown in chronological order.
Evil "lexplore" virus hijacked me
Thursday, June 3, 2004 at 10:30 pm
Posted by geehawgirl (47 messages posted)

Had a PIL song in my head the other day, went to look up the lyrics. Before I knew it, something weird happened on the site. When I was finally able to click out, there were three new icons on my desktop - one said it was Lycos, another said "2nd Thought" the third said "Casino - $200...". When I control alt delete, the program calls itself "lexplore". What the virus wants to do is continuously launch my opening Explorer window - six, seven, eight windows go. It seems to have a time-release launcher (every five minutes or so) as well as something that will launch the same explorer window when I'm working from Netscape and go from one page to another - it'll launch every time I go to a new window. Sometimes the lower bars will say it's downloading something, which I find horrifying. Ad-Aware has taken out some 300 objects, many of them contain the word "malware". I've tried add/remove programs, tried to locate anything from those dates in my files and delete - am still plagued. Where can I go to get (hopefully free) software to rout out this crap? AND WHAT THE HELL IS WRONG WITH PEOPLE THAT THEY DO THIS SORT OF THING??? Would appreciate any help.


re: Evil "lexplore" virus hijacked me
Thursday, June 3, 2004 at 11:59 pm
Posted by Ms. Eagle (33507 messages posted)


I know, it's terrible isn't it..... Do these things. Second thought is a hijacker, and it's also an ActiveX install, if I recall.

Clear out your TIF and other temp files. Internet Options - General tab. Delete temporary internet files, and choose to 'delete all Offline content'. In Settings, set the size of your TIF folder between 5 - 10 MB.

Also, under General tab - choose Settings - View Objects. In the window that opens, choose View Details on the toolbar. If any of those ActiveX Controls are marked "unknown" or "damaged", remove them. Remove any you don't recognize.

Start - Find - Files or folders - in the named box, type: *.tmp and choose Edit - select all - File - delete. Empty the contents of the C:\Windows\temp folder and C:\temp folder, if you have one. Empty Recycle bin.

Download 'Hijack This'
Unzip 'HT' into a "Folder", any folder but a temp folder. It creates backups. Close all browser windows and run it offline. Double click the .Exe file to run it. Choose Scan. It'll display a list. Most of the entries listed are necessary or required entries. Don't fix anything, until you know which items to fix.
HijackThisTutorial
After the scan is finished, the Scan button will turn into Save Log. Press that and copy/paste the contents in a post. Before posting your message, choose this Option: Check this box to preserve your spacing, etc....

I suggest installing SpywareBlaster for protection from further problems. Check for and download updates after installing it, and frequently thereafter. Enable protection for Restricted sites, as well as IE: JavaCoolSoftware.com


re: Evil "lexplore" virus hijacked me
Friday, June 4, 2004 at 4:26 am
Posted by Carl S. (426 messages posted)

You also could download, update & run Spybot Search & Destroy. Oh, and yes, it is FREE. There is a new version out just recently. You can get it here: http://www.safer-networking.org/




On Thursday, June 3, 2004 at 10:30 pm, gammagirl66 wrote:
>Had a PIL song in my head the other day, went to look up the lyrics. Before I knew
>it, something weird happened on the site. When I was finally able to click out,
>there were three new icons on my desktop - one said it was Lycos, another said "2nd
>Thought" the third said "Casino - $200...". When I control alt delete, the program
>calls itself "lexplore". What the virus wants to do is continuously launch my opening
>Explorer window - six, seven, eight windows go. It seems to have a time-release
>launcher (every five minutes or so) as well as something that will launch the same
>explorer window when I'm working from Netscape and go from one page to another -
>it'll launch every time I go to a new window. Sometimes the lower bars will say
>it's downloading something, which I find horrifying. Ad-Aware has taken out some
>300 objects, many of them contain the word "malware". I've tried add/remove programs,
>tried to locate anything from those dates in my files and delete - am still plagued.
> Where can I go to get (hopefully free) software to rout out this crap? AND WHAT
>THE HELL IS WRONG WITH PEOPLE THAT THEY DO THIS SORT OF THING??? Would appreciate
>any help.


re: Evil "lexplore" virus hijacked me
Friday, June 4, 2004 at 2:32 pm
Posted by David (6 messages posted)

I actually had something similar to this - I don't think it was related to a recent thread that I posted about the cidj.dll though.

After being hit with a Downloader.Trojan alert from an HTML file which then loaded a CHM file (which took advantage of the MHTMLRedir.Exploit) I tried to remove the files through quarantine and deletion.

I had to manually remove most of the files. But a weird side effect was that later, when I attempted to start Windows Media Player, it would hang. I used Ctrl Alt Del like you, and it showed the same thing.

After removing most spy/malware that had accumulated since my last checkup and reinstalling Media Player 9 Series, the problem was solved.


re: Evil "lexplore" virus hijacked me
Friday, June 4, 2004 at 6:16 pm
Posted by Ms. Eagle (33507 messages posted)

A lot of people have similar problems, but how's your story helping the poster?


re: Evil "lexplore" virus hijacked me
Friday, June 4, 2004 at 6:26 pm
Posted by David (6 messages posted)

While I don't think it directly helped the poster 100%, I was simply wanting to express my own experience, rather than posting another thread saying the same thing but with the side effect being the only difference.

In doing so, perhaps someone searching the forum for a problem similar to their own (rather than just posting another thread) will notice my comment, and perhaps find equal success in the steps I listed.


re: Evil "lexplore" virus hijacked me
Friday, June 4, 2004 at 7:36 pm
Posted by geehawgirl (47 messages posted)

Now, now...it does help me. It's nice to hear from others and see how they solved it, it makes me feel like less of a gobshite, and I feel a little less alone in my struggles.


re: Evil "lexplore" virus hijacked me
Friday, June 4, 2004 at 7:50 pm
Posted by geehawgirl (47 messages posted)

P.S. Hey everybody --- Spybot fixed me!!! Hooraye! Thank you for your input and for helping out - I love that I have somewhere to come when I'm confounded by my computer.


re: Evil "lexplore" virus hijacked me
Friday, June 4, 2004 at 11:23 pm
Posted by Ms. Eagle (33507 messages posted)


Good deal! Be sure to install SpywareBlaster, if you haven't. It will save a lot of problems and prevent bad installs, in the first place. The newer hijackings and so on are getting more complex to fix. Anyway, you were right. It often helps just to hear someone else's experience, so my apologies to both you and David. That was good information he posted on the forum earlier, in another thread also.


re: Evil "lexplore" virus hijacked me
Friday, June 4, 2004 at 11:30 pm
Posted by Ms. Eagle (33507 messages posted)


David, I apologize, and my comment was unwarranted. Thank you for not lashing out at me! :) That's true; it's good to share information and tell about your own experiences. Besides, your post was excellent.


re: Evil "lexplore" virus hijacked me
Sunday, June 6, 2004 at 9:38 am
Posted by geehawgirl (47 messages posted)

Y'know Carol, I thought I was done with this @#$%^ but I've run into more problems. When I run Spybot it hangs at 643/3594. Following Spybot's instructions I tried to do the advanced mode exclude C2.lop but it does not load anything onto the screen for me to check to exclude. Spybot's forum is down for file updates today so I can't post a query. Additionally, though I've altered my temp files to only accept 8MB I find I am unable to delete my temp files: When I run the *.tmp search it comes up with over 10,000 and says that I have to refine my search. When I try to select all and delete what's on my screen it goes to an hourglass icon and never comes back. When I try to find the *.tmp files by date and take them on incrementally I reach a point where it says there's an error and it cannot delete files. Meanwhile my browser is continually self-launching to Explorer even though I'm using Netscape as a bypass. I have SpywareBlaster installed but I don't think it's doing anything, and I'm not sure that I can do HijackThis without having fully run Spybot successfully. I'm at my wit's end.


re: Evil "lexplore" virus hijacked me
Sunday, June 6, 2004 at 9:04 pm
Posted by David (6 messages posted)

Gamma, what luck did you have removing any suspicious or corrupt Objects? In her initial response post (Thursday, June 3), Carol mentioned these.

For reference, to take a peek at installed objects, click Tools, Internet Options. Under General Tab, click Settings (next to Delete Files / Cookies). At the bottom, the third button should be View Objects.


re: Evil "lexplore" virus hijacked me
Monday, June 7, 2004 at 12:04 am
Posted by geehawgirl (47 messages posted)

Trish just posted an "IE launching repeatedly" message - it's the same problem as mine. I did go into settings and view objects. There were a number of them that were damaged and unknown and I removed them all to no avail. (here comes another window.........) I have tried running Spybot but it hangs at 9469, even when I disable the C2.lops. Been working on this for almost a week now. I really don't understand what sort of person does this crappy stuff. Maggots - they're maggots.


re: Evil "lexplore" virus hijacked me
Monday, June 7, 2004 at 2:53 pm
Posted by Ms. Eagle (33507 messages posted)


Firstly, that hang at C2Lop when running SpyBot, is an old bug, in the previous version 1.2, that was fixed long ago. There was an update put out that covered. Spybot 1.3 was recently made available for download, you obviously don't have it. If there are "thousands" of those ".tmp" files that come up, it's likely that you've never cleaned them out. Don't delete them all at once then. That's your deal, so I don't know what to say other than that. If you've cleared out all your TIF, there should be a lot less *.tmp files. Oh, my.....read up on SpywareBlaster, and what you're supposed to do after installing it. Download updates, enable protection, like I stated in my previous post. You won't SEE it do anything as far as protecting your system. READ


re: Evil "lexplore" virus hijacked me
Monday, June 7, 2004 at 10:51 pm
Posted by geehawgirl (47 messages posted)

I will read - I'm just sort of fatigued and feeling out of my league with all this stuff. A week ago I didn't know what a *.tmp file was, it's all a vertical climb, just want my life to return to normal and have some friendly piece of software fix something that I didn't invite onto my system in the first place, trying not to feel so invaded and put upon every time I hear my computer clicking and loading up six more unwanted browser windows. I do appreciate your help, though.


re: Evil "lexplore" virus hijacked me
Monday, June 7, 2004 at 11:16 pm
Posted by Ms. Eagle (33507 messages posted)


I know, it's probably overwhelming. I apologize for being short with you. It's difficult to help, when people are frantic about something. How about taking it a step at a time. Where are you with deleting those *.tmp files? That's too many to try to delete all at once, even though they're very small usually. Have you emptied your temporary internet files and Windows\temp folder? You could post a HijackThis log first, if you still can't run SpyBot.

If you could get rid of the junk files, then uninstall SpyBot 1.2. Reboot. The directory will be left behind with a few subfolders. When installing the new one, you'll get a message that 'the directory already exists, do you want to install there anyway'. Say YES. When installing it, you don't need to choose the extra options it asks about, or let it back up your registry.

Download SpybotS&D 1.3: Safer-Networking.org or from Major Geeks: SpyBot-Search & Destroy 1.3
Close running programs then install. Reboot. Load it and check for and download updates. Close your browser and run the "Default mode" scan. 'Check All', and fix everything SpyBot-S&D labels in RED. Reboot.

Download 'Hijack This'
Unzip 'HT' into any folder but a temp folder. It creates backups. Close all browser windows. Run the Scan. Most of the entries listed are necessary or required entries. Don't fix anything, until you know which items to fix.
HijackThisTutorial
After the scan is finished, the Scan button will turn into Save Log. Press that and paste the contents here. Before posting your message, choose this Option: Check this box to preserve your spacing, etc....


re: Evil "lexplore" virus hijacked me
Tuesday, June 8, 2004 at 11:24 am
Posted by geehawgirl (47 messages posted)

I already have the Spybot 1.3 and it consistently hangs at 9469/14284. I have deleted my TIF files but when I check the "Delete all offline content" box it hangs and I can't come back from that. When I do the *.tmp file search I get the message that I have to refine my search and it hangs when I even move my cursor over to the "File" droplist thing. I have read the SpywareBlaster info! I have installed and run Hijack This and the results follow. I am mystified but grateful for your help. I know it's annoying when people don't know much but computers are complicated though they appear innocuous enough - it's hard to know what you need to know and what you should be doing to maintain yourself so you don't get caught in a situation like this.

Logfile of HijackThis v1.97.7
Scan saved at 11:20:50 AM, on 6/8/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\COMPAQ\ACCESS\ENCOMPASS\MONITOR.EXE
C:\PROGRAM FILES\MCAFEE\PGP\IKESERVICE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\BITWARE\CBWATTN.EXE
C:\PROGRAM FILES\BITWARE\CBWHOST.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\COMPAQ\INTERNET\CISRVR.EXE
C:\WINDOWS\SYSTEM\SXGDSENU.EXE
C:\PROGRAM FILES\SONIC IMPACT A3D\VRTXCTRL.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEAUI.EXE
C:\WINDOWS\SYSTEM\CQSCP2PS.EXE
C:\WINDOWS\SYSTEM\SHPC32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\CQSCP2PS.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE UTILITIES\COMDLGEX.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE UTILITIES\STARTM.EXE
C:\WINDOWS\SYSTEM\HPZTSB03.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE UTILITIES\HDE.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\WINDOWS\MSCMGR.EXE
C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=1c99&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=1c99&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=1c99&s=search&i=enu
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {08351226-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE026.DLL
O2 - BHO: (no name) - {bcfad060-b146-11d7-8ce3-0008c713a59e} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {08227B4B-54FE-4C4D-809F-BCA46292FC5B} - C:\WINDOWS\SYSTEM\ZEDD4.DLL
O2 - BHO: (no name) - {EFF80427-F837-4B74-8834-BAF18E0553FD} - C:\PROGRA~1\SYSTEM\MISC\MBH19.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {5E92F538-B50B-46c5-9C5F-C6EECED3F6C6} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe /NORESTART
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [CISrvr Program] C:\COMPAQ\INTERNET\CISRVR.EXE
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\McAfee\VirusScan\VSECOMR.EXE
O4 - HKLM\..\Run: [SXGDSENU] SXGDSENU.exe
O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\asp4setp.exe 3
O4 - HKLM\..\Run: [SonicA3DControl] C:\PROGRA~1\SONICI~1\VrtxCtrl.exe
O4 - HKLM\..\Run: [OEMCLEANUP] c:\windows\OPTIONS\oemreset.exe
O4 - HKLM\..\Run: [CPQEASYACC] "C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\Cpqeaui.exe"
O4 - HKLM\..\Run: [cqscp2ps.exe] C:\WINDOWS\SYSTEM\cqscp2ps.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [CompaqSysTray] cpqpscp.exe
O4 - HKLM\..\Run: [SHPC32] shpc32.exe
O4 - HKLM\..\Run: [CQSCP2PSERVER] CQSCP2PS.EXE
O4 - HKLM\..\Run: [Oil Change] C:\PROGRA~1\MCAFEE\OILCHA~1\OCTray32.exe Start
O4 - HKLM\..\Run: [NB Common Dialog Enhancements] C:\PROGRA~1\MCAFEE\MCAFEE~1\comdlgex.exe
O4 - HKLM\..\Run: [Start Menu Enhancements] C:\PROGRA~1\MCAFEE\MCAFEE~1\startm.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb03.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Icon Animation] C:\PROGRAM FILES\MCAFEE\MCAFEE UTILITIES\HDE.EXE /hook
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\mscmgr.exe
O4 - HKLM\..\RunServices: [HC Reminder] hc.exe
O4 - HKLM\..\RunServices: [CBWHost] C:\PROGRA~1\BITWARE\CBWEXEC.EXE /Run C:\PROGRA~1\BITWARE\CBWHOST.EXE
O4 - HKLM\..\RunServices: [CBWAttn] C:\PROGRA~1\BITWARE\CBWEXEC.EXE /Run C:\PROGRA~1\BITWARE\CBWATTN.EXE
O4 - HKLM\..\RunServices: [EncMonitor] c:\compaq\access\Encompass\Monitor.exe
O4 - HKLM\..\RunServices: [IKEService95] C:\Program Files\McAfee\PGP\IKEService.exe
O4 - HKLM\..\RunServices: [McAfee Image] C:\PROGRA~1\MCAFEE\MCAFEE~1\image32.exe /auto
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Installer] C:\WINDOWS\SYSTEM\WINST.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Print Favorites (HKLM)
O9 - Extra 'Tools' menuitem: Print &Favorites... (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: SideStep (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPSWF32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} (SideStep IE Inst) - http://download.sidestep.com/get/k00719/sb026.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
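
Added example, not part of any post in this thread and not HijackThis's own code: a small Python parser for a pasted HijackThis log that strips `>` reply-quote markers, rejoins entries that a forum has wrapped onto a second line, and lists the entries whose target is reported as "(no file)" or "(file missing)". The function names are hypothetical, the sample is a short excerpt of the log above, and the orphan check is a triage hint for a human reader, not a verdict on any entry.

```python
import re
from collections import Counter

# Section codes as they appear in the log itself (R0-R3 IE settings, O2 BHO,
# O3 toolbar, O4 autostart, O16 DPF, ...), followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Markers the log prints when a registered component has no file on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Excerpt of the log posted in this thread, in the quoted and wrapped form a
# forum reply produces when spacing is not preserved.
SAMPLE = r"""
>Logfile of HijackThis v1.97.7
>Platform: Windows 98 Gold (Win9x 4.10.1998)
>
>Running processes:
>C:\WINDOWS\SYSTEM\KERNEL32.DLL
>C:\WINDOWS\EXPLORER.EXE
>
>R3 - Default URLSearchHook is missing
>O2 - BHO: (no name) - {bcfad060-b146-11d7-8ce3-0008c713a59e} - (no file)
>O2 - BHO: (no name) - {EFF80427-F837-4B74-8834-BAF18E0553FD} - C:\PROGRA~1\SYSTEM\MISC\MBH19.DLL
>(file missing)
>O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot
>- Search & Destroy\SDHelper.dll
>O3 - Toolbar: (no name) - {5E92F538-B50B-46c5-9C5F-C6EECED3F6C6} - (no file)
>O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
>/NORESTART
"""


def parse_log(text):
    """Return (processes, entries); entries are (section_code, body) tuples.

    Pass only the log portion of a post: any non-entry line after the first
    entry is treated as the wrapped tail of the entry before it.
    """
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.lstrip("> \t").rstrip()   # drop reply-quote markers
        if not line:
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False             # first entry ends the process list
            entries.append([match.group(1), match.group(2).strip()])
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            processes.append(line)
        elif entries:
            entries[-1][1] += " " + line     # rejoin a wrapped entry
        # anything else is a header line before the process list; ignored
    return processes, [tuple(e) for e in entries]


def orphaned(entries):
    """Entries whose registered file is reported absent: (code, clsid, body)."""
    hits = []
    for code, body in entries:
        if any(marker in body.lower() for marker in ORPHAN_MARKERS):
            clsid = CLSID_RE.search(body)
            hits.append((code, clsid.group(0) if clsid else None, body))
    return hits


def section_counts(entries):
    """How many entries each section code contributes."""
    return Counter(code for code, _ in entries)


if __name__ == "__main__":
    procs, items = parse_log(SAMPLE)
    print(len(procs), "processes,", len(items), "entries", dict(section_counts(items)))
    for code, clsid, body in orphaned(items):
        print("orphan:", code, clsid, "|", body)
```

Without the rejoin step the "(file missing)" tail of the third entry would be read as a separate line and the orphaned BHO would go unreported, which is the practical reason the helpers in the thread ask for spacing to be preserved when a log is posted.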


re: Evil "lexplore" virus hijacked me
Tuesday, June 8, 2004 at 1:08 pm
Posted by Dan (1278 messages posted)

Hi GG66, just wanted to get in on this thread so I would get the results of the read 
on your HiJackThis Scan Log whenever one of the posters that feel they are qualified 
checks it out for you--I have little time reading these logs, but notice a lot of 
".exe " and other lines that need checked whether they are good or bad entries, and 
offer a few suggestions--:

1. You said that you already have SpywareBlaster installed--well, that has a data
base of undesirable ActiveX and hostile Cookies, and since SpywareBlaster will keep
whatever is in the data base from running even if they are on your system, you could
be masking some of the problems.

2. Instead of running HijackThis from the desktop, create a folder of its own other
than a "Temp" folder as it creates backups as I understand it...

3. Prior to posting a log check the "check this box to preserve your spacing"--facilitates 
reading of the log--wraps each line entry for easier reading. 






On Tuesday, June 8, 2004 at 11:24 am, gammagirl66 wrote:
>I already have the Spybot 1.3 and it consistently hangs at 9469/14284. I have deleted
>my TIF files but when I check the "Delete all offline content" box it hangs and I
>can't come back from that. When I do the *.tmp file search I get the message that
>I have to refine my search and it hangs when I even move my cursor over to the "File"
>droplist thing. I have read the SpywareBlaster info! I have installed and run Hijack
>This and the results follow. I am mystified but grateful for your help. I know
>it's annoying when people don't know much but computers are complicated though they
>appear innocuous enough - it's hard to know what you need to know and what you should
>be doing to maintain yourself so you don't get caught in a situation like this.
>
>Logfile of HijackThis v1.97.7
>Scan saved at 11:20:50 AM, on 6/8/04
>Platform: Windows 98 Gold (Win9x 4.10.1998)
>MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
>
>Running processes:
>C:\WINDOWS\SYSTEM\KERNEL32.DLL
>C:\WINDOWS\SYSTEM\MSGSRV32.EXE
>C:\WINDOWS\SYSTEM\mmtask.tsk
>C:\WINDOWS\SYSTEM\MPREXE.EXE
>C:\COMPAQ\ACCESS\ENCOMPASS\MONITOR.EXE
>C:\PROGRAM FILES\MCAFEE\PGP\IKESERVICE.EXE
>C:\WINDOWS\SYSTEM\MSTASK.EXE
>C:\PROGRAM FILES\BITWARE\CBWATTN.EXE
>C:\PROGRAM FILES\BITWARE\CBWHOST.EXE
>C:\WINDOWS\SYSTEM\TAPISRV.EXE
>C:\WINDOWS\TASKMON.EXE
>C:\WINDOWS\SYSTEM\SYSTRAY.EXE
>C:\WINDOWS\SYSTEM\ATICWD32.EXE
>C:\WINDOWS\SYSTEM\ATITASK.EXE
>C:\MOUSE\SYSTEM\EM_EXEC.EXE
>C:\COMPAQ\INTERNET\CISRVR.EXE
>C:\WINDOWS\SYSTEM\SXGDSENU.EXE
>C:\PROGRAM FILES\SONIC IMPACT A3D\VRTXCTRL.EXE
>C:\WINDOWS\SYSTEM\DDHELP.EXE
>C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEAUI.EXE
>C:\WINDOWS\SYSTEM\CQSCP2PS.EXE
>C:\WINDOWS\SYSTEM\SHPC32.EXE
>C:\WINDOWS\SYSTEM\LEXBCES.EXE
>C:\WINDOWS\SYSTEM\CQSCP2PS.EXE
>C:\PROGRAM FILES\MCAFEE\MCAFEE UTILITIES\COMDLGEX.EXE
>C:\WINDOWS\SYSTEM\RPCSS.EXE
>C:\PROGRAM FILES\MCAFEE\MCAFEE UTILITIES\STARTM.EXE
>C:\WINDOWS\SYSTEM\HPZTSB03.EXE
>C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
>C:\WINDOWS\SYSTEM\SPOOL32.EXE
>C:\WINDOWS\LOADQM.EXE
>C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
>C:\PROGRAM FILES\MCAFEE\MCAFEE UTILITIES\HDE.EXE
>C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
>C:\WINDOWS\MSCMGR.EXE
>C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE
>C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
>C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
>C:\WINDOWS\EXPLORER.EXE
>C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
>
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=1c99&s=search&i=enu
>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=1c99&s=search&i=enu
>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=1c99&s=search&i=enu
>R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
>R3 - Default URLSearchHook is missing
>O2 - BHO: (no name) - {08351226-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\DOWNLOADED
>PROGRAM FILES\SBCIE026.DLL
>O2 - BHO: (no name) - {bcfad060-b146-11d7-8ce3-0008c713a59e} - (no file)
>O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT
>5.0\READER\ACTIVEX\ACROIEHELPER.OCX
>O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
>O2 - BHO: (no name) - {08227B4B-54FE-4C4D-809F-BCA46292FC5B} - C:\WINDOWS\SYSTEM\ZEDD4.DLL
>O2 - BHO: (no name) - {EFF80427-F837-4B74-8834-BAF18E0553FD} - C:\PROGRA~1\SYSTEM\MISC\MBH19.DLL
>(file missing)
>O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot
>- Search & Destroy\SDHelper.dll
>O3 - Toolbar: (no name) - {5E92F538-B50B-46c5-9C5F-C6EECED3F6C6} - (no file)
>O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
>O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
>O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
>O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
>O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
>O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
>O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
>O4 - HKLM\..\Run: [AtiKey] Atitask.exe
>O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
>O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
>/NORESTART
>O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
>O4 - HKLM\..\Run: [CISrvr Program] C:\COMPAQ\INTERNET\CISRVR.EXE
>O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\McAfee\VirusScan\VSECOMR.EXE
>O4 - HKLM\..\Run: [SXGDSENU] SXGDSENU.exe
>O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\asp4setp.exe 3
>O4 - HKLM\..\Run: [SonicA3DControl] C:\PROGRA~1\SONICI~1\VrtxCtrl.exe
>O4 - HKLM\..\Run: [OEMCLEANUP] c:\windows\OPTIONS\oemreset.exe
>O4 - HKLM\..\Run: [CPQEASYACC] "C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\Cpqeaui.exe"
>O4 - HKLM\..\Run: [cqscp2ps.exe] C:\WINDOWS\SYSTEM\cqscp2ps.exe
>O4 - HKLM\..\Run: [LexStart] Lexstart.exe
>O4 - HKLM\..\Run: [CompaqSysTray] cpqpscp.exe
>O4 - HKLM\..\Run: [SHPC32] shpc32.exe
>O4 - HKLM\..\Run: [CQSCP2PSERVER] CQSCP2PS.EXE
>O4 - HKLM\..\Run: [Oil Change] C:\PROGRA~1\MCAFEE\OILCHA~1\OCTray32.exe Start
>O4 - HKLM\..\Run: [NB Common Dialog Enhancements] C:\PROGRA~1\MCAFEE\MCAFEE~1\comdlgex.exe
>O4 - HKLM\..\Run: [Start Menu Enhancements] C:\PROGRA~1\MCAFEE\MCAFEE~1\startm.exe
>O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb03.exe
>O4 - HKLM\..\Run: [LoadQM] loadqm.exe
>O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
>-osboot
>O4 - HKLM\..\Run: [Icon Animation] C:\PROGRAM FILES\MCAFEE\MCAFEE UTILITIES\HDE.EXE
>/hook
>O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
>O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
>O4 - HKLM\..\Run: [TV Media] C:\TV MEDIA\TVM.EXE
>O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\mscmgr.exe
>O4 - HKLM\..\RunServices: [HC Reminder] hc.exe
>O4 - HKLM\..\RunServices: [CBWHost] C:\PROGRA~1\BITWARE\CBWEXEC.EXE /Run C:\PROGRA~1\BITWARE\CBWHOST.EXE
>O4 - HKLM\..\RunServices: [CBWAttn] C:\PROGRA~1\BITWARE\CBWEXEC.EXE /Run C:\PROGRA~1\BITWARE\CBWATTN.EXE
>O4 - HKLM\..\RunServices: [EncMonitor] c:\compaq\access\Encompass\Monitor.exe
>O4 - HKLM\..\RunServices: [IKEService95] C:\Program Files\McAfee\PGP\IKEService.exe
>O4 - HKLM\..\RunServices: [McAfee Image] C:\PROGRA~1\MCAFEE\MCAFEE~1\image32.exe
>/auto
>O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
>O4 - HKLM\..\RunServices: [Installer] C:\WINDOWS\SYSTEM\WINST.EXE
>O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
>O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
>O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe"
>-turbo
>O4 - HKCU\..\Run: [TV Media] C:\TV MEDIA\TVM.EXE
>O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
>O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
>O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
>O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
>O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
>O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
>O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
>O9 - Extra button: Print Favorites (HKLM)
>O9 - Extra 'Tools' menuitem: Print &Favorites... (HKLM)
>O9 - Extra button: Real.com (HKLM)
>O9 - Extra button: SideStep (HKLM)
>O9 - Extra button: WeatherBug (HKCU)
>O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPSWF32.dll
>O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
>O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
>O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
>O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
>O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} (SideStep IE Inst) - http://download.sidestep.com/get/k00719/sb026.cab
>O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
>O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
>O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
>

[Reply or follow-up to this message]

re: Evil "lexplore" virus hijacked me
Tuesday, June 8, 2004 at 2:14 pm
Posted by Ms. Eagle (33507 messages posted)


This may work out, but try running Spybot again after fixing these and following the rest of the instructions. I don't know where it's hanging at, just by those numbers you posted.

First move HIJACKTHIS into a folder, any folder but a temp folder. It creates backups and places them in the same location as Hijackthis is in.

Next, uninstall Wild Tangent in Add/Remove programs. Reboot. Run HijackThis. Select Fix checked. Reboot. Delete the items I mentioned below.

C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=1c99&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=1c99&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=1c99&s=search&i=enu
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {08351226-6472-43BD-8A40-D9221FF1C4CE} - :\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE026.DLL
O2 - BHO: (no name) - {bcfad060-b146-11d7-8ce3-0008c713a59e} - (no file)
O2 - BHO: (no name) - {08227B4B-54FE-4C4D-809F-BCA46292FC5B} - C:\WINDOWS\SYSTEM\ZEDD4.DLL
O2 - BHO: (no name) - {EFF80427-F837-4B74-8834-BAF18E0553FD} - C:\PROGRA~1\SYSTEM\MISC\MBH19.DLL (file missing)
O3 - Toolbar: (no name) - {5E92F538-B50B-46c5-9C5F-C6EECED3F6C6} - (no file)
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [OEMCLEANUP] c:\windows\OPTIONS\oemreset.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - HKLM\..\RunServices: [HC Reminder] hc.exe
O4 - HKLM\..\RunServices: [Installer] C:\WINDOWS\SYSTEM\WINST.EXE
O4 - HKCU\..\Run: [TV Media] C:\TV MEDIA\TVM.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} (SideStep IE Inst) - http://download.sidestep.com/get/k00719/sb026.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab

MiniBug is spyware app installed with Weatherbug spyware app. Not needed-->>
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?

Delete the entire TV Media folder:
C:\TV MEDIA\TVM.EXE

Delete these files->>
C:\WINDOWS\SYSTEM\ZEDD4.DLL
C:\WINDOWS\SYSTEM\WINST.EXE

Wild Tangent folder/files. Look for a WT folder containing these files, delete if there->>
C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

Download this IEFIX.reg file to your Desktop. Double-click on it and answer Yes, to merge into your registry. It will restore all the default Search settings for IE.
SpywareInfo.com-IEFIX.reg

[Reply or follow-up to this message]

re: Evil "lexplore" virus hijacked me
Tuesday, June 8, 2004 at 6:26 pm
Posted by geehawgirl (47 messages posted)

Good Golly!!! Okay - an update:

1 - When I tried to delete C:\WINDOWS\SYSTEM\RPCSS.EXE I got a message saying "Cannot delete - specified file being used by Windows".
2 - Could not find C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE
3 - I did find a bunch of WT folders but since C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch was not among them I didn't delete anything.
4 - Could not find C:\TV MEDIA\TVM.EXE
5 - Could not find O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch again
6 - About 30 new backup folders requesting me to specify a program to run them appeared on my desktop after I ran HijackThis and deleted checked items.
7 - Spybot still hangs at 9469/14284
8 - IE still launches unwanted windows after rebooting, at certain seemingly timed intervals and sometimes when I'm switching between screens.

[Reply or follow-up to this message]

re: Evil "lexplore" virus hijacked me
Tuesday, June 8, 2004 at 7:01 pm
Posted by Ms. Eagle (33507 messages posted)


OK, those files and folders are unimportant at the moment. You've got a trojan loading somewhere.... If you uninstalled Wild Tangent, that may be why that 04 entry didn't show again. Leave that folder for now. "WT" is installed with AIM and other AOL apps. You weren't s'posed to "delete" RPCSS, just stop the running process. That may not work, until other things are taken care of. Just forget that. It's a Windows application that's only needed, if your PC is on a network. It's Remote Procedure Call Service. For one, backdoor trojans will launch that. What kind of backup folders are you referring to? 30? It would help to have some details on those. There's also an option in HijackThis to produce a StartupList log. Run HijackThis again and post a new log. In addition, press Config... > Misc Tools > Generate StartupList log. That'll show all the locations, it's loading from. Post both logs here in a post, separating them. After posting those, run an online virus scan ASAP, if you can and get back to me. Panda Active Scan Bitdefender

[Reply or follow-up to this message]

re: Evil "lexplore" virus hijacked me
Tuesday, June 8, 2004 at 9:32 pm
Posted by geehawgirl (47 messages posted)

I'm Holly, by the way. Here are the files you asked me to post. The items that showed up on my desktop are backups of everything I deleted from the HijackThis scan list you sent me to take care of. The RPCSS was on a list that you had prefaced with: "Delete the items I mentioned below" which is why I did so - would that have anything to do with a "fatal error" blue screen I got while shutting down? *sigh* I'm not on a network anyway (or I'd have had the IT guy in, wouldn't I?!) I'm off to do the Panda Active Scan and Bitdefender. Can't imagine why you're willing to put all this time into me, but I sure am glad for it. Some people volunteer at the senior citizen center, you do this - thanks.

Logfile of HijackThis v1.97.7
Scan saved at 9:27:07 PM, on 6/8/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\COMPAQ\ACCESS\ENCOMPASS\MONITOR.EXE
C:\PROGRAM FILES\MCAFEE\PGP\IKESERVICE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\BITWARE\CBWATTN.EXE
C:\PROGRAM FILES\BITWARE\CBWHOST.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\COMPAQ\INTERNET\CISRVR.EXE
C:\WINDOWS\SYSTEM\SXGDSENU.EXE
C:\PROGRAM FILES\SONIC IMPACT A3D\VRTXCTRL.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEAUI.EXE
C:\WINDOWS\SYSTEM\CQSCP2PS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SHPC32.EXE
C:\WINDOWS\SYSTEM\CQSCP2PS.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE UTILITIES\COMDLGEX.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE UTILITIES\STARTM.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\HPZTSB03.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE UTILITIES\HDE.EXE
C:\WINDOWS\MSCMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\PROGRAM FILES\MCAFEE\OIL CHANGE\SCHEDAPP.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\SYSTEM\HPZSTATX.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=1c99&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=1c99&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=1c99&s=search&i=enu
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe /NORESTART
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [CISrvr Program] C:\COMPAQ\INTERNET\CISRVR.EXE
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\McAfee\VirusScan\VSECOMR.EXE
O4 - HKLM\..\Run: [SXGDSENU] SXGDSENU.exe
O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\asp4setp.exe 3
O4 - HKLM\..\Run: [SonicA3DControl] C:\PROGRA~1\SONICI~1\VrtxCtrl.exe
O4 - HKLM\..\Run: [CPQEASYACC] "C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\Cpqeaui.exe"
O4 - HKLM\..\Run: [cqscp2ps.exe] C:\WINDOWS\SYSTEM\cqscp2ps.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [CompaqSysTray] cpqpscp.exe
O4 - HKLM\..\Run: [SHPC32] shpc32.exe
O4 - HKLM\..\Run: [CQSCP2PSERVER] CQSCP2PS.EXE
O4 - HKLM\..\Run: [Oil Change] C:\PROGRA~1\MCAFEE\OILCHA~1\OCTray32.exe Start
O4 - HKLM\..\Run: [NB Common Dialog Enhancements] C:\PROGRA~1\MCAFEE\MCAFEE~1\comdlgex.exe
O4 - HKLM\..\Run: [Start Menu Enhancements] C:\PROGRA~1\MCAFEE\MCAFEE~1\startm.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb03.exe
O4 - HKLM\..\Run: [Icon Animation] C:\PROGRAM FILES\MCAFEE\MCAFEE UTILITIES\HDE.EXE /hook
O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\mscmgr.exe
O4 - HKLM\..\RunServices: [CBWHost] C:\PROGRA~1\BITWARE\CBWEXEC.EXE /Run C:\PROGRA~1\BITWARE\CBWHOST.EXE
O4 - HKLM\..\RunServices: [CBWAttn] C:\PROGRA~1\BITWARE\CBWEXEC.EXE /Run C:\PROGRA~1\BITWARE\CBWATTN.EXE
O4 - HKLM\..\RunServices: [EncMonitor] c:\compaq\access\Encompass\Monitor.exe
O4 - HKLM\..\RunServices: [IKEService95] C:\Program Files\McAfee\PGP\IKEService.exe
O4 - HKLM\..\RunServices: [McAfee Image] C:\PROGRA~1\MCAFEE\MCAFEE~1\image32.exe /auto
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Print Favorites (HKLM)
O9 - Extra 'Tools' menuitem: Print &Favorites... (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPSWF32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab

Startup List:

StartupList report, 6/8/04, 9:28:12 PM
StartupList version: 1.52
Started from : C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
Detected: Windows 98 Gold (Win9x 4.10.1998)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\COMPAQ\ACCESS\ENCOMPASS\MONITOR.EXE
C:\PROGRAM FILES\MCAFEE\PGP\IKESERVICE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\BITWARE\CBWATTN.EXE
C:\PROGRAM FILES\BITWARE\CBWHOST.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\COMPAQ\INTERNET\CISRVR.EXE
C:\WINDOWS\SYSTEM\SXGDSENU.EXE
C:\PROGRAM FILES\SONIC IMPACT A3D\VRTXCTRL.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEAUI.EXE
C:\WINDOWS\SYSTEM\CQSCP2PS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SHPC32.EXE
C:\WINDOWS\SYSTEM\CQSCP2PS.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE UTILITIES\COMDLGEX.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE UTILITIES\STARTM.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\HPZTSB03.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE UTILITIES\HDE.EXE
C:\WINDOWS\MSCMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\PROGRAM FILES\MCAFEE\OIL CHANGE\SCHEDAPP.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\SYSTEM\HPZSTATX.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = c:\windows\scanregw.exe /autorun
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
AtiCwd32 = Aticwd32.exe
AtiKey = Atitask.exe
EM_EXEC = c:\mouse\system\em_exec.exe
EACLEAN = C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe /NORESTART
Compaq Internet Setup = C:\Compaq\Internet\InetWizard.exe /RUN
CISrvr Program = C:\COMPAQ\INTERNET\CISRVR.EXE
VsecomrEXE = C:\Program Files\McAfee\VirusScan\VSECOMR.EXE
SXGDSENU = SXGDSENU.exe
VortexTray = C:\WINDOWS\asp4setp.exe 3
SonicA3DControl = C:\PROGRA~1\SONICI~1\VrtxCtrl.exe
CPQEASYACC = "C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\Cpqeaui.exe"
cqscp2ps.exe = C:\WINDOWS\SYSTEM\cqscp2ps.exe
LexStart = Lexstart.exe
CompaqSysTray = cpqpscp.exe
SHPC32 = shpc32.exe
CQSCP2PSERVER = CQSCP2PS.EXE
Oil Change = C:\PROGRA~1\MCAFEE\OILCHA~1\OCTray32.exe Start
NB Common Dialog Enhancements = C:\PROGRA~1\MCAFEE\MCAFEE~1\comdlgex.exe
Start Menu Enhancements = C:\PROGRA~1\MCAFEE\MCAFEE~1\startm.exe
HPDJ Taskbar Utility = C:\WINDOWS\SYSTEM\hpztsb03.exe
Icon Animation = C:\PROGRAM FILES\MCAFEE\MCAFEE UTILITIES\HDE.EXE /hook
MSN Manager = C:\WINDOWS\mscmgr.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

CBWHost = C:\PROGRA~1\BITWARE\CBWEXEC.EXE /Run C:\PROGRA~1\BITWARE\CBWHOST.EXE
CBWAttn = C:\PROGRA~1\BITWARE\CBWEXEC.EXE /Run C:\PROGRA~1\BITWARE\CBWATTN.EXE
ConfigServices =
EncMonitor = c:\compaq\access\Encompass\Monitor.exe
IKEService95 = C:\Program Files\McAfee\PGP\IKEService.exe
McAfee Image = C:\PROGRA~1\MCAFEE\MCAFEE~1\image32.exe /auto
SchedulingAgent = mstask.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Yahoo! Pager = C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
Weather = C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
Mozilla Quick Launch = "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 8/6/2004, 16:21:44)

[rename]
NUL=C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET BLASTER=A220 I5 D3 T4
LH C:\WINDOWS\ASP4DOS.COM
C:\PROGRA~1\MCAFEE\VIRUSS~1\SCANPM.EXE C:\ /NOEXPIRE
IF ERRORLEVEL 1 PAUSE
\CPQS\TOOLS\DNY E:
IF ERRORLEVEL 1 GOTO SKIPE
IF EXIST E:\MFG00.BAT CALL E:\MFG00.BAT
IF EXIST E:\MFG00.BAT DEL E:\MFG00.BAT
IF EXIST E:\CONFIG.BAT E:\CONFIG.BAT
:SKIPE
\CPQS\TOOLS\DNY D:
IF ERRORLEVEL 1 GOTO SKIPED
IF EXIST D:\MFG00.BAT CALL D:\MFG00.BAT
IF EXIST D:\MFG00.BAT DEL D:\MFG00.BAT
IF EXIST D:\CONFIG.BAT D:\CONFIG.BAT
:SKIPED
:XIT
IF EXIST D:\PATCHES\PATCHES.BAT CALL D:\PATCHES\PATCHES.BAT
IF EXIST D:\SEHCTAP\NUL REN D:\SEHCTAP PATCHES
IF EXIST \PIPOST.BAT CALL \PIPOST.BAT
IF EXIST \PIPOST.BAT DEL \PIPOST.BAT
IF EXIST C:\CPQS\BACKWEB\BWSETUP.BAT CALL C:\CPQS\BACKWEB\BWSETUP.BAT
SET PATH=C:\PROGRA~1\ASYMET~1\DVP50
SET CLASSPATH=C:\Program Files\HEAT\navbar;%CLASSPATH%
SET PATH=%PATH%;C:\PROGRA~1\MCAFEE\PGP
SET PATH=%PATH%;C:\PROGRA~1\MCAFEE\MCAFEE~1

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job
{30C834C0-5F4B-11D4-8CE2-B9A6F7EB2C26}_Default.job
{41B37C8A-7D29-11D4-8CE2-0008C713A59E}_Default.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 7,380 bytes
Report generated in 0.126 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

[Reply or follow-up to this message]
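
Comparing the scan posted above with the earlier one shows which entries the fix actually removed and which still load. The following is an added example, not part of the original posts and not HijackThis code: the function names are hypothetical, and the two samples are shortened excerpts built from the logs in this thread (one `>`-quoted with a wrapped line, one pasted without line breaks).

```python
import re

# HijackThis prefixes every finding with a section code: R0-R3, F0-F3, N1-N4, O1-O23.
ENTRY_START = re.compile(r"(?<!\S)(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_entries(log_text):
    """Return [(code, body), ...] for every finding in a HijackThis log.

    Header lines and the 'Running processes' list before the first finding
    are ignored.
    """
    # Drop forum quote markers, then join everything into one string:
    # splitting on the entry codes instead of on newlines also handles
    # wrapped lines and logs whose line breaks were lost when posted.
    text = " ".join(line.lstrip("> ").strip() for line in log_text.splitlines())
    marks = list(ENTRY_START.finditer(text))
    entries = []
    for i, mark in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        body = " ".join(text[mark.end():end].split())
        entries.append((mark.group(1), body))
    return entries


def _key(entry):
    # Win9x paths show up in mixed case between scans, so compare case-insensitively.
    return (entry[0], entry[1].casefold())


def diff_scans(before, after):
    """Compare two parsed scans: what was removed, what persists, what is new."""
    before_keys = {_key(e) for e in before}
    after_keys = {_key(e) for e in after}
    return {
        "removed": [e for e in before if _key(e) not in after_keys],
        "persisting": [e for e in before if _key(e) in after_keys],
        "new": [e for e in after if _key(e) not in before_keys],
    }


def orphaned(entries):
    """Findings whose registry entry points at a file that no longer exists."""
    return [e for e in entries if e[1].endswith(ORPHAN_MARKERS)]


# Constructed excerpt of the first scan, as it appears when quoted in a reply.
BEFORE_QUOTED = r"""
>O2 - BHO: (no name) - {bcfad060-b146-11d7-8ce3-0008c713a59e} - (no file)
>O2 - BHO: (no name) - {08227B4B-54FE-4C4D-809F-BCA46292FC5B} - C:\WINDOWS\SYSTEM\ZEDD4.DLL
>O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
>-osboot
>O4 - HKLM\..\Run: [TV Media] C:\TV MEDIA\TVM.EXE
>O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\mscmgr.exe
>O4 - HKLM\..\RunServices: [IKEService95] C:\Program Files\McAfee\PGP\IKEService.exe
>O4 - HKLM\..\RunServices: [Installer] C:\WINDOWS\SYSTEM\WINST.EXE
>O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
"""

# Constructed excerpt of the second scan, pasted without preserved spacing.
AFTER_FLATTENED = (
    r"Running processes: C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\MSCMGR.EXE "
    r"O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\mscmgr.exe "
    r"O4 - HKLM\..\RunServices: [IKEService95] C:\Program Files\McAfee\PGP\IKEService.exe "
    r"O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1"
)

if __name__ == "__main__":
    first = parse_entries(BEFORE_QUOTED)
    second = parse_entries(AFTER_FLATTENED)
    for status, found in diff_scans(first, second).items():
        for code, body in found:
            print(f"{status:10} {code:3} {body}")
    for code, body in orphaned(first):
        print(f"{'orphaned':10} {code:3} {body}")
```

On these excerpts the `[MSN Manager]` autorun is reported as persisting, which is the entry the next reply asks to have fixed.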

re: Evil "lexplore" virus hijacked me
Tuesday, June 8, 2004 at 11:43 pm
Posted by Ms. Eagle (33507 messages posted)


Holly, that's why I said to move HijackThis into a "folder", because it creates backups! Now, they're everywhere. :) Just create a new folder on your desktop and drag all those backups into it. Cut and Paste HijackThis into the folder, so it doesn't turn into a shortcut.

Your Autoexec.bat file has a lot of entries in it. Some look strange to me, and it doesn't need to load at startup. You can uncheck it in MSCONFIG. Go to Start - Run - type: MSCONFIG hit Enter or OK. Uncheck 'Process Autoexec.bat file' and Config.sys file, both. Apply. The next time you reboot, the change will be in effect.

In HijackThis, it's up to you, but all those R1 and R0 entries were put there by Compaq. You can fix them, if you want to, and reset IE's default search settings by downloading the IEFix.REG file. These R1 and R0 URL's: http://search.presario.net

If so, select all those and these two. Have them fixed. Reboot.

C:\WINDOWS\SYSTEM\HPZSTATX.EXE
O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\mscmgr.exe

Delete files in bold:
C:\WINDOWS\mscmgr.exe

This one is installed with HP printers and can be problematic. If you delete it, it won't load when you use your printer:
C:\WINDOWS\SYSTEM\HPZSTATX.EXE

Download this .reg file to your Desktop. Double-click on it and answer Yes, to merge into your registry. It will restore all the default Search settings for IE.
SpywareInfo-IEFIX.reg

"I'm not on a network anyway (or I'd have had the IT guy in, wouldn't I?!)"
No, many households have "home" networks with two or more PC's on the same connection. I didn't include RPCSS to be deleted. Although, if you do, that's alright, too. That was listed at the top under Running Processes.

[Reply or follow-up to this message]

re: Evil "lexplore" virus hijacked me
Wednesday, June 9, 2004 at 12:53 am
Posted by geehawgirl (47 messages posted)

Will do all that tomorrow - am in Panda-hell now - it's been scanning for the last three hours because I had it check everything - it's already scanned 75,000 files and I just want to go to bed. It's going through every microbe of my computer - all of those *.tmp files I couldn't delete, all the system snapshots I made (which seems to be the whole configuration times two or maybe even three). I can't possibly stop it because then it will all have been for nought but I am mightily fed up right now. What I know about computers you could fit on the head of a pin and still have room for a Peruvian family of six.

[Reply or follow-up to this message]

re: Evil "lexplore" virus hijacked me
Wednesday, June 9, 2004 at 1:09 am
Posted by Ms. Eagle (33507 messages posted)


Oh, my word! All those *.tmp files are still there....I had no idea. Sorry, about that. =( There's got to be another way to get rid of those. I've never come across this before. Are you sure it's running?? lol

[Reply or follow-up to this message]

re: Evil "lexplore" virus hijacked me
Wednesday, June 9, 2004 at 2:00 am
Posted by Ms. Eagle (33507 messages posted)


Holly, you're probably going to need to boot to the command prompt (DOS) to delete all those temp files and temporary internet files. I'll give you the instructions, when you're ready. Plus, if you did need to stop the scan, it wouldn't need to download all those files and install again. That would already be installed, so it doesn't take as long the next time.

[Reply or follow-up to this message]

re: Evil "lexplore" virus hijacked me
Wednesday, June 9, 2004 at 8:58 am
Posted by geehawgirl (47 messages posted)

Hey!!! Panda got the Trojan! My computer is blissfully quiet (no clicking trying to load browser windows). Shall I still run Bitdefender and do all that other stuff? I await your instructions on DOSing the *.tmp files. It was set to accumulate something like 235MB (I know, I know) before - now that it's set for 8 will this prevent the buildup? Off to work now.

[Reply or follow-up to this message]

re: Evil "lexplore" virus hijacked me
Wednesday, June 9, 2004 at 3:44 pm
Posted by Ms. Eagle (33507 messages posted)


That's great! You don't need to run another scan, at least until all those temp files are gone. Go ahead and do these things too, if that's what you were asking: Annoyances.org #1086763417

Choose Shutdown on the Start menu. Restart in MS DOS mode. At the C:\>prompt type the following, pressing Enter after each command and Y if you're prompted to confirm deletion. The ~ is next to the 1 above the little ` mark. Note the spaces and direction of the /.

smartdrv
cd:\windows
deltree history
deltree tempor~1
deltree temp
deltree c:\windows\locals~1\tempor~1

Type: WIN or press CTRL_ALT_DEL keys to go back into Windows.

Caution: Deltree is a very powerful command. Anything typed after it, will be permanently deleted. I just want you to know, and DOS is picky about spelling, spaces and direction of slashes. CD means current directory.

[Reply or follow-up to this message]

re: Evil "lexplore" virus hijacked me
Wednesday, June 9, 2004 at 11:25 pm
Posted by geehawgirl (47 messages posted)

...Hmm...deltree tempor~1 took 40 minutes to run but it finally cleared for the next prompt. Deltree temp ran for about 4 1/2 hours before I finally control/alt/deleted. When I ran a search for *.tmp files I got the same message as before - 10,000 items found, narrow your search. I figured it was taking an ungodly amount of time to run because the files seemingly had NEVER been winnowed. I was very careful to type the commands in properly, what do you think the problem is now? (p.s. I do know ~ is called a tilde, but I don't know why or what it does)

[Reply or follow-up to this message]

re: Evil "lexplore" virus hijacked me
Thursday, June 10, 2004 at 11:38 am
Posted by Ms. Eagle (33507 messages posted)


I've never heard of anything like this. I honestly have no idea what else to suggest. Nothing stops DOS commands....usually. If it can't be done at the command prompt, I just don't know. Try clearing out the Windows\temp file and go into Internet Options again, clear TIF and choose offline content, see what happens.

[Reply or follow-up to this message]

re: Evil "lexplore" virus hijacked me
Thursday, June 10, 2004 at 9:48 pm
Posted by geehawgirl (47 messages posted)

Hiya, howareya...I ran BitDefender and was gratified to see about 20 "trojan.downloader swizzor" files go up in a puff of smoke. Re: the *.tmp files - should I repeat the same steps you gave me to do in DOS? My computer is running like a dream these days, I imagine it'd be even better if I could unload those pesky temp files. Is 250MB in temp files a lot to have wasted and trapped on your computer or should I just step away from the car since my trojan is routed?

[Reply or follow-up to this message]

re: Evil "lexplore" virus hijacked me
Friday, June 11, 2004 at 12:35 pm
Posted by Ms. Eagle (33507 messages posted)


Your system was really infected with junk. Yes, 250 MB in useless temp files, is too much. Also, if you've set the size down without getting those cleared out first, who knows, that may cause problems. Besides, once the cache is too full you won't have room left to store those. There's something wrong, if you can't clear those out. It's possible with all these problems, that IE has gotten damaged, or the install is corrupt. To repair Internet Explorer: Go to Start - Run - in the Open box, type: msinfo32 - click OK. From the Tools menu - choose IE Repair Tool -- Repair IE. If you get a message saying it can't be repaired, you'll need to reinstall it by running the IESetup.exe install file.

[Reply or follow-up to this message]

re: Evil "lexplore" virus hijacked me
Friday, June 11, 2004 at 12:50 pm
Posted by Ms. Eagle (33507 messages posted)


Also, you haven't answered my question, have you tried clearing out TIF in Internet Options again? Under General tab, choose Delete temporary internet files - choose 'delete all Offline content'. Set the size way up again first. Apply. Then try clearing them. You can set it back down after they're cleared out. Close your browser first.

[Reply or follow-up to this message]

re: Evil "lexplore" virus hijacked me
Friday, June 11, 2004 at 10:23 pm
Posted by geehawgirl (47 messages posted)

Yes, I have tried to delete my temp files again without success - but I haven't tried to do it in DOS mode since the first time, that's what I was asking - if I should repeat the directions you gave me last time for DOS. When I go into Internet Options (and yes, I have set the storage for way high again) and delete TIF files I get an hourglass for a second like it's doing something but when I do a file search afterward I get the same reply - 10000 files found, narrow your search --- they're still in there.

[Reply or follow-up to this message]

re: Evil "lexplore" virus hijacked me
Friday, June 11, 2004 at 11:05 pm
Posted by Ms. Eagle (33507 messages posted)


I don't have much hope, it will work at the command prompt now either. You can try. OK, in case we're misunderstanding each other....it will take quite a bit of time, when you go to clear TIF in Internet Options. All those files are being selected (even though you don't see that) then "Windows" clears them out. You can check in the TIF folder by choosing View Files (General tab). Is it possible those are already cleared out? Don't bother doing a file search again. All those *.TMP files aren't necessarily in temporary internet files folder. You haven't said, if you've checked in the Windows\temp folder or not or emptied that out? Once you click to also delete all offline content, just walk away from it for awhile and give it time. Then once the hour glass stops, it's done. I just want to make sure, we're understanding each other here. Arrghhh this is crazy.....lol. That's why it would be good to try running the IE repair tool. It does the work for you, all you need to do is get it started.

[Reply or follow-up to this message]

re: Evil "lexplore" virus hijacked me
Saturday, June 12, 2004 at 12:24 am
Posted by geehawgirl (47 messages posted)

The IE was damaged and could not repair so I reinstalled and repaired. Then I chose Delete TIF files both with and without the Delete all offline files checked. It took no time at all with the hourglass icon running so I don't know if it really did it or not or how to check to see if it's done. When I go into View Files it shows about 100 cookie files in there but not much else besides some Netscape stuff that showed up after I reinstalled IE.

[Reply or follow-up to this message]

re: Evil "lexplore" virus hijacked me
Saturday, June 12, 2004 at 12:57 am
Posted by Ms. Eagle (33507 messages posted)


Yep, you got them or they were already cleared out. Cookies "are" left behind. Those aren't cleared out, when you choose to delete your TIF, even though they show in there. The Cookies folder is in Windows, C:\Windows\Cookies. You can delete the ones you don't need for logon, such as the Annoyance's Cookie. You can set the size way down as low as 5 MB. Those files are very small and should be cleared out regularly. Do you use Netscape as your main browser? It has its own cache to clear out, I'm sure you know that. Have you checked in the other temp folders? You can check either by opening Windows Explorer or double click My Computer icon on the desktop - double click C drive. Scroll down to the Windows folder. The Temp folder, Cookies, and temp internet files folder are all there. You're probably all set, since your IE is repaired. Let me know how it goes. I hope, you've got all the baddies out of there now! I was surprised another scan found more trojans.

[Reply or follow-up to this message]



All content at Annoyances.org is Copyright © 1995-2009 Creative Element™. All rights reserved.
Please do not plagiarize; redistributing these pages without permission is strictly prohibited.