RUNDLL

 
Old 18-03-2005, 05:37 PM   #1
Fran
Guest
 
Posts: n/a
Default RUNDLL


I get the following message after clicking any user:
error loading c:\windows\systems32\msiefp40.dll. the
specified module could not be found. Any ideas? thanks.
Old 18-03-2005, 08:04 PM   #2
Ron Kiner
Guest
 
Posts: n/a
Default RUNDLL

Something has removed spyware but forgotten to remove the
registry entry that started it up. Start, Run, regedit,
OK and then Edit Find and search for msiefp40.dll. You
will probably find a key with a value of "rundll
c:\Windows\system32\msiefp40.dll". Highlight it and delete
it.

Search again to make sure it doesn't show up again.

Ron
Old 18-03-2005, 11:03 PM   #3
Fran
Guest
 
Posts: n/a
Default RUNDLL

I found one file and deleted it. Another search showed
nothing, but I still get the same error message "rundll".

Thanks
>-----Original Message-----
>Something has removed spyware but forgotten to remove the
>registry entry that started it up. Start, Run, regedit,
>OK and then Edit Find and search for msiefp40.dll. You
>will probably find a key with a value of "rundll
>c:\Windows\system32\msiefp40.dll". Highlight it and delete
>it.
>
>Search again to make sure it doesn't show up again.
>
>Ron
>.
>

Old 21-03-2005, 02:28 AM   #4
Ron Kinner
Guest
 
Posts: n/a
Default RUNDLL

Get HijackThis from

http://tomcoyote.org/hjt/hjt199//HijackThis.exe

and let it Scan your system and Save Log. (Save it where
you can find it again.) Then send me the log. I will tell
you what to do next.

Ron Kinner
Old 21-03-2005, 08:34 AM   #5
Fran
Guest
 
Posts: n/a
Default RUNDLL

Here's the log. Thanks

Logfile of HijackThis v1.99.1
Scan saved at 2:09:02 AM, on 3/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Fran Marren\Local
Settings\Temporary Internet Files\Content.IE5\8DARKL23
\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.dellnet.com
R3 - URLSearchHook: (no name) - {269B6797-664E-48AA-B283-
B012BDF6E525} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-
784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0
\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-
AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2
\eBayTB.dll
O2 - BHO: (no name) - {C1A00154-3136-4A17-A22F-
DE63A48A1A4F} - blank (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-
209B6AD74ACC} - C:\Program Files\Microsoft
Money\System\mnyviewer.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D3FA-
F27BA787AD2D} - (no file)
O3 - Toolbar: (no name) - {B195B3B3-8A05-11D3-97A4-
0004ACA6948E} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-
905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-
F68587A44A73} - blank (file missing)
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-
B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2
\eBayTB.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32
\DSentry.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program
Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1
\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1
\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1
\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common
Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works
Shared\WkUFind.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1
\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe
C:\WINDOWS\System32\msiefr40.dll,DllRunServer
O4 - HKLM\..\Run: [dos] dos64.exe
O4 - HKLM\..\Run: [PopupKiller] C:\PROGRA~1
\NoPops\PopupKillerGUI.exe /nosplash
O4 - HKLM\..\Run: [ViewMgr] C:\Program
Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WildTangent CDA]
RUNDLL32.exe "C:\Program
Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMai
n
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px]
C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [eBayToolbar] C:\Program
Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Weather] C:\Program
Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [POPUP BLOCKER] "C:\Program
Files\AirSpell\POPUP BLOCKER\POPUP BLOCKER.exe"
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program
Files\Alset\HelpExpress\Fran Marren\HXIUL.EXE
O4 - HKCU\..\Run: [SpyKiller] C:\Program
Files\SpyKiller\spykiller.exe /startup
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program
Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &eBay Search -
res://C:\Program Files\eBay\eBay Toolbar2
\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Search -
http://bar.mywebsearch.com/menusear...?p=ZPxdm183XXUS
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Image in New Window -
res://C:\PROGRA~1\PopUpCop\popupcop.dll/imagenew
O9 - Extra button: Sidesearch - {000007C6-17DF-4438-92A4-
DE5537471BA3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-
00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-
00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-
A9046DEA8A21} - C:\Program Files\Microsoft
Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-
00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-
B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
(HKCU)
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 -
http://64.55.105.205/Java/cfs31229.cab
O16 - DPF: Yahoo! Pyramids -
http://download.games.yahoo.com/gam...ts/y/pyt1_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B}
(SysProWmi Class) -
http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB}
(BrowseFolderPopup Class) -
http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700}
(Windows Genuine Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?lin...467&clcid=0x409
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35}
(Brix6ie Control) -
http://a19.g.akamai.net/7/19/7125/1...coupons.com/v7/
brix6ie.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} -
http://www.stop-sign.com/pub/download/stop-sign_pop.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}
(MiniBugTransporterX Class) -
http://download.weatherbug.com/mini...klers/AWS/MiniB
ugTransporter.cab?
O16 - DPF: {3F1A2503-C1E0-4980-93DA-C64E44507EC1} (MSN
Money QuickList) -
http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} -
http://64.156.188.99/iwasher/pptpro...internetwasherp
ro.cab
O16 - DPF: {44EF3799-53A0-4D7A-BD9F-DC103F2FB8D9} (MSN
Money QuickList) -
http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
(McAfee.com Operating System Class) -
http://bin.mcafee.com/molbin/shared/mcinsctl/en-
us/4,0,0,76/mcinsctl.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466}
(HeartbeatCtl Class) -
http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
http://us.dl1.yimg.com/download.yah...l/installs/suit
e/autocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F}
(RealArcadeRdxIE Class) - http://games-
dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389}
(DwnldGroupMgr Class) -
http://bin.mcafee.com/molbin/shared/mcgdmgr/en-
us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} -
http://www.spyblast.com/download/SBFullSInst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN
Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: C-DillaCdaC11BA - Macrovision -
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown
owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager
(mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1
\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime
Engine (MCVSRte) - Networks Associates Technology, Inc -
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation -
C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) -
NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program
Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony
Corporation - C:\Program Files\Common Files\Sony
Shared\AVLib\SPTISRV.exe

>-----Original Message-----
>Get HijackThis from
>
>http://tomcoyote.org/hjt/hjt199//HijackThis.exe
>
>and let it Scan your system and Save Log. (Save it where
>you can find it again.) Then send me the log. I will tell
>you what to do next.
>
>Ron Kinner
>.
>

Old 21-03-2005, 08:36 PM   #6
Ron Kinner
Guest
 
Posts: n/a
Default RUNDLL

HijackThis works best in Safe Mode [(F8) during a boot and
select Safe Mode Without Networking ]. Make sure you have
a copy of winsockxpfix.exe just in case you can't get to
the internet afterwards.

http://www.iup.edu/house/resnet/winfix.shtm

If you check this item and then Fix Checked that will get
rid of your error message.

O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe
C:\WINDOWS\System32\msiefr40.dll,DllRunServer

However, you have at least two more active spyware
infections:

O4 - HKLM\..\Run: [dos] dos64.exe
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program
Files\Alset\HelpExpress\Fran Marren\HXIUL.EXE

and a possible W32.Pandem.C.Worm infection:

O4 - HKCU\..\Run: [POPUP BLOCKER] "C:\Program
Files\AirSpell\POPUP BLOCKER\POPUP BLOCKER.exe"


You also have a lot of dead toolbars and such:

R3 - URLSearchHook: (no name) - {269B6797-664E-48AA-B283-
B012BDF6E525} - (no file)

O2 - BHO: (no name) - {C1A00154-3136-4A17-A22F-
DE63A48A1A4F} - blank (file missing)

O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D3FA-
F27BA787AD2D} - (no file)

O3 - Toolbar: (no name) - {B195B3B3-8A05-11D3-97A4-
0004ACA6948E} - (no file)

O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-
F68587A44A73} - blank (file missing)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-
00C0F0318AFE} - (no file)

and two nasty searchbar downloads:

O8 - Extra context menu item: &Search -
http://bar.mywebsearch.com/menusear...?p=ZPxdm183XXUS
O9 - Extra button: Sidesearch - {000007C6-17DF-4438-92A4-
DE5537471BA3} - C:\WINDOWS\System32\shdocvw.dll

I don't trust anything with coupon in its name:

O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35}
(Brix6ie Control) -
http://a19.g.akamai.net/7/19/7125/1...coupons.com/v7/
brix6ie.cab


I'd check all of the above and then hit Fix Checked. You
will note that the spykiller did not do a very good job so
hopefully you got it for free. I'd uninstall it and your
popup stoppers. Rely on Microsoft AntiSpy and the best
free popup stopper I've found is EMS Free Surfer mk II.

http://emsproject.com/FS/Download.htm

Select

EMS Free Surfer mk II v. 2.1.026, multilanguage



I don't like Weatherbug because it uses up a lot of
network resources and also because it automatically gives
you one of those nasty searchbars unless you uncheck it
during install but I understand the official Microsoft
position (after Weatherbug threatened to sue) is that it
is not spyware so I'm not flagging it tho we do not allow
it in our company.

You also have a resource hog probably left over from
Turbotax 2002:

O23 - Service: C-DillaCdaC11BA - Macrovision -
C:\WINDOWS\System32\drivers\CDAC11BA.EXE


Turbotax installed this junk one year to keep you from
copying their program. Problem is it runs all of the time
and eats up memory and cpu cycles. Start then Right Click
on My Computer and select Manage then Services and
Applications then Services. Find C-Dilla in the right
hand pane and double click on it. Set it to start
manually or Disabled and Stop it. If it turns out that
something needs it you can always turn it back on the same
way.

Reboot when done and run another HijackThis and post a new
log so I can see how we did. If you don't hear from me
right away send me an email. I have to monitor this forum
via a browser and it's hard to see when new stuff shows up
if it is not on the first page.

Ron




Old 22-03-2005, 12:41 AM   #7
Fran
Guest
 
Posts: n/a
Default RUNDLL

Ron

New log. The error message is gone.

Thanks,

Fran


Logfile of HijackThis v1.99.1
Scan saved at 6:35:52 PM, on 3/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Fran Marren\Local
Settings\Temporary Internet Files\Content.IE5
\NYSZJL8P\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.dellnet.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-
784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0
\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-
AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2
\eBayTB.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-
209B6AD74ACC} - C:\Program Files\Microsoft
Money\System\mnyviewer.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-
905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-
B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2
\eBayTB.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32
\DSentry.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program
Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1
\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1
\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1
\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common
Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works
Shared\WkUFind.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1
\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [PopupKiller] C:\PROGRA~1
\NoPops\PopupKillerGUI.exe /nosplash
O4 - HKLM\..\Run: [ViewMgr] C:\Program
Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WildTangent CDA]
RUNDLL32.exe "C:\Program
Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMai
n
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px]
C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [eBayToolbar] C:\Program
Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Weather] C:\Program
Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [SpyKiller] C:\Program
Files\SpyKiller\spykiller.exe /startup
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program
Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &eBay Search -
res://C:\Program Files\eBay\eBay Toolbar2
\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Image in New Window -
res://C:\PROGRA~1\PopUpCop\popupcop.dll/imagenew
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-
00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-
A9046DEA8A21} - C:\Program Files\Microsoft
Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-
00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-
B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
(HKCU)
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 -
http://64.55.105.205/Java/cfs31229.cab
O16 - DPF: Yahoo! Pyramids -
http://download.games.yahoo.com/gam...ts/y/pyt1_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B}
(SysProWmi Class) -
http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB}
(BrowseFolderPopup Class) -
http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700}
(Windows Genuine Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?lin...467&clcid=0x409
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} -
http://www.stop-sign.com/pub/download/stop-sign_pop.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}
(MiniBugTransporterX Class) -
http://download.weatherbug.com/mini...klers/AWS/MiniB
ugTransporter.cab?
O16 - DPF: {3F1A2503-C1E0-4980-93DA-C64E44507EC1} (MSN
Money QuickList) -
http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} -
http://64.156.188.99/iwasher/pptpro...internetwasherp
ro.cab
O16 - DPF: {44EF3799-53A0-4D7A-BD9F-DC103F2FB8D9} (MSN
Money QuickList) -
http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
(McAfee.com Operating System Class) -
http://bin.mcafee.com/molbin/shared/mcinsctl/en-
us/4,0,0,76/mcinsctl.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466}
(HeartbeatCtl Class) -
http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
http://us.dl1.yimg.com/download.yah...l/installs/suit
e/autocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F}
(RealArcadeRdxIE Class) - http://games-
dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389}
(DwnldGroupMgr Class) -
http://bin.mcafee.com/molbin/shared/mcgdmgr/en-
us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} -
http://www.spyblast.com/download/SBFullSInst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN
Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: C-DillaCdaC11BA - Macrovision -
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown
owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager
(mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1
\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime
Engine (MCVSRte) - Networks Associates Technology, Inc -
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation -
C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) -
NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program
Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony
Corporation - C:\Program Files\Common Files\Sony
Shared\AVLib\SPTISRV.exe

>-----Original Message-----
>HijackThis works best in Safe Mode [(F8) during a boot and
>select Safe Mode Without Networking ]. Make sure you have
>a copy of winsockxpfix.exe just in case you can't get to
>the internet afterwards.
>
>http://www.iup.edu/house/resnet/winfix.shtm
>
>If you check this item and then Fix Checked that will get
>rid of your error message.
>
>O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe
>C:\WINDOWS\System32\msiefr40.dll,DllRunServer
>
>However, you have at least two more active spyware
>infections:
>
>O4 - HKLM\..\Run: [dos] dos64.exe
>O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program
>Files\Alset\HelpExpress\Fran Marren\HXIUL.EXE
>
>and a possible W32.Pandem.C.Worm infection:
>
>O4 - HKCU\..\Run: [POPUP BLOCKER] "C:\Program
>Files\AirSpell\POPUP BLOCKER\POPUP BLOCKER.exe"
>
>
>You also have a lot of dead toolbars and such:
>
>R3 - URLSearchHook: (no name) - {269B6797-664E-48AA-B283-
>B012BDF6E525} - (no file)
>
>O2 - BHO: (no name) - {C1A00154-3136-4A17-A22F-
>DE63A48A1A4F} - blank (file missing)
>
>O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D3FA-
>F27BA787AD2D} - (no file)
>
>O3 - Toolbar: (no name) - {B195B3B3-8A05-11D3-97A4-
>0004ACA6948E} - (no file)
>
>O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-
>F68587A44A73} - blank (file missing)
>
>O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-
>00C0F0318AFE} - (no file)
>
>and two nasty searchbar downloads:
>
>O8 - Extra context menu item: &Search -
>http://bar.mywebsearch.com/menusear...?p=ZPxdm183XXUS
>O9 - Extra button: Sidesearch - {000007C6-17DF-4438-92A4-
>DE5537471BA3} - C:\WINDOWS\System32\shdocvw.dll
>
>I don't trust anything with coupon in its name:
>
>O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35}
>(Brix6ie Control) -
>http://a19.g.akamai.net/7/19/7125/1....coupons.com/v7/
>brix6ie.cab
>
>
>I'd check all of the above and then hit Fix Checked. You
>will note that the spykiller did not do a very good job so
>hopefully you got it for free. I'd uninstall it and your
>popup stoppers. Rely on Microsoft AntiSpy and the best
>free popup stopper I've found is EMS Free Surfer mk II.
>
>http://emsproject.com/FS/Download.htm
>
>Select
>
>EMS Free Surfer mk II v. 2.1.026, multilanguage
>
>
>
>I don't like Weatherbug because it uses up a lot of
>network resources and also because it automatically gives
>you one of those nasty searchbars unless you uncheck it
>during install but I understand the official Microsoft
>position (after Weatherbug threatened to sue) is that it
>is not spyware so I'm not flagging it tho we do not allow
>it in our company.
>
>You also have a resource hog probably left over from
>Turbotax 2002:
>
>O23 - Service: C-DillaCdaC11BA - Macrovision -
>C:\WINDOWS\System32\drivers\CDAC11BA.EXE
>
>
>Turbotax installed this junk one year to keep you from
>copying their program. Problem is it runs all of the time
>and eats up memory and cpu cycles. Start then Right Click
>on My Computer and select Manage then Services and
>Applications then Services. Find C-Dilla in the right
>hand pane and double click on it. Set it to start
>manually or Disabled and Stop it. If it turns out that
>something needs it you can always turn it back on the same
>way.
>
>Reboot when done and run another HijackThis and post a new
>log so I can see how we did. If you don't hear from me
>right away send me an email. I have to monitor this forum
>via a browser and it's hard to see when new stuff shows up
>if it is not on the first page.
>
>Ron
>
>
>
>
>.
>

Old 22-03-2005, 11:14 PM   #8
Ron Kinner
Guest
 
Posts: n/a
Default RUNDLL

Log looks pretty clean. You still have the resource hog:

O23 - Service: C-DillaCdaC11BA - Macrovision -
C:\WINDOWS\System32\drivers\CDAC11BA.EXE

but I don't see anything I recognize as spyware.

Ron
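
Added example, not part of any post in this thread: a Python sketch of the triage done by hand in posts #6 and #8. It rejoins the newsgroup-wrapped HijackThis lines, lists entries whose file is gone, finds Run values that launch a missing DLL through rundll32 (the cause of the startup error), and diffs the two logs. The log excerpts are abridged from the logs above; the `PRESENT` set and all function names are assumptions made for the example.

```python
import re

# Every HijackThis finding starts with a section code such as "R3 - " or "O4 - ".
ENTRY_START = re.compile(r'^(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ')
# Markers HijackThis prints when a registered component's file is gone.
ORPHAN = re.compile(r'\((?:no file|file missing)\)')
# O4 Run values that start a DLL through rundll32, like the [Rundll32_7] entry.
RUN_RUNDLL = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] '
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.IGNORECASE)

def parse_entries(log_text):
    """Return one string per finding, undoing the newsgroup line wrapping."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line):
            entries.append(line)
        elif entries:  # continuation of the previous finding
            prev = entries[-1]
            # A wrap inside a GUID or before a path separator dropped nothing;
            # a wrap at a word boundary dropped the space.
            tight = line.startswith("\\") or (
                prev.endswith("-") and not prev.endswith(" -"))
            entries[-1] = prev + ("" if tight else " ") + line
    return entries  # header and process list precede the first finding

def orphaned(entries):
    """Entries HijackThis itself marks as pointing at a missing file."""
    return [e for e in entries if ORPHAN.search(e)]

def dangling_rundll(entries, file_exists):
    """Run values whose rundll32 target fails the supplied existence check."""
    hits = []
    for e in entries:
        m = RUN_RUNDLL.match(e)
        if m and not file_exists(m["dll"].strip()):
            hits.append((m["hive"], m["name"], m["dll"].strip()))
    return hits

def removed(before, after):
    """Findings present in the first log and absent from the second."""
    gone = set(before) - set(after)
    return [e for e in before if e in gone]

# Abridged from the first log in the thread, wrapped as posted.
BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE

R3 - URLSearchHook: (no name) - {269B6797-664E-48AA-B283-
B012BDF6E525} - (no file)
O2 - BHO: (no name) - {C1A00154-3136-4A17-A22F-
DE63A48A1A4F} - blank (file missing)
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32
\DSentry.exe
O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe
C:\WINDOWS\System32\msiefr40.dll,DllRunServer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\system32\NvCpl.dll,NvStartup
"""
# Abridged from the second log (after Fix Checked).
AFTER = r"""
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32
\DSentry.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\system32\NvCpl.dll,NvStartup
"""
# Constructed stand-in for a disk check (assumption); on the affected machine
# pass os.path.exists instead.
PRESENT = {r"c:\windows\system32\nvcpl.dll"}

def on_disk(path):
    return path.lower() in PRESENT

if __name__ == "__main__":
    before, after = parse_entries(BEFORE), parse_entries(AFTER)
    for hive, name, dll in dangling_rundll(before, on_disk):
        print(f"Run value [{name}] in {hive} launches missing {dll}")
    for e in orphaned(before):
        print("orphaned:", e)
    for e in removed(before, after):
        print("gone after fix:", e)
```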
Old 23-03-2005, 12:18 AM   #9
Fran
Guest
 
Posts: n/a
Default RUNDLL

Ron,

Thanks for all your help, my system is working fine.

Thanks,

Fran
>-----Original Message-----
>Log looks pretty clean. You still have the resource hog:
>
>O23 - Service: C-DillaCdaC11BA - Macrovision -
>C:\WINDOWS\System32\drivers\CDAC11BA.EXE
>
>but I don't see anything I recognize as spyware.
>
>Ron
>.
>
