
strange web pages loading constantly [resolved]



#1
jrsummersill

jrsummersill

    Member

  • Member
  • PipPip
  • 28 posts
Hi, I hope someone can help me. I have never seen anything like this. Every time I go on the net I am bombarded with different websites loading on my computer. It is very annoying as I am sure you know. I have tried all of the "to do"s that are required before I post my hijack log. Some of them would not load or work correctly, but I did try. Also, I was wondering if my internet security options (cookies in particular) have anything to do with this. I tried to change them to a "high" level of security but now I am also constantly getting a little window asking me if I want to allow cookies from various sites. Now I am thinking that this was not the correct thing to do either since it is equally as annoying as the strange websites, especially since it all happens at once. Anyway I am now going to post my hijack log below. I will tell you in advance that I am eternally grateful for anyone's expertise during this. :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 8:16:41 AM, on 3/3/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\TEXBUTIL.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\TOSHIBSU.EXE
C:\WINDOWS\SYSTEM\PWRTRAY.EXE
C:\WINDOWS\SYSTEM\PSPCCARD.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\THGPS\MKAHWC.EXE
C:\WINDOWS\VQYVGU.EXE
C:\WINDOWS\SYSTEM\WSXSVC\WSXSVC.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\COMPUSERVE 2000A\CSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.compuserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.ne...ch?r=minisearch
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_0/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\9jg2v3a4.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\9jg2v3a4.slt\prefs.js)
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O4 - HKLM\..\Run: [TDspOff] TDspOff.Exe B
O4 - HKLM\..\Run: [TOSHIBSU] TOSHIBSU.EXE
O4 - HKLM\..\Run: [PowerTray] PwrTray.EXE
O4 - HKLM\..\Run: [PsPCCard] PsPCCard.EXE
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [jecvrswk] C:\WINDOWS\SYSTEM\ovifiln.exe
O4 - HKLM\..\Run: [Obdrmnn] C:\PROGRAM FILES\THGPS\MKAHWC.EXE
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\vqyvgu.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\SYSTEM\wsxsvc\wsxsvc.exe
O4 - HKLM\..\RunServices: [TExBUtil] TExBUtil.Exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: CompuServe 2000 Tray Icon.lnk = C:\CompuServe 2000a\cstray.exe
O4 - Startup: kfykig.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: c:\windows\system\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\winlspak.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C:one.MHT!http://www.t058.com/....chm::/open.exe
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp...her/MotUtil.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab


#2
jrsummersill

I know that y'all are busy but could someone please look at my log or tell me how to do it? Thanks.

#3
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Do you still need help? :tazz:

#4
jrsummersill

Yes, ma'am, you bet I do!! The problem is worse than ever, now my isp (compuserve) will not load any pages. It had gotten pretty bad at the end. I am on my desktop right now, the problem is with my laptop :tazz: (which is my life!). I am going to try to use another isp in order to get you another hijack log or copy the hijack log onto a cd and put it on my desktop. Thank you so much for responding to my request, I was starting to get really worried about my laptop.
thanks,
Jenny

#5
jrsummersill

After much wrangling I was able to get the current hijack log to you. It seems that none of the ISPs are working on my computer, they connect to the net, and that is it, I cannot pull up any web pages. Anyway, I went ahead and ran a log and copied it to floppy and added it to my desktop, so here it is....

Logfile of HijackThis v1.99.1
Scan saved at 8:36:57 AM, on 3/18/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\EASY INTERNET\ENCMONTR.EXE
C:\WINDOWS\SYSTEM\TEXBUTIL.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\TOSHIBSU.EXE
C:\WINDOWS\SYSTEM\PWRTRAY.EXE
C:\WINDOWS\SYSTEM\PSPCCARD.EXE
C:\WINDOWS\SYSTEM\TESCKEY.EXE
C:\WINDOWS\SYSTEM\TFUNCKEY.EXE
C:\WINDOWS\SYSTEM\THOTSWAP.EXE
C:\WINDOWS\SYSTEM\THOTKEY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\PROGRAM FILES\ADDESTROYER\ADDESTROYER.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\COMPUSERVE 2000A\CSTRAY.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020searc...884/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopna...cid=shnv9884&s=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://toshiba.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopna...cid=shnv9884&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020searc...884/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_0/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\9jg2v3a4.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\9jg2v3a4.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: YBIOCtrl Class - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SNHlprObj Class - {14b3d246-6274-40b5-8d50-6c2ade2ab29b} - C:\PROGRAM FILES\SRNG\SNHELPER.DLL (file missing)
O3 - Toolbar: 2020 Search - {4E1075F4-EEC4-4a86-ADD7-CD5F52858C31} - C:\WINDOWS\2020SE~1.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TDspOff] TDspOff.Exe B
O4 - HKLM\..\Run: [TOSHIBSU] TOSHIBSU.EXE
O4 - HKLM\..\Run: [PowerTray] PwrTray.EXE
O4 - HKLM\..\Run: [PsPCCard] PsPCCard.EXE
O4 - HKLM\..\Run: [TEscKey] TEscKey.exe
O4 - HKLM\..\Run: [TFunckey] TFuncKey.exe
O4 - HKLM\..\Run: [THotSwap] THotSwap.Exe
O4 - HKLM\..\Run: [THotkey] THotkey.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [srng] \Program Files\Srng\Srng.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Easy Internet\ENCMONTR.EXE
O4 - HKLM\..\RunServices: [TExBUtil] TExBUtil.Exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Startup: CompuServe 2000 Tray Icon.lnk = C:\CompuServe 2000a\cstray.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O8 - Extra context menu item: &RSDN Search - res://C:\WINDOWS\2020SE~1.DLL/GoRSDN.dll.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll


I appreciate your expertise.
thanks again,
Jenny

#6
coachwife6

We'll get it fixed up. I need to check something out first. You are running a 98 machine and you have an infection that I don't have the fix for in-hand. I remember some of the helpers talking about this infection on a 98 but I lost track of the conversation. Don't panic. We will get it fixed.

#7
coachwife6

Download the following file:

http://castlecops.co.../FindIt9xME.zip

and unzip the contents to a folder. When it has unzipped, open that folder and double click on Find.bat. It will run for a while, so be patient, and then produce a log (ignore any File not found messages on the screen, it should continue anyway).

Please copy and paste that log here.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.

#8
jrsummersill

Ok, here is the find that log. I hope that I did it correctly, because it did not take as long as I expected. I will be sure not to power off the computer.


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 1763-17E1
Directory of C:\WINDOWS\SYSTEM

AISTREAM DLL 227,104 03-08-05 10:20p AISTREAM.DLL
WYN32S16 DLL 227,104 03-08-05 10:20p WYN32S16.DLL
QXUT DLL 227,104 03-08-05 10:20p QXUT.DLL
TSASSWD DLL 227,104 03-08-05 10:20p TSASSWD.DLL
MSR DLL 227,104 03-08-05 10:20p MSR.DLL
DGCOBJ DLL 227,104 03-08-05 10:20p DGCOBJ.DLL
MC3216 DLL 227,104 03-08-05 10:20p MC3216.DLL
OCE32 DLL 227,104 03-08-05 10:20p OCE32.DLL
VBPODBC DLL 227,104 03-08-05 10:20p VBPODBC.DLL
SFRMDLL DLL 227,104 03-08-05 10:20p sfrmdll.dll
EGTIER2 DLL 227,104 03-08-05 10:20p egtier2.dll
RRCNS4 DLL 222,568 02-28-05 4:14p RRCNS4.DLL
VAPODBC DLL 222,568 02-28-05 4:14p VAPODBC.DLL
CGPBK32 DLL 222,568 02-28-05 4:14p CGPBK32.DLL
SRI DLL 222,568 02-28-05 4:14p SRI.DLL
RWCLTS6 DLL 222,568 02-28-05 4:14p RWCLTS6.DLL
PAUSTAB DLL 222,568 02-28-05 4:14p PAUSTAB.DLL
NASWAN16 DLL 222,568 02-28-05 4:14p NASWAN16.DLL
MRI DLL 222,568 02-28-05 4:14p MRI.DLL
IIROP DLL 222,568 02-28-05 4:14p IIROP.DLL
OJDBSE32 DLL 222,568 02-28-05 4:14p OJDBSE32.DLL
RHPCX DLL 222,568 02-28-05 4:14p RHPCX.DLL
OIEPRO32 DLL 222,568 02-28-05 4:14p OIEPRO32.DLL
VQHELPER DLL 222,568 02-28-05 4:14p VQHELPER.DLL
MNCI DLL 222,568 02-28-05 4:14p MNCI.DLL
CMMMCTRL DLL 222,568 02-28-05 4:14p CMMMCTRL.DLL
26 file(s) 5,836,664 bytes
0 dir(s) 1,964.60 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 1763-17E1
Directory of C:\WINDOWS\SYSTEM

RATINGS POL 8,192 03-06-05 1:43p RATINGS.POL
WSXSVC <DIR> 03-02-05 4:19p wsxsvc
VMSS <DIR> 03-02-05 4:19p vmss
FFASTLOG TXT 22,419 03-01-05 9:18p FFASTLOG.TXT
HPFHLPB0 GID 8,628 02-11-05 12:19a hpfhlpb0.GID
S3DUODEU GID 8,628 10-20-04 8:32p s3duodeu.GID
FOLDER HTT 13,122 10-07-99 10:10a folder.htt
DESKTOP INI 266 10-07-99 10:10a desktop.ini
6 file(s) 61,255 bytes
2 dir(s) 1,964.59 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
"TaskMonitor"="c:\\windows\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"TDspOff"="TDspOff.Exe B"
"TOSHIBSU"="TOSHIBSU.EXE"
"PowerTray"="PwrTray.EXE"
"PsPCCard"="PsPCCard.EXE"
"TEscKey"="TEscKey.exe"
"TFunckey"="TFuncKey.exe"
"THotSwap"="THotSwap.Exe"
"THotkey"="THotkey.Exe"
"EM_EXEC"="c:\\mouse\\system\\em_exec.exe"
"IrMon"="IrMon.exe"
"TWBbtn"=""
"TCDPbtn"=""
"srng"="\\Program Files\\Srng\\Srng.exe"
"TPP Auto Loader"="C:\\WINDOWS\\TPPALDR.EXE"


thanks,
jenny

#9
coachwife6

Please print out these instructions as you will be required to reboot your computer at times. Please read these directions before you proceed so that you understand what you will be doing.

Step 1:

Download the http://www.bleepingc...les/killbox.php

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.

1. Select the Replace on Reboot option and put a checkmark in the Use Dummy checkbox if it is not checked. Make sure the Use Dummy checkbox is checked as it clears each time you do these steps.

2. Paste this file into the top Full Path of File to Delete field.


C:\WINDOWS\SYSTEM\AISTREAM.DLL

3. Click the Delete File button which looks like a stop sign.

4. Click Yes at the Replace on Reboot prompt.

5. Click No at the Pending Operations prompt.

Repeat step 1 through 5 above for each of the following files. The only difference is that you will be substituting the file listed in step 2 with each of the files below.



C:\WINDOWS\SYSTEM\WYN32S16.DLL
C:\WINDOWS\SYSTEM\QXUT.DLL
C:\WINDOWS\SYSTEM\TSASSWD.DLL
C:\WINDOWS\SYSTEM\MSR.DLL
C:\WINDOWS\SYSTEM\DGCOBJ.DLL
C:\WINDOWS\SYSTEM\MC3216.DLL
C:\WINDOWS\SYSTEM\OCE32.DLL
C:\WINDOWS\SYSTEM\VBPODBC.DLL
C:\WINDOWS\SYSTEM\ sfrmdll.dll
C:\WINDOWS\SYSTEM\egtier2.dll
C:\WINDOWS\SYSTEM\RRCNS4.DLL
C:\WINDOWS\SYSTEM\VAPODBC.DLL
C:\WINDOWS\SYSTEM\CGPBK32.DLL
C:\WINDOWS\SYSTEM\SRI.DLL
C:\WINDOWS\SYSTEM\ RWCLTS6.DLL
C:\WINDOWS\SYSTEM\PAUSTAB.DLL
C:\WINDOWS\SYSTEM\NASWAN16.DLL
C:\WINDOWS\SYSTEM\MRI.DLL
C:\WINDOWS\SYSTEM\IIROP.DLL
C:\WINDOWS\SYSTEM\OJDBSE32.DLL
C:\WINDOWS\SYSTEM\ RHPCX.DLL
C:\WINDOWS\SYSTEM\OIEPRO32.DLL
C:\WINDOWS\SYSTEM\VQHELPER.DLL
C:\WINDOWS\SYSTEM\MNCI.DLL
C:\WINDOWS\SYSTEM\CMMMCTRL.DLL
C:\WINDOWS\SYSTEM\Guard.tmp

After you add the last file, Guard.tmp, and it prompts to reboot, you should press the Yes button to allow it to do so.

Do not reboot more than once as the Guard.tmp will probably recreate on reboot but will be an easy kill this time.

Post a new log with the LATEST version of HJT, 1.99.1.

#10
jrsummersill

I did exactly what you said to do. Here is the latest hijack log....


Logfile of HijackThis v1.99.1
Scan saved at 2:06:09 PM, on 3/18/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\EASY INTERNET\ENCMONTR.EXE
C:\WINDOWS\SYSTEM\TEXBUTIL.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\TOSHIBSU.EXE
C:\WINDOWS\SYSTEM\PWRTRAY.EXE
C:\WINDOWS\SYSTEM\PSPCCARD.EXE
C:\WINDOWS\SYSTEM\TESCKEY.EXE
C:\WINDOWS\SYSTEM\TFUNCKEY.EXE
C:\WINDOWS\SYSTEM\THOTSWAP.EXE
C:\WINDOWS\SYSTEM\THOTKEY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\COMPUSERVE 2000\CSTRAY.EXE
C:\PROGRAM FILES\ADDESTROYER\ADDESTROYER.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
C:\WINDOWS\TPPSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020searc...884/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopna...cid=shnv9884&s=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://toshiba.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopna...cid=shnv9884&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020searc...884/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_0/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\9jg2v3a4.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\9jg2v3a4.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: YBIOCtrl Class - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SNHlprObj Class - {14b3d246-6274-40b5-8d50-6c2ade2ab29b} - C:\PROGRAM FILES\SRNG\SNHELPER.DLL (file missing)
O3 - Toolbar: 2020 Search - {4E1075F4-EEC4-4a86-ADD7-CD5F52858C31} - C:\WINDOWS\2020SE~1.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TDspOff] TDspOff.Exe B
O4 - HKLM\..\Run: [TOSHIBSU] TOSHIBSU.EXE
O4 - HKLM\..\Run: [PowerTray] PwrTray.EXE
O4 - HKLM\..\Run: [PsPCCard] PsPCCard.EXE
O4 - HKLM\..\Run: [TEscKey] TEscKey.exe
O4 - HKLM\..\Run: [TFunckey] TFuncKey.exe
O4 - HKLM\..\Run: [THotSwap] THotSwap.Exe
O4 - HKLM\..\Run: [THotkey] THotkey.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [srng] \Program Files\Srng\Srng.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Easy Internet\ENCMONTR.EXE
O4 - HKLM\..\RunServices: [TExBUtil] TExBUtil.Exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Startup: CompuServe 2000 Tray Icon.lnk = C:\CompuServe 2000\cstray.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O8 - Extra context menu item: &RSDN Search - res://C:\WINDOWS\2020SE~1.DLL/GoRSDN.dll.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

Thanks,
Jenny


#11
coachwife6

Can I see a new Find It log as well?

#12
jrsummersill

I'm sorry--here is the find it log.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 1763-17E1
Directory of C:\WINDOWS\SYSTEM

SFRMDLL DLL 227,104 03-08-05 10:20p sfrmdll.dll
RWCLTS6 DLL 222,568 02-28-05 4:14p RWCLTS6.DLL
RHPCX DLL 222,568 02-28-05 4:14p RHPCX.DLL
3 file(s) 672,240 bytes
0 dir(s) 1,993.09 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 1763-17E1
Directory of C:\WINDOWS\SYSTEM

RATINGS POL 8,192 03-06-05 1:43p RATINGS.POL
WSXSVC <DIR> 03-02-05 4:19p wsxsvc
VMSS <DIR> 03-02-05 4:19p vmss
FFASTLOG TXT 22,419 03-01-05 9:18p FFASTLOG.TXT
HPFHLPB0 GID 8,628 02-11-05 12:19a hpfhlpb0.GID
S3DUODEU GID 8,628 10-20-04 8:32p s3duodeu.GID
FOLDER HTT 13,122 10-07-99 10:10a folder.htt
DESKTOP INI 266 10-07-99 10:10a desktop.ini
6 file(s) 61,255 bytes
2 dir(s) 1,993.09 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
"TaskMonitor"="c:\\windows\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"TDspOff"="TDspOff.Exe B"
"TOSHIBSU"="TOSHIBSU.EXE"
"PowerTray"="PwrTray.EXE"
"PsPCCard"="PsPCCard.EXE"
"TEscKey"="TEscKey.exe"
"TFunckey"="TFuncKey.exe"
"THotSwap"="THotSwap.Exe"
"THotkey"="THotkey.Exe"
"EM_EXEC"="c:\\mouse\\system\\em_exec.exe"
"IrMon"="IrMon.exe"
"TWBbtn"=""
"TCDPbtn"=""
"srng"="\\Program Files\\Srng\\Srng.exe"
"TPP Auto Loader"="C:\\WINDOWS\\TPPALDR.EXE"


jenny
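
Added example (not part of the original posts, and not the output of Find It or KillBox): a Python sketch that parses the DOS-style rows of the Find It listings above, groups files that share an identical size and timestamp, and checks which paths from the removal list are still present in the later listing. The rows and paths are abridged from this thread; the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Rows abridged from the first Find It log in this thread (system-files and
# hidden-files sections of C:\WINDOWS\SYSTEM); the selection is illustrative.
BEFORE = """\
AISTREAM DLL 227,104 03-08-05 10:20p AISTREAM.DLL
WYN32S16 DLL 227,104 03-08-05 10:20p WYN32S16.DLL
SFRMDLL DLL 227,104 03-08-05 10:20p sfrmdll.dll
RRCNS4 DLL 222,568 02-28-05 4:14p RRCNS4.DLL
RWCLTS6 DLL 222,568 02-28-05 4:14p RWCLTS6.DLL
RHPCX DLL 222,568 02-28-05 4:14p RHPCX.DLL
WSXSVC <DIR> 03-02-05 4:19p wsxsvc
HPFHLPB0 GID 8,628 02-11-05 12:19a hpfhlpb0.GID
S3DUODEU GID 8,628 10-20-04 8:32p s3duodeu.GID
"""

# System-files section of the second Find It log (after the reboot).
AFTER = """\
SFRMDLL DLL 227,104 03-08-05 10:20p sfrmdll.dll
RWCLTS6 DLL 222,568 02-28-05 4:14p RWCLTS6.DLL
RHPCX DLL 222,568 02-28-05 4:14p RHPCX.DLL
"""

# Removal targets exactly as written in the instructions (abridged).
TARGETS = [
    r"C:\WINDOWS\SYSTEM\AISTREAM.DLL",
    r"C:\WINDOWS\SYSTEM\WYN32S16.DLL",
    r"C:\WINDOWS\SYSTEM\ sfrmdll.dll",
    r"C:\WINDOWS\SYSTEM\RRCNS4.DLL",
    r"C:\WINDOWS\SYSTEM\ RWCLTS6.DLL",
    r"C:\WINDOWS\SYSTEM\ RHPCX.DLL",
]

# 8.3 name, extension, size with thousands separators, date, time, long name.
ENTRY = re.compile(
    r"^(\S+)\s+(\S+)\s+([\d,]+)\s+(\d\d-\d\d-\d\d)\s+(\d{1,2}:\d\d[ap])\s+(\S+)$"
)


def parse_listing(text):
    """Return {LONG_NAME: (size, date, time)}; <DIR> rows and noise are skipped."""
    files = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            size = int(m.group(3).replace(",", ""))
            files[m.group(6).upper()] = (size, m.group(4), m.group(5))
    return files


def clone_clusters(files, min_count=3):
    """Group names by identical size + date + time; keep groups of min_count or more.

    Same size alone is not enough: the two .GID rows share a size but not a
    timestamp, so they are not grouped.
    """
    groups = defaultdict(list)
    for name, key in files.items():
        groups[key].append(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_count}


def audit_targets(targets, remaining):
    """Return (file name, path has stray whitespace, still present) per target."""
    report = []
    for raw in targets:
        leaf = raw.rpartition("\\")[2]
        name = leaf.strip().upper()
        malformed = leaf != leaf.strip() or raw != raw.strip()
        report.append((name, malformed, name in remaining))
    return report


if __name__ == "__main__":
    for key, names in clone_clusters(parse_listing(BEFORE)).items():
        print("same size/timestamp", key, "->", ", ".join(names))
    for name, malformed, present in audit_targets(TARGETS, parse_listing(AFTER)):
        status = "STILL PRESENT" if present else "gone"
        note = " (path contains stray whitespace)" if malformed else ""
        print(f"{name:14} {status}{note}")
```

On the rows taken from this thread, the three paths written with a space after `SYSTEM\` are the same three files still listed after the reboot.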

#13
coachwife6

You may wish to print out a copy of these instructions to follow while you complete this procedure. :tazz:

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020searc...884/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopna...cid=shnv9884&s=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopna...cid=shnv9884&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020searc...884/search.html


O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

O2 - BHO: YBIOCtrl Class - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)

O2 - BHO: SNHlprObj Class - {14b3d246-6274-40b5-8d50-6c2ade2ab29b} - C:\PROGRAM FILES\SRNG\SNHELPER.DLL (file missing)

O3 - Toolbar: 2020 Search - {4E1075F4-EEC4-4a86-ADD7-CD5F52858C31} - C:\WINDOWS\2020SE~1.DLL (file missing)

O4 - HKLM\..\Run: [srng] \Program Files\Srng\Srng.exe
O4 - Startup: CompuServe 2000 Tray Icon.lnk = C:\CompuServe 2000\cstray.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe

O8 - Extra context menu item: &RSDN Search - res://C:\WINDOWS\2020SE~1.DLL/GoRSDN.dll.htm

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)


Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):

C:\WINDOWS\2020SE~1.DLL
C:\PROGRAM FILES\ADDESTROYER<<entire folder
C:\COMPUSERVE 2000\CSTRAY.EXE
C:\Program Files\Srng<<entire folder

Please scan your system with Ad-aware:
Ad-aware SE - Download - Home Page
  • If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
  • After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
  • Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".
  • Once the definitions have been updated:
  • Reconfigure Ad-Aware for Full Scan as per the following instructions:
    • Launch the program, and click on the Gear at the top of the start screen.
    • Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
      • "Automatically save logfile"
      • "Automatically quarantine objects prior to removal"
      • Safe Mode (always request confirmation)
      • Prompt to update outdated confirmation) - Change to 7 days.
    • Click the "Scanning" button (On the left side).
    • Under Drives & Folders, select "Scan within Archives"
    • Click "Click here to select Drives + folders" and select your installed hard drives.
    • Under Memory & Registry, select all options.
    • Click the "Advanced" button (On the left hand side).
    • Under "Shell Integration", select "Move deleted files to Recycle Bin".
    • Under "Log-file detail", select all options.
    • Click on the "Defaults" button on the left.
    • Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
    • Click the "Tweak" button (Again, on the left hand side).
    • Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
      • "Unload recognized processes during scanning."
      • "Obtain command line of scanned processes"
      • "Scan registry for all users instead of current user only"
    • Under "Cleaning Engine", select the following:
      • "Automatically try to unregister objects prior to deletion."
      • "During removal, unload explorer and IE if necessary"
      • "Let Windows remove files in use at next reboot."
      • "Delete quarantined objects after restoring"
    • Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
    • Click on "Proceed" to save these Preferences.
    • Click on the "Scan Now" button on the left.
    • Under "Select Scan Mode", be sure to select "Use Custom Scanning Options".
  • Close all programs except ad-aware.
  • Click on "Next" in the bottom right corner to start the scan.
  • Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
  • After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may have found. Allow it to finish.
Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, be sure to also select delete all offline content.


If you would please, rescan with HijackThis and post a fresh log in this same topic.

#14
jrsummersill

I got as far as the installing and running the Ad-Aware se when I got two error messages: :tazz:

Error Starting Program
The WININET.DLL file is linked to missing export SHLWAPI.DLL:SHRegGetValueW.

and

Error
Could not execute the external program
C:\Progra~1\LAVASOFT\AD-AWA~1\AD-AWARE.EXE

Is this a related problem (by the way I am still in safe mode)? I am on my desktop right now and have not done anything on the laptop except what you have instructed me to do.
Thanks,
Jenny

#15
coachwife6

I thought you already had adaware downloaded.

Go here and run this program.

http://www.majorgeek...ad.php?det=4191