TheTechGuide Forum

General Category => Software => Topic started by: sikkut on April 12, 2004, 11:48:28 AM

Title: hijack problems...
Post by: sikkut on April 12, 2004, 11:48:28 AM
hi,
I am having trouble with my IE and it is starting to drive me nuts. With constant homepage changes and window pop-ups, using the browser is becoming a pain in the neck.
I have been running AdAware and Spybot and curing the problems that show up, but the troubles remain.
Could somebody take a look at the HijackThis log below and indicate what the problem might be/what to get rid of or repair? I would greatly appreciate the help.

thanks in advance,
sikkut


Logfile of HijackThis v1.97.7
Scan saved at 12:41:45, on 12.04.2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\WMonitor\WLanCfgB.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Dilberttest3\Screen Saver\FWLink.exe
C:\windows\winlogon.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\mac stuff\panther\Aqua Dock\Aqua Dock.exe
C:\Program Files\WeatherCast\Weather.exe
C:\Program Files\kaval\Webshots\WebshotsTray.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\sikkut\Application Data\Mozilla\Profiles\default\lsu9t860.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\sikkut\Application Data\Mozilla\Profiles\default\lsu9t860.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Tapicfg.exe] \tapicfg.exe
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - HKLM\..\Run: [WLanCfgB.exe] C:\Program Files\WMonitor\WLanCfgB.exe
O4 - HKLM\..\Run: [sys] regedit -s sysdll.reg
O4 - HKCU\..\Run: [iedll] c:\WINDOWS\iedll.exe
O4 - HKCU\..\Run: [loader] c:\WINDOWS\loader.exe
O4 - HKCU\..\Run: [rundll32] c:\windows\rundll32.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\mac stuff\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02607DF4-D40B-4FFB-B054-1CAC03468E28} (DNLCertificate Control) - http://www.fmn-media.com/campaigns/winpl/sites/pops/A001/DNLCertificate.ocx
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) - http://static.everyday.com/static/images/p2p.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://dhs.riigikantselei.ee/iNotes.cab
O16 - DPF: {2BD3E3A2-8D92-4438-B335-C1F3F75F83D6} (diskFile Class) - file://D:\fileInfoUtil.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} (EPlugin Control) - http://66.230.146.53/EPlugin.cab
Title: hijack problems...
Post by: Guest on April 16, 2004, 01:56:48 PM
I know for sure a couple of things: get rid of the bundleware ActiveX BM2.cab item.
And get rid of all instances of inetadpt.dll.

Maybe more, but I know that stupid BM2.cab item screwed up our internet, and when we got rid of it everything was fine.
Title: hijack problems...
Post by: Grinler on April 20, 2004, 09:36:03 AM
You may be infected with a variant of CoolWebSearch.

Download CWShredder from the link below and unzip it into a directory. Start CWShredder and click on the Fix button to have it remove all CWS infections it finds.

Download CWShredder from:

http://www.merijn.org/files/cwshredder.zip

After you download the program, unzip it into a directory. Make sure all browser windows are closed and double-click on cwshredder.exe to start the program. When the program is loaded click on the "Check for Update" button, and if it finds a new version it will download it. You should then double-click on cwshredder.exe again and click on the "Fix" button (not the "Scan only" button) and let it scan your computer.

To get the best results it is recommended that you run it in Safe Mode. Reboot Windows and press F8 at boot/Windows startup, usually right after the beep. Then select Safe Mode.

A tutorial that goes over this process step by step can be found here:

How to remove CoolWebSearch with CoolWeb Shredder: http://www.bleepingcomputer.com/forums/index.php?showtutorial=47

Once that is completed you should follow these steps in order to clean your computer of Malware (http://www.bleepingcomputer.com/forums/index.php?act=Compupedia&show=227), which can include Viruses, Trojans, Worms, Spyware, Hijackers and Dialers.

Step 1:
Download Spybot and Ad-aware from the following locations and install them. You should run both programs and clean up what they find. This is to guarantee that you find the most malware you can installed on your computer.

Before running the scans on both programs, it is mandatory that you update the programs.  There are update options in each program when you run them.

Spybot: http://www.safer-networking.org/index.php?page=download

Ad-aware: http://www.lavasoftusa.com/software/adaware/

If you would like to learn more about how to use these two programs with the proper settings you can read the tutorials below in my signature.

When you scan with both programs, fix everything that they find.

When you are done with the scan and fixing the items, please continue with the next step.

Step 2:

It is important that you run Spybot and Ad-aware before you proceed with this step. Fixing entries with HijackThis may leave behind unwanted files on your computer if the previous step was not done first.

Create a directory on your hard drive to save HijackThis.exe, for example c:\hijackthis. If you do not do this, you will not be able to use the backup/restore features.

Download HijackThis from:

HijackThis: http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Save this file into the directory you made previously and then run the program. Click on the Scan button and when it is finished click on the Save Log button. A Notepad window will open with the contents of this log. Click on Edit, then click on Select All. Then click on Edit and then click on Copy.

Create a reply to this post, and right click in message area and select paste to paste the log into the post.

Someone will reply to you after reading this post. DO NOT fix any entries unless you understand what you are doing.

To see a tutorial on using HijackThis you can click on the link in my signature below.
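The replies above read the log by hand: a winlogon.exe or rundll32.exe living in C:\WINDOWS instead of System32, a Run entry that re-imports a .reg file or has no path at all, an unrecognised Winsock LSP such as inetadpt.dll, an ActiveX control pulled from a site like bundleware.com, and start/search pages forced to about:blank. The script below is an added example, not part of this thread and not HijackThis's own code; it encodes those same checks as a first-pass triage over HijackThis v1.97 log lines so a reader can see what a reviewer is looking for before touching the Fix button. The sample input is constructed from lines of the first log in this thread, and the allow-list of ActiveX download hosts is an assumption chosen for illustration.

```python
"""Added example, not from this thread or from HijackThis: a first-pass
triage of HijackThis v1.97 log lines that encodes the checks the replies
in this thread make by hand. The trusted-host list is an assumption."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Binaries the real Windows starts itself: they live only in
# %SystemRoot%\system32 and are never launched from a Run key.
NEVER_IN_RUN = {"winlogon.exe", "lsass.exe", "services.exe", "smss.exe", "csrss.exe"}
SYSTEM32_ONLY = NEVER_IN_RUN | {"rundll32.exe", "svchost.exe"}
# Assumed allow-list of ActiveX (O16) download hosts, for illustration only.
TRUSTED_DPF_HOSTS = {"download.macromedia.com", "www.apple.com", "messenger.zone.msn.com",
                     "toolbar.google.com", "v4.windowsupdate.microsoft.com"}

# Constructed sample: lines copied from the first log in this thread, plus
# benign lines and a duplicated LSP line, so the checks run offline.
SAMPLE_LOG = r"""C:\WINDOWS\system32\winlogon.exe
C:\windows\winlogon.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tapicfg.exe] \tapicfg.exe
O4 - HKLM\..\Run: [sys] regedit -s sysdll.reg
O4 - HKCU\..\Run: [rundll32] c:\windows\rundll32.exe
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

@dataclass
class Finding:
    code: str      # HijackThis section tag ("O4", "O10", ...) or "PROC" for a process entry
    severity: str  # "high" = act on it, "review" = needs a human look
    reason: str
    line: str

RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
ABOUT_BLANK_RE = re.compile(r"^R[01] - .* = about:blank$")
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (.*)$")
DPF_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (\S+)")

def command_image(cmd):
    """Executable part of a Run-key command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""

def split_path(path):
    parent, _, base = path.lower().rpartition("\\")   # ("c:\windows", "winlogon.exe")
    return parent, base

def check_run_entry(hive, cmd, line):
    image = command_image(cmd)
    parent, base = split_path(image)
    if base in NEVER_IN_RUN:
        return Finding("O4", "high", f"{base} is never launched from a {hive} Run key; {image} is a lookalike", line)
    if base in SYSTEM32_ONLY and not parent.endswith("\\system32"):
        return Finding("O4", "high", f"{base} outside System32: {image}", line)
    if base in ("regedit", "regedit.exe") and ".reg" in cmd.lower():
        return Finding("O4", "high", f"re-imports a .reg file at every logon: {cmd}", line)
    if not re.match(r"^[a-z]:\\", image.lower()):
        return Finding("O4", "review", f"no absolute path, resolved at runtime: {image}", line)
    return None

def triage(log_text):
    findings, seen = [], set()
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line or line in seen:   # the LSP chain lists the same DLL once per protocol
            continue
        seen.add(line)
        m = RUN_RE.match(line)
        if m:
            hive, _name, cmd = m.groups()
            f = check_run_entry(hive, cmd, line)
            if f:
                findings.append(f)
            continue
        if re.match(r"^[a-z]:\\", line.lower()):            # "Running processes" entry
            parent, base = split_path(line)
            if base in SYSTEM32_ONLY and not parent.endswith("\\system32"):
                findings.append(Finding("PROC", "high", f"{base} running from outside System32", line))
            continue
        if ABOUT_BLANK_RE.match(line):
            findings.append(Finding("R", "high", "start/search page forced to about:blank", line))
        elif m := LSP_RE.match(line):
            findings.append(Finding("O10", "high", f"unrecognised Winsock LSP {m.group(1)}; all socket traffic passes through it", line))
        elif m := DPF_RE.match(line):
            host = (urlsplit(m.group(1)).hostname or "").lower()
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(Finding("O16", "review", f"ActiveX control fetched from unvetted host {host or m.group(1)}", line))
    return findings

if __name__ == "__main__":
    print("\n".join(f"[{f.severity:6}] {f.code:4} {f.reason}" for f in triage(SAMPLE_LOG)))
```

Run against the sample it reports the C:\windows\winlogon.exe process, the about:blank page, the three bad Run entries (regedit import, rundll32 and winlogon lookalikes) and the LSP as "high", and the path-less tapicfg.exe entry and the bundleware.com control as "review"; the QuickTime and Macromedia entries produce nothing. The duplicate O10 line is collapsed because HijackThis prints the LSP chain once per Winsock protocol entry. Anything marked "review" still needs the human judgement Grinler asks for; the script only orders the work.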
Title: hijack problems...
Post by: The_Unknown on April 23, 2004, 12:43:15 PM
Log seems fine.
Title: hijack problems...
Post by: Jamie on May 07, 2004, 05:19:46 PM
I had some trouble with my homepage changing. I downloaded HijackThis and I seem to have fixed that problem.

But when installing MSN Plus, I installed a load of 3rd-party stuff that I don't want. It is OK to put up with, but instead of bringing up Page Cannot Be Found, it brings up a custom-made page. Something to do with 'Search The Web'.
I managed to change this file once before, but it just came back.

That seemed all right until recently. When that page loads it sometimes brings up a Ringtones popup, which automatically dumps a trojan horse somewhere in my Temporary Internet Files. It's getting really annoying even though I can delete it.

Since using HijackThis I have had a problem with the Google Toolbar as well. Once I make it come up in IE, as soon as I click a link or button to go to another site, it disappears. I have hopefully included a pic of my backed-up file that I previously deleted the originals of, so you can tell me if I deleted something wrong, please.

Well, now for the log, so maybe someone could shed some light on the matter?

Logfile of HijackThis v1.97.7
Scan saved at 22:31:01, on 07/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\Interactive Agents\ActivePlus.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\PROGRA~1\README~1\Site amen settings.exe
C:\Program Files\3DO\Army Men Toys in Space\Registration\Remind32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\AnalogX\POW\pow.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jamie T\My Documents\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O2 - BHO: (no name) - {297FB6C2-0149-3E41-3BD3-103B46F527C3} - C:\PROGRA~1\meow0116\funk sixth.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-big.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-big.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [ActivePlus] "C:\Program Files\Interactive Agents\ActivePlus.exe"
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [Meta roam] C:\PROGRA~1\README~1\Site amen settings.exe
O4 - HKCU\..\Run: [EPSON Stylus C60 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_SBA.tmp"
O4 - Startup: 3DO Registration.lnk = C:\Program Files\3DO\Army Men Toys in Space\Registration\Remind32.exe
O4 - Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe
O4 - Startup: Shortcut to pow.lnk = C:\Program Files\AnalogX\POW\pow.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38049.3769560185
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {BF4FC0C7-4387-4D18-AD86-DF33DDDE33C7} - http://hot.activebuddy.com/catalog/smarterchild/websetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://lw10fd.law10.Email Removed.msn.com/active...ex/HMAtchmt.ocx

http://www.geocities.com/jamiet138/deletedlog.jpg

Thanks a lot! It would really help because I've had loads of problems in the past, but I just can't sort this one out!
Jamie