7 Posts

February 17th, 2005 15:00

Persistent virus please help

I am in a nightmare.

My system: Dell Dimension 4100, Pentium 800, 256 MB RAM, 20 GB on C:, 60 GB on D:.

Friday night I was surfing happily when suddenly Spybot's TeaTimer warned me of changes in the registry. I tried to dismiss all the changes but my computer froze. I tried to reboot, but when I restarted I was stuck on the desktop with the hourglass frozen.

I wanted to restart from a floppy but, bad luck, the floppy drive broke, ate the disk and died.

I went to a computer store; they changed the floppy drive (A: OK) and said they had made a deep virus scan and that my computer was clean.

Well, I went back home, switched everything on, and bang: green desktop, empty, frozen hourglass.

Started in safe mode again, deleted 2 GB on C:, unchecked some stuff in msconfig. This seemed to do a lot of good and I restarted with my usual desktop.

Ran Spybot, which found a lot of stuff; Ad-Aware ditto. Norton found nothing.

Ran a2, found nothing, but Norton woke up and found me two viruses, quarantined.

But I still had a persistent virus: a line in msconfig appeared with sp / rundll32 c:\windows\temp\sp.dll install. That fff! stuff re-checks itself periodically. So I decided to destroy that dll.

Randomly a popup flashes from an unknown reseller telling me that my computer is infected. At that time I can't do anything with my stuff. I kill the process and it comes back again.

What I tried: ran Ad-Aware and Spybot several times…

Online scans with Trend Micro and BitDefender.

Nothing good.

CWShredder fixed some stuff…

My Temporary Internet Files make up more than two gigabytes (!). How can I clean that?

Well, last night it was worse: no internet at all.

AOL froze at startup; tried to install AOL 9, installation aborted, reboot, empty desktop and so on. Every time I try to open AOL the system freezes.

Worked a little bit in safe mode but without any results.

This morning, miracle: normal desktop. Ran Norton and, splash, two viruses quarantined.

The man at the computer shop always has the same answer, format and reinstall, but I am not ready for that.

Help me, I am going insane!

302 Posts

February 17th, 2005 18:00

I suspect you are working on a CoolWebSearch variant. There is one that has an sp.dll in c:\windows\temp.

See if this scan finds anything else:
http://www.mwti.net/antivirus/free_utilities.asp

For temp files cleanup this might help:
http://castlecops.com/reviews-189.html

 


8.8K Posts

February 17th, 2005 19:00

Let's start this way:
Go to here and do an online scan and delete whatever it finds. Be sure to highlight the drives you want to have searched.
After that could you please go to here
and download AdAwareSE and delete what it finds. Then while using
AdAware, click on add-ons and get their plug-in for the VX2 variant,
and run that and delete what it finds.
After that go to here
and download SpyBot and run that and delete what it finds.
Now go to here and download HiJackThis to its own folder that you create on your C:\ drive.
After it is downloaded open the program and click Scan and Save to log.

Post the log that it generates here.

Steve

7 Posts

February 17th, 2005 19:00

Thank you indeed to all.

Really, it's weird: when I came home everything was OK.

My son was happily surfing and so on... tried to update Norton, Ad-Aware and Spybot and same scenario...

everything frozen

Ran AboutBuster, fixed one or two things.

Safe mode twice; Norton pushed me out of safe mode and I don't know why.

Perfect reboot, everything is fine.

I'll try to post my HijackThis log tomorrow.

greetings pal

jr

7 Posts

February 18th, 2005 08:00

Oops, I forgot something: I am running on Windows 98 SE.
Well, this is not okay at all.
This morning Windows started back up again. I ran Norton, which found me some viruses: Trojan.StartPage, five copies of sp.dll and so on. Ran Ad-Aware, which found malware and destroyed it.
The only trouble is that I have no more access to Explorer: every time I click on the My Computer icon, explorer.exe freezes and I have to reset.
Here is a copy of the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 21:38:42, on 17/02/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\HIJACK\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.fr.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fourni par AOL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~2\COPERN~1.DLL
O2 - BHO: bhoEvents Class - {FC4C5EAE-66EE-11D4-BC67-0000E8E582D2} - C:\WINDOWS\E2BHO.DLL
O2 - BHO: (no name) - {D5F1B0A2-FD01-11D7-B0FA-0090D08E34C2} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\PROGRAM FILES\MYWAY\SRCHASTT\1.BIN\MYSRCHAS.DLL (file missing)
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~2\COPERN~1.DLL
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1036,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [Barre d'état système] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Chercher avec Copernic 2001 - C:\Program Files\Copernic 2001 Basic\Search Extension.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Chercher avec Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.rdl/INTEGRATION_MENU_SEARCHEXT
O8 - Extra context menu item: &Recherche AOL Toolbar - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: MP3 - {1537E842-0000-11D2-8059-111111111111} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: &WinMp3Locator - {1537E842-0000-11D2-8059-111111111111} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: Files - {1537E842-0001-11D2-8059-111111111111} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: &FileLocator - {1537E842-0001-11D2-8059-111111111111} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRAM FILES\COPERNIC AGENT\COPERNICAGENT.EXE
O9 - Extra 'Tools' menuitem: Démarrer Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRAM FILES\COPERNIC AGENT\COPERNICAGENT.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRAM FILES\COPERNIC AGENT\COPERNICAGENT.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: EasyClick - {05575EC1-B47D-11d3-8F04-00105A9965CA} - C:\WINDOWS\E2BAR.DLL
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra button: Dell Home - {2575C900-F179-11D4-B0FA-0080AD200DA9} - http://www.euro.dell.com/countries/fr/fra/gen/default.htm (file missing) (HKCU)
O12 - Plugin for .SWF: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .wma: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O12 - Plugin for .wmv: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O12 - Plugin for .wvx: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.fr
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/dell/site/PCPitStop.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://api.ehmel.hachette-multimedia.fr/ehm/includes/js/tdserver.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {17D8B270-9C15-11D3-8F03-00105A9965CA} (EasyClick Control) - http://www.easyclick.com/ie/pc/ec.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0352fbef0745546c1121/netzip/RdxIE601_fr.cab
O16 - DPF: {5CA8D349-C6E7-11D4-8166-009027DF3BB2} (France Telecom MDDK ActiveX Control) - http://accueil.ava.serveur-ava.com/stkid_data/ocx/mDKid.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/7/532/6712/2.0.0.33/player.virtools.com/downloads/player/Install2.0/Installer.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {981D847D-2C06-4FB7-A09C-4F0A48601B2C} (DiagSetup Class) - http://techcity.aol.fr/download/img/DiagSetup.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1
O21 - SSODL: systemie - {3D3B5A60-2AA5-11D8-B0FA-0090D08E34C2} - sysie.dll (file missing)
I do not know what to do.
Regards, jr

4.8K Posts

February 21st, 2005 22:00

Jean,

Hello! and welcome to the Dell forums.

-

Let's start with this - there are a few more entries that look really suspicious to me, but we'll leave those until the next pass.

If you haven't run HouseCall lately, let's go back to www.trendmicro.com, download the latest definitions, and run it.

Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:

regsvr32 /u E2BHO.DLL

It's ok if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.

Run HiJackThis and click "Scan", then check (tick) the following, if present:

R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~2\COPERN~1.DLL

O2 - BHO: bhoEvents Class - {FC4C5EAE-66EE-11D4-BC67-0000E8E582D2} - C:\WINDOWS\E2BHO.DLL
O2 - BHO: (no name) - {D5F1B0A2-FD01-11D7-B0FA-0090D08E34C2} - (no file)
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\PROGRAM FILES\MYWAY\SRCHASTT\1.BIN\MYSRCHAS.DLL (file missing)

O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

O9 - Extra button: EasyClick - {05575EC1-B47D-11d3-8F04-00105A9965CA} - C:\WINDOWS\E2BAR.DLL

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0352fbef0745546c1121/netzip/RdxIE601_fr.cab

Now, with all windows closed except HiJackThis, click "Fix checked".

Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:

files...

C:\WINDOWS\E2BHO.DLL
C:\WINDOWS\E2BAR.DLL

-

Note that some of these file(s) may or may not be present. If present, and they cannot be deleted because they're 'in use', try deleting them from "Safe Mode".

Post back a new log, and let me know how everything goes.

-

Mike.
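As an added illustration (not code from this thread or from any of the tools mentioned in it), the script below encodes the kind of triage Mike applied to the posted HijackThis log: registrations whose file is gone ("(no file)" / "(file missing)"), DLLs dropped straight into the Windows root rather than a program's own folder, anything loaded from C:\WINDOWS\TEMP (the sp.dll location the first reply pointed at), and ActiveX downloads (O16 DPF) fetched from a bare IP address. The sample lines are copied from the log above except for the O4 sp.dll line, which is constructed to mirror the msconfig entry the original poster described; the path rules are heuristics of my own, meant to surface entries for a human to look at, not to deliver verdicts.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in HijackThis 1.99 format. All lines but the O4 sp.dll one are
# copied from the log posted in this thread; the sp.dll line is an assumption built
# from the poster's description of the msconfig entry.
SAMPLE_LOG = r"""
O2 - BHO: bhoEvents Class - {FC4C5EAE-66EE-11D4-BC67-0000E8E582D2} - C:\WINDOWS\E2BHO.DLL
O2 - BHO: (no name) - {D5F1B0A2-FD01-11D7-B0FA-0090D08E34C2} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\sp.dll,install
O9 - Extra button: EasyClick - {05575EC1-B47D-11d3-8F04-00105A9965CA} - C:\WINDOWS\E2BAR.DLL
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0352fbef0745546c1121/netzip/RdxIE601_fr.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O21 - SSODL: systemie - {3D3B5A60-2AA5-11D8-B0FA-0090D08E34C2} - sysie.dll (file missing)
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
DRIVE_PATH_RE = re.compile(r'[A-Za-z]:\\[^\s,"]+')          # any X:\... token
WIN_TEMP_RE = re.compile(r"^[a-z]:\\windows\\temp\\", re.I)   # under %WINDIR%\TEMP
WIN_ROOT_DLL_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.dll$", re.I)  # DLL in %WINDIR% root
BARE_IP_URL_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)")


@dataclass
class Entry:
    section: str            # "O2", "O16", ...
    body: str               # text after "Oxx - "
    target: str             # the path, URL or command line the entry loads
    flags: List[str] = field(default_factory=list)


def _target_of(section: str, body: str) -> str:
    """Pull out what the entry actually loads."""
    if section == "O4":
        # O4 - HKLM\..\Run: [name] command line   -> command line
        return body.split("] ", 1)[1] if "] " in body else body
    # other sections end with " - <path or URL>"
    return body.rsplit(" - ", 1)[-1]


def parse(log_text: str) -> List[Entry]:
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue          # header lines, process list, blanks
        section, body = m.group("section"), m.group("body")
        entries.append(Entry(section, body, _target_of(section, body)))
    return entries


def flag(entry: Entry) -> Entry:
    """Attach heuristic findings to one entry (assumed rules, not verdicts)."""
    t = entry.target
    if "(no file)" in t or "(file missing)" in t:
        entry.flags.append("orphan: registered component's file is gone")
    for path in DRIVE_PATH_RE.findall(t):
        if WIN_TEMP_RE.match(path):
            entry.flags.append(f"loads from Windows TEMP: {path}")
        elif WIN_ROOT_DLL_RE.match(path):
            entry.flags.append(f"DLL placed directly in Windows root: {path}")
    if entry.section == "O16" and BARE_IP_URL_RE.match(t):
        entry.flags.append("ActiveX download from a bare IP address")
    return entry


def triage(log_text: str) -> List[Entry]:
    return [flag(e) for e in parse(log_text)]


def suspicious(log_text: str) -> List[Entry]:
    """Only the entries that tripped at least one rule."""
    return [e for e in triage(log_text) if e.flags]


if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(f"{e.section} | {e.target}")
        for f in e.flags:
            print(f"    -> {f}")
```

Run against the sample, seven of the ten lines are surfaced and the three legitimate ones (Spybot's SDHelper, Norton Auto-Protect, the Trend Micro HouseCall control) are left alone, which matches the split Mike made by hand. A real review would still confirm each flagged file before unregistering or deleting it, exactly as the thread does.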

7 Posts

February 22nd, 2005 17:00

Thank you Mike, just two questions: I thought the command to unregister the dll was strictly XP, and I am under Win98.
Can I run HijackThis in normal mode? I tried in safe mode but it kills my eyes.
The two dlls you mentioned are in the Windows folder, OK. I already tried to locate them with the Windows Find or Search option (sorry, I translate from French) but in vain.
See you,
JR

4.8K Posts

February 22nd, 2005 23:00

JeanRene,

You're more than welcome!

-

Thanks for the good info! I'll have to add that to my software so it doesn't kick out that step on anything other than an XP system.

Yes you can; HiJackThis can be run from normal mode. You should be able to delete the files you've located in the Windows folder.

It's ok. It took me a few passes, but I think you and I have done very well working together on this one.

Mike.
 