127021.exe ???

Discussion in 'Malware Help (A Specialist Will Reply)' started by user024, Feb 3, 2005.

  1. user024

    user024 Private E-2

    I have this sitting in my C:\ drive. I did everything I was told in the 'read before you post' thread; also, my IE aborts loading some pages. Anyhow, I always keep up to date with the definitions and such, and every time I scan (w/o updating) I always come across something new. Any help please? BTW: I get this linkshelper crap when certain words are displayed on pages.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have already run ALL steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal and you still have a problem, follow the steps below properly and post your HijackThis log.

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  4. user024

    user024 Private E-2

    here ya go
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is that log from safe boot mode or are you filtering stuff out? Things seem to be missing from the process list.
     
  6. user024

    user024 Private E-2

    It's from normal, and no, I'm not filtering anything. I will reboot in safe and post.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    None of your TrendMicro antivirus or firewall apps appear to be running?
     
  8. user024

    user024 Private E-2

    new log.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm sorry! I guess I did not state what I meant very clearly. I did want a log from normal boot, not safe boot. It just looks like things are missing that should be running. Your last log was from safe mode, right?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: STLinksCtrl Class - {B54BFA47-D897-49CA-9657-05EC9F80A32B} - C:\Program Files\STLinks\STLinks2.dll


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\STLinks <--- the whole folder


    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  11. user024

    user024 Private E-2

    Now I have this "0cat" menu in my ie toolbar and my homepage is quickmetasearch.com
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't think your Trend Micro stuff is working anymore. You should uninstall it using Add/Remove programs and then reboot and reinstall it (do this with no internet connection available). If this does not get it running again (you should see its processes running in HJT's process list), then you may need to uninstall it again and follow the steps in this link: How to Protect yourself from malware!

    And do the steps in that thread. Make sure you put in a firewall. Try the free Sygate one.
    And try Avast as an antivirus application.

    Again only put in Sygate and Avast if you cannot get your Trend Micro stuff to run.

    Let's clean the current problems again:
    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0002_ho
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0002_ho
    O2 - BHO: HomePageCtrl Class - {1B9CB0F8-118B-49C1-956D-B703E976F8E3} - C:\Program Files\STHomePage\STHomePage2.dll
    O2 - BHO: STLinksCtrl Class - {B54BFA47-D897-49CA-9657-05EC9F80A32B} - C:\Program Files\STLinks\STLinks2.dll
    O2 - BHO: STIEbarBHO Class - {D797AD6C-6447-4DB4-91D0-090344408E72} - C:\Program Files\0CAT YellowPages\STIEbar2.dll
    O3 - Toolbar: 0CAT Yellow Pages - {679695BC-A811-4A9D-8CDF-BA8C795F261A} - C:\Program Files\0CAT YellowPages\STIEbar2.dll
    O9 - Extra button: My button - {47FE5D70-9AA2-40F1-9C6B-12A255F085EA} - C:\Program Files\0CAT YellowPages\STIEbar2.dll
    O9 - Extra 'Tools' menuitem: My menu - {47FE5D70-9AA2-40F1-9C6B-12A255F085EA} - C:\Program Files\0CAT YellowPages\STIEbar2.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\STHomePage <-- the whole folder
    C:\Program Files\STLinks <-- the whole folder
    C:\Program Files\0CAT YellowPages <-- the whole folder

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.
    Let me know if you have any problems finding or deleting those folders.
    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
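    The two clean-up posts above (posts 10 and 12) hand the poster a list of HijackThis entries to fix and a list of folders to delete. The script below is an added example, not part of this thread and not HijackThis' own code: it parses HJT-style log lines, flags entries whose binary lives under one of the adware folders named in the thread or whose start page points at a host other than the one the user expects, and derives the folder and CLSID list to check afterwards. The quoted R0/O2/O3/O9 lines are the ones from post 12; the two benign-looking lines, the placeholder CLSID/paths in them and the "allowed" start-page host are constructed assumptions for the demo.

```python
"""Triage HijackThis-style log lines for known adware entries.

Added example for this thread, not HijackThis' own code. The suspect
folders are the three chaslang told the poster to delete; the benign
sample lines and the allowed start-page host are assumptions.
"""
import re
from typing import NamedTuple, Optional
from urllib.parse import urlparse

# Constructed sample log: the entries quoted in post 12, plus two
# constructed benign-looking entries (placeholder CLSID and paths) so
# the filter has something it must leave alone.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0002_ho
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0002_ho
O2 - BHO: HomePageCtrl Class - {1B9CB0F8-118B-49C1-956D-B703E976F8E3} - C:\Program Files\STHomePage\STHomePage2.dll
O2 - BHO: STLinksCtrl Class - {B54BFA47-D897-49CA-9657-05EC9F80A32B} - C:\Program Files\STLinks\STLinks2.dll
O2 - BHO: STIEbarBHO Class - {D797AD6C-6447-4DB4-91D0-090344408E72} - C:\Program Files\0CAT YellowPages\STIEbar2.dll
O3 - Toolbar: 0CAT Yellow Pages - {679695BC-A811-4A9D-8CDF-BA8C795F261A} - C:\Program Files\0CAT YellowPages\STIEbar2.dll
O9 - Extra button: My button - {47FE5D70-9AA2-40F1-9C6B-12A255F085EA} - C:\Program Files\0CAT YellowPages\STIEbar2.dll
O9 - Extra 'Tools' menuitem: My menu - {47FE5D70-9AA2-40F1-9C6B-12A255F085EA} - C:\Program Files\0CAT YellowPages\STIEbar2.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\Program Files\ExamplePDF\ExampleHelper.ocx
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\ExampleAV\av.exe"
"""

# Folders chaslang told the poster to delete (from the thread).
SUSPECT_FOLDERS = (
    r"C:\Program Files\STHomePage",
    r"C:\Program Files\STLinks",
    r"C:\Program Files\0CAT YellowPages",
)
# Assumption: the start page the user actually wants.
ALLOWED_START_HOSTS = {"www.majorgeeks.com"}

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:dll|exe|ocx)', re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")


class Entry(NamedTuple):
    kind: str            # HJT section, e.g. "R0", "O2"
    body: str            # everything after "Xn - "
    clsid: Optional[str]
    path: Optional[str]
    url: Optional[str]


def parse_entry(line: str) -> Optional[Entry]:
    """Split one HJT log line into its section, CLSID, binary path and URL."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    clsid = CLSID_RE.search(body)
    path = PATH_RE.search(body)
    url = URL_RE.search(body)
    return Entry(m.group("kind"), body,
                 clsid.group(0) if clsid else None,
                 path.group(0) if path else None,
                 url.group(0) if url else None)


def is_under(path: str, folder: str) -> bool:
    """Case-insensitive 'path lives inside folder' check for Windows paths."""
    p = path.lower().replace("/", "\\")
    f = folder.lower().rstrip("\\") + "\\"
    return p.startswith(f)


def triage(log_text: str):
    """Return [(entry, [reasons])] for every line that should be fixed."""
    flagged = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        reasons = []
        if e.path and any(is_under(e.path, f) for f in SUSPECT_FOLDERS):
            reasons.append("binary under known adware folder")
        if e.url:
            host = urlparse(e.url).hostname or ""
            if host not in ALLOWED_START_HOSTS:
                reasons.append(f"start page points at unexpected host {host}")
        if reasons:
            flagged.append((e, reasons))
    return flagged


def folders_to_remove(flagged) -> list:
    """Folders to delete in safe mode after the flagged entries are fixed."""
    return sorted({f for e, _ in flagged if e.path
                   for f in SUSPECT_FOLDERS if is_under(e.path, f)})


def clsids_to_check(flagged) -> list:
    """Distinct CLSIDs among the flagged entries (to confirm they are gone)."""
    return sorted({e.clsid for e, _ in flagged if e.clsid})


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for e, reasons in hits:
        print(f"{e.kind}: {e.body}\n    -> {'; '.join(reasons)}")
    print("Folders to delete:", folders_to_remove(hits))
    print("CLSIDs to re-check:", clsids_to_check(hits))
```

    The point of keying on the folder rather than on the CLSID alone is visible in the thread itself: post 16 reports that STHomePage and the 0CAT menu came back after the first fix, so a re-check of the next log against the same folder list tells you immediately whether the same components re-registered.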
  13. user024

    user024 Private E-2

    Everything seems to be working; however, when I rebooted I got a prompt asking me for my location. I opened taskmgr and pvrdi1.exe was running along with 127057.exe, so I ended prvdi1.exe and ran Trend Micro (I re-installed). Then it detected some tibs web viewer and a couple others - I removed them - rebooted, and I still have 127057.exe sitting in my C:\ drive.
     

    Attached Files:

  14. user024

    user024 Private E-2

    This may have nothing to do with it, but I just noticed that I have an extra drive that isn't physically installed: Drive E CD-RW.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! So why does your log now finally look like it is from normal boot mode? Remember, earlier I asked that question. Look at all the processes that show now. Why is it so different now?

    Can you delete 127057.exe from safe mode?
     
  16. user024

    user024 Private E-2

    I created the log in safe mode prior to that one. No, I can't delete that executable in safe mode w/o it coming back. I tried to delete it in both modes and it always comes back. Oh yeah, sthomepage came back and the 0cat menu... why the fk does it keep doing this?
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try doing the fixes we did earlier on it again. But this time do them from safe mode with no physical connection (unplug cable) to the internet available. Also see if the 127057.exe file will delete now. If it will not delete, try renaming it to 127057.bad. Let me know if that works.

    Then reboot in normal mode (do not plug your cable in yet). Then check your HJT log. Is Ocat back? If not, open and close a couple browser sessions. Check another HJT log. Is Ocat back now? If not, plug in your cable and browse to MG's. Then exit your browser. Is Ocat back now?

    After the above, come back and answer all my questions and if it came back tell me exactly when it came back.
     