Iexplore has caused an error in CAKE SKIP.exe in MS Win ME - the story continues

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by lochgreen29, Aug 2, 2004.

  1. lochgreen29

    lochgreen29 Private E-2

    I am having stability problems with my Windows ME
    machine. It sometimes needs to be restarted three or four
    times before it boots up properly and most recently, even
    when loading correctly, frequently displays the message:

    Iexplore has caused an error in CAKE SKIP.exe. Iexplore
    will now close.

    This message can be displayed several times whilst the PC runs ok. Eventually, the PC either reboots itself, blue screens or hangs.

    IE also hijacked with http://searchweb2.com/passthrough/index.html?

    The PC is a 1 GHz AMD PC with 512 mb RAM.

    I started a thread in the Software area, got some good advice, folks thought I may have some spyware, virus or trojan. Pointed me at the READ ME FIRST for this group and suggested I started a new thread if problems persisted.

    I followed the guide:

    Preparation:
    1. Windows updated ok
    2. disabled system restore
    3. Network security service - couldn't Start, Run services.msc
    4. enabled viewing of hidden files etc
    5. booted in safe mode

    Do it:
    1. Ran Sophos Antivirus (up to date). Found 2 virus fragments - mid/KaKworm - in two mail boxes. Not deleted.
    2. ran CCleaner
    3. Ran Ad-aware including VX2 plug-in - found nothing except a couple of data miners - removed.
    4. Ran CWShredder - found 4 infected IE files - deleted.
    5. Ran Kill2me - no problems
    6. Ran about:buster - nothing

    Problems are still there.

    Help would be appreciated.
     
  2. TheLastMessenger

    TheLastMessenger Private E-2

    Run an online antivirus check from 3 of the following sites::
    Be sure and put a check in the box by AUTO CLEAN before you do the scan. If it finds anything that it cannot clean, have it delete it or make a note of the file location so you can delete it yourself.
    http://housecall.trendmicro.com/
    http://security.symantec.com/default.asp
    http://www.pandasoftware.com/activescan/
    http://www.ravantivirus.com/scan/
    http://www.anti-trojan.net/en/onlinecheck.aspx
    http://www.windowsecurity.com/trojanscan/
    Make sure autoclean is enabled on the scans

    Get a2 and register this freeware:
    http://www.download.com/3000-2239-1...page&tag=button

    Disable System Restore:
    http://www.pchell.com/virus/systemrestore.shtml

    Boot in safe mode: http://service1.symantec.com/SUPPOR...01052409420406/

    Disconnect from the internet and physically unplug cable if DSL or Cable.

    Then do this:
    Show Hidden Files and Operating System Files, etc.; follow step by step:
    http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    Try running AdAware in safe mode --- Make sure you've already gotten the latest UPDATES (Open, then press the Check for Updates button) and apply the following settings:
    This is a link on how to run it --- http://www.lavahelp.net/howto/fullscan/index.html --- OR You can use the instructions here:
    Click on START -- custom scanning options -- Customize.
    Check the following settings:
    Scan within archives
    Scan active processes
    Scan registry
    Deep scan registry
    Scan my IE Favorites for banned URL
    Scan my host-file
    Click on TWEAK:
    Select -- Scanning Engine
    Check "Unload recognized processes during scanning"
    Check "Include additional Adaware settings in LogFile"
    Select -- Cleaning Engine
    Check "Automatically try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot"
    Then click "proceed" to save your settings.
    Click on Next then SCAN. Everything AdAware finds is safe to delete.

    Run SpyBot Search and Destroy --- Make sure you have already gotten the latest UPDATES (Open, then Search for Updates button)
    This is where you get SpyBot --- http://www.majorgeeks.com/download2471.html

    RUN a2

    ENABLE SYSTEM RESTORE

    REBOOT AGAIN, NORMAL MODE not safe mode and HIDE YOUR FILES to where they were previously.

    Reconnect to Internet

    Download Microsoft's Critical Updates and Patches:
    http://v4.windowsupdate.microsoft.com/en/default.asp

    Fix these:::::::
    Removing ActiveX Controls if need be:
    http://support.microsoft.com/default.aspx?kbid=154850

    You have to check your settings and fix your ActiveX Controls:
    http://www.jfitz.com/tips/ie_security_config.html

    Then ATTACH a HJT log so we can fix what's left:::
    Don't put the HJT PROGRAM in Temporary, put it in Programs -- Also be sure you have already gotten the latest Updates/Versions (Open, Config, then MiscTools, and Check for Updates)
    This is where you get HJT --- http://www.majorgeeks.com/download3155.html
    This is the way to post your log::
    http://forums.majorgeeks.com/showthread.php?t=35407
     
    Last edited by a moderator: Aug 4, 2004
  3. lochgreen29

    lochgreen29 Private E-2

    ok.

    Followed instructions the best I could

    Run an online antivirus check from 3 of the following sites::
    http://security.symantec.com/default.asp - found nothing
    http://www.pandasoftware.com/activescan/ - found & fixed 3 files
    http://www.ravantivirus.com/scan/ - found and fixed 7 files
    http://www.windowsecurity.com/trojanscan/ - found nothing

    Disable System Restore:
    http://www.pchell.com/virus/systemrestore.shtml - complete

    Boot in safe mode: - ok
    Disconnect from the internet and physically unplug cable if DSL or Cable. - ok

    Then do this: -ok
    Show Hidden Files and Operating System Files, etc.; follow step by step:
    http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    Try running AdAware in safe mode - complete

    Run SpyBot Search and Destroy --- Make sure you have already gotten the latest UPDATES (Open, then Search for Updates button)
    This is where you get SpyBot --- http://www.majorgeeks.com/download2471.html

    RUN a2 - complete, found trojan.win32.vb.kc & a dialer

    ENABLE SYSTEM RESTORE - complete

    Reconnect to Internet

    Download Microsoft's Critical Updates and Patches: - complete
    http://v4.windowsupdate.microsoft.com/en/default.asp

    Fix these:::::::
    Removing ActiveX Controls if need be:
    http://support.microsoft.com/default.aspx?kbid=154850

    You have to check your settings and fix your ActiveX Controls:
    http://www.jfitz.com/tips/ie_security_config.html

    Active X not in program list


    NET RESULT

    System more stable, but my IE browser is still being hijacked.

    I have attached the hijackthis log as requested.

    Thanks again for your help.
     
  4. TheLastMessenger

    TheLastMessenger Private E-2

    This is good, except I don't see your attachment...
     
  5. lochgreen29

    lochgreen29 Private E-2

    Do you see the attachment now?
     


  6. TheLastMessenger

    TheLastMessenger Private E-2

    Sorry for delayed response, got kinda busy...

    DISCONNECT FROM INTERNET

    Make sure you've uninstalled P2P networking and any related programs unless you need it.

    DELETE THESE:::

    R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://www.w50.com/id2/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.w50.com/id2/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchweb2.com/passthrough/index.html?http://www.google.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.tgnffifihmcte.info/p6DxsVVDBl9qykCpdt7oa3m2aKGd/G/DyTCCKio7CfPJI/v2/FtiaOAiS8D_8qi2.cgi

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -


    Two I'm unsure about but the first one sounds more suspicious than the second:
    O4 - HKLM\..\Run: [idol debug] C:\PROGRA~1\EXTRAJOY\bits sixth hole.exe
    O2 - BHO: (no name) - {60854107-5281-271F-F626-74BA3E9A47AE} - C:\PROGRAM FILES\MAGSBOLDBAIT\MATH PLUS.EXE

    If you don't know what they are, we can delete them and then delete the MAGSBOLDBAIT folder.
    Then search for 'bits sixth hole.exe' and delete it.

    RUN CRAPCLEANER

    Everything else looks good... I'd recommend resetting your webpages::
    Changing your homepage:::
    Go into Internet Explorer and change your homepage to your preference (Tools -> Internet Options -> General tab, set homepage in homepage address area). Your preferred homepage should remain as the active homepage and should no longer be hijacked.

    Rerun spybot, adaware, and HSremove::
    http://www.majorgeeks.com/download4286.html.... nothing might be found but just to clean it up.

    Then attach another log and let us know where you stand.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Note: If you run HSremove after setting up your home page, you will have to set your home page again since HSremove will change it. So you should change the order of the steps here. I however would not run HSremove for no reason at all. This log shows no indications of the HSA hijack and there have been complications from running HSremove (like not being able to get rid of requests to re-install or update some applications). It may only be a problem when there actually has been a hijack on a PC, but it would be a good idea to avoid using HSremove and About:Buster unless there are indications of the HSA and/or about:blank hijackers.
     
  8. TheLastMessenger

    TheLastMessenger Private E-2

    My bad on the order... I fixed the link you corrected the other day also... I didn't see any infection of HS but just thought it's a good tool to have handy.. I will not recommend it unless needed then... thanks Chaslang. How did the rest of the log look? I think lochgreen29 is looking OK.
     
  9. lochgreen29

    lochgreen29 Private E-2

    Progress is being made....

    Home page hijacking looks to be sorted. Error messages gone.

    Still blue screening or just re-booting occasionally though.

    Ran out of time tonight. I will get a copy of the latest hijackthis log tomorrow. Still need to complete a final Ad-aware run before that. (PC crashed a couple of times when trying to run it).

    Thanks for the help so far.
     
  10. lochgreen29

    lochgreen29 Private E-2

    Hijackthis log file attached.
     


  11. TheLastMessenger

    TheLastMessenger Private E-2

    OK... let's make sure you uninstalled 'funwebproducts' and any related programs that you know to be invalid.

    Make sure you've updated ADAWARE, SPYBOT, and a2; they all have update buttons once you open the programs--let them connect and load the updates.

    Run HJT and delete the following:::
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/en-us/srchasst/srchcust.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.wbxfyzcpljwo.net/p6DxsVVDBl9qykCpdt7oa3m2aKGd/G/DyTCCKio7CfPmOTKvuR_2nOAiS8D_8qi2.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s

    Then search for these dll's and delete them::::
    autosearch.dll, safesearch.dll

    Then SHOW YOUR HIDDEN FILES AGAIN

    PHYSICALLY DISCONNECT FROM INTERNET

    Run CWShredder-- make sure it's latest version with latest updates.
    Run Adaware-- we need this to be completed without the crash, and delete all it finds.
    Run SpyBot
    Run a2

    Make sure your homepages are set.

    Reconnect to internet with hidden files STILL SHOWING and run 2 or 3 of these scans AGAIN with autoclean checked:::
    http://housecall.trendmicro.com/
    http://security.symantec.com/default.asp
    http://www.pandasoftware.com/activescan/
    http://www.ravantivirus.com/scan/
    http://www.anti-trojan.net/en/onlinecheck.aspx
    http://www.windowsecurity.com/trojanscan/
    Make sure autoclean is enabled on the scans

    Let's clear these items before dealing with your bluescreen...

    Then post another HJT log for me if that's ok.
     
  12. Adrynalyne

    Adrynalyne Guest

    Just curious, what exactly do you find wrong with these entries, that you want them deleted?

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/en-us/srchasst/srchcust.htm

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
     
  13. TheLastMessenger

    TheLastMessenger Private E-2

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  15. TheLastMessenger

    TheLastMessenger Private E-2

    No chaslang, that was my bad.... I didn't need to put them in the fix list... no matter though, it won't hurt anything.
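    The question raised above, which of the R0/R1 lines are stock Internet Explorer defaults and which point at unknown search or start-page hosts, is exactly the triage a helper has to do by eye on every HijackThis log. The script below is an added example and is not part of the thread or of HijackThis itself: it parses R0/R1 lines of the shape quoted in this thread, pulls the hostname out of the value, and separates entries on the default Microsoft hosts from entries on hosts that need a closer look. The stock-host list and the sample log excerpt are constructed for the example (the hosts are the ones the participants here treated as legitimate), and the "redirector" rule simply recognises a start page that carries a second URL after the question mark, the shape of the searchweb2.com passthrough entry in the first log.

```python
"""Triage HijackThis R0/R1 entries: separate stock Internet Explorer
defaults from unknown search/start-page hosts.

Added example, not part of the forum thread or of HijackThis.  The
default-host list is an assumption drawn from the hosts the thread's
participants treated as legitimate; extend it for your own environment.
"""
import re
from urllib.parse import urlparse

# Assumption: only these hosts (and their subdomains) count as stock IE values.
STOCK_IE_HOSTS = {"ie.search.msn.com", "home.microsoft.com"}

# R0/R1 line shape: "<type> - <hive>\<key path>,<value name> = <data>"
R_LINE = re.compile(r"^(R[01]) - (HK(?:CU|LM)\\[^,]+),(.+?) = (.*)$")


def parse_r_entry(line):
    """Split one R0/R1 HijackThis line into its parts, or return None."""
    m = R_LINE.match(line.strip())
    if not m:
        return None
    kind, key, name, data = m.groups()
    return {"type": kind, "key": key, "value": name, "data": data}


def _is_stock_host(host):
    """True when host is a listed default host or a subdomain of one."""
    host = (host or "").lower()
    return any(host == h or host.endswith("." + h) for h in STOCK_IE_HOSTS)


def classify(entry):
    """Return (verdict, reason) for a parsed R0/R1 entry."""
    url = urlparse(entry["data"])
    if url.scheme not in ("http", "https"):
        return ("review", "value is not an http(s) URL")
    host = url.hostname
    if _is_stock_host(host):
        return ("stock", f"{host} is a stock IE default host")
    # A start page whose query string is itself a URL is a redirector:
    # the browser lands on the real page only after passing through host.
    if url.query.startswith(("http://", "https://")):
        return ("redirector", f"{host} passes through to {url.query}")
    return ("review", f"{host} is not a known default host")


def triage(log_text):
    """Parse an HJT log excerpt; return [(line, verdict, reason), ...]."""
    results = []
    for line in log_text.splitlines():
        entry = parse_r_entry(line)
        if entry is None:
            continue  # non-R lines (O2, O4, O16, ...) and blanks are skipped
        verdict, reason = classify(entry)
        results.append((line.strip(), verdict, reason))
    return results


# Constructed excerpt built from R0/R1 lines quoted earlier in the thread,
# plus one O4 line to show that other section types are ignored.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer,Default_Search_URL = http://www.w50.com/id2/search.html
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://searchweb2.com/passthrough/index.html?http://www.google.co.uk/
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,CustomizeSearch = http://ie.search.msn.com/en-us/srchasst/srchcust.htm
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O4 - HKLM\\..\\Run: [idol debug] C:\\PROGRA~1\\EXTRAJOY\\bits sixth hole.exe
"""

if __name__ == "__main__":
    for line, verdict, reason in triage(SAMPLE_LOG):
        print(f"[{verdict:10}] {reason}\n             {line}")
```

    Run on the excerpt, the two Microsoft-hosted lines come back as "stock", the searchweb2.com start page as "redirector", and the w50.com search URL as "review"; the O4 line is skipped because the parser only handles R0/R1. The point of the "stock" verdict is the one made in the thread: an R0/R1 line is not evidence of a hijack just because it is present, so the helper should compare the host against the known defaults before adding the line to a fix list.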
     
  16. lochgreen29

    lochgreen29 Private E-2

    OK... mixed bag of successes and failures.

    Uninstalled 'funwebproducts' etc - complete
    Updated ADAWARE, SPYBOT, and a2

    Followed the discussion about the next set of advice and deleted the one line everyone agreed with

    Run HJT and delete the following:::
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/en-us/srchasst/srchcust.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.wbxfyzcpljwo.net/p6DxsVV...AiS8D_8qi2.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s

    Then search for these dll's and delete them::::
    autosearch.dll, safesearch.dll - not on my C:.


    Ran CWShredder
    Ran Adaware
    Ran SpyBot
    Ran a2

    I ran Spybot a couple of times. It removed everything except one entry:

    DSO Exploit
    HKEY_USERS/DEFAULT/software/microsoft/windows - reports a registry change



    Make sure your homepages are set. - done

    Reconnect to internet with hidden files STILL SHOWING and run 2 or 3 of these scans AGAIN with autoclean checked:::
    http://housecall.trendmicro.com/
    http://security.symantec.com/default.asp
    http://www.pandasoftware.com/activescan/
    http://www.ravantivirus.com/scan/
    http://www.anti-trojan.net/en/onlinecheck.aspx
    http://www.windowsecurity.com/trojanscan/
    Make sure autoclean is enabled on the scans


    This last step was a complete nightmare. After hours (and I mean HOURS) of trying, I have only managed a complete run of pandasoftware (which took over 4 hours). ravantivirus and windowsecurity crashed a few times & anti-trojan.net is gone.

    I will keep trying, but have attached my latest log. I have made a small collection of blue screen messages......

    Thanks for sticking with me.
     


  17. lochgreen29

    lochgreen29 Private E-2

  18. TheLastMessenger

    TheLastMessenger Private E-2

    Log is clean!

    I would attempt to help with the bluescreen but am headed out of town... I think you would probably be asked to direct your bluescreen/hardware errors back to this thread or somewhere else anyway:
    http://forums.majorgeeks.com/showthread.php?t=38675

    I would recommend getting spywareblaster and spygaurd at some point to help with future security:::
    http://www.majorgeeks.com/download2859.html
    http://www.majorgeeks.com/download3045.html

    Good Luck.
     
  19. lochgreen29

    lochgreen29 Private E-2

    Thanks for all your help, I really appreciate it.

    I will start a new thread if necessary for the blue screening.

    Regards
     
