just can't figure it out

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by scottkajun, Jul 29, 2004.

  1. scottkajun

    scottkajun Private E-2

    Well I've been following the messages for the last 2 days or so, doing as much reading as I can. I'm stuck with this "aboutblank" thing and just can't get rid of it. Maybe I'm not doing it just right or something. My system is Windows 98, have XP Pro to install but will exchange to XP Home before I do. Pentium II, 350 MHz, 192 RAM.
    I did the aboutbuster prog in both safe mode and normal, the other one won't let me with Win98. Rebooted after both times, and still there. I can't even get to my email page with Yahoo. It redirects me.
    Any ideas?
    Scott
     
  2. NeoNemesis

    NeoNemesis Moutharrhea

    EDIT: Sorry, I posted the link to download About:Buster and then realized you did; I didn't read that part.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're not explaining what you mean too clearly, Scott. What is "the other one won't let me with win98" supposed to mean? Did you mean you tried to run HSremove?

    What version of About:Buster did you try?
    A new version (2.0) just came out. Give it a try: http://www.majorgeeks.com/download4289.html

    Info below direct from RubbeR DuckY:
    "First unzip all files from the zip folder to a folder or your desktop. Start it and hit ok. Then hit update. A new screen should popup. On that screen hit Check for Updates. If it says it found an update hit Download Updates. If it doesn't it will automatically tell you and exit. Now for the scanning part. Hit start and then Ok. The program should start scanning. Then hit exit and reboot.

    Once rebooted run About:Buster once more to make sure everything is ok.
    The database will be updated very frequently so check your versions once a day. "
     
  4. scottkajun

    scottkajun Private E-2

    Well chaslang,
    I did exactly what you said. Still there... almost ready to cry "UNCLE".
    Going fishing tomorrow. Will take some time in the evening to try some more.
    Thanks
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Typically we request that you follow all of this first: http://forums.majorgeeks.com/showthread.php?t=35407

    But download HijackThis now: http://www.majorgeeks.com/download3155.html

    And post me a HijackThis log "As a text attachment" as mentioned in the above thread.
    Shut down all applications first, especially Internet Explorer, before running HijackThis.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    By the way, in your first message you said, "my system is windows 98, have xp pro to install but will exchange to xp home before I do". It is not a good idea to upgrade to XP over any other OS, especially Win98. You should do a clean install. You should check on this over in the software forum for more info. And if you are ready to reload your system, why bother cleaning this up? A fresh install will (an upgrade may not and will give you lots of other headaches too).
     
  7. scottkajun

    scottkajun Private E-2

    You're right, clean install makes sense.

    Here is the list from HijackThis.

    I'll be out in the Gulf till this evening, will check what you have to say then. Have a good day!
    Scott

    Edited by chaslang: change HJT log to attachment.
     

    Last edited by a moderator: Jul 30, 2004
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: you're right, clean install makes sense.

    Scott,

    You need to follow directions! I gave you a link to read and specifically emphasized that your HJT log should be an attachment. Please do it properly from now on. In addition, I also said, "Shut down all applications first, especially Internet Explorer, before running HijackThis". You did not do that either.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: you're right, clean install makes sense.

    I want you to download the following two programs Win98Fix and StartDreck.

    Unzip them to a place where you can find them later to run. Preferably put each of them in their own directories. We are only going to run StartDreck right now.

    This step is very important - you need to be completely disconnected from the internet (physically disconnecting the line to your analog modem or ethernet cable from your computer is the best way to be positive).
    What we are going to try to do is identify the hidden file that is causing the problem. So now we are ready.

    - Run StartDreck.exe
    - Click on: Config
    - Click on: Unmark all
    - Check only the following boxes:
    - Registry | run keys
    - System/drivers | Running processes
    - Click on OK

    Reconnect your internet connection and get back here and post the log of results AS A TEXT ATTACHMENT.

    Also, to get ready for what I am planning to do next, you must do the following prep work. Do not run any of the below items. Just download them (install as indicated).

    1) Please download and unzip CWShredder but do not run.
    2) Now download and install (do not run a scan yet) the current version of Ad-aware
    3) Make sure you immediately update to the current reference list by clicking the "Check for updates now" button.
    4) Now make sure the following items are configured on Ad-aware, a Green color means the option is enabled (some of these may be the defaults but let's be sure):
    On the main window click Start, Activate in-depth scan (recommended)
    Now click "Use custom scanning options" then click Customize button and make sure the following options are enabled (Green):
    Scan within archives
    Scan active processes
    Deep scan registry
    Scan my IE Favourites for banned URLs
    Scan my Host files
    Then click Proceed to save the settings.
    Now click the Settings button. This is the gear icon on the top of the window.
    Now click Tweak and expand the Scanning engine selection and check the following:
    - Unload recognized processes during scanning
    Now Expand the Cleaning engine selection and check the following:
    - Let windows remove files in use at next reboot
    - make sure to disable (make it RED) the Automatically try to unregister objects prior to deletion
    Then click Proceed to save your settings.
    Again, Do not run Adaware yet.
     
    Last edited: Jul 30, 2004
  10. scottkajun

    scottkajun Private E-2

    Thanks chas,
    I'm following you. Here's the StartDreck log.
    Scott
     

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: you're right, clean install makes sense.

    Okay! Hopefully you did the prep work and got CWShredder and Ad-aware and configured Ad-aware as requested. And also got Win98Fix as requested too.

    The hidden installer file that is causing the problem is C:\WINDOWS\SYSTEM\SQLPJLE.DLL

    But you also have the W32/Magistr-A virus. This was indicated by the below line in your HJT log:
    F1 - win.ini: run=MSOOBD.EXE

    So first run HijackThis and select only the following lines and then click Fix:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4-counter.com/?a=2&b=crue
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4-counter.com/?a=2&b=crue
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    F1 - win.ini: run=MSOOBD.EXE

    You should print these instructions or copy them locally because (this step is very important) you need to be completely disconnected from the internet (physically disconnecting the line to your analog modem or ethernet cable from your computer is the best way to be positive).

    - Now use Windows Explorer to get to the directory where you unzipped the Win98Fix program I asked you to download in my previous message.
    - Doubleclick on RunFix.reg file and click Yes on the prompt.
    - Now you must Reboot your computer! Do not run Internet Explorer after rebooting and remain disconnected from the Internet.
    - The hidden file should now be visible. Click on Start, Find, Files or Folders and enter the name of the file (SQLPJLE.DLL). It will be located in C:\WINDOWS\SYSTEM\SQLPJLE.DLL Once you find it, right click on it and select delete.
    - Now please run CWShredder and make sure you select the Fix button.
    - Next run Ad-aware (with the options I asked you to configure) by clicking on the Scan button.

    - When scan is finished, make sure you select all items found and have them fixed.
    - Now click on Start, Find, Files or Folders and enter the name MSOOBD.EXE so we can find that virus file. When found delete it too!
    - Now tell me the results of all the above steps and please post a new HijackThis log ATTACHMENT.
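
As an added illustration (not part of the original thread and not code from HijackThis or MajorGeeks), the Python below parses HijackThis-style log lines and marks the entry types selected for fixing in the post above: IE page settings that point at a local HTML file, the HomeOldSP value, a win.ini `run=` autostart, and Run-key entries for review. The function name `triage`, the heuristics and the last two sample lines are assumptions made for this example.

```python
import re

# Constructed sample: the first five entries are copied from the thread;
# the last two lines are made up to show lines that are not reported.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F1 - win.ini: run=MSOOBD.EXE
O4 - HKCU\..\Run: [Windows Update Checker] C:\WINDOWS\SYSTEM32\DEINST_QFE002.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
Logfile of HijackThis (constructed header line)
"""

# R0/R1: IE start/search page values, "hive\key,value = data"
R_ENTRY = re.compile(r"^(R[01]) - (HK[A-Z]+)\\(.+?),(.*?) = (.*)$")
# F0/F1: autostart entries in system.ini / win.ini
F_ENTRY = re.compile(r"^(F[01]) - (win\.ini|system\.ini): (\w+)=(.*)$", re.I)
# O4: Run-key autostart, "location: [name] command"
O4_ENTRY = re.compile(r"^O4 - (.+?): \[(.+?)\] (.+)$")
# Data that names an HTML page on the local disk rather than a web URL
LOCAL_PAGE = re.compile(r"^(file://|[A-Za-z]:\\).*\.html?$", re.I)

def triage(log_text):
    """Return (section, verdict, detail) tuples for entries worth a look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_ENTRY.match(line)
        if m:
            section, hive, key, value, data = m.groups()
            where = f"{hive}\\{key},{value}"
            if LOCAL_PAGE.match(data):
                findings.append((section, "suspicious", f"{where} -> local page {data}"))
            elif value == "HomeOldSP":
                findings.append((section, "suspicious", f"{where} present"))
            continue
        m = F_ENTRY.match(line)
        if m:
            section, ini, key, data = m.groups()
            if key.lower() in ("run", "load") and data.strip():
                findings.append((section, "suspicious", f"{ini} {key}= starts {data}"))
            continue
        m = O4_ENTRY.match(line)
        if m:  # most Run entries are legitimate; list them for manual review
            findings.append(("O4", "review", f"{m.group(2)}: {m.group(3)}"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```
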
     
  12. scottkajun

    scottkajun Private E-2

    Looks like I'm clean

    Chas,
    You're a Godsend! Thanks. Shredder did stop on one file I wasn't sure about deleting, diskserv.exe. I clicked no and kept going.
    About blank is gone, and the virus file as well. Here is the log file for your review that you asked for.
    Scott
     

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Looks like I'm clean

    Cool! We are almost done. Bring up Task Manager (CTRL-ALT-DEL) and look for this process:
    DEINST_QFE002.EXE

    If you find it, end it. If not, just continue.

    Run HijackThis and have it fix the following line:
    O4 - HKCU\..\Run: [Windows Update Checker] C:\WINDOWS\SYSTEM32\DEINST_QFE002.EXE

    Now find this file with Windows Explorer and delete it:
    C:\WINDOWS\SYSTEM32\DEINST_QFE002.EXE

    If you cannot delete it right now, boot into safe mode and delete it.
    Here is how to boot in safe mode.
     
  14. scottkajun

    scottkajun Private E-2

    Thanks Chas

    All junk is gone and puter back to normal. Thanks. Two boys at home and we'll see how long it takes before they go where they shouldn't again.
    Scott
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Thanks Chas

    That's great news. Good job working thru all this.

    Here are some simple steps you can take to reduce the chance of infection in the future.
    I strongly encourage you to take these precautions. Some of these items should already be on your PC from the work we were doing.

    1. Visit Windows Update:
    Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
    a. Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp
    Do this at least once a month.
    b. Never add any site to your Trusted Sites Zone.

    2) Anti Virus: make sure you have one and keep it updated. Here are some good free ones:
    http://majorgeeks.com/download1968.html Avast
    http://majorgeeks.com/download886.html AVG
    The top two hands down. Better than Norton or McAfee!
    Only run ONE AV!

    3) Firewall: if you don't have one get one of these below. The last two are free versions:
    Don't care if you're on dial up or High Speed....you must have a firewall
    http://majorgeeks.com/download738.html Kerio Personal Firewall
    http://majorgeeks.com/download3356.html Sygate Personal Firewall Free
    http://www.majorgeeks.com/download388.html ZoneAlarmFree

    4) Get a Temp File/Cookies/index.dat cleaner
    http://majorgeeks.com/download4191.html CCleaner (Crap Cleaner)

    5) SpyWare Prevention (These prevent, they are not scanners. Scanners are listed later. It would be a good idea to use both of these.)
    http://majorgeeks.com/download2859.html SpyWare Blaster
    http://majorgeeks.com/download3045.html SpyWare Guard

    6) SpyWare Scanners/Removers (keep both on your PC and updated)
    http://majorgeeks.com/download2471.html SpyBot (Use the Immunize feature. I don't activate the TeaTimer)
    http://majorgeeks.com/download506.html Ad-aware
    http://www.majorgeeks.com/download4283.html VX2 Cleaner Plug-In for Ad-Aware
     
    Last edited: Aug 6, 2004
