Calc/Packager Error

Discussion in 'Malware Help (A Specialist Will Reply)' started by Pete Da Heat, Mar 10, 2005.

  1. Pete Da Heat

    Pete Da Heat Private E-2

    Every time I boot up, a "Calc: This program has performed an illegal operation and will be shut down" prompt comes up. I click Close, and another Calc or a Packager one will come up. I have searched through Yahoo to try and rectify this, to no avail. Will somebody help me out, please? I'm running a <a style='text-decoration: none; border-bottom: 3px double;' href="http://www.serverlogic3.com/lm/rtl3.asp?si=23&k=windows%2098%20se" onmouseover="window.status='windows 98 se'; return true;" onmouseout="window.status=''; return true;">windows 98 se</a> system. It won't go away, and is still present right now. I can't bring up a Ctrl-Alt-Delete screen because of it, and I can't run Ad-Aware unless I boot in safe mode. Spybot does work though. Anything I can do?

    Thanks a million,
    Peter Keeling
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure this is a spyware problem but if you think it is, follow the steps below. Also, please do not paste in info like you did into your message. It is not legible.

    To help us to best help you, please follow the steps below closely and in the order given and do not skip anything. If you have any difficulty, please post back letting us know what steps you have completed, what you found while doing the scans if anything along with details about any problems you may have encountered in completing the steps. The more details you can provide the better. Don't be afraid to ask for additional help if you don't understand something!

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    If, after doing ALL of the above, you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
    Last edited: May 16, 2005
  3. Pete Da Heat

    Pete Da Heat Private E-2

    I didn't mean to have that text with the Windows 98 se thingy, but when I edited my text, it came up like that by itself.

    OK, so I did all the steps that I could. I was unable to run Ad-Aware because the error message will not allow it to open.

    Attached is my HJT log.

    Let me know what to do.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks to me like there was more than just Ad-Aware that you did not run. What is the error message? You also did not run the online scanners. What else did you and did you not run?

    You have a load of trojans. Some of these should have been detected and fixed by the procedure.

    Did you download all the current tools from our links? Did you update them?
     
    Last edited: Mar 10, 2005
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Go to Control Panel, Add/Remove Programs and look for any of the below and uninstall if found:

    SED
    TV Media
    Maxspeed
    CXTPLS
    Autoupdate
    Apropos or AproposClient
    Wildtangent

    Make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\TEMP\RPPCZ8.EXE
    C:\WINDOWS\TEMP\P5.EXE
    C:\WINDOWS\SYSTEM\FBFPNG.EXE
    C:\WINDOWS\SYSTEM\HGB5XKLAG.EXE
    C:\WINDOWS\SYSTEM\UWZPC.EXE
    C:\WINDOWS\XHRMY.EXE
    C:\WINDOWS\SYSTEM\PKPCONFG.EXE
    C:\WINDOWS\APPLICATION DATA\MSSS.EXE
    C:\WINDOWS\SYSTEM\QKQXLTX.EXE
    C:\WINDOWS\SYSTEM\UWZPC.EXE
    C:\WINDOWS\SYSTEM\CYF0O5.EXE
    C:\WINDOWS\SYSTEM\NOTKBVN2.EXE
    C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\SearchBar.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\PROGRAM FILES\TV MEDIA\TVMBHO.DLL
    O2 - BHO: (no name) - {4FC95EDD-4796-4966-9049-29649C80111D} - (no file)
    O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - C:\WINDOWS\IEHR.DLL
    O2 - BHO: NavErrRedir Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - (no file)
    O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL
    O2 - BHO: LinkTracker Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINDOWS\SYSTEM\LMF32V.DLL
    O2 - BHO: (no name) - {F9414E67-A78D-CC62-F679-F85AC77140C1} - C:\WINDOWS\SYSTEM\KBLEBARA.DLL
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL (file missing)
    O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [Rppcz8] C:\WINDOWS\TEMP\RPPCZ8.EXE
    O4 - HKLM\..\Run: [P5] C:\WINDOWS\TEMP\P5.EXE
    O4 - HKLM\..\Run: [Upsfc] C:\WINDOWS\TEMP\APPD165.TMP
    O4 - HKLM\..\Run: [2LSKLA557L3#K2] C:\WINDOWS\SYSTEM\XfyH.exe
    O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
    O4 - HKLM\..\Run: [fbfpng] c:\windows\system\fbfpng.exe
    O4 - HKLM\..\Run: [HGB5XKLAG] C:\WINDOWS\SYSTEM\HGB5XKLAG.EXE
    O4 - HKLM\..\Run: [Uwzpc.exe] C:\WINDOWS\SYSTEM\UWZPC.EXE
    O4 - HKLM\..\Run: [xhrmy] C:\WINDOWS\Xhrmy.exe
    O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\CXTPLS_LOADER.EXE" /HideUninstall /HideDir /PC="CP.WILD" /ForSupportedBrowsers /ShowLegalNote=nonbranded
    O4 - HKLM\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\Tvm.exe
    O4 - HKLM\..\Run: [5b9a7c642878] C:\WINDOWS\SYSTEM\DPWSOCKX.exe
    O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKCU\..\Run: [cvchost] c:\windows\svchost.exe
    O4 - HKCU\..\Run: [YwrsRTd7X] PKPCONFG.EXE
    O4 - HKCU\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\Tvm.exe
    O4 - HKCU\..\Run: [Smoc] C:\WINDOWS\Application Data\msss.exe
    O4 - HKCU\..\Run: [Udpg] C:\WINDOWS\SYSTEM\qkqxltx.exe
    O4 - HKCU\..\RunServices: [cvchost] c:\windows\svchost.exe
    O4 - HKCU\..\RunServices: [YwrsRTd7X] PKPCONFG.EXE
    O4 - HKCU\..\RunServices: [TV Media] C:\PROGRAM FILES\TV MEDIA\Tvm.exe
    O4 - HKCU\..\RunServices: [Smoc] C:\WINDOWS\Application Data\msss.exe
    O4 - HKCU\..\RunServices: [Udpg] C:\WINDOWS\SYSTEM\qkqxltx.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/aolim/install.cab
    O18 - Filter: text/html - {DFAA31C8-A356-4313-9D95-5EDAB46C5070} - C:\WINDOWS\SYSTEM\LMF32V.DLL

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\CXTPLS_LOADER.EXE
    C:\WINDOWS\SYSTEM\SearchBar.htm
    C:\WINDOWS\TEMP\RPPCZ8.EXE
    C:\WINDOWS\TEMP\P5.EXE
    C:\WINDOWS\SYSTEM\FBFPNG.EXE
    C:\WINDOWS\SYSTEM\HGB5XKLAG.EXE
    C:\WINDOWS\SYSTEM\UWZPC.EXE
    C:\WINDOWS\XHRMY.EXE
    C:\WINDOWS\SYSTEM\PKPCONFG.EXE
    C:\WINDOWS\APPLICATION DATA\MSSS.EXE
    C:\WINDOWS\SYSTEM\QKQXLTX.EXE
    C:\WINDOWS\SYSTEM\UWZPC.EXE
    C:\WINDOWS\SYSTEM\CYF0O5.EXE
    C:\WINDOWS\SYSTEM\NOTKBVN2.EXE
    C:\WINDOWS\svchost.exe
    C:\WINDOWS\TEMP\APPD165.TMP
    C:\WINDOWS\SYSTEM\XfyH.exe
    C:\WINDOWS\FARMMEXT.exe
    C:\WINDOWS\SYSTEM\DPWSOCKX.exe
    C:\WINDOWS\SYSTEM\maxspeed.exe
    C:\WINDOWS\SYSTEM\LMF32V.DLL
    C:\WINDOWS\IEHR.DLL
    C:\WINDOWS\SYSTEM\KBLEBARA.DLL
    C:\PROGRAM FILES\TV MEDIA <--- the whole folder
    C:\PROGRAM FILES\SEP <--- the whole folder
    C:\PROGRAM FILES\AUTOUPDATE <--- the whole folder

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

    Try running the below scanners now from safe mode and clean whatever they find:
    Ad-Aware SE
    Spybot S&D

    Now run Ccleaner that you installed while executing the READ FIRST steps!

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  6. Pete Da Heat

    Pete Da Heat Private E-2

    Hey,
    Thanks sooooooo much for all your work. The calc/packager prompt is gone. I still have about:blank and some popups, but it's not nearly as bad as it was before. My computer functions now, which is good. :)

    Attached is my new log.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I had not noticed earlier but you did not follow my directions in message # 2:


    - Download HijackThis 1.99.1

    Post a new log using it.
     
  8. Pete Da Heat

    Pete Da Heat Private E-2

    Very sorry about that.

    Here is the new log.
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must remember that ALL browsers must ALWAYS be shut down before using HijackThis. You had the below running:
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

    If you do not exit browsers, we will have problems fixing some of your malware issues.

    Hmmm! I thought I had you fix and delete the below last time:
    C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE
    C:\PROGRAM FILES\CXTPLS\CXTPLS.EXE


    Did you have a problem finding and deleting them?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).


    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE
    C:\WINDOWS\SYSTEM\DMSPROP.EXE
    C:\WINDOWS\SYSTEM\DS1UPWBV.EXE
    C:\PROGRAM FILES\CXTPLS\CXTPLS.EXE

    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O2 - BHO: (no name) - {F9414E67-A78D-CC62-F679-F85AC77140C1} - C:\WINDOWS\SYSTEM\KBLEBARA.DLL (file missing)
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\PROGRAM FILES\CXTPLS\CXTPLS.DLL
    O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
    O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [p78i33R] DS1UPWBV.EXE
    O4 - HKCU\..\Run: [YwrsRTd7X] DMSPROP.EXE


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\PROGRAM FILES\AUTOUPDATE <--- the whole folder
    C:\WINDOWS\SYSTEM\DMSPROP.EXE
    C:\WINDOWS\SYSTEM\DS1UPWBV.EXE
    C:\PROGRAM FILES\CXTPLS <--- the whole folder
    C:\WINDOWS\TEMP\SE.DLL <--- this one may require a boot to MS-DOS prompt to delete.

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. You must tell me if you cannot find any of the above or you cannot delete them.

    Now run Ccleaner from the READ ME FIRST.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
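
A consistency check for the fix-then-delete procedure in the last post, as an added example that is not part of the original thread: it extracts the file each HijackThis line points to and reports any that the delete list does not cover. The function names and regexes are assumptions made for this illustration; the sample lines are taken from the post above.

```python
import re

# Lines taken from the post's fix list and delete list (one about:blank line kept).
FIX_LINES = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {F9414E67-A78D-CC62-F679-F85AC77140C1} - C:\WINDOWS\SYSTEM\KBLEBARA.DLL (file missing)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\PROGRAM FILES\CXTPLS\CXTPLS.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [p78i33R] DS1UPWBV.EXE
O4 - HKCU\..\Run: [YwrsRTd7X] DMSPROP.EXE
""".strip().splitlines()
DELETE_LIST = r"""
C:\PROGRAM FILES\AUTOUPDATE <--- the whole folder
C:\WINDOWS\SYSTEM\DMSPROP.EXE
C:\WINDOWS\SYSTEM\DS1UPWBV.EXE
C:\PROGRAM FILES\CXTPLS <--- the whole folder
C:\WINDOWS\TEMP\SE.DLL <--- this one may require a boot to MS-DOS prompt to delete.
""".strip().splitlines()

FULL = re.compile(r'[A-Za-z]:\\[^"<>|,]*?\.(?:exe|dll|tmp|htm)\b', re.I)  # drive-rooted path
BARE = re.compile(r'\]\s+([^\\\s"]+\.(?:exe|dll))\s*$', re.I)  # "[name] FILE.EXE", no path

def file_refs(line):
    """Files one HijackThis line points to; none if HJT reports the file as gone."""
    if "(file missing)" in line or "(no file)" in line:
        return []
    refs = [m.lower() for m in FULL.findall(line)]
    bare = BARE.search(line)
    return refs + ([bare.group(1).lower()] if bare else [])

def is_covered(ref, targets):
    if "\\" not in ref:  # bare name such as DS1UPWBV.EXE: compare file names only
        return any(t.rsplit("\\", 1)[-1] == ref for t in targets)
    return any(ref == t or ref.startswith(t + "\\") for t in targets)

def uncovered(fix_lines, delete_entries):
    """(line, file) pairs whose file is in neither the delete list nor a deleted folder."""
    targets = [e.split("<---")[0].strip().lower() for e in delete_entries]
    return [(line, ref) for line in fix_lines
            for ref in file_refs(line) if not is_covered(ref, targets)]

if __name__ == "__main__":
    for line, ref in uncovered(FIX_LINES, DELETE_LIST):
        print("not in delete list:", ref, "<-", line)
```

An empty result means every file behind a fixed entry is also scheduled for deletion, so the autorun entry cannot simply be re-created by a leftover executable on the next boot.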
     
