RUNDLL

Fran

I get the following message after clicking any user:
Error loading c:\windows\systems32\msiefp40.dll. The
specified module could not be found. Any ideas? Thanks.
 
Ron Kinner

Something has removed spyware but forgotten to remove the
registry entry that started it up. Start, Run, regedit,
OK and then Edit, Find and search for msiefp40.dll. You
will probably find a key with a value of "rundll
c:\Windows\system32\msiefp40.dll". Highlight it and delete
it.

Search again to make sure it doesn't show up again.

Ron
 
Fran

I found one file and deleted it. Another search showed
nothing, but I still get the same error message "rundll".

Thanks
 
Fran

Here's the log. Thanks

Logfile of HijackThis v1.99.1
Scan saved at 2:09:02 AM, on 3/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Fran Marren\Local
Settings\Temporary Internet Files\Content.IE5\8DARKL23
\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.dellnet.com
R3 - URLSearchHook: (no name) - {269B6797-664E-48AA-B283-
B012BDF6E525} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-
784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0
\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-
AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2
\eBayTB.dll
O2 - BHO: (no name) - {C1A00154-3136-4A17-A22F-
DE63A48A1A4F} - blank (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-
209B6AD74ACC} - C:\Program Files\Microsoft
Money\System\mnyviewer.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D3FA-
F27BA787AD2D} - (no file)
O3 - Toolbar: (no name) - {B195B3B3-8A05-11D3-97A4-
0004ACA6948E} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-
905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-
F68587A44A73} - blank (file missing)
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-
B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2
\eBayTB.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32
\DSentry.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program
Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1
\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1
\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1
\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common
Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works
Shared\WkUFind.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1
\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe
C:\WINDOWS\System32\msiefr40.dll,DllRunServer
O4 - HKLM\..\Run: [dos] dos64.exe
O4 - HKLM\..\Run: [PopupKiller] C:\PROGRA~1
\NoPops\PopupKillerGUI.exe /nosplash
O4 - HKLM\..\Run: [ViewMgr] C:\Program
Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WildTangent CDA]
RUNDLL32.exe "C:\Program
Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMai
n
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px]
C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [eBayToolbar] C:\Program
Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Weather] C:\Program
Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [POPUP BLOCKER] "C:\Program
Files\AirSpell\POPUP BLOCKER\POPUP BLOCKER.exe"
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program
Files\Alset\HelpExpress\Fran Marren\HXIUL.EXE
O4 - HKCU\..\Run: [SpyKiller] C:\Program
Files\SpyKiller\spykiller.exe /startup
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program
Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &eBay Search -
res://C:\Program Files\eBay\eBay Toolbar2
\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Search -
http://bar.mywebsearch.com/menusearch.html?p=ZPxdm183XXUS
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Image in New Window -
res://C:\PROGRA~1\PopUpCop\popupcop.dll/imagenew
O9 - Extra button: Sidesearch - {000007C6-17DF-4438-92A4-
DE5537471BA3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-
00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-
00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-
A9046DEA8A21} - C:\Program Files\Microsoft
Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-
00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-
B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
(HKCU)
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 -
http://64.55.105.205/Java/cfs31229.cab
O16 - DPF: Yahoo! Pyramids -
http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B}
(SysProWmi Class) -
http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB}
(BrowseFolderPopup Class) -
http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700}
(Windows Genuine Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35}
(Brix6ie Control) -
http://a19.g.akamai.net/7/19/7125/1405/ftp.coupons.com/v7/
brix6ie.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} -
http://www.stop-sign.com/pub/download/stop-sign_pop.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}
(MiniBugTransporterX Class) -
http://download.weatherbug.com/minibug/tricklers/AWS/MiniB
ugTransporter.cab?
O16 - DPF: {3F1A2503-C1E0-4980-93DA-C64E44507EC1} (MSN
Money QuickList) -
http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} -
http://64.156.188.99/iwasher/pptproactauth/internetwasherp
ro.cab
O16 - DPF: {44EF3799-53A0-4D7A-BD9F-DC103F2FB8D9} (MSN
Money QuickList) -
http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
(McAfee.com Operating System Class) -
http://bin.mcafee.com/molbin/shared/mcinsctl/en-
us/4,0,0,76/mcinsctl.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466}
(HeartbeatCtl Class) -
http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suit
e/autocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F}
(RealArcadeRdxIE Class) - http://games-
dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389}
(DwnldGroupMgr Class) -
http://bin.mcafee.com/molbin/shared/mcgdmgr/en-
us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} -
http://www.spyblast.com/download/SBFullSInst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN
Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: C-DillaCdaC11BA - Macrovision -
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown
owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager
(mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1
\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime
Engine (MCVSRte) - Networks Associates Technology, Inc -
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation -
C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) -
NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program
Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony
Corporation - C:\Program Files\Common Files\Sony
Shared\AVLib\SPTISRV.exe
 
Ron Kinner

HijackThis works best in Safe Mode [(F8) during a boot and
select Safe Mode Without Networking]. Make sure you have
a copy of winsockxpfix.exe just in case you can't get to
the internet afterwards.

http://www.iup.edu/house/resnet/winfix.shtm

If you check this item and then Fix Checked that will get
rid of your error message.

O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe
C:\WINDOWS\System32\msiefr40.dll,DllRunServer

However, you have at least two more active spyware
infections:

O4 - HKLM\..\Run: [dos] dos64.exe
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program
Files\Alset\HelpExpress\Fran Marren\HXIUL.EXE

and a possible W32.Pandem.C.Worm infection:

O4 - HKCU\..\Run: [POPUP BLOCKER] "C:\Program
Files\AirSpell\POPUP BLOCKER\POPUP BLOCKER.exe"


You also have a lot of dead toolbars and such:

R3 - URLSearchHook: (no name) - {269B6797-664E-48AA-B283-
B012BDF6E525} - (no file)

O2 - BHO: (no name) - {C1A00154-3136-4A17-A22F-
DE63A48A1A4F} - blank (file missing)

O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D3FA-
F27BA787AD2D} - (no file)

O3 - Toolbar: (no name) - {B195B3B3-8A05-11D3-97A4-
0004ACA6948E} - (no file)

O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-
F68587A44A73} - blank (file missing)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-
00C0F0318AFE} - (no file)

and two nasty searchbar downloads:

O8 - Extra context menu item: &Search -
http://bar.mywebsearch.com/menusearch.html?p=ZPxdm183XXUS
O9 - Extra button: Sidesearch - {000007C6-17DF-4438-92A4-
DE5537471BA3} - C:\WINDOWS\System32\shdocvw.dll

I don't trust anything with coupon in its name:

O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35}
(Brix6ie Control) -
http://a19.g.akamai.net/7/19/7125/1405/ftp.coupons.com/v7/
brix6ie.cab


I'd check all of the above and then hit Fix Checked. You
will note that the spykiller did not do a very good job so
hopefully you got it for free. I'd uninstall it and your
popup stoppers. Rely on Microsoft AntiSpy and the best
free popup stopper I've found is EMS Free Surfer mk II.

http://emsproject.com/FS/Download.htm

Select

EMS Free Surfer mk II v. 2.1.026, multilanguage



I don't like Weatherbug because it uses up a lot of
network resources and also because it automatically gives
you one of those nasty searchbars unless you uncheck it
during install but I understand the official Microsoft
position (after Weatherbug threatened to sue) is that it
is not spyware so I'm not flagging it tho we do not allow
it in our company.

You also have a resource hog probably left over from
Turbotax 2002:

O23 - Service: C-DillaCdaC11BA - Macrovision -
C:\WINDOWS\System32\drivers\CDAC11BA.EXE


Turbotax installed this junk one year to keep you from
copying their program. Problem is it runs all of the time
and eats up memory and CPU cycles. Start then Right Click
on My Computer and select Manage then Services and
Applications then Services. Find C-Dilla in the right
hand pane and double click on it. Set it to start
manually or Disabled and Stop it. If it turns out that
something needs it you can always turn it back on the same
way.

Reboot when done and run another HijackThis and post a new
log so I can see how we did. If you don't hear from me
right away send me an email. I have to monitor this forum
via a browser and it's hard to see when new stuff shows up
if it is not on the first page.

Ron
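
The triage in the reply above, sketched as an added example (not part of the original thread, and not HijackThis's own logic): it rejoins the hard-wrapped log entries as posted here, then flags orphaned entries and Run values that start through rundll32 or by bare file name. The function names and the three heuristics are assumptions; a flag means "review this entry", not "this is spyware".

```python
import re

# Constructed sample: a few entries copied from the first log in this thread,
# kept hard-wrapped the way the forum posted them.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {269B6797-664E-48AA-B283-
B012BDF6E525} - (no file)
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-
F68587A44A73} - blank (file missing)
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32
\DSentry.exe
O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe
C:\WINDOWS\System32\msiefr40.dll,DllRunServer
O4 - HKLM\..\Run: [dos] dos64.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Weather] C:\Program
Files\AWS\WeatherBug\Weather.exe 1
"""

ENTRY = re.compile(r"^[RFNO]\d{1,2} - ")                    # start of a log entry
RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+)"?,(\S+)', re.I)


def rejoin(log):
    """Undo the hard wrap: glue continuation lines back onto their entry."""
    entries = []
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        if ENTRY.match(line):
            entries.append(line)
        elif entries:  # lines before the first entry (header, processes) are skipped
            prev = entries[-1]
            # A break inside a GUID, path or URL dropped no space; a break
            # between words, or after a " - " field separator, did.
            # Mid-word breaks in very long tokens cannot be told apart here.
            tight = (line.startswith("\\") or prev.endswith(("\\", "/"))
                     or (prev.endswith("-") and not prev.endswith(" -")))
            entries[-1] = prev + ("" if tight else " ") + line
    return entries


def triage(log):
    """Return {entry: [reasons]} for entries that deserve a manual look."""
    flagged = {}
    for entry in rejoin(log):
        reasons = []
        if entry.endswith(("(no file)", "(file missing)")):
            reasons.append("orphaned: registry entry points at a missing file")
        run = RUN.match(entry)
        if run:
            command = run.group(3)
            dll = RUNDLL.match(command)
            if dll:
                # If the DLL is later deleted but this value stays, the
                # "Error loading ... module could not be found" box appears.
                reasons.append("rundll32 autostart: %s -> %s" % dll.groups())
            elif "\\" not in command.split()[0]:
                reasons.append("bare file name: resolved through the search path")
        if reasons:
            flagged[entry] = reasons
    return flagged


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in reasons:
            print("    " + reason)
```

The NvCplDaemon entry is flagged alongside Rundll32_7, which shows why the output is a review list: the reviewer still has to decide which DLLs belong on the machine.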
 
Fran

Ron

New log. The error message is gone.

Thanks,

Fran


Logfile of HijackThis v1.99.1
Scan saved at 6:35:52 PM, on 3/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Fran Marren\Local
Settings\Temporary Internet Files\Content.IE5
\NYSZJL8P\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.dellnet.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-
784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0
\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-
AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2
\eBayTB.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-
209B6AD74ACC} - C:\Program Files\Microsoft
Money\System\mnyviewer.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-
905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-
B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2
\eBayTB.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32
\DSentry.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program
Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1
\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1
\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1
\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common
Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works
Shared\WkUFind.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1
\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [PopupKiller] C:\PROGRA~1
\NoPops\PopupKillerGUI.exe /nosplash
O4 - HKLM\..\Run: [ViewMgr] C:\Program
Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WildTangent CDA]
RUNDLL32.exe "C:\Program
Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMai
n
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px]
C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [eBayToolbar] C:\Program
Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Weather] C:\Program
Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [SpyKiller] C:\Program
Files\SpyKiller\spykiller.exe /startup
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program
Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &eBay Search -
res://C:\Program Files\eBay\eBay Toolbar2
\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Image in New Window -
res://C:\PROGRA~1\PopUpCop\popupcop.dll/imagenew
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-
00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-
A9046DEA8A21} - C:\Program Files\Microsoft
Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-
00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-
B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
(HKCU)
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 -
http://64.55.105.205/Java/cfs31229.cab
O16 - DPF: Yahoo! Pyramids -
http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B}
(SysProWmi Class) -
http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB}
(BrowseFolderPopup Class) -
http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700}
(Windows Genuine Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} -
http://www.stop-sign.com/pub/download/stop-sign_pop.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}
(MiniBugTransporterX Class) -
http://download.weatherbug.com/minibug/tricklers/AWS/MiniB
ugTransporter.cab?
O16 - DPF: {3F1A2503-C1E0-4980-93DA-C64E44507EC1} (MSN
Money QuickList) -
http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} -
http://64.156.188.99/iwasher/pptproactauth/internetwasherp
ro.cab
O16 - DPF: {44EF3799-53A0-4D7A-BD9F-DC103F2FB8D9} (MSN
Money QuickList) -
http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
(McAfee.com Operating System Class) -
http://bin.mcafee.com/molbin/shared/mcinsctl/en-
us/4,0,0,76/mcinsctl.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466}
(HeartbeatCtl Class) -
http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suit
e/autocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F}
(RealArcadeRdxIE Class) - http://games-
dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389}
(DwnldGroupMgr Class) -
http://bin.mcafee.com/molbin/shared/mcgdmgr/en-
us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} -
http://www.spyblast.com/download/SBFullSInst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN
Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: C-DillaCdaC11BA - Macrovision -
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown
owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager
(mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1
\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime
Engine (MCVSRte) - Networks Associates Technology, Inc -
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation -
C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) -
NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program
Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony
Corporation - C:\Program Files\Common Files\Sony
Shared\AVLib\SPTISRV.exe
 
Ron Kinner

Log looks pretty clean. You still have the resource hog:

O23 - Service: C-DillaCdaC11BA - Macrovision -
C:\WINDOWS\System32\drivers\CDAC11BA.EXE

but I don't see anything I recognize as spyware.

Ron
 
