0

Greetings,
I just want to go ahead and say thank you in advance to everybody on these forums. I've been reading and trying to apply all the useful information here to fix my problems myself but I just can't do it alone.

Here's my deal:
This computer must have been abused as a child :lol: and when I got use of it here for my summer job it was almost entirely unprotected - no anti spyware or adware and its KasperskyAV was not updated or active. I've fixed many of the standard problems with Adaware and SpybotSnD that were really bogging this thing down when I got it.

Now my problems include a message when opening many web pages that reads "KAV Script Checker" - Cannot load library for language 'VBScript' Path:'C\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SCRIPTBLOCKING\SCRAUTH.DLL'

I also get a steady stream of pop ups even when IE is not connected that include among others www.loadingwebsite.com's, hotbar.net's, and doubleclick.net's. I run IE with a google toolbar that apparently blocks popups - it's blocked about 4 popups in the 6 weeks that I've used it. :mad:

Perhaps my most annoying problem is a shaky IE that closes with an IE illegal operation message. This is especially frequent when I run any type of search engine on the web.

SpybotSnD, Adaware 6.0, and CWShredder (each with latest updates) - all check out clean.

I like solving problems on my own but I just can't do it.

Here's my HJT log file, run with no apps open.
-------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:10:07 AM, on 07/21/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL\KAVSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL\KAV.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\DOWNLOADS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.edgarheape.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\RunServices: [kavsvc] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/registration/2_0_0_755/sdcregie.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 208.128.224.2,208.228.231.90
---------------------------------------------------------------------------

Thanks in advance!

0

Hi,

Download CleanUp! and install it. Do not run it now.


The error you are getting (from Kaspersky) is due to the incorrect uninstallation of Symantec Norton AntiVirus. You can download the uninstaller from Symantec to completely remove it.

Follow these steps:-
1] Download the Rnav2003 utility to Desktop.

2] Double-click the Rnav2003.exe icon on the Desktop to launch the application.

3] If it asks you to use "Add/Remove Programs" instead of the Rnav utility, click "No" to continue using Rnav.

4] Choose the Norton product you may have installed earlier and click "Yes" to uninstall.

5] Click "Yes" to restart the PC after the uninstallation.

More info from Symantec and Kaspersky

Next, boot into safe mode.

Run HijackThis and click Do only a System scan.
Then put a check mark in front of the entries listed below:-

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.


Delete this folder ( and also the files inside it ) :-
C:\PROGRAM FILES\TOOLBAR

Run CleanUp!, click "Options" button, move the "Quick Setup" slider to "Thorough CleanUp!" and click "Yes" for the warning message and exit from Options. Click "CleanUp!" to start cleaning.
After cleaning, click "Close", and choose "Yes" to restart the PC.


Restart to Normal mode, Run HijackThis again, click Do a System scan and save log, and post the fresh log.

0

Thanks for replying swatkat

Well, I ran Rnav2003 - which I've already done to try and fix this - again. And I'm still getting the ("KAV Script Checker" - Cannot load library for language 'VBScript' Path:'C\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SCRIPTBLOCKING\SCRAUTH.DLL'VBScript) with the same frequency.

Ran Cleanup! in Safe Mode and removed the items on HJT like you suggested. My IE still gives me an illegal operation message anytime I run a search engine.

I'm also still getting the same popups. :mad:

Anyhow, here's my HJT log
--------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:04:48 AM, on 07/22/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL\KAVSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL\KAV.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\DOWNLOADS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.edgarheape.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\RunServices: [kavsvc] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/registration/2_0_0_755/sdcregie.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 208.128.224.2,208.228.231.90
---------------------------------------------------------------------------

0

Open NotePad, and copy the contents of the below "Code" box:-

regedit /e Info.txt "HKEY_CLASSES_ROOT\JavaScript"

Go to File Menu > Save As, and save the file with the name Test.bat and exit from NotePad.

Double-Click on the file Test.bat, a small DOS type window should open and close immediately.
After this, there would be a file called Info.txt in the same location where Test.bat was present. Open the Info.txt and post its contents here.

Open Internet Explorer, go to Tools Menu > Options. Here click "Advanced" tab, and uncheck the option "Enable third party browser extension". After this, perform an online virus scan at Panda ActiveScan with the "Disinfection" option enabled. Save the log it gives after the scan.

Run HijackThis, click Do a System scan and save log, and post the fresh log along with the Panda ActiveScan log.

0

Well, here's my info.txt from the test.bat
-----------------------------------------------
REGEDIT4

[HKEY_CLASSES_ROOT\JavaScript]

[HKEY_CLASSES_ROOT\JavaScript\OLEScript]

[HKEY_CLASSES_ROOT\JavaScript\CLSID]
@="{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"
----------------------------------------------------

I unchecked "enable third party browser extension" in Internet Tools

Panda Activescan, however, would not work - I think because of my "VBscript error" message. I get to the download screen and get 3 of these messages in a row and then the downloading activescan screen runs on and on, even though this thing has a great internet connection. It simply wasn't finishing the download screen.

Anyhow, here's my HJT log.
--------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:51:28 AM, on 07/25/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL\KAVSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL\KAV.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\DOWNLOADS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.edgarheape.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\RunServices: [kavsvc] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/registration/2_0_0_755/sdcregie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 208.128.224.2,208.228.231.90
-------------------------------------------------------

Thanks!
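The fix-and-rescan loop in the posts above, as an added example that is not part of the original thread: it parses HijackThis entry lines, compares the 07/21 and 07/25 scans, and checks whether every entry on the "Fix Checked" list is actually gone. The function names are illustrative, and the three strings are excerpts of the logs posted above.

```python
import re

# HijackThis entries look like "O4 - HKLM\..\Run: [Name] command".
ENTRY = re.compile(r"^([A-Z])(\d{1,2}) - (.*)$")

def parse_hjt(text):
    """Return the set of (section letter, section number, detail) entries."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.add((m.group(1), int(m.group(2)), m.group(3).strip()))
    return entries

def compare(before, after, fix_list=""):
    """Diff two scans and report fix-list entries that survived the fix."""
    old, new, wanted = parse_hjt(before), parse_hjt(after), parse_hjt(fix_list)
    return {
        "removed": sorted(old - new),
        "added": sorted(new - old),
        "still_present": sorted(wanted & new),
    }

# Entries the helper asked to have checked and fixed (from the thread).
FIX_LIST = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
"""

# Entries present in both scans (excerpt).
COMMON = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.edgarheape.com/
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 208.128.224.2,208.228.231.90
"""

LOG_0721 = FIX_LIST + COMMON   # excerpt of the 07/21/2005 scan
LOG_0725 = COMMON + r"""
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
"""                             # excerpt of the 07/25/2005 scan

if __name__ == "__main__":
    result = compare(LOG_0721, LOG_0725, FIX_LIST)
    for kind, entries in result.items():
        print(kind)
        for letter, number, detail in entries:
            print(f"  {letter}{number} - {detail}")
```

An empty `still_present` list means the fix took; anything under `added` is new since the earlier scan and deserves the same review as the original entries.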

0

Hi,
Download Sysclean Package, create a folder named Sysclean on Desktop, and put the downloaded file to that folder. Next download the pattern file for Windows OS (pattern file will have a name like lpt731.zip) and extract the contents of the ZIP file to the same Sysclean folder.

Next, download SpywareBlaster and install it. Do not run it now.


Boot in SAFE Mode.

Next, double-click on the sysclean.com file, and after few seconds, the Sysclean window appears. Here make sure that Automatically clean or delete infected files option is selected. Then click "Scan". After the scan is complete it gives a log, save the log file.

Open Internet Explorer, go to Tools Menu, click "Advanced" and click "Programs" tab. Here click "Reset Web Settings" and click "Apply" and "OK". Exit from Internet Explorer.

Run SpywareBlaster and click "Enable All Protection" and exit from it.


Reboot to normal mode, run HijackThis again, and post a fresh log along with Sysclean log.

0

Also, open NotePad, and copy the contents of the below "Quote" box:-

regedit /e Info.txt "HKEY_CLASSES_ROOT\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"

Go to File Menu > Save As, and save the file with the name Test.bat and exit from NotePad.

Double-Click on the file Test.bat, a small DOS type window should open and close immediately.
After this, there would be a file called Info.txt in the same location where Test.bat was present. Open the Info.txt and post its contents here.

0

/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


2005-07-27, 08:19:24, Auto-clean mode specified.
2005-07-27, 08:19:24, Running scanner "C:\WINDOWS\DESKTOP\SYSCLEAN\TSC.BIN"...
2005-07-27, 08:20:12, Scanner "C:\WINDOWS\DESKTOP\SYSCLEAN\TSC.BIN" has finished running.
2005-07-27, 08:20:12, TSC Log:

Damage Cleanup Engine (DCE) 3.9(Build 1020)
Windows 98

Start time : Wed Jul 27 2005 08:19:28

Load Damage Cleanup Template (DCT) "C:\WINDOWS\DESKTOP\SYSCLEAN\tsc.ptn" (version 629) [success]

Complete time : Wed Jul 27 2005 08:20:12
Execute pattern count(4156), Virus found count(0), Virus clean count(0), Clean failed count(0)

2005-07-27, 08:20:35, An error occurred while scanning file "C:\WINDOWS\WIN386.SWP": Access is denied.
2005-07-27, 08:50:00, Running scanner "C:\WINDOWS\DESKTOP\SYSCLEAN\VSCANTM.BIN"...
2005-07-27, 09:45:20, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 7/27/2005 09:23:17
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 745 (105198 Patterns) (2005/07/25) (274500)
Command Line: C:\WINDOWS\DESKTOP\SYSCLEAN\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\WINDOWS\DESKTOP\SYSCLEAN

44318 files have been read.
44318 files have been checked.
17495 files have been scanned.
38247 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 7/27/2005 09:45:17
---------*---------*---------*---------*---------*---------*---------*---------*
2005-07-27, 09:45:20, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 7/27/2005 09:23:17
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 745 (105198 Patterns) (2005/07/25) (274500)
Command Line: C:\WINDOWS\DESKTOP\SYSCLEAN\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\WINDOWS\DESKTOP\SYSCLEAN

44318 files have been read.
44318 files have been checked.
17495 files have been scanned.
38247 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 7/27/2005 09:45:17 21 minutes 54 seconds (1314.59 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-07-27, 09:45:20, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 7/27/2005 09:23:17
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 745 (105198 Patterns) (2005/07/25) (274500)
Command Line: C:\WINDOWS\DESKTOP\SYSCLEAN\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\WINDOWS\DESKTOP\SYSCLEAN

44318 files have been read.
44318 files have been checked.
17495 files have been scanned.
38247 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 7/27/2005 09:45:17 21 minutes 54 seconds (1314.59 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-07-27, 09:45:20, Scanner "C:\WINDOWS\DESKTOP\SYSCLEAN\VSCANTM.BIN" has finished running.
===============================================


And here's my HJT log

===============================================
Logfile of HijackThis v1.99.1
Scan saved at 9:56:21 AM, on 07/27/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\DOWNLOADS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.edgarheape.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\RunServices: [kavsvc] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/registration/2_0_0_755/sdcregie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 208.128.224.2,208.228.231.90
===============================================


And here's the results from the new test.bat

REGEDIT4

[HKEY_CLASSES_ROOT\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}]

[HKEY_CLASSES_ROOT\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\OLEScript]

[HKEY_CLASSES_ROOT\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID]

[HKEY_CLASSES_ROOT\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32]
@="C:\\PROGRAM FILES\\KASPERSKY LAB\\KASPERSKY ANTI-VIRUS PERSONAL\\AVPSCRCH.DLL"
"OriginalDll"="C:\\Windows\\System\\Jscript.dll"
"Threadingmodel"="both"

[HKEY_CLASSES_ROOT\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories]

[HKEY_CLASSES_ROOT\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}]

[HKEY_CLASSES_ROOT\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}]

---------------------------------------------------


I've enabled full protection with spyware blaster and have reset web settings.


-Still getting hotbar.com's, loadingwebsite.com's, etc. popups, even when IE isn't open

-Still getting my VBscript error message

+BUT...... IE isn't crashing on search engines any more :)
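One way to read a `regedit /e` export like the one posted above, as an added example that is not part of the original thread: it parses REGEDIT4 text and audits each `InprocServer32` key, flagging a server that carries an `OriginalDll` value (as the JScript engine entry above does) and a server whose file is not on disk. The second key, with its all-zero CLSID, and the `ON_DISK` set are constructed for illustration; the SCRAUTH.DLL path is the one quoted in the error message.

```python
import re

# Matches '@="data"' or '"Name"=data' value lines of a REGEDIT4 export.
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def unquote(s):
    """Strip the surrounding quotes and undo REGEDIT4 backslash escaping."""
    return re.sub(r"\\(.)", r"\1", s[1:-1])

def parse_regedit4(text):
    """Return {key path: {value name: data}}; '@' is the default value.
    Quoted strings are decoded; hex:/dword: data is kept as written."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = VALUE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else unquote(m.group(1))
            data = m.group(2)
            current[name] = unquote(data) if data.startswith('"') else data
    return keys

def audit_inproc(keys, file_exists):
    """Yield findings for COM in-process servers that were swapped or lost."""
    findings = []
    for path, values in keys.items():
        if not path.lower().endswith("\\inprocserver32"):
            continue
        clsid = path.split("\\")[-2]
        server = values.get("@", "")
        original = values.get("OriginalDll")
        if original and original.lower() != server.lower():
            findings.append((clsid, "wrapped", server, original))
        if server and not file_exists(server):
            findings.append((clsid, "missing", server, original))
    return findings

# First key: from the export posted above. Second key: constructed sample.
EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32]
@="C:\\PROGRAM FILES\\KASPERSKY LAB\\KASPERSKY ANTI-VIRUS PERSONAL\\AVPSCRCH.DLL"
"OriginalDll"="C:\\Windows\\System\\Jscript.dll"
"Threadingmodel"="both"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32]
@="C:\\PROGRAM FILES\\COMMON FILES\\SYMANTEC SHARED\\SCRIPTBLOCKING\\SCRAUTH.DLL"
'''

# Constructed stand-in for the file system; pass os.path.exists on a real PC.
ON_DISK = {
    r"c:\program files\kaspersky lab\kaspersky anti-virus personal\avpscrch.dll",
    r"c:\windows\system\jscript.dll",
}

def run_audit():
    return audit_inproc(parse_regedit4(EXPORT), lambda p: p.lower() in ON_DISK)

if __name__ == "__main__":
    for clsid, kind, server, original in run_audit():
        print(kind, clsid, server, "->", original)
```

A "wrapped" finding is expected while a script-checking product is installed; a "missing" finding is the kind of leftover registration that an incomplete uninstall can produce.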

0

I'm getting a new annoying message now when opening web pages........

---------------------------------------------------------------------------------
(Microsoft Visual C++ Runtime Libary)

Program: C:\Windows\RUNDLL32.exe

A buffer overrun has been detected which has corrupted the program's internal state. This program cannot safely continue execution and must now be terminated
---------------------------------------------------------------------------------

Solve one problem and get a new one :(

0

Hi,
Download FxHotbar and FxSpL2Me from Symantec.
Run both of the tools one after another to scan your PC.

Another batch file ;-) , open NotePad, and copy the contents of the below "Quote" box:-

regedit /e test1.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies"
regedit /e test2.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
copy test1.txt + test2.txt = info.txt

del test1.txt
del test2.txt

Go to File Menu > Save As, and save the file with the name Test.bat and exit from NotePad.

Double-Click on the file Test.bat, a small DOS type window should open and close immediately.
After this, there would be a file called Info.txt in the same location where Test.bat was present. Open the Info.txt and post its contents here.

0

Those scans both said that hotbar and look2me "have not been found on this computer"


Here's the batch file results.
------------------------------------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
"HideSharePwds"=hex:01,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ratings]

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=hex:95,00,00,00
"EditLevel"=dword:00000000
"NoRun"=dword:00000000
"NoClose"=dword:00000000
"NoSaveSettings"=dword:00000000
"NoFileMenu"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
------------------------------------------------------------

0

Hi,

Download VX2Finder and run it. Click the button "Click to find VX2.Betterinternet" and after this, click "Make Log". If it does not create any log, copy the contents shown in the text box, and post it here.


Download HotBar Uninstaller and run it.

Open NotePad, and copy the contents of the below "Quote" box:-

cd %windir%
cd system
dir *.dll /od > C:\Temp1.txt
cd %windir%
cd system32
dir *.dll /od > C:\Temp2.txt
cd c:\
copy Temp1.txt + Temp2.txt = Filelst.txt
del Temp1.txt
del Temp2.txt

Go to File Menu > Save As, and save the file with the name Find.bat and exit from NotePad.

Double-Click on the file Find.bat, a small DOS type window should open and close immediately.
After this, there would be a file called Filelst.txt in C:\ drive. Open that file, and post its contents here.

Also, if you are not able to browse in Internet Explorer, you can use alternate browser FireFox.
