
Trojan-spy.html.smitfraud.c [RESOLVED]



#1 cryptopsy (Member, 23 posts)
Hi, a couple of days ago my computer got infected with this trojan. I have gone through the required steps before posting my HijackThis log. By using the various spyware/adware tools I have now reset my homepage to its usual one, and the Background, Appearance and Effects tabs are available again under my Display Properties, so I can set my desktop wallpaper the usual way. I am still receiving popups though, like I was after I first got infected with the trojan. Your help in getting rid of these annoying popups and making sure my computer is clean would be greatly appreciated. My HijackThis log is as follows:


Logfile of HijackThis v1.99.1
Scan saved at 22:49:54, on 3/07/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MOUSE\AMOUMAIN.EXE
C:\WINAMP.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\GEOFF\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NInit] C:\Program Files\Norton SystemWorks\Norton Uninstall\NINIT.EXE
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [DLF_00001000] C:\WINDOWS\SYSTEM\Vcdlf.exe /c
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [JVM0.14] C:\WINAMP.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TVWatch] C:\WINDOWS\SYSTEM\TVWatch.exe
O4 - HKLM\..\RunServices: [MSys32] C:\PROGRA~1\TETRIS~1\morfitwebentrance.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs6.chat.yaho...m/v/yacscom.cab
O16 - DPF: {B3AA2F6B-6BAF-11D3-BA05-00C0F0322972} - http://209.132.223.1...ensored_sex.exe
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.fhm.com/g.../zoomify138.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtange...wave/wtinst.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.awmdabest....chm::/file.exe

#2 rambro (Member 1K, 1,383 posts)
Dear cryptopsy,

Welcome to the Geeks to Go forums. ;)

We are currently studying your log.

Can you please tell me what antivirus software you are using on your computer, for example (Norton Antivirus, McAfee Antivirus, or AVG Antivirus, etc.)?

If you do have antivirus software, can you tell me if the subscription on this software has expired?

#3 rambro (Member 1K, 1,383 posts)
Dear cryptopsy,

You may want to print out these instructions or save them as a text file with "Notepad" to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.
******************************

Click Start, then Control Panel, then Add/Remove Programs. Look for the following installed program/programs and, if they are listed, click on each one and then click on the Remove or Change button; if asked, select "Yes" or "OK" to remove:

The following line:

O4 - HKLM\..\RunServices: [MSys32] C:\PROGRA~1\TETRIS~1\morfitwebentrance.exe

is considered malware and needs to be fixed in the HijackThis application. However, in order to fix this line, you also have to uninstall the following software:

Tetris 2000

Here is the link on how to uninstall above malware: http://www.web-entrance.com/
Here is the link on why your Tetris 2000 software has to be uninstalled: http://www.morfit.com/Eng/
Here is a link that describes the "morfitwebentrance.exe" file: http://startup.iamno...trance.exe.html
****************************************

Optional programs you can uninstall, through the Add/Remove program:

NewDotNet is ad-supported software. The application runs silently in the background as a browser helper object (BHO). It pops up ad windows while you are surfing the web and periodically connects to a remote server to check for available updates.

new.net was originally designed to shorten web addresses. They created some new virtual top-level domains like .mp3, .xxx and .travel, which can only be visited on computers with the new.net add-ons installed.

The software is mostly bundled with other software products like file sharing tools or other ad supported freeware tools.

NewDotNet is a browser hijacker and can update itself without any input from you. Anything that modifies your Windows HOSTS file is a hijacker and we don't want it! The "purpose" of this is to add support for additional domains like .AGENT, .INC, .LOVE, .SHOP and .SPORT. We suggest you remove this.

Here are instructions to remove NewDotNet: http://www.newdotnet.com/removal.html

Here are other links that provide removal instructions for NewDotNet:

http://www.antisourc...e.php/newdotnet
http://www.pchell.co...t/savenow.shtml
http://www.bleepingc...tNet-t3095.html

Restart your computer.
*********************************

Please download and run a Free Trial of Trojan Hunter at http://www.misec.net...rojanHunter.exe. Please restart your computer.

Please run the Housecall online virus scan located at: http://housecall.tre.../start_corp.asp. Follow the prompts to scan your hard drive for viruses. Select the "Autoclean" option so that Housecall will remove any viruses from your system. When the scan is finished, please restart your computer.

Then please run the Panda scan here: http://www.pandasoft...n_principal.htm. Delete any viruses found, and restart your computer.
*******************************

Please download SpSeHjfix, version 1.09, for Windows 95/98*admin from here: http://www.derbilk.d...Hjfix_Beta9.zip. Unzip it to the desktop and run it. Click "Start Disinfection" and follow the prompts. Your computer may restart. Then please post the SpSeHjfix.log file in a reply to this post.

Restart your computer
**************************

Run HijackThis and click "Scan." Place checks next to the following entries (if they exist):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

O1 - Hosts: 64.91.255.87 www.dcsresearch.com

O4 - HKLM\..\Run: [JVM0.14] C:\WINAMP.EXE
O4 - HKLM\..\RunServices: [MSys32] C:\PROGRA~1\TETRIS~1\morfitwebentrance.exe

O16 - DPF: {B3AA2F6B-6BAF-11D3-BA05-00C0F0322972} - http://209.132.223.1...ensored_sex.exe

O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.awmdabest....chm::/file.exe

Optional Fixes

I highly recommend that you fix these items:

If you choose to remove NewDotNet, put a check next to the following entries as well:

O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s

NOTE: Did you install Wild Tangent on purpose and use and enjoy their online games? If so, you can leave this item alone. If not - go ahead and checkmark it to *fix*

O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtange...wave/wtinst.cab

Close all browser windows and any other windows except HijackThis, and click the "Fix Checked" button to finish the repair. Close the HijackThis application.

Please reboot your computer into Safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu). For additional help in booting into Safe Mode, see the following site: http://www.pchell.co.../safemode.shtml

Next, make sure your PC is configured to show hidden files. Here is how to do this:

Windows 98

* Open My Computer.
* Select the View menu and click Folder Options.
* Select the View Tab.
* In the Hidden files section select Show all files.
* Uncheck Hide file extensions of known file types.
* Click OK.

Here is a link for further explanation: http://www.xtra.co.n...1916458,00.html

Delete the following file/files marked in blue (if they exist):

C:\WINAMP.EXE
C:\WINDOWS\TEMP\se.dll

Delete the following folder/folders marked in blue (if they exist):

C:\Program Files\TETRIS 2000 (that is, the folder that contains the "morfitwebentrance.exe" executable file.)

Optional folder/folders marked in blue to be deleted (if they exist):

If you uninstalled NewDotNet you need to remove the next folder also:

C:\Program Files\NewDotNet

Finally, go to the Start Menu, click "Run", and in the window type cleanmgr. This will run the System Cleanup program. Make sure the box next to "Temporary files" is checked, and then click "OK".

Restart your computer, in normal mode, and then please post a new HijackThis log, along with the log from the SpSeHjfix application.

In addition, let me know in detail how your computer system is running after performing the above steps. ;)

Edited by rambro, 18 July 2005 - 07:51 AM.

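As an added illustration of the triage rambro is doing by hand in the post above (this is editor-supplied example code, not something posted in the thread and not part of HijackThis), the following Python script applies the same indicators to HijackThis-format lines: search settings forced to about:blank, a res:// search bar served from a DLL under TEMP, hosts-file overrides, O16 ActiveX downloads that point straight at an .exe or use the ms-its:mhtml: redirection trick, RunServices entries loading from a short-name Program Files path, and Run entries launching an executable from the drive root. The sample input is a subset of the log posted above, with the truncated URLs kept exactly as they appear; the rule names and the reason strings are my own.

```python
import re
from typing import List, Tuple

# Heuristic rules over HijackThis-style lines: (rule name, regex, reason).
# The patterns follow the indicators called out in the thread. They are a
# triage aid, not a verdict, and the names are mine, not HijackThis's.
RULES = [
    ("about_blank",
     re.compile(r"^R[01] - .*(Search Page|SearchAssistant|Search Bar) = about:blank$"),
     "search setting forced to about:blank"),
    ("res_temp_dll",
     re.compile(r"^R[01] - .* = res://\S*\\TEMP\\\S+\.dll/", re.I),
     "res:// search bar served from a DLL in TEMP"),
    ("hosts_override",
     re.compile(r"^O1 - Hosts: "),
     "hosts file override (verify each entry; a user-added one matches too)"),
    ("dpf_exe",
     re.compile(r"^O16 - DPF: .* - \S+\.exe$", re.I),
     "ActiveX download (O16) pointing directly at an .exe"),
    ("ms_its_mhtml",
     re.compile(r"^O16 - DPF: .* - ms-its:mhtml:", re.I),
     "ms-its:mhtml: redirection, a known drive-by install pattern"),
    ("runservices_progra",
     re.compile(r"^O4 - HKLM\\\.\.\\RunServices: \[[^\]]*\] .*\\PROGRA~1\\", re.I),
     "RunServices entry (starts before logon) from a short-name Program Files path"),
    ("run_root_exe",
     re.compile(r"^O4 - HK(LM|CU)\\\.\.\\Run: \[[^\]]*\] [A-Z]:\\[^\\]+\.exe$", re.I),
     "Run entry launching an executable from the drive root"),
]

# Constructed sample: a subset of the first log in the thread, plus two benign
# lines (Adobe BHO, TaskMonitor) to show that the rules do not fire on them.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [JVM0.14] C:\WINAMP.EXE
O4 - HKLM\..\RunServices: [MSys32] C:\PROGRA~1\TETRIS~1\morfitwebentrance.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs6.chat.yaho...m/v/yacscom.cab
O16 - DPF: {B3AA2F6B-6BAF-11D3-BA05-00C0F0322972} - http://209.132.223.1...ensored_sex.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.awmdabest....chm::/file.exe
"""


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (line, [reasons]) for every line that matches at least one rule,
    in log order. A line can carry several reasons."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = [reason for _, rx, reason in RULES if rx.search(line)]
        if reasons:
            findings.append((line, reasons))
    return findings


def hjt_fix_list(log_text: str) -> List[str]:
    """Just the flagged lines: the candidates to tick before 'Fix Checked'."""
    return [line for line, _ in triage(log_text)]


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Every O1 line is reported, so a hosts entry the owner added deliberately will show up as well; the output is a list of what to look at, and the reasons say why, which is the step the thread walks through by hand before anything is ticked.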

#4 cryptopsy (Topic Starter, Member, 23 posts)
Thank you for replying to my post. I actually now have a lot more problems than before, but I do not know how it happened.

In response to your first question, I am running AntiVir Personal Edition virus software, and my definitions when I posted my first post were probably about a month old. After reading your second post, I updated my virus definitions and did a virus scan before commencing with your instructions.

After my original post a couple of weeks ago, my computer was running quite well with no ad pop-ups. I was following your instructions to try and fully clean my computer and was up to doing the Housecall online virus scan. While setting up to do this virus scan, my Internet Explorer came up with an illegal operation message which forced the page to close. On repeated attempts to do this virus scan, I continued to get the illegal operation message. I then stopped using my computer and shut it down. The next day (today), I turned on my computer, and when I tried to start Internet Explorer I got the following message:

EXPLORER caused an exception c06d007eH in module URLMON.DLL at 017f:702d9ac0.
Registers:
EAX=014bcb44 CS=017f EIP=702d9ac0 EFLGS=00000246
EBX=00000000 SS=0187 ESP=014bcae4 EBP=014bcb38
ECX=d4653fe0 DS=0187 ESI=70305540 FS=0fdf
EDX=818104a4 ES=0187 EDI=00000000 GS=0000
Bytes at CS:EIP:
8b 45 d4 e9 6e c8 fe ff 6a 08 e8 37 ba 02 00 3b
Stack dump:
00000200 014be41c 0000000a 00000024 70305540 703090f0 703055e0 00000001 70305ccc 00000000 00000000 00000002 00000824 00000000 70309760 70309064

I continue to get this message even now. I then tried to open AdAware, Spybot and Cleanup programmes, but I couldn't due to receiving the following message:

A required DLL file C:\Windows\System\WININET.DLL was not found.

Due to not being able to access Internet Explorer, I installed Netscape 7.0 off a CD I had so that I could browse the internet. I am now in a far worse position than before and wish I had not done anything. Please help!!! ;)

#5 rambro (Member 1K, 1,383 posts)
Dear cryptopsy,

Try this, from this link:

http://www.microsoft...ysfilecheck.asp

and see if your IE browser is fixed.

If you are having problems with the online scans, then skip them. You should get rid of NewDotNet and your Tetris 2000, and you should also execute the other steps.

Restart your computer and then please post a new HijackThis log.

Edited by rambro, 19 July 2005 - 11:16 AM.


#6 cryptopsy (Topic Starter, Member, 23 posts)
Thanks for responding quickly. After running the System File Checker it came up with 2 corrupted files, which were user.exe and setupx.dll; however, when prompted to restore the original files, I have no clue where the original files are. My Internet Explorer still is not opening as before, and I cannot open Cleanup, Adaware and Spybot. Any ideas?

#7 cryptopsy (Topic Starter, Member, 23 posts)
Ok, sorry if I sounded a bit stupid in my last post; I have since then tried to do more. I manually entered the file wininet.dll to restore and put in my Windows CD, and it was on there. The System File Checker restored the file successfully, and afterwards I could open Spybot, Cleanup and Adaware again without the error message coming up. However, after restoring wininet.dll, I still could not enter Internet Explorer as it then came up with the message:

EXPLORER caused an invalid page fault in
module <unknown> at 0000:00000009.
Registers:
EAX=01dcf528 CS=017f EIP=00000009 EFLGS=00010287
EBX=df6e6df5 SS=0187 ESP=014bae94 EBP=014baec8
ECX=00000000 DS=0187 ESI=01dce270 FS=27bf
EDX=01dce27d ES=0187 EDI=00000002 GS=0000
Bytes at CS:EIP:
00 49 06 65 04 70 00 65 04 70 00 54 ff 00 f0 d8
Stack dump:
00000187 01932837 00cc0004 01dce270 00000050 00000000 00000000 00000003 00000000 01dccf7c 01dcf528 00000000 8000000a 014baefc 61b862eb 01dcf528

Upon restarting my computer, I noticed in the start-up screens that it said:

c: \>attrib -s -h -r c:windows\system\wininet.dll

c: \>del c:windows\system\wininet.dll

I then tried to open Cleanup, Adaware and Spybot and could not, and got the same error message again. Upon trying to enter Internet Explorer I got the old error message about urlmon.dll. I then looked under my system files to find wininet.dll deleted as per the command prompt in the start-up screens.

I repeated trying to restore wininet.dll with the same results: my cleanup programmes were able to be opened, but then after restarting my computer, wininet.dll was deleted again so that they could not be opened.


#8 rambro (Member 1K, 1,383 posts)
Dear cryptopsy,

I was looking over the last two posts you sent me. The following files: wininet.dll, user.exe and setupx.dll are located in the following path on your computer: C:\windows\system.

Run the System File Checker for Windows 98 (from the article I gave you), restore the files from your Windows CD-ROM, and place these files in (i.e. save the files in) this directory on your computer: C:\windows\system.

Dear cryptopsy, you will want to extract these files from your Windows 98 CD and place them into the "C:\windows\system" directory. The corrupted files (user.exe and setupx.dll) should have automatically been placed in the C:\windows\system directory, if you followed the first part of that article I sent you.

There is a possibility that the viruses on your computer are deleting the "wininet.dll" file on your computer. So make sure you download and run Trojan Hunter to check for the trojans on your computer. Also, the following line:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html

represents a major virus on your pc. Make sure you download and run the SpSeHjfix, version 1.09, for Windows 95/98*admin that I gave you.

Dear cryptopsy, don't be too fixated on getting that wininet.dll file back on your computer. Just let us fix the major viruses on your computer first.

Note: In order for the Housecall scan and the Panda Scan to operate properly you have to get Internet Explorer running properly, so if the IE browser is not running, skip those steps for now.

You also need to uninstall the NewDotNet application and your Tetris 2000 application. You also need to fix the lines in HJT and perform the file/directory deletions in my second post to you.

This is what you should do: try running the System File Checker for Windows 98 again, and restore the files from your Windows 98 CD-ROM to your computer (i.e. the C:\windows\system directory) to replace the corrupted files it found. Next, try restoring that "wininet.dll" from your Windows 98 CD-ROM. If the "wininet.dll" file gets deleted again and your IE browser still does not work, skip the steps for running the Housecall and Panda scans, and execute all the rest of the steps in the second post I sent you. Restart your computer and post a new HijackThis log.

We can always fix your Internet Explorer problem at a later date, but we should start working on getting those viruses off your computer.

If your IE browser still does not work, try reinstalling over it again with a new Internet Explorer download. Here is the link to download Internet Explorer: http://www.microsoft...&DisplayLang=en

rambro ;)

Edited by rambro, 23 July 2005 - 05:30 AM.

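Posts #7 and #8 above show the symptom (an attrib -s -h -r followed by a del of wininet.dll, echoed during start-up) and rambro's reading of it (something on the machine removes the file on every boot). As an added example that is not part of the thread, the Python below parses Windows 9x startup batch files for exactly that pattern: a del/erase/deltree of a DLL, EXE, OCX, VXD or SYS under the Windows directory, and whether an attrib line stripped the system/hidden/read-only bits first. The file names autoexec.bat, winstart.bat and dosstart.bat are my assumption about where such commands would live; the posts only show the echoed commands, not the file. The two sample inputs are constructed: one batch file, and one transcript in the form the poster saw on screen, including the "c:windows\system" path without a root backslash, which the normaliser repairs on the assumption that an absolute path was meant.

```python
import re
from pathlib import Path, PureWindowsPath
from typing import List, Tuple

# Batch files that Windows 9x processes at start-up. Assumption: the posts only
# show the echoed commands, so these are the usual places to look, not a fact
# taken from the thread.
STARTUP_BATCH_FILES = ("autoexec.bat", "winstart.bat", "dosstart.bat")

DELETE_CMDS = {"del", "erase", "deltree"}
# Deleting any of these at boot cripples the OS or the cleanup tools.
PROTECTED_EXT = {".dll", ".exe", ".ocx", ".vxd", ".sys"}

# A command-prompt echo such as "C:\>" or the "c: \>" seen in post #7.
PROMPT_RX = re.compile(r"^[a-z]:\s*\\?>\s*", re.I)
# "c:windows\..." with no backslash after the drive letter.
DRIVE_NO_SLASH_RX = re.compile(r"^[a-z]:(?![\\/])", re.I)

# Constructed sample batch file (not from the thread): a harmless temp cleanup
# line plus the attrib/del pair the poster described.
SAMPLE_BATCH = r"""@echo off
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
del c:\windows\temp\*.tmp
attrib -s -h -r c:\windows\system\wininet.dll
del c:\windows\system\wininet.dll
"""

# Constructed sample in the shape of the start-up screen transcript in post #7.
SAMPLE_SCREEN = r"""c: \>attrib -s -h -r c:windows\system\wininet.dll
c: \>del c:windows\system\wininet.dll
"""


def normalize_path(p: str) -> str:
    """Lower-case, use backslashes, and repair a missing root backslash
    ("c:windows\\..." -> "c:\\windows\\..."), assuming an absolute path was meant."""
    p = p.strip('"').replace("/", "\\").lower()
    if DRIVE_NO_SLASH_RX.match(p):
        p = p[:2] + "\\" + p[2:]
    return p


def is_protected(target: str) -> bool:
    """True for a DLL/EXE/OCX/VXD/SYS anywhere under the Windows directory."""
    return PureWindowsPath(target).suffix in PROTECTED_EXT and "\\windows\\" in target


def parse_batch(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, command, target) for attrib / del / erase / deltree lines.
    Prompt echoes and a leading '@' are stripped; switches (-s, +h, /y) are skipped."""
    found = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = PROMPT_RX.sub("", raw.strip()).lstrip("@")
        toks = line.split()
        if not toks:
            continue
        cmd = toks[0].lower()
        if cmd != "attrib" and cmd not in DELETE_CMDS:
            continue
        args = [t for t in toks[1:] if not t.startswith(("/", "+", "-"))]
        if args:
            found.append((no, cmd, normalize_path(args[-1])))
    return found


def flag_dll_deleters(text: str) -> List[Tuple[int, str, bool]]:
    """Return (line_no, target, attrib_stripped_first) for each deletion of a
    protected file. The bool is True when an attrib line unhid the same target."""
    findings = parse_batch(text)
    unhidden = {t for _, c, t in findings if c == "attrib"}
    return [(no, t, t in unhidden)
            for no, c, t in findings
            if c in DELETE_CMDS and is_protected(t)]


def scan_drive(root: Path) -> dict:
    """Check each known start-up batch file under root (e.g. Path('C:/'))."""
    report = {}
    for name in STARTUP_BATCH_FILES:
        p = root / name
        if p.is_file():
            hits = flag_dll_deleters(p.read_text(errors="replace"))
            if hits:
                report[name] = hits
    return report


if __name__ == "__main__":
    print("batch file:", flag_dll_deleters(SAMPLE_BATCH))
    print("screen transcript:", flag_dll_deleters(SAMPLE_SCREEN))
    # [(5, 'c:\\windows\\system\\wininet.dll', True)] in both cases (line 2 for the transcript)
```

Run scan_drive(Path("C:/")) on the affected machine, or point it at copies of the batch files taken from a clean boot. A hit whose last field is True (attrib stripped the attributes on the same target right before the del) is the signature of a deliberate persistence step rather than a leftover uninstaller line, and it explains why restoring wininet.dll from the CD only lasts until the next reboot.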

#9 cryptopsy (Topic Starter, Member, 23 posts)
Ok, I managed to successfully restore the files user.exe and setupx.dll. When I restored wininet.dll the same thing happened as last time. It was successfully restored and it enabled me to enter the various cleanup programmes, but when I restarted the computer, the wininet.dll file was deleted. I then ran Trojan Hunter, which found no trojans, and I restarted my computer. I then tried to run SpSeHjfix but couldn't as I got the following message:

"A required DLL file, MSVBVM60.DLL wasn't found".

I then tried to run HijackThis and couldn't due to getting the same message.

#10 cryptopsy (Topic Starter, Member, 23 posts)
I was looking over some related posts on msvbvm60.dll and went to the Microsoft website to download the Visual Basic 6.0 runtime files like one of the Geeks to Go staff members said. After installing these files, msvbvm60.dll was installed on my computer and has stayed there after reboots, allowing me to run SpSeHjfix and HijackThis. I then followed your instructions and deleted the appropriate files. I then rebooted in Safe Mode to search for the extra files you indicated. I then restarted my computer again in normal mode and I still cannot enter Adaware, Spybot and Cleanup without restoring wininet.dll, and then upon rebooting cannot enter these programmes without going through the same process. I am still having the same problem entering Internet Explorer as before.

Here is my SpSeHjfix log:

(7/20/05 16:53:07) SPSeHjFix started v1.09
(7/20/05 16:53:07) OS: Win98SE A (4.10.67766446)
(7/20/05 16:53:07) Language: english


(7/20/05 16:53:29) SPSeHjFix started v1.09
(7/20/05 16:53:29) OS: Win98SE A (4.10.67766446)
(7/20/05 16:53:29) Language: english
(7/20/05 16:53:45) Disinfect started
(7/20/05 16:53:45) Bad-Dll(IEP): (not found)
(7/20/05 16:53:45) Bad-Dll(IEP) in BHO: (not found)
(7/20/05 16:53:45) UBF: 5
(7/20/05 16:53:45) UBB: 0
(7/20/05 16:53:45) UBR: 16
(7/20/05 16:53:45) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(7/20/05 16:53:45) Stealth-String found: C:\WINDOWS\QTFOGT.FOR
(7/20/05 16:53:45) File added to delete: c:\windows\qtfogt.for
(7/20/05 16:53:45) Reboot
(7/20/05 16:54:57) SPSeHjFix 2nd Step
(7/20/05 16:54:58) RunServicesOnce-Key: (edited)
(7/20/05 16:55:15) Cleaned


(7/20/05 16:58:26) SPSeHjFix started v1.09
(7/20/05 16:58:26) OS: Win98SE A (4.10.67766446)
(7/20/05 16:58:26) Language: english




And here is my Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 17:09:41, on 20/07/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MOUSE\AMOUMAIN.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\GEOFF\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.yahoo.com"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\w6tq86az.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CMOZILLA.ORG%5CMOZILLA%5Csearchplugins%5CNetscapeSearch.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\w6tq86az.slt\prefs.js)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NInit] C:\Program Files\Norton SystemWorks\Norton Uninstall\NINIT.EXE
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [DLF_00001000] C:\WINDOWS\SYSTEM\Vcdlf.exe /c
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [JVM0.14] C:\WINAMP.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TVWatch] C:\WINDOWS\SYSTEM\TVWatch.exe
O4 - HKLM\..\RunServices: [MSys32] C:\PROGRA~1\TETRIS~1\morfitwebentrance.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs6.chat.yaho...m/v/yacscom.cab
O16 - DPF: {B3AA2F6B-6BAF-11D3-BA05-00C0F0322972} - http://209.132.223.1...ensored_sex.exe
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.fhm.com/g.../zoomify138.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtange...wave/wtinst.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.awmdabest....chm::/file.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab


#11 rambro (Member 1K, 1,383 posts)
Dear cryptopsy,

You may want to print out these instructions or save them as a text file with "Notepad" to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.
******************************

Click Start, then Control Panel, then Add/Remove Programs. Look for the following installed program/programs and, if they are listed, click on each one and then click on the Remove or Change button; if asked, select "Yes" or "OK" to remove:

The following line:

O4 - HKLM\..\RunServices: [MSys32] C:\PROGRA~1\TETRIS~1\morfitwebentrance.exe

is considered malware and needs to be fixed in the HijackThis application. However, in order to fix this line, you also have to uninstall the following software:

Tetris 2000

Here is the link on how to uninstall above malware: http://www.web-entrance.com/
Here is the link on why your Tetris 2000 software has to be uninstalled: http://www.morfit.com/Eng/
Here is a link that describes the "morfitwebentrance.exe" file: http://startup.iamno...trance.exe.html

Restart your computer.
*********************************

Run HijackThis and click "Scan." Place checks next to the following entries (if they exist):

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

O1 - Hosts: 64.91.255.87 www.dcsresearch.com

O4 - HKLM\..\Run: [JVM0.14] C:\WINAMP.EXE (this is important, the line represents a trojan, that disables antivirus programs)

O4 - HKLM\..\RunServices: [MSys32] C:\PROGRA~1\TETRIS~1\morfitwebentrance.exe

O16 - DPF: {B3AA2F6B-6BAF-11D3-BA05-00C0F0322972} - http://209.132.223.1...ensored_sex.exe

O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.awmdabest....chm::/file.exe

Optional Fixes

I highly recommend that you fix these items:

NOTE: Did you install Wild Tangent on purpose and use and enjoy their online games? If so, you can leave this item alone. If not - go ahead and checkmark it to *fix*

O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtange...wave/wtinst.cab

Close all browser windows and any other windows except HijackThis, and click the "Fix Checked" button to finish the repair. Close the HijackThis application.

Please reboot your computer into Safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu). For additional help in booting into Safe Mode, see the following site: http://www.pchell.co.../safemode.shtml

Next, make sure your PC is configured to show hidden files. Here is how to do this:

Windows 98

* Open My Computer.
* Select the View menu and click Folder Options.
* Select the View Tab.
* In the Hidden files section select Show all files.
* Uncheck Hide file extensions of known file types.
* Click OK.

Here is a link for further explanation: http://www.xtra.co.n...1916458,00.html

Delete the following file/files marked in blue (if they exist):

C:\WINAMP.EXE

Delete the following folder/folders marked in blue (if they exist):

C:\Program Files\TETRIS 2000 (that is, the folder that contains the "morfitwebentrance.exe" executable file.)

Finally, go to the Start Menu, click "Run", and in the window type cleanmgr. This will run the System Cleanup program. Make sure the box next to "Temporary files" is checked, and then click "OK".

Restart your computer, in normal mode, and then please post a new HijackThis log.

In addition, let me know in detail how your computer system is running after performing the above steps. ;)

Edited by rambro, 20 July 2005 - 01:58 PM.


#12 rambro (Member 1K, 1,383 posts)
Dear cryptopsy,

(Note: Do the following steps in this post after performing the steps in the previous post I sent you.)

I would like you to download a number of programs to your computer that will check for bad, hidden, files that the HijackThis program may not recognize.

Please download SilentRunners from here: http://www.silentrun...ent Runners.zip. Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, it will create a logfile on the desktop. Please post the entire contents of this logfile in a reply to this post.

Please download the free MWAV antivirus tool from here: ftp://ftp.microworldsystems.com/download/tools/mwav.exe. Save it to the desktop and run it. Follow the prompts to scan your system for viruses. Then please post for me the log of infected files from the BOTTOM panel of the scan window in a reply to this post.

Please restart your computer and then post a new HijackThis log, along with the log from the SilentRunners application and the log from the MWAV antivirus tool application.

In addition, let me know in detail how your computer system is running after performing the above steps. ;)

#13 cryptopsy (Topic Starter, Member, 23 posts)
Thank you again for responding quickly. Firstly, I followed the instructions of your first post and did the required things with no problems. I then downloaded Silent Runners but could not use it due to getting the following message:

Windows Script Host
Script: C:\Windows\Desktop\Silent Runners.vbs
Line: 84
Char: 13
Error: Could not create object named "WScript.Shell".
Code: 80040154
Source: WScript.CreateObject

I then skipped that and downloaded the MWAV virus tool. After restarting my computer, it was having the same problems as before. I couldn't access Cleanup, Adaware and Spybot due to receiving the following message:

A required DLL file C:\Windows\System\WININET.DLL was not found

I then tried to open Internet Explorer and got the same error message as before:

EXPLORER caused an exception c06d007eH in module URLMON.DLL at 017f:702d9ac0.
Registers:
EAX=014bcb44 CS=017f EIP=702d9ac0 EFLGS=00000246
EBX=00000000 SS=0187 ESP=014bcae4 EBP=014bcb38
ECX=d4653fe0 DS=0187 ESI=70305540 FS=0fdf
EDX=818104a4 ES=0187 EDI=00000000 GS=0000
Bytes at CS:EIP:
8b 45 d4 e9 6e c8 fe ff 6a 08 e8 37 ba 02 00 3b
Stack dump:
00000200 014be41c 0000000a 00000024 70305540 703090f0 703055e0 00000001 70305ccc 00000000 00000000 00000002 00000824 00000000 70309760 70309064

I then tried restoring wininet.dll and it said it restored successfully like previous attempts. However this time, I COULD enter and use Internet Explorer with no problems, without receiving the 2nd error message that I had previously been receiving of:

EXPLORER caused an invalid page fault in
module <unknown> at 0000:00000009

Upon restarting my computer, I noticed the command prompt to delete wininet.dll in the startup screens, and I was back to receiving the error messages when trying to enter Internet Explorer and the various cleanup programmes.

Due to not being able to use SilentRunners I obviously have no log for that.


My log for hijackthis is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 17:22:04, on 21/07/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MOUSE\AMOUMAIN.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\GEOFF\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.yahoo.com"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\w6tq86az.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CMOZILLA.ORG%5CMOZILLA%5Csearchplugins%5CNetscapeSearch.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\w6tq86az.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NInit] C:\Program Files\Norton SystemWorks\Norton Uninstall\NINIT.EXE
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [DLF_00001000] C:\WINDOWS\SYSTEM\Vcdlf.exe /c
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TVWatch] C:\WINDOWS\SYSTEM\TVWatch.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs6.chat.yaho...m/v/yacscom.cab
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.fhm.com/g.../zoomify138.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab



My log from MWAV is as follows:

Object "altnet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "isearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "perfectnav Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\WinAdServX.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\scrrun.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\MusicMatch\MusicMatch Jukebox\ATL.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\WinAdServX.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}" refers to invalid object "C:\WINDOWS\SYSTEM\SCRRUN.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}" refers to invalid object "C:\WINDOWS\SYSTEM\SCRRUN.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085}" refers to invalid object "C:\WINDOWS\SYSTEM\SCRRUN.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0CF774D0-F077-11D1-B1BC-00C04F86C324}" refers to invalid object "C:\WINDOWS\SYSTEM\SCRRUN.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0CF774D1-F077-11D1-B1BC-00C04F86C324}" refers to invalid object "C:\WINDOWS\SYSTEM\SCRRUN.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{85131630-480C-11D2-B1F9-00C04F86C324}" refers to invalid object "C:\WINDOWS\SYSTEM\SCRRUN.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{85131631-480C-11D2-B1F9-00C04F86C324}" refers to invalid object "C:\WINDOWS\SYSTEM\SCRRUN.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{DB40C160-09A1-11D3-BAF2-000000000000}" refers to invalid object "C:\Program Files\ICQ\IExplorerMime.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{f802f260-519b-11d1-bb5d-0060974c6013}" refers to invalid object "C:\Program Files\ICQ\ICQShell.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{EDDC2226-92A4-11D2-88F2-00104B3E670E}" refers to invalid object "C:\PROGRA~1\ICQ\AGENT\ICQWEB~1.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{19A34456-852D-11D2-88E8-00104B3E670E}" refers to invalid object "C:\PROGRA~1\ICQ\AGENT\ICQWEB~1.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BC55995C-D9F9-11D2-8A45-00104B9B48AB}" refers to invalid object "C:\PROGRAM FILES\ICQ\ICQFTLIB.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BC55995F-D9F9-11D2-8A45-00104B9B48AB}" refers to invalid object "C:\PROGRAM FILES\ICQ\ICQFTLIB.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{ABA40B01-DDD6-11D1-B674-006097E1E294}" refers to invalid object "C:\PROGRAM FILES\ICQ\ICQSMLIB.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A25884D1-CFF7-11D2-8A42-00104B9B48AB}" refers to invalid object "C:\PROGRAM FILES\ICQ\ICQSMLIB.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7392459A-C4AC-11D2-BF33-00104B2794E7}" refers to invalid object "C:\PROGRA~1\ICQ\MCTICKER.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{73924599-C4AC-11D2-BF33-00104B2794E7}" refers to invalid object "C:\PROGRA~1\ICQ\MCTICKER.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D116A2F3-8380-11D2-A147-00104B9B4C0E}" refers to invalid object "C:\PROGRAM FILES\ICQ\ICQP3C.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C5D28581-CA46-11d2-A150-00104B9B4C0E}" refers to invalid object "C:\PROGRAM FILES\ICQ\POP3.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D26BB11A-2890-11D3-AF1A-0090270D8D35}" refers to invalid object "C:\PROGRA~1\ICQ\STREAM~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{483BE501-E42A-11D1-B679-006097E1E294}" refers to invalid object "C:\PROGRAM FILES\ICQ\PLUGINS\GREETING\ICQGREET.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0C116523-3028-11D2-8A05-00104B9B48AB}" refers to invalid object "C:\PROGRAM FILES\ICQ\PLUGINS\GREETING\ICQGREET.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0C116522-3028-11D2-8A05-00104B9B48AB}" refers to invalid object "C:\PROGRAM FILES\ICQ\PLUGINS\GREETING\ICQGREET.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FEA9C971-B6B6-11D2-8A38-00104B9B48AB}" refers to invalid object "C:\PROGRAM FILES\ICQ\PLUGINS\GREETING\ICQGREET.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0659DDD1-FAC8-11D2-ACB6-00104BBC2B53}" refers to invalid object "C:\PROGRAM FILES\ICQ\ICQUNKNW.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{31D6F701-0B27-11D3-ACB8-00104BBC2B53}" refers to invalid object "C:\PROGRAM FILES\ICQ\ICQUNKNW.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{30C8A6E1-351E-11D2-8A0B-00104B9B48AB}" refers to invalid object "C:\PROGRAM FILES\ICQ\ICQUNKNW.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{302B93B5-9014-11D2-ACA5-00104BBC2B53}" refers to invalid object "C:\PROGRAM FILES\ICQ\ICQUNKNW.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E37C97F1-904F-11D2-ACA5-00104BBC2B53}" refers to invalid object "C:\PROGRAM FILES\ICQ\ICQUNKNW.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6E8A9A21-BE9A-11D2-ACAE-00104BBC2B53}" refers to invalid object "C:\PROGRAM FILES\ICQ\ICQUNKNW.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C031D0D1-312C-11D2-8A09-00104B9B48AB}" refers to invalid object "C:\PROGRAM FILES\ICQ\PLUGINS\VOICEMESSAGE\ICQVOICE.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{9C457A31-C68D-11D2-8A3C-00104B9B48AB}" refers to invalid object "C:\PROGRAM FILES\ICQ\PLUGINS\VOICEMESSAGE\ICQVOICE.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{980556F1-3128-11D2-8A09-00104B9B48AB}" refers to invalid object "C:\PROGRAM FILES\ICQ\PLUGINS\VOICEMESSAGE\ICQVOICE.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{08D781E1-3129-11D2-8A09-00104B9B48AB}" refers to invalid object "C:\PROGRAM FILES\ICQ\PLUGINS\VOICEMESSAGE\ICQVOICE.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E9AF8C17-BB5B-11D2-ACAE-00104BBC2B53}" refers to invalid object "C:\PROGRAM FILES\ICQ\PLUGINS\VOICEMESSAGE\ICQVOICE.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{36C1F411-ABB1-11D2-ACA8-00104BBC2B53}" refers to invalid object "C:\PROGRAM FILES\ICQ\EICQ.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{36C1F412-ABB1-11D2-ACA8-00104BBC2B53}" refers to invalid object "C:\PROGRAM FILES\ICQ\EICQ.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{36C1F413-ABB1-11D2-ACA8-00104BBC2B53}" refers to invalid object "C:\PROGRAM FILES\ICQ\EICQ.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{25516251-CFE3-11D2-ACB0-00104BBC2B53}" refers to invalid object "C:\PROGRAM FILES\ICQ\EICQ.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{25516252-CFE3-11D2-ACB0-00104BBC2B53}" refers to invalid object "C:\PROGRAM FILES\ICQ\EICQ.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E9AF8C14-BB5B-11D2-ACAE-00104BBC2B53}" refers to invalid object "C:\PROGRAM FILES\ICQ\ICQALINV.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CC772B71-2F0C-11D3-AF13-0090270D89AB}" refers to invalid object "C:\PROGRAM FILES\ICQ\ICQALINV.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CC772B72-2F0C-11D3-AF13-0090270D89AB}" refers to invalid object "C:\PROGRAM FILES\ICQ\ICQALINV.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BB5122E3-2F91-11D3-AF14-0090270D89AB}" refers to invalid object "C:\PROGRAM FILES\ICQ\ICQALINV.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F3D4E5C2-4990-11D3-ADDF-0090271A8BEA}" refers to invalid object "C:\PROGRAM FILES\ICQ\PLUGINS\ICQMAIL\ICQMAIL.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{104DD9C3-402D-11D3-AF32-0090271A8BEA}" refers to invalid object "C:\PROGRAM FILES\ICQ\PLUGINS\ICQMAIL\ICQMAIL.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{104DD9C5-402D-11D3-AF32-0090271A8BEA}" refers to invalid object "C:\PROGRAM FILES\ICQ\PLUGINS\ICQMAIL\ICQMAIL.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{99B4815C-2008-11d3-AF17-0090270D6DEC}" refers to invalid object "C:\PROGRA~1\ICQ\ALAGENT.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0BE35202-8F91-11CE-9DE3-00AA004BB851}" refers to invalid object "C:\WINDOWS\SYSTEM\MFC42.1". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0BE35200-8F91-11CE-9DE3-00AA004BB851}" refers to invalid object "C:\WINDOWS\SYSTEM\MFC42.1". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0BE35201-8F91-11CE-9DE3-00AA004BB851}" refers to invalid object "C:\WINDOWS\SYSTEM\MFC42.1". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{DCB06047-D907-11D1-9DF0-006097E09FDB}" refers to invalid object "C:\PROGRA~1\CASINO~1\CHIPCTRL.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{DCB06046-D907-11D1-9DF0-006097E09FDB}" refers to invalid object "C:\PROGRA~1\CASINO~1\CHIPCTRL.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{43D94B25-2B3C-4635-93DE-3240327DC9CD}" refers to invalid object "C:\PROGRA~1\MESSEN~1\MCMESS.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0B76AB44-9926-48b3-8738-D864D8E1BE5F}" refers to invalid object "C:\PROGRA~1\MESSEN~1\MCMESS.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A1491A15-2BFE-4094-B631-2871FCD35B3B}" refers to invalid object "C:\PROGRA~1\MESSEN~1\MCMESS.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2482B240-E979-11D9-9A77-4445726C1340}" refers to invalid object "C:\WINDOWS\SYSTEM\KFFA.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1E216240-1B7D-11CF-9D53-00AA003C9CB6}" refers to invalid object "C:\WINDOWS\SYSTEM\COMCT232.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1F6F8D20-1B7D-11CF-9D53-00AA003C9CB6}" refers to invalid object "C:\WINDOWS\SYSTEM\COMCT232.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{026371C0-1B7C-11CF-9D53-00AA003C9CB6}" refers to invalid object "C:\WINDOWS\SYSTEM\COMCT232.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{030B4A80-1B7C-11CF-9D53-00AA003C9CB6}" refers to invalid object "C:\WINDOWS\SYSTEM\COMCT232.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{030B4A82-1B7C-11CF-9D53-00AA003C9CB6}" refers to invalid object "C:\WINDOWS\SYSTEM\COMCT232.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{030B4A81-1B7C-11CF-9D53-00AA003C9CB6}" refers to invalid object "C:\WINDOWS\SYSTEM\COMCT232.OCX". Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall4_88.exe tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall4_34.exe tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall4_94.exe tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall5_20.exe tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall5_40.exe tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall5_48.exe tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall6_10.exe tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall6_22.exe tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall6_38.exe tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\FSG.exe tagged as "not-a-virus:AdWare.Gator.1050". Action Taken: No Action Taken.

#14 cryptopsy (Topic Starter, Member, 23 posts)
Don't know whether this matters but extra info can't harm anything. I restarted my computer and restored wininet.dll as per usual to see if Internet Explorer was still working upon restoration of the file. Internet Explorer was up and running again like I said in my last post; however, this time if I searched for an address in the address bar or clicked on one of my favourites nothing happened. It loaded my homepage www.yahoo.com fine and it allowed me to search within Yahoo or click on a link from yahoo.com. It also allowed me to open up external pages which were results from a Yahoo search. However, if I right clicked a link and said open in new window, it would open up a blank page with nothing on it. I restarted my computer several times and repeated this process with the same results.

Also, something I have not mentioned yet to do with Outlook Express, which I noticed yesterday when trying to use it. Even before I restored wininet.dll I could still open Outlook Express and receive and send messages. However, after clicking on a message or two in my inbox it would give the following error message, similar to Internet Explorer:

MSISM performed an illegal operation and will be shut down

Its details were as follows:

MSIMN caused an exception c06d007eH in module URLMON.DLL at 017f:702d9ac0.
Registers:
EAX=0056d3dc CS=017f EIP=702d9ac0 EFLGS=00000246
EBX=00000000 SS=0187 ESP=0056d37c EBP=0056d3d0
ECX=d4635640 DS=0187 ESI=70305540 FS=129f
EDX=81838f68 ES=0187 EDI=00000000 GS=128e
Bytes at CS:EIP:
8b 45 d4 e9 6e c8 fe ff 6a 08 e8 37 ba 02 00 3b
Stack dump:
00000824 00464f54 00000000 00000024 70305540 703090ac 703055e0 00000001 70305b3a 00000000 00000000 00000002 00468644 81838f08 70309760 70309064


Upon restoration of wininet.dll, Outlook Express works fine and the error message never comes up when looking at previous messages.

#15 rambro (Member 1K, 1,383 posts)
Dear cryptopsy, :tazz:

You may want to print out these instructions or save them as a text file with "Notepad" to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.
******************************

Please download the Killbox. Unzip it to the desktop but do NOT run it yet.

Please reboot your computer into Safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu). For additional help in booting into Safe Mode, see the following site: http://www.pchell.co.../safemode.shtml
*****************************************************

1) Once in Safe Mode, please run Killbox.

2) In the main screen of Pocket KillBox, go to Tools in the top menu bar, and select: Delete Temp Files.

3) Select "Delete on Reboot".

4) Copy the file names below to the clipboard by highlighting them and pressing Control-C:


C:\WINDOWS\NDNuninstall4_88.exe
C:\WINDOWS\NDNuninstall4_34.exe
C:\WINDOWS\NDNuninstall4_94.exe
C:\WINDOWS\NDNuninstall5_20.exe
C:\WINDOWS\NDNuninstall5_40.exe
C:\WINDOWS\NDNuninstall5_48.exe
C:\WINDOWS\NDNuninstall6_10.exe
C:\WINDOWS\NDNuninstall6_22.exe
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\SYSTEM\FSG.exe


5) Return to Killbox, go to the File menu, and choose "Paste from Clipboard". You will now see that the list is pasted into the "Full Path of File to Delete" field. There is a little dropdown arrow next to that field; if you expand it, all of these lines must be there together!

6) Click the red-and-white "Delete File" button.
Click "Ok" at the Delete on Reboot prompt.
Click "Ok" at the Reboot needed prompt.

Restart your computer in normal mode.

As a double check, see if some of the above files were in fact deleted and let me know if they were deleted.
*************************************************

Let me know in detail, in a reply to this post, if you could run Cleanup, Adaware, Spybot, SilentRunners and the MWAV antivirus tool application.
Let me know, if you are still having a problem with the wininet.dll file, that is, if it is still being deleted on reboot.
Let me know, if your Internet Explorer browser is functioning correctly.

Please restart your computer and then post a new HijackThis log, along with the log from the SilentRunners application and the log from the MWAV antivirus tool application.

In addition, let me know in detail how your computer system is running after performing the above steps. ;)
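An added triage helper for the MWAV log posted in #13 and the file list rambro built from it in #15 (example code written for this page, not a tool from the thread or from MWAV): it parses the three line shapes that appear in the posted log, groups the stale registry references by the file they point at, and derives the list of tagged-but-untouched files that a helper would paste into a file-deletion tool. The line shapes are inferred from the log as posted, and the embedded sample is a short excerpt of it.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Excerpt of the MWAV log posted earlier in this thread (one or a few lines of
# each kind it prints; the full log is far longer). Raw string: Win9x paths.
MWAV_LOG = r"""
Object "altnet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\WinAdServX.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}" refers to invalid object "C:\WINDOWS\SYSTEM\SCRRUN.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}" refers to invalid object "C:\WINDOWS\SYSTEM\SCRRUN.DLL". Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall4_88.exe tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall4_34.exe tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\FSG.exe tagged as "not-a-virus:AdWare.Gator.1050". Action Taken: No Action Taken.
"""

# One pattern per line shape seen in the log (shapes inferred from the posted
# log, not from MWAV documentation). The "Action Taken" tail is captured so a
# scan that did quarantine something is not treated as if nothing happened.
OBJECT_RE = re.compile(r'^Object "(?P<name>[^"]+)" found in (?P<where>[^!]+)! Action Taken: (?P<action>.+?)\.?$')
ORPHAN_RE = re.compile(r'^Entry "(?P<key>[^"]+)" refers to invalid object "(?P<path>[^"]+)"\. Action Taken: (?P<action>.+?)\.?$')
TAGGED_RE = re.compile(r'^File (?P<path>.+?) tagged as "(?P<tag>[^"]+)"\. Action Taken: (?P<action>.+?)\.?$')


@dataclass
class MwavReport:
    objects: list = field(default_factory=list)   # (name, location, action)
    orphans: list = field(default_factory=list)   # (registry key, missing path, action)
    tagged: list = field(default_factory=list)    # (file path, detection tag, action)
    unparsed: list = field(default_factory=list)  # lines no pattern matched: never drop them silently

def parse_mwav(text: str) -> MwavReport:
    """Split an MWAV scan log into the three kinds of finding it reports."""
    rep = MwavReport()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := OBJECT_RE.match(line):
            rep.objects.append((m["name"], m["where"], m["action"]))
        elif m := ORPHAN_RE.match(line):
            rep.orphans.append((m["key"], m["path"], m["action"]))
        elif m := TAGGED_RE.match(line):
            rep.tagged.append((m["path"], m["tag"], m["action"]))
        else:
            rep.unparsed.append(line)
    return rep

def killbox_list(rep: MwavReport) -> list:
    """Tagged files MWAV left in place, in log order, de-duplicated: the list a
    helper pastes into a file-deletion tool. Registry orphans are excluded on
    purpose; they point at files that are already gone."""
    seen, out = set(), []
    for path, _tag, action in rep.tagged:
        if action.lower() != "no action taken":
            continue  # MWAV already removed or quarantined it
        if path.lower() not in seen:  # Win9x paths are case-insensitive
            seen.add(path.lower())
            out.append(path)
    return out

def orphans_by_missing_file(rep: MwavReport) -> dict:
    """Group stale registry references by the file they point at, so dozens of
    CLSID lines collapse into one 'SCRRUN.DLL is missing' summary."""
    groups = defaultdict(list)
    for key, path, _action in rep.orphans:
        groups[path.lower()].append(key)
    return dict(groups)
```

Feeding the full log from #13 through parse_mwav and killbox_list reproduces the ten-file list in #15; anything that lands in unparsed should be read by hand rather than ignored.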