
Please Help! I can't even run I.Explorer - -

Discussion in 'Security and Privacy' started by Ingeniero1, 2004/08/09.

  1. 2004/08/09
    Ingeniero1 Contributing Member

    I can't run Internet Explorer!

    It started while I was looking at ads on the net. All of a sudden, my screen filled with pop-ups, and the bar along the bottom of the display, where all the tasks are listed, became full of small "http--" entries, to the point that only "ht" would be displayed. I couldn't close them.

    Then, the home page changed automatically to 'about:blank', and even though I have manually reset it to Google or MSN several times before even starting the program (by going to its properties), it reverts to 'about:blank'.

    Anyway, I ran Ad-Aware and Spybot three times already, and found and fixed a few items, but the problem persists. I have deleted several files myself, including many with the word 'pop' within the file names, which I had not seen before. This has done no good so far.

    With all these pop-ups, the PC gets low on resources very fast, and I have to shut it down.

    Upon booting up, I can tell that something new (since today) has started running by how long it takes to finally be ready, but pressing Alt-Ctrl-Del does not reveal any unusual tasks.

    (Edit to add: I even have my Advanced Security set so no programs can be downloaded - not much good, I guess.)

    PLEASE PLEASE HELP ME -
    I need to access the internet for work, and I can't get past the opening screen!

    A Googol Thanks! (not goggle..)

    Alex
     
    Last edited: 2004/08/09
  2. 2004/08/09
    Newt

    From Quicklinks in my signature, download the latest version of HijackThis (should be 1.98.2) and put the .exe in a folder of its own. C:\hjt is good. Just avoid placing it in a temp folder or directly on the desktop.

    Run the .exe and click the option to scan. When it's done you'll have an option to save a log file. Do that, and when it's saved a copy will open in Notepad. Select the entire log file and post it here. From the sounds of things it will be a long one, so you may have to split it into two or three replies.

    You will get very specific instructions about what to do from there. Not a good idea to start fixing things on your own though, since HJT doesn't know or care about bad things vs. good things and you can easily do damage unless you know exactly what you are doing.

    Meanwhile, make sure you have the latest version of Spybot (1.3) with updated ref files and set it to immunize. Then download and update SpywareBlaster (also in Quicklinks) and let it block all the baddies it can find. Won't help much right now, but it will avoid your getting lots of this junk again after we get it fixed.
     
    Newt,
    #2


  4. 2004/08/09
    Ingeniero1 Contributing Member

    Newt,
    Thanks for replying -

    Please remember, once I connect to the internet with my PC - the one with the problem - I am not able to do anything. This one, the one I am using now, is not mine. Can I download it here, save it to a disk (I hope a CD), then load it onto my PC and go from there?

    Again, thanks for your help - much appreciated.

    Alex
     
  5. 2004/08/09
    Newt

    The HijackThis exe is under 200Kb, so it will fit easily on a floppy.

    No install needed, so just copy it to the infected PC and run it. You can save the log file back to the floppy, since at most it will be 10-15Kb.

    The strong recommendation to put it in a folder of its own is because any changes you make with HijackThis will create backup files that should stay in one place.
     
    Newt,
    #4
  6. 2004/08/10
    Ingeniero1 Contributing Member

    I ran HijackThis; here are the results:
    Logfile of HijackThis v1.98.2
    Scan saved at 4:12:00 PM, on 8/10/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\MSOFFICE.EXE
    C:\HJT\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: G1.GZ - {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - C:\WINDOWS\ALL USERS\APPLICATION DATA\PRIBI\PRIBI.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {126EBABD-43F7-44A6-941E-FCA6E3C22C4D} - C:\WINDOWS\SYSTEM\BHPIEDA.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE "
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O18 - Filter: text/html - {A2B52B71-584B-4C19-B6A4-08FE74CD7007} - C:\WINDOWS\SYSTEM\BHPIEDA.DLL
    O18 - Filter: text/plain - {A2B52B71-584B-4C19-B6A4-08FE74CD7007} - C:\WINDOWS\SYSTEM\BHPIEDA.DLL

    Is this what I was supposed to do, and if so, what's next?

    Again, Thank you so much!

    Alex
     
  7. 2004/08/10
    Newt

    That was exactly what you needed to do.

    I found some stuff that needs removing, but I wasn't able to find the source of the problem, so more investigating is needed.

    No sign of any antivirus program running, and that's not good. For now, once you get the cleaning below done (so hopefully you can get to the internet for a while), do a scan at one of the online sites that will remove any infections found. In Quicklinks (from my signature) go to the eTrust site, since it will clean what it finds.

    But first, take care of the below items.

    C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH. EXE

    Office XP search tool and, as with other versions of 'Fast Find', a resource hog that doesn't work particularly well, so Start~Run~msconfig and disable it from running at startup. Not spyware, but just an item Microsoft never does seem to have gotten quite right.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    Placed there by a hijack, so run HijackThis, check each one, and let HijackThis remove the entries.

    C:\WINDOWS\SYSTEM\QTTASK.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

    More system sludge you don't need starting every time you boot up, so another one to disable with msconfig.

    O2 - BHO: (no name) - {126EBABD-43F7-44A6-941E-FCA6E3C22C4D} - C:\WINDOWS\SYSTEM\BHPIEDA.DLL
    O18 - Filter: text/html - {A2B52B71-584B-4C19-B6A4-08FE74CD7007} - C:\WINDOWS\SYSTEM\BHPIEDA.DLL
    O18 - Filter: text/plain - {A2B52B71-584B-4C19-B6A4-08FE74CD7007} - C:\WINDOWS\SYSTEM\BHPIEDA.DLL
    I can't find any information on this one, which is often a bad sign. Unless you know what it is and have it loaded for a reason, I'd remove these with HijackThis also, and then rename the file to bhpieda.dll-old so it won't be actively doing anything, but so you can rename it back if something is broken.

    From your browser, empty the temporary internet files and dump all cookies.

    From windows explorer, empty all \temp folders on the PC.

    Then do an online virus scan and after that, make sure your version of Spybot is up to date (v1.3, and then get any updates). Then get, install, update, and run Ad-Aware (also in Quicklinks) and let it remove anything it finds.

    Next I strongly suggest you get some onboard AV protection. The free version of AVG is good.

    Then do another run of HijackThis to create a log, and post it.

    Hopefully one of the real security experts will spot something I've missed or have some other ideas about the cause of your problems. I've not suggested a reboot since I'm thinking that until we find a cause, a reboot might just reload some junk again.
     
    Newt,
    #6
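    The pattern Newt is reading off the log above (IE search and start pages redirected to a file:// page in TEMP, an unnamed BHO loaded from the Windows system folder, and an O18 MIME filter for text/html served by that same DLL) can be checked mechanically, and so can the question that comes up later in the thread: what did a cleanup actually remove? The script below is an added example written for this page; it is not a tool from the thread, from HijackThis, or from any of the posters. It parses the R/O entry lines of a HijackThis log, flags that pattern, and diffs two scans. The two sample logs are constructed here as short excerpts of the 8/10 and 8/12 logs posted in this thread (including the later "(file missing)" line), and the rules encode only the indicators the thread itself points at.

```python
import re
from typing import List, Set, Tuple

# Constructed samples: excerpts of the 8/10 and 8/12 HijackThis logs posted in this thread.
BEFORE_LOG = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {126EBABD-43F7-44A6-941E-FCA6E3C22C4D} - C:\WINDOWS\SYSTEM\BHPIEDA.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O18 - Filter: text/html - {A2B52B71-584B-4C19-B6A4-08FE74CD7007} - C:\WINDOWS\SYSTEM\BHPIEDA.DLL
"""

AFTER_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {0A2608A2-F8AB-4C0F-8C3C-093C79A4DF57} - C:\WINDOWS\SYSTEM\BHPIEDA.DLL (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
"""

# HijackThis entry lines look like "R1 - ..." or "O18 - ..."; header and process list are skipped.
ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
SYSTEM_DIR = "C:\\WINDOWS\\SYSTEM\\"


def parse_entries(log: str) -> List[Tuple[str, str]]:
    """Return (kind, body) for every R/O entry line in a HijackThis log."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def _path_of(body: str) -> str:
    """For O2/O18 bodies, the DLL path follows the CLSID; tolerate ' - ' inside the path."""
    m = CLSID_RE.search(body)
    tail = body[m.end():] if m else body
    return tail.lstrip(" -").replace(" (file missing)", "").strip()


def _in_system_folder(path: str) -> bool:
    """True when the DLL sits directly in C:\\WINDOWS\\SYSTEM (no product subfolder)."""
    p = path.upper()
    return p.startswith(SYSTEM_DIR) and "\\" not in p[len(SYSTEM_DIR):]


def flag_entries(log: str) -> List[Tuple[str, str, str]]:
    """Return (severity, reason, entry) for entries matching the hijack pattern in this thread."""
    findings = []
    bho_dlls: Set[str] = set()
    filter_dlls: Set[str] = set()
    for kind, body in parse_entries(log):
        entry = f"{kind} - {body}"
        if kind in ("R0", "R1") and "=" in body:
            value = body.split("=", 1)[1].strip().lower()
            if value.startswith("file://"):
                findings.append(("high", "IE search/start page points at a local file", entry))
            elif value == "about:blank":
                findings.append(("medium", "IE page reset to about:blank (hijack residue)", entry))
        elif kind == "O2":
            path = _path_of(body)
            bho_dlls.add(path.upper())
            if "(no name)" in body and _in_system_folder(path):
                findings.append(("high", "unnamed BHO loaded from the Windows system folder", entry))
        elif kind == "O18" and body.startswith("Filter:"):
            path = _path_of(body)
            filter_dlls.add(path.upper())
            mime = body.split(" - ", 1)[0].replace("Filter:", "").strip()
            if mime in ("text/html", "text/plain"):
                findings.append(("high", f"MIME filter for {mime} sees every page IE renders", entry))
    # The same DLL registered as both a BHO and a MIME filter is the strongest signal in the log.
    for dll in sorted(bho_dlls & filter_dlls):
        findings.append(("critical", "same DLL registered as both BHO and MIME filter", dll))
    return findings


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Entries present only in `before` (removed by the cleanup) and only in `after` (new)."""
    b = {f"{k} - {v}" for k, v in parse_entries(before)}
    a = {f"{k} - {v}" for k, v in parse_entries(after)}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for sev, why, entry in flag_entries(BEFORE_LOG):
        print(f"[{sev:8}] {why}\n           {entry}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("\nRemoved since first scan:", *removed, sep="\n  ")
    print("New since first scan:", *added, sep="\n  ")
```

    Run against the 8/10 excerpt, the script reports the two file:// search entries, the about:blank entry, the unnamed BHO, the text/html filter, and then one critical finding because BHPIEDA.DLL is behind both the O2 and the O18 entry. The diff against the 8/12 excerpt shows the search entries and the filter gone and a stale BHO registration for a file that no longer exists, which is exactly the state the later log in this thread shows.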
  8. 2004/08/10
    Ingeniero1 Contributing Member

    Newt,
    Did all steps as you suggested, including removing the cookies and other temp files. Then ran Ad-Aware (found three objects - removed) and SpyBot (just found DSO Exploit - removed).

    Turned the PC off and then on, started Internet Explorer, and suffered the same problem - pop-ups galore. So I still can't get anything through the net.

    (BTW, I used to have Norton Anti-Virus, a copy I bought a couple of months ago at Best Buy, and it created lots of problems, so I stopped it.)

    As soon as I can connect again, I will download whichever anti-virus software you suggest, and I will gladly pay for it. Perhaps McAfee? It's what this PC has.

    I ran HJT again and these are the results:
    Logfile of HijackThis v1.98.2
    Scan saved at 10:27:18 PM, on 8/10/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\MSOFFICE.EXE
    C:\HJT\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: G1.GZ - {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - C:\WINDOWS\ALL USERS\APPLICATION DATA\PRIBI\PRIBI.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {0A2608A2-F8AB-4C0F-8C3C-093C79A4DF57} - C:\WINDOWS\SYSTEM\BHPIEDA.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE "
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O18 - Filter: text/html - {A2B52B71-584B-4C19-B6A4-08FE74CD7007} - C:\WINDOWS\SYSTEM\BHPIEDA.DLL

    I really appreciate your help!
    Alex
     
  9. 2004/08/10
    indmusic

    Set Windows to Show Hidden Files and Folders

    Do another scan with HijackThis and put a check next to these entries,
    and then FIX CHECKED when ALL other windows are closed:

    O2 - BHO: G1.GZ - {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - C:\WINDOWS\ALL USERS\APPLICATION DATA\PRIBI\PRIBI.DLL

    RESTART your computer and then delete this folder
    C:\WINDOWS\ALL USERS\APPLICATION DATA\PRIBI <<the Pribi folder, if it exists

    You look like you have a hidden installer, try this

    GoTo:
    Start>run>Type:

    msinfo32

    *Expand: "Software Environment "
    *Expand: "System hooks "
    File may be listed As:

    -Hook type: Window Procedure
    -Hooked by: XXXXX.dll
    -Application: RUNDLL32.EXE
    -Dll path: C:\WINDOWS\SYSTEM\XXXXX.dll
    -Application path: C:\WINDOWS\RUNDLL32.EXE

    Where XXXXX.dll is the file name.

    If so, highlight it, use Edit > Copy, and post it here.

    NEXT: Also, to help identify the hidden .dll,
    download STARTDRECK === just over 330 kb
    http://members.blackbox.net/hp_links/21/nikolaus.rameis/_data/startdreck.zip
    Unzip it to its own folder on the infected machine

    run StartDreck.exe:
    Hit: -config
    hit: -Unmark all
    Check these boxes only:
    *Registry->run keys
    *Registry->Browser helper objects
    *System/drivers> Running processes
    hit >ok.

    Use the "save" tab, to save, name and post the log!

    While you're at it, could you also go to FAL's site
    and download
    Win98Fix.zip
    About 98kb - don't let the name win98fix confuse you :)
    Don't run this yet; you will need it, however, if the hidden installer is identified.
     
  10. 2004/08/11
    Ingeniero1 Contributing Member

    Thanks Indmusic,
    I'll try that as soon as I get home 2nite.
    Alex
     
  11. 2004/08/11
    LDTate

    You need to visit Windows Update. Scan for updates and accept all critical updates.
    Reboot and go back to Windows Update until there are no more criticals offered.
     
  12. 2004/08/11
    Ingeniero1 Contributing Member

    Indmusic:

    So far this is what I have been able to do:
    ======================================
    DONE = Set Windows to Show Hidden Files and Folders

    DONE = Do another Scan with Hijackthis and put a check next to these entries and then FIX CHECKED when ALL other windows are closed
    O2 - BHO: G1.GZ - {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - C:\WINDOWS\ALL USERS\APPLICATION DATA\PRIBI\PRIBI.DLL

    DONE = RESTART your computer and then delete this folder
    C:\WINDOWS\ALL USERS\APPLICATION DATA\PRIBI <<the Pribi folder,if it exists (YES, IT DID)

    You look like you have a hidden installer, try this

    DONE = GoTo:Start>run>Type:msinfo32
    DONE = *Expand: "Software Environment "
    CAN'T >> *Expand: "System hooks" (DON'T HAVE "System Hooks")
    ===============================

    I did look at other stuff under "Software Environment" and saw a module, "BHPIEDA.DLL", with a date of 9 Aug 04, which is when the problem started. Its version is 'UNAVAILABLE', and it resides in 'Win\Sys'. I tried to delete it, but I couldn't because "Windows is using it".

    Also, every time I run a program, I now get an error message:
    XXXprogram has caused an error in IPHLPAPI.DLL, and XXXprogram will now close. Funny thing, I get this error message when I start some programs, but they continue to run fine.

    1. Shouldn't I have System Hooks?
    2. Should I delete BHPIEDA.DLL, and if yes, how?
    3. Should I do the other stuff you recommended even if I can't access the "System Hooks "?

    BTW, I haven't tried to start the IE yet today...

    Thanks -

    Alex
     
  13. 2004/08/11
    Newt

    Here is some more on Adware.Fastfind (PRIBI.DLL). You might want to remove the additional stuff that Symantec suggests.

    2. Should I delete BHPIEDA.DLL, and if yes, how?
    Get a program called MoveOnBoot (the download will fit on a floppy) and after you install it you will have a new right-click option to delete files on next reboot. Highlight the .dll, right-click and select that then OK. It will go away when you next reboot your PC.

    As to the rest of the hidden stuff that is giving you problems, I'll be as interested as you to see the suggested fix since it's beyond me.
     
  14. 2004/08/11
    indmusic

    You need to back up a step and download the programs I asked of you,
    Ingeniero.

    Let's make sure we got the right one; sounds like you nailed it,
    but we need the other program to verify it and the win98fix to reveal it.


    "NEXT: Also, to help identify the hidden .dll,
    download STARTDRECK === just over 330 kb
    http://members.blackbox.net/hp_link.../startdreck.zip
    Unzip it to its own folder on the infected machine

    run StartDreck.exe:
    Hit: -config
    hit: -Unmark all
    Check these boxes only:
    *Registry->run keys
    *Registry->Browser helper objects
    *System/drivers> Running processes
    hit >ok.

    Use the "save" tab, to save, name and post the log!
     
  15. 2004/08/11
    Ingeniero1 Contributing Member

    :D I proceeded to load and run MoveOnBoot and it worked!!!!! :D - - It got rid of BHPIEDA.DLL and now I am able to run IE (I am actually using my very own PC right now!!!! :) )

    I also ran Ad-Aware and it found 10 objects (& removed), and SpyBot found the usual DSO.

    The first time I started IE after removing BHPIEDA.DLL, the homepage still was 'about:blank', but I was able to change it to 'Google' and it stayed.

    I dumped all the cookies and temp files, rebooted, and it seems to be running fine. However, I still get the annoying 'error' notice, but it doesn't seem to affect anything. I suspect I must have deleted a required file along the way.

    Now that it is running OK (at least rather operational), what do you recommend I do next?

    Also, what anti-virus or other protection software do you recommend? As I said earlier, I have Norton AntiVirus 2004, which I bought at the store, but it interfered with several programs, so I disabled it.

    Thanks!

    Alex
     
  16. 2004/08/12
    Lonny Jones

    Post the log from the tool indmusic suggested. It needs to be done the way he suggested; then, in another reply, post a new HijackThis log too.
     
  17. 2004/08/12
    Ingeniero1 Contributing Member

    OK Lonny,

    Will gladly do so as soon as I get home tonight - :)

    Alex
     
  18. 2004/08/12
    Ingeniero1 Contributing Member

    The StartDreck file:
    StartDreck (build 2.1.7 public stable) - 2004-08-12 @ 16:47:33 (GMT -05:00)
    Platform: Windows ME (Win 4.90.3000 )
    Internet Explorer: 5.50.4134.0100

    »Registry
    »Run Keys
    »Current User
    »Run
    *ctfmon.exe=ctfmon.exe
    »RunOnce
    »Default User
    »Run
    *ctfmon.exe=ctfmon.exe
    »RunOnce
    »Local Machine
    »Run
    *ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
    *TaskMonitor=C:\WINDOWS\taskmon.exe
    *PCHealth=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    *SystemTray=SysTray.Exe
    *Adaptec DirectCD=C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *CreateCD=C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    +OptionalComponents
    +MSFS
    *Installed=1
    +MAPI
    *Installed=1
    *NoChange=1
    +MAPI
    *Installed=1
    *NoChange=1
    »RunOnce
    »RunServices
    *MDM7= "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE "
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *SchedulingAgent=mstask.exe
    **StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
    »RunServicesOnce
    **xzkm=rundll32 C:\WINDOWS\SYSTEM\WDM.DLL,StreamingDeviceSetup
    »RunOnceEx
    »RunServicesOnceEx
    »File Associations (CR)
    +.bat
    *batfile= "%1" %*
    +.com
    *comfile= "%1" %*
    +.disabled
    *SpybotSD.DisabledFile= "C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" "%1 "
    +.exe
    *exefile= "%1" %*
    +.hta
    *htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
    +.htm
    *htmlfile= "C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
    +.html
    *htmlfile= "C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
    +.js
    *JSFile=C:\WINDOWS\WScript.exe "%1" %*
    +.jse
    *JSEFile=C:\WINDOWS\WScript.exe "%1" %*
    +.pif
    *piffile= "%1" %*
    +.reg
    *regfile=regedit.exe "%1 "
    +.scr
    *scrfile= "%1" /S
    +.txt
    *txtfile=C:\WINDOWS\NOTEPAD.EXE %1
    +.vbs
    *VBSFile=C:\WINDOWS\WScript.exe "%1" %*
    +.vbe
    *VBEFile=C:\WINDOWS\WScript.exe "%1" %*
    +.wsh
    *WSHFile=C:\WINDOWS\WScript.exe "%1" %*
    +.wsf
    *WSFFile=C:\WINDOWS\WScript.exe "%1" %*
    +.lnk
    `lnkfile= [key or value does not exist]
    »Browser Helper Objects (LM)
    *AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    `InprocServer32=C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    *{53707962-6F74-2D53-2644-206D7942484F}
    `InprocServer32=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    *Google Toolbar Helper/{AA58ED58-01DD-4d91-8333-CF10577473F7}
    `InprocServer32=c:\program files\google\googletoolbar1.dll
    *{0A2608A2-F8AB-4C0F-8C3C-093C79A4DF57}
    `InprocServer32=C:\WINDOWS\SYSTEM\BHPIEDA.DLL
    »Files
    »Autostart Folders
    »Current User
    *C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
    »Default User
    *C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
    »Local Machine
    »INI-Files
    »WIN.INI\[windows]
    *LOAD=
    *RUN=
    »SYSTEM.INI\[boot]
    *SHELL=Explorer.exe
    »Text Files
    *C:\msdos.sys
    *C:\config.sys
    *C:\autoexec.bat
    *C:\WINDOWS\wininit.bak
    *C:\WINDOWS\winstart.bat
    *C:\WINDOWS\command\cmdinit.bat
    »System/Drivers
    »Running Processes
    +FF0F6C89=C:\WINDOWS\SYSTEM\KERNEL32.DLL
    +FFFFAA69=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    +FFFE0BA9=C:\WINDOWS\SYSTEM\mmtask.tsk
    +FFFE01ED=C:\WINDOWS\SYSTEM\MPREXE.EXE
    +FFFE5171=C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    +FFFE8BD5=C:\WINDOWS\SYSTEM\MSTASK.EXE
    +FFFE9491=C:\WINDOWS\RUNDLL32.EXE
    +FFFECEA5=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    +FFFD7A61=C:\WINDOWS\EXPLORER.EXE
    +FFFC1349=C:\WINDOWS\TASKMON.EXE
    +FFFDC7F9=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    +FFFC2E59=C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    +FFFCA6ED=C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
    +FFFA28CD=C:\WINDOWS\SYSTEM\CTFMON.EXE
    +FFFA31B9=C:\WINDOWS\SYSTEM\WMIEXE.EXE
    +FFFB2591=C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\MSOFFICE.EXE
    +FFF934F5=C:\WINDOWS\SYSTEM\STIMON.EXE
    +FFF8971D=C:\WINDOWS\SYSTEM\PSTORES.EXE
    +FFF7E7B1=C:\WINDOWS\SYSTEM\DDHELP.EXE
    +FFF938A5=C:\WINDOWS\SYSTEM\SPOOL32.EXE
    +FFF5620D=C:\PROGRAM FILES\STARTDRECK\STARTDRECK.EXE
    »NT Services
    »Application specific

    Will post a new HijackThis log next -

    Alex
     
  19. 2004/08/12
    Ingeniero1 Contributing Member

    The HijackThis log:
    ---------------------------
    Logfile of HijackThis v1.98.2
    Scan saved at 4:52:38 PM, on 8/12/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\MSOFFICE.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\HJT\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {0A2608A2-F8AB-4C0F-8C3C-093C79A4DF57} - C:\WINDOWS\SYSTEM\BHPIEDA.DLL (file missing)
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE "
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O18 - Filter: text/html - {A2B52B71-584B-4C19-B6A4-08FE74CD7007} - C:\WINDOWS\SYSTEM\BHPIEDA.DLL

    ----------------------------------

    Anything harmful anywhere?

    As far as operational... so far so good!

    thanks -

    Alex

    And now out to eat w/my wife to celebrate our 39th wedding anniversary. Am I old? Well, just 58, but old enough that when I started with computers all the programming was in assembly language, and I started with 4-bit, then 8-bit, then 16-bit processors, but never had the joy of assembly-programming a 32-bit or higher processor. Then I graduated to DOS and Unix... Win2.0 (limited) Win 3.0 (not very good), Win 3.1 (much better) and even Beta-tested Windows 95, ...Oh well - now I don't know very much... but you are here to help! THANKS GUYS!!!!
     
  20. 2004/08/12
    Ingeniero1 Contributing Member

    Ingeniero1 Inactive Thread Starter

    Joined:
    2004/05/27
    Messages:
    173
    Likes Received:
    0
    Oh, Oh!

    Now, after running IE for a while and visiting several sites that have been 'safe', all of a sudden the home page reverted to about:blank!! and one ad popped up. Fortunately that was it, and I was able to change the home page setting. A while later, it changed again to about:blank, but no pop-ups. Again, I changed it to Google, and it is staying....

    I searched for any new (one day) .dll files and did not find BHPIEDA.DLL but found EID.DLL in win\sys... I suspect (maybe wrongly) that some of the bad files have random names, so what BHPIEDA.DLL was doing may well be done under a different name.

    I tried to remove EID.DLL and couldn't. Should I remove it using MoveOnBoot?

    Anyway, here is a new HijackThis log:
    Logfile of HijackThis v1.98.2
    Scan saved at 9:03:45 PM, on 8/12/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\MSOFFICE.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\HJT\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {B363A68A-EDAF-419D-AA65-FA79C50E3CB0} - C:\WINDOWS\SYSTEM\EID.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE "
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O18 - Filter: text/html - {D6A2BB61-1D18-4AEB-AB27-836D3893B350} - C:\WINDOWS\SYSTEM\EID.DLL
    O18 - Filter: text/plain - {D6A2BB61-1D18-4AEB-AB27-836D3893B350} - C:\WINDOWS\SYSTEM\EID.DLL

    thanks -
    Alex

    (had a very nice dinner...)
     
  21. 2004/08/12
    Ingeniero1 Contributing Member

    Ingeniero1 Inactive Thread Starter

    Joined:
    2004/05/27
    Messages:
    173
    Likes Received:
    0
    Well, I went ahead and removed EID.DLL with MoveOnBoot, as it was the 'new' module running according to MSINFO32. That cured it. But what loaded it?

    Alex
     
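The second log above already answers "what loaded it?": EID.DLL is registered both as an O2 browser helper object and as the O18 MIME filters for text/html and text/plain, which IE loads for every page it renders, and BHPIEDA.DLL held the same two positions in the earlier log. The Python triage below, an added example that is not from this thread or from HijackThis, parses HijackThis entry lines and flags any DLL registered in both roles alongside the R0/R1 entries pointing IE at a local file:// page or about:blank; the embedded log lines are copied from the thread's second log.

```python
import re

# Entry lines copied from the second HijackThis log posted in this thread
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {B363A68A-EDAF-419D-AA65-FA79C50E3CB0} - C:\WINDOWS\SYSTEM\EID.DLL
O18 - Filter: text/html - {D6A2BB61-1D18-4AEB-AB27-836D3893B350} - C:\WINDOWS\SYSTEM\EID.DLL
O18 - Filter: text/plain - {D6A2BB61-1D18-4AEB-AB27-836D3893B350} - C:\WINDOWS\SYSTEM\EID.DLL
"""

ENTRY = re.compile(r"^(?P<kind>R[0-3]|O\d+) - (?P<body>.+)$")
# The module path follows the CLSID. Anchoring on the CLSID avoids splitting on a
# " - " that belongs to the path itself (e.g. "Spybot - Search & Destroy").
MODULE = re.compile(r"\{[0-9A-Fa-f-]+\}\s*-\s*(?P<path>.+?)(?: \(file missing\))?$")
REDIRECT = re.compile(r"= (file://|about:blank)")

def parse(log):
    """Yield (kind, body) for each HijackThis entry line; headers and process lists are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")

def load_vectors(log):
    """Map each module named by an O2 (BHO) or O18 (MIME filter) entry to the entries that load it."""
    vectors = {}
    for kind, body in parse(log):
        if kind in ("O2", "O18"):
            m = MODULE.search(body)
            if m:
                vectors.setdefault(m.group("path").lower(), []).append(f"{kind} - {body}")
    return vectors

def triage(log):
    """Return (flagged, redirects): modules loaded as both a BHO and a MIME filter,
    plus R0/R1 entries that point IE at a local file:// page or about:blank."""
    flagged = {path: entries for path, entries in load_vectors(log).items()
               if {e.split(" - ", 1)[0] for e in entries} >= {"O2", "O18"}}
    redirects = [f"{k} - {b}" for k, b in parse(log)
                 if k in ("R0", "R1") and REDIRECT.search(b)]
    return flagged, redirects

if __name__ == "__main__":
    flagged, redirects = triage(SAMPLE_LOG)
    for path, entries in flagged.items():
        print(f"{path} is loaded by:\n  " + "\n  ".join(entries))
    print("IE redirections:\n  " + "\n  ".join(redirects))
```

Running it on the log reports only EID.DLL as a flagged module, loaded by three entries (one O2 and two O18), while the Spybot helper, also a nameless BHO, is not flagged because nothing else loads it.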