Community Forum

internet explorer problem (Hijackthis log)

Xfinity Forum Archive
About the archive project

Xfinity Forum Archive...

This is an archived section of the community.

Content in this area has been identified as outdated or irrelevant.

This change was done in an effort to make the forum easier to use and to keep only the most helpful and recent content active.

Post your questions in the Xfinity Community

Highlighted
New Poster

internet explorer problem (Hijackthis log)

Recieving the error message "internet explorer has encountered a problem and must close, we are sorry for the inconvenience" at random times. Please help


Logfile of HijackThis v1.98.2
Scan saved at 9:49:34 PM, on 10/6/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Windows SyncroAd\SyncroAd.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\Help\starter\keywms.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Windows SyncroAd\WinSync.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\DVDIDL~1\DVDIdlePro.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.IE5\9FFBHPSE\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - (no file)
O2 - BHO: CATLEvents Object - {44E5B409-35A2-4E8D-BF94-344222323A53} - C:\DOCUME~1\Kevin\LOCALS~1\Temp\smwyek.dat
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - (no file)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: C:\WINDOWS\Help\starter\keywms.exe
O4 - HKLM\..\Run: C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKLM\..\RunOnce: C:\WINDOWS\Help\starter\keywms.exe rerun
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{73542A19-A649-426F-811E-EA2BD5B2EED1}: NameServer = 205.188.146.146
Problem Solver

Re: internet explorer problem (Hijackthis log)

first run spybot s@d you have a adware
next on hijackthis check all that have (no file) or (missing file)at end and have hijackthis fix it.
Valued Contributor

Re: internet explorer problem (Hijackthis log)

Anon,

1. Please click on the "Settings" link above and assign yourself a forum name. Do not use you real name or e-mail name.

2. Very Important!!! Please create a permanent folder for HijackThis (I suggest "C:\Program Files\HijackThis") and move the HijackThis program there. HijackThis will create a number of backup files which will be lost if run from a temporary folder.

3. If you have not already, please dwonload, install, and update LavaSoft's Ad-aware. It will be used later.

4. Reboot into Safe Mode - How do I boot into "Safe" mode?

5. Make sure your Windows Explorer Folder Settings are as follows:

(To access them, go "Tools" > "Folder Options" > "View")

a. "Show hidden files and folders" should be checked.
b. "Hide extensions for known file types" should be unchecked.
c. "Hide protected operating system files" should be unchecked.

6. Make sure all application windows are closed. Run another HijackThis scan from its permanent location. Check the below items for removal. Once all are checked, click the "Fix checked" button. When the fix completes, close HijackThis.

Fix these items:
-------------------------------------------------------

---> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

---> R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

---> R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)

---> R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)

---> O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)

---> O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

---> O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - (no file)

---> O2 - BHO: CATLEvents Object - {44E5B409-35A2-4E8D-BF94-344222323A53} - C:\DOCUME~1\Kevin\LOCALS~1\Temp\smwyek.dat

---> O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - (no file)

---> O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - (no file)

---> O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

---> O4 - HKLM\..\Run: C:\Program Files\Windows SyncroAd\SyncroAd.exe

The following program (keywms.exe) is suspect. I cannot find any information on it. Please right-click on it, bring up its "Properties" > "Version", determine who created it and whether it is legitimate. If you determine this is not a good program, remove these lines.
-------------------------------------------------------
---> O4 - HKLM\..\Run: C:\WINDOWS\Help\starter\keywms.exe
---> O4 - HKLM\..\RunOnce: C:\WINDOWS\Help\starter\keywms.exe rerun
--------------------------------------------------------

---> O4 - HKLM\..\Run: "C:\Program Files\Web_Rebates\WebRebates0.exe"

---> O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

---> O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

---> O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

-------------------------------------------------------


7. While still in "Safe Mode", remove the following files/folders:

a. The folder "MyWay" in "C:\Program Files".

b. The file "smwyek.dat" in "C:\DOCUME~1\Kevin\LOCALS~1\Temp". You might want to clean out files in that "Temp" folder altogether.

c. The folder "Windows SyncroAd" in "C:\Program Files".

d. The folder "Web_Rebates" in "C:\Program Files".

e. The folder "starter" in "C:\WINDOWS\Help" if you determined that "keywms.exe" is not a good program.


8. Run a "Full Custom" scan with Ad-aware and let it fix anything it finds. "How do I do a Full Custom" scan.


9. Reboot your computer into Normal Mode and run another HijackThis scan. Post the new log here.
New Poster

Re: internet explorer problem (Hijackthis log)

Logfile of HijackThis v1.98.2
Scan saved at 9:49:08 PM, on 10/7/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\QuickTime\qttask.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\Config\pslib.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CATLEvents Object - {FD8609EC-7D7C-4778-AB8F-0053245550EF} - C:\DOCUME~1\Kevin\LOCALS~1\Temp\bilsp.dat
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: C:\WINDOWS\Help\starter\keywms.exe
O4 - HKLM\..\Run: C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: C:\WINDOWS\Config\pslib.exe
O4 - HKLM\..\RunOnce: C:\WINDOWS\Config\pslib.exe rerun
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
Valued Contributor

Re: internet explorer problem (Hijackthis log)

Bubba,

New malware entries have appeared that you need to get rid of. It appears that this hijacker is morphing. I am assuming you determined that "keywms.exe" was bad. One line with it still exists. Two new entries very similar to it have appeared.

1. Please go back to "Safe Mode" and remove these entries unless you know these are good:

---> O2 - BHO: CATLEvents Object - {FD8609EC-7D7C-4778-AB8F-0053245550EF} - C:\DOCUME~1\Kevin\LOCALS~1\Temp\bilsp.dat

---> O4 - HKLM\..\Run: C:\WINDOWS\Help\starter\keywms.exe

---> O4 - HKLM\..\Run: C:\WINDOWS\Config\pslib.exe

---> O4 - HKLM\..\RunOnce: C:\WINDOWS\Config\pslib.exe rerun


2. While in "Safe Mode", remove these files:

a. Everything in your "C:\Documents and Settings\Kevin\Local Settings\Temp" folder.

b. The file "pslib.exe" in "C:\WINDOWS\Config"

c. I assume you removed the folder "starter" in "C:\WINDOWS\Help". This folder contained the "keywms.exe" file.


3. Reboot into normal mode and run another HijackThis scan.
New Poster

Re: internet explorer problem (Hijackthis log)

It will not show me the files in my Windows\config folder in either safe or normal mode. I searched for pslib and found "pslib.exe-2641ce5b.pf" in C:\WINDOS\Prefetch
should I remove this?

Logfile of HijackThis v1.98.2
Scan saved at 8:23:01 AM, on 10/8/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\QuickTime\qttask.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\Config\pslib.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CATLEvents Object - {FD8609EC-7D7C-4778-AB8F-0053245550EF} - C:\DOCUME~1\Kevin\LOCALS~1\Temp\bilsp.dat
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: C:\WINDOWS\Config\pslib.exe
O4 - HKLM\..\RunOnce: C:\WINDOWS\Config\pslib.exe rerun
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
New Poster

Re: internet explorer problem (Hijackthis log)

And yes I had already removed the file "starter" in "C:\WINDOWS\Help". This folder contained the "keywms.exe" file. I had no idea what this file was.
New Poster

Re: internet explorer problem (Hijackthis log)

And yes I had already removed the file "starter" in "C:\WINDOWS\Help". This folder contained the "keywms.exe" file. I had no idea what this file was.
Valued Contributor

Re: internet explorer problem (Hijackthis log)

Bubba,

Except for the keywms.exe, everything else is still there. Lets try this again.

1. Reboot into Safe Mode - How do I boot into "Safe" mode?

2. Make sure your Windows Explorer Folder Settings are as follows:

(To access them, go "Tools" > "Folder Options" > "View")

a. "Show hidden files and folders" should be checked.
b. "Hide extensions for known file types" should be unchecked.
c. "Hide protected operating system files" should be unchecked.


3. Make sure all application windows are closed. Run another HijackThis scan from its permanent location. Check the below items for removal. Once all are checked, click the "Fix checked" button. When the fix completes, close HijackThis.

Fix these items:
-------------------------------------------------------

---> O2 - BHO: CATLEvents Object - {FD8609EC-7D7C-4778-AB8F-0053245550EF} - C:\DOCUME~1\Kevin\LOCALS~1\Temp\bilsp.dat

---> O4 - HKLM\..\Run: C:\WINDOWS\Config\pslib.exe

---> O4 - HKLM\..\RunOnce: C:\WINDOWS\Config\pslib.exe rerun

-------------------------------------------------------


4. While in "Safe Mode", remove these files:

a. Everything in your "C:\Documents and Settings\Kevin\Local Settings\Temp" folder.

b. The file "pslib.exe" in "C:\WINDOWS\Config"


5. Reboot into normal mode and run another HijackThis scan.
New Poster

Re: internet explorer problem (Hijackthis log)

Logfile of HijackThis v1.98.2
Scan saved at 9:19:03 PM, on 10/8/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\Config\pslib.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CATLEvents Object - {FD8609EC-7D7C-4778-AB8F-0053245550EF} - C:\DOCUME~1\Kevin\LOCALS~1\Temp\bilsp.dat
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: C:\WINDOWS\Config\pslib.exe
O4 - HKLM\..\RunOnce: C:\WINDOWS\Config\pslib.exe rerun
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

It says on Config folder that is cannot delete pslib, access is denied make sure the disk is not full or write protected and that it is not in use

In the Temp file, there is a bilsp.dat file it says, cannot delete bilsp, it is being used by another person or program... no other programs were running
Valued Contributor

Re: internet explorer problem (Hijackthis log)

Bubba,

Are you trying to remove these while in "Safe Mode"? They should not be running if you try to remove them in "Safe Mode". The other possibilty is that there might be some security properties assigned to these files. If it is failing in "Safe Mode" then lets try another method.

1. Bring up a DOS (Command) Prompt.

2. Go to the \Windows\Config folder by using this command:

cd \Windows\Config

3. Then execute this comand:

attrib pslib.exe

4. Also run this command:

cacls pslib.exe

5. Repeat this for the file "bilsp.dat".

a. Go to your user Temp folder:

cd "\Documents and Settings\Kevin\Local Settings\Temp"

b. Repeat steps 3 and 4 for "bilsp.dat" in place of "pslib.exe".

6. Hilight everything in the DOS window and hit the <Enter> key.

7. Start a reply to this post and paste what was saved from the DOS Window.
New Poster

Re: internet explorer problem (Hijackthis log)

Microsoft Windows XP
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Kevin>
C:\Documents and Settings\Kevin>cd \Windows\Config

C:\WINDOWS\Config>attrib pslib.exe
H C:\WINDOWS\Config\pslib.exe

C:\WINDOWS\Config>cacls pslib.exe
C:\WINDOWS\Config\pslib.exe KEVIN-BI12ZZRL6\Kevin:F
NT AUTHORITY\SYSTEM:F
BUILTIN\Administrators:F


C:\WINDOWS\Config>cd "\Documents and Settings\Kevin\Local Settings\Temp"

C:\Documents and Settings\Kevin\Local Settings\Temp>cd "\Documents and Settings\
Kevin\Local Settings\Temp"

C:\Documents and Settings\Kevin\Local Settings\Temp>sttrib bilsp.dat
'sttrib' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\Kevin\Local Settings\Temp>attrib bilsp.dat
SH C:\Documents and Settings\Kevin\Local Settings\Temp\bilsp.dat

C:\Documents and Settings\Kevin\Local Settings\Temp>cacls bilsp.dat
C:\Documents and Settings\Kevin\Local Settings\Temp\bilsp.dat KEVIN-BI12ZZRL6\Ke
vin:F
NT AUTHORITY\SYSTE
M:F
BUILTIN\Administra
tors:F


C:\Documents and Settings\Kevin\Local Settings\Temp>
C:\Documents and Settings\Kevin\Local Settings\Temp>
Valued Contributor

Re: internet explorer problem (Hijackthis log)

OK Bubba,

Now we are getting somewhere:

1. Go into "Safe Mode" again and again bring up a DOS (Command) prompt window.

2. Go to the Windows\Config folder:

cd \Windows\Config

3. Enter these commands:

attrib -h pslib.exe

del pslib.exe


4. Then go to your User folder:

cd "\Documents and Settings\Kevin\Local Settings\Temp"

5. Enter these commands:

attrib -h -s bilsp.dat

del bilsp.dat


6. If this works, then run HijackThis and remove those three items I indicated above containing those files.

7. Reboot into Normal Mode, run another scan and post the latest log.
New Poster

Re: internet explorer problem (Hijackthis log)

Microsoft Windows XP
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Kevin>cd \Windows\Config

C:\WINDOWS\Config>attrib -h pslib.exe

C:\WINDOWS\Config>del pslib.exe
C:\WINDOWS\Config\pslib.exe
Access is denied.

C:\WINDOWS\Config>cd "\Documents and Settings\Kevin\Local Settings\Temp"

C:\Documents and Settings\Kevin\Local Settings\Temp>attrib -h -s bilsp.dat

C:\Documents and Settings\Kevin\Local Settings\Temp>del bilsp.dat
C:\Documents and Settings\Kevin\Local Settings\Temp\bilsp.dat
The process cannot access the file because it is being used by another process.

C:\Documents and Settings\Kevin\Local Settings\Temp>
Valued Contributor

Re: internet explorer problem (Hijackthis log)

You did do this in "Safe Mode"?
New Poster

Re: internet explorer problem (Hijackthis log)

Yes it was in safe mode, and there were no other files or even windows open at the time
Valued Contributor

Re: internet explorer problem (Hijackthis log)

This is getting downright frustrating!!! Ok, lets try this:

1. In normal mode. bring up a DOS window again and issue a straight "attrib" command for each file within its folder:

attrib pslib.exe

and

attrib bilsp.dat

2. See if the Hidden and System attributes have been removed:

a. "pslib.exe" was showing the "Hidden" attribute:

H C:\WINDOWS\Config\pslib.exe

b. "bilsp.dat" was showing both "Hidden" and "System" attributes:

SH C:\Documents and Settings\Kevin\Local Settings\Temp\bilsp.dat

3. If these attributes still exist, remove them with the "attrib" command as we did before using the "-h" parameter for "pslib.exe" and "-h -s" parameters for "bilsp.dat"

4. Run the straight "attrib" command again for each file and see if the special attributes are now gone. If they are, reboot again into "Safe Mode" and choose "Safe Mode With Command Prompt". Try to delete them again with the "del" command.

5. If none of this works, do you have an original WinXP Installation CD (not a restore CD as some companies give you)?
New Poster

Re: internet explorer problem (Hijackthis log)

Microsoft Windows XP
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Kevin>cd \windows\config

C:\WINDOWS\Config>attrib pslib.exe
C:\WINDOWS\Config\pslib.exe

C:\WINDOWS\Config>cd "\Documents and Settings\Kevin\Local Settings\Temp"

C:\Documents and Settings\Kevin\Local Settings\Temp>attrib bilsp.bat
File not found - bilsp.bat

C:\Documents and Settings\Kevin\Local Settings\Temp>
New Poster

Re: internet explorer problem (Hijackthis log)

Microsoft Windows XP
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Kevin>cd "\Documents and Settings\Kevin\Local Settings
\Temp"

C:\Documents and Settings\Kevin\Local Settings\Temp>attrib bilsp.dat
C:\Documents and Settings\Kevin\Local Settings\Temp\bilsp.dat

C:\Documents and Settings\Kevin\Local Settings\Temp>
New Poster

Re: internet explorer problem (Hijackthis log)

Logfile of HijackThis v1.98.2
Scan saved at 3:32:01 AM, on 10/9/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\QuickTime\qttask.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: C:\WINDOWS\Config\pslib.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab




Microsoft Windows XP
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Kevin>cd \windows\config

C:\WINDOWS\Config>attrib pslib.exe
File not found - pslib.exe

C:\WINDOWS\Config>

the file seems to be gone all together now except I see Hijacker still finds it, I ran a search and found "pslib.exe-2641CE5B.pf" under c:\WINDOWS\Prefetch
Should this be removed?
Valued Contributor

Re: internet explorer problem (Hijackthis log)

You did not mention if you tried to delete them. If the deletes failed again, try this before we have to get desperate.

1. Reboot again into "Safe Mode" and choose "Safe Mode With Command Prompt".

2. Go to the folder containing pslib.exe and rename the file:

ren pslib.exe satan1.bad

3. Go to the folder containing bilsp.dat and rename the file:

ren bilsp.dat satan2.bad

4. Reboot again into "Safe Mode" and choose "Safe Mode With Command Prompt".

5. Go to the folders containing the renamed files and use the del command to delete them.

del satan1.bad (in "\WINDOWS\Config")

del satan2.bad (in "\Documents and Settings\Kevin\Local Settings\Temp")

6. Reboot again into Normal Mode and let me know if the deletes worked.
New Poster

Re: internet explorer problem (Hijackthis log)

I did try to delete them from the safe mode command prompt, it appeared to work there
Valued Contributor

Re: internet explorer problem (Hijackthis log)

DISREGARD MY PREVIOUS POST. I was working on it before you made your latest post.

1. Have HijackThis remove this line:

---> O4 - HKLM\..\Run: C:\WINDOWS\Config\pslib.exe

2. Run another log and see if everything is now clean.

3. You can remove the Prefetch file. Windows XP uses these to load programs faster. XP would eventually remove it once it no longer is being run.
New Poster

Re: internet explorer problem (Hijackthis log)

Logfile of HijackThis v1.98.2
Scan saved at 3:57:38 AM, on 10/9/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\QuickTime\qttask.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

Did we do it?
New Poster

Re: internet explorer problem (Hijackthis log)

what about these lines?

O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
Valued Contributor

Re: internet explorer problem (Hijackthis log)

Wonderful. You look clean as a whistle. Enjoy!!!
Valued Contributor

Re: internet explorer problem (Hijackthis log)

Those lines are ok. They are a little quirk in HijackThis.
New Poster

Re: internet explorer problem (Hijackthis log)

Sweet! I definitely appreciate all of your help and patience with me. Thank you so much
Valued Contributor

Re: internet explorer problem (Hijackthis log)

No problem. I think its bedtime for me.
New Poster

Re: internet explorer problem (Hijackthis log)

I hear ya there! LOL Have a good one