thirtydash

res://ewqtt.dll/index.html#96676 -- my HJT log

9 posts in this topic

:scratchhead: Here's my HJT log. I've already run AdAware, Hijack This (and fixed the R0s and R1s and "random" O4's and O2's), About:Buster, and Spybot, all in safe mode. Once I rebooted, it came back. Here's my HJT log after I rebooted and it was back.

 

MY QUESTION: what do I delete (I thought I knew)--am I supposed to delete that BHO?

 

Thanks for any and all help. I've been dealing with this for 6 days, about three hours a day reading all the forums and posts. I hope to give this forum to other people if they experience problems with the res//random hijacker.

 

******************

Logfile of HijackThis v1.98.0

Scan saved at 4:05:11 PM, on 7/22/2004

Platform: Windows 2000 SP2 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

C:\unzipped\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\ewqtt.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ewqtt.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ewqtt.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\ewqtt.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\ewqtt.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ewqtt.dll/index.html#96676

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {09114324-572D-938E-3A14-BA713F52127F} - C:\WINNT\iepc.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe

O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE

O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe

O4 - HKLM\..\Run: [indexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [iPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l

O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"

O4 - HKLM\..\Run: [mfcdx.exe] C:\WINNT\mfcdx.exe

O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe

O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

 

END OF LOG

 

I won't be back in the forum for another 18 hours. Just wanted to get this up here cuz I know there's a backlog....

Share this post


Link to post
Share on other sites

Check to make sure you have the most recent version of About:buster.

Then boot into safe mode and run another hijackthis scan. Fix the following entries.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\ewqtt.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ewqtt.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ewqtt.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\ewqtt.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\ewqtt.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ewqtt.dll/index.html#96676

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {09114324-572D-938E-3A14-BA713F52127F} - C:\WINNT\iepc.dll

O4 - HKLM\..\Run: [mfcdx.exe] C:\WINNT\mfcdx.exe

Then run about:buster.

 

Next boot back into normal mode and post your About:buster report and a new hijackthis log.

Share this post


Link to post
Share on other sites

Hey Racktracker, thanks for helping me. Thank god this forum exists and you're willing to help...I never would have figured this out.

 

--I have the latest version of About Buster.

 

Per your instructions, I booted in safe mode, ran HijackThis and went to fix the lines you instructed me to. After clicking the boxes and hitting fix, I got the following error report:

 

An unexpected error has occurred at procedure: cmdFix_Click()

Error #75 - Path/File access error (30 items in results list)

 

Please email me at merijn@spywareinfo.com, reporting the following:

* What you were doing when the error occurred

* How you can reproduce the error

* A complete HijackThis scan log, if possible

 

Windows version: Windows NT 5.00.2195

MSIE version: 6.0.2800.1106

HijackThis version: 1.98.0

 

 

Here's the log from my fix attempt in Hijack This. Any idea how I can get to the next step (fixing the files I checkmark)--do I need to email merijn@spywareinfo.com as the error message requested?

 

Thanks, I'll be on the lookout for your post today...thanks again (bowing from the waist humbly).

 

*************************

Logfile of HijackThis v1.98.0

Scan saved at 10:48:50 AM, on 7/23/2004

Platform: Windows 2000 SP2 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

C:\unzipped\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\ewqtt.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ewqtt.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ewqtt.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\ewqtt.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\ewqtt.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ewqtt.dll/index.html#96676

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {09114324-572D-938E-3A14-BA713F52127F} - C:\WINNT\iepc.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe

O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE

O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe

O4 - HKLM\..\Run: [indexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [iPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l

O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"

O4 - HKLM\..\Run: [mfcdx.exe] C:\WINNT\mfcdx.exe

O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe

O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

 

End of Log.

Share this post


Link to post
Share on other sites

Does this error happen when you try to fix items in normal mode?

 

Go ahead and send the particulars to Merijn.

He has been busy recently and may not have the time to look into it.

 

Download hijackthis version 1.97.7 here.

http://tomcoyote.com/hjt/

 

Unzip it to a permanent folder.

This is an older version and should work fine for this.

 

Check to make sure you have the most recent Adaware update.

 

Now boot to safe mode.

 

Run a hijackthis scan (use version 1.97.7), place a check next to the following entries, then click the fix button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\ewqtt.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ewqtt.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ewqtt.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\ewqtt.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\ewqtt.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ewqtt.dll/index.html#96676

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {09114324-572D-938E-3A14-BA713F52127F} - C:\WINNT\iepc.dll

O4 - HKLM\..\Run: [mfcdx.exe] C:\WINNT\mfcdx.exe

Then locate the following files and delete them.

C:\WINNT\ewqtt.dll

C:\WINNT\iepc.dll

C:\WINNT\mfcdx.exe

 

Now run about:buster.

 

Then open adaware.

Now do the following:

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:

check: "Unload recognized processes during scanning."

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:

Check: "Let Windows remove files in use after reboot."

Press "Scan Now"

- Check option "Use Custom scanning options"

- Check option "Activate In-Depth Scan"

- Press "Select drives\folders to scan"

- Select the active partition which is usually C:

Now press "Next" to let Ad-aware scan your drives...

It will find a number of "bad" files and registry keys.

Right-click in that pane and choose "select all"

Now press "Next" again.

It will ask you whether you'd like to remove all checked items. Click OK.

Finally, close Ad-Aware, and reboot into normal mode.

 

Then run this online scan.

http://housecall.trendmicro.com/

 

Finally reboot and run another hijackthis scan and post your new log here.

Share this post


Link to post
Share on other sites

i'm sorry it takes me so long to reply and follow up...i work a lot and can't get on my home computer. thanks (the 10th power) for your patience.

 

i followed your directions to the letter. here is my new log:

 

***************

Logfile of HijackThis v1.97.7

Scan saved at 12:08:46 PM, on 7/26/2004

Platform: Windows 2000 SP2 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

C:\unzipped\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\fjxdn.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://fjxdn.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://fjxdn.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\fjxdn.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://fjxdn.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\fjxdn.dll/sp.html#96676

F1 - win.ini: load=C:\OPLIMIT\ocraware.exe

O2 - BHO: (no name) - {09114324-572D-938E-3A14-BA713F52127F} - C:\WINNT\iepc.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe

O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE

O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe

O4 - HKLM\..\Run: [indexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [iPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l

O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"

O4 - HKLM\..\Run: [javavc32.exe] C:\WINNT\javavc32.exe

O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe

O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

 

*******************

 

i deleted the BHO AND located and deleted the iepc.dll file, and it's back....of course the hijack is back with its new name. i feel like there is an .exe or a .dat or .dll not showing up in hijack this that is generating its return, but i have no idea how to find it. i also have no idea what i'm talking about, so i could be wrong. what next? thanks again!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Share this post


Link to post
Share on other sites

also, i am not getting the Error #75 in Hijack This anymore..only happened once, so that's good.

 

should i try to kill the BHO with software like KillBox?

Edited by thirtydash

Share this post


Link to post
Share on other sites

We'll give this another shot with this method, if it doesn't work I have another idea.

 

Locate these two files.

C:\WINNT\iepc.dll

C:\WINNT\javavc32.exe

 

Zip them up and email them along with a link to this thread to THIS address.

 

Check to make sure you have the most recent version of about:buster (3.1 last I checked) unzip it to your desktop.

http://www.downloads.subratam.org/AboutBuster.zip

 

Boot into safe mode. Have hijackthis fix the following entries.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\fjxdn.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://fjxdn.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://fjxdn.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\fjxdn.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://fjxdn.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\fjxdn.dll/sp.html#96676

O2 - BHO: (no name) - {09114324-572D-938E-3A14-BA713F52127F} - C:\WINNT\iepc.dll

O4 - HKLM\..\Run: [javavc32.exe] C:\WINNT\javavc32.exe

Then locate these files and delete them. You can use the killbox to remove them if you like. Just be sure you copy the file and location correctly.

C:\WINNT\system32\fjxdn.dll

C:\WINNT\iepc.dll

C:\WINNT\javavc32.exe

 

Now run about:buster and perform a scan with adaware.

 

Then reboot into normal mode and run another hijackthis scan and post your new log here. Make sure you are posting a log from normal mode. Also save and post the About:buster report.

Share this post


Link to post
Share on other sites
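The 7/22 and 7/26 logs in this thread differ mainly in file names: the same IE registry values and the same kind of Run entry come back pointing at a newly named DLL and EXE. As an added example (not part of the original posts and not a HijackThis feature), this Python script masks those names and pairs up the renamed entries; the log excerpts are copied from this thread, while the function names and the hard-coded C:\WINNT directory are assumptions of the example.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "code text")

# Excerpts copied from the 7/22 and 7/26 logs in this thread (not the full logs).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\ewqtt.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ewqtt.dll/index.html#96676
O2 - BHO: (no name) - {09114324-572D-938E-3A14-BA713F52127F} - C:\WINNT\iepc.dll
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [mfcdx.exe] C:\WINNT\mfcdx.exe
"""
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\fjxdn.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://fjxdn.dll/index.html#96676
O2 - BHO: (no name) - {09114324-572D-938E-3A14-BA713F52127F} - C:\WINNT\iepc.dll
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [javavc32.exe] C:\WINNT\javavc32.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# res://[dir\]name.dll/ : captures name.dll whether or not a directory is given
RES_RE = re.compile(r"res://(?:[^/]*\\)?([^\\/]+\.dll)/", re.I)
# Run value named after an EXE sitting directly in C:\WINNT (assumption: the
# Windows directory seen in these logs)
RUN_RE = re.compile(r"\[([^\]]+\.exe)\] C:\\WINNT\\\1$", re.I)

def parse_hjt(log):
    """Return the section-coded entries (R0, O2, O4, ...) of a HijackThis log."""
    matches = (ENTRY_RE.match(line.strip()) for line in log.splitlines())
    return [Entry(m.group(1), m.group(2)) for m in matches if m]

def res_dlls(entries):
    """DLL names that R0/R1 browser settings load their pages from via res://."""
    return {m.group(1).lower() for e in entries if e.code in ("R0", "R1")
            for m in RES_RE.finditer(e.text)}

def shape(entry):
    """Mask the file names so a renamed copy of an entry compares equal."""
    text = RES_RE.sub("res://<dll>/", entry.text)
    if entry.code == "O4":
        text = RUN_RE.sub(lambda m: r"[<exe>] C:\WINNT\<exe>", text)
    return Entry(entry.code, text)

def renamed(before, after):
    """Pairs (old, new) whose exact text changed but whose masked shape did not."""
    old = {shape(e): e for e in before if e not in after}
    return [(old[shape(e)], e) for e in after
            if e not in before and shape(e) in old]

if __name__ == "__main__":
    before, after = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    print("res:// DLLs:", res_dlls(before), "->", res_dlls(after))
    for was, now in renamed(before, after):
        print(f"{now.code} renamed:\n  - {was.text}\n  + {now.text}")
```

Entries that are identical in both logs, such as the unnamed BHO pointing at iepc.dll, are not reported as renamed; they are the ones that survived the fix unchanged.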

:thumbsup: okay it's gone (at least, for now--after 5 successful reboots and ventures into Internet Explorer).

 

I did exactly as you said...well, sort of. I had to go out of town for awhile, and while I was gone Ad Aware came out with the new version. I ran Hijack This in safe mode and fixed the items, then found the three files (iepc.dll, javavc32, etc.) and PROMPTLY deleted them and emptied the recycle bin. Then I ran About Buster (the newest version as of 8/11) and Ad Aware and deleted whatever adaware came up with. THEN, rebooted in normal mode, the res:// hijacker appeared to be gone and ran HJT in normal mode...nothing turned up!

 

I repeated the entire process again and have had nothing turn up--everything appears to be running normally, for about 24 hours now.

 

Maybe I was having trouble because I had an older version of About Buster.

 

Anyway, thanks a bunch, and thanks for your patience. Can you recommend a series of maintenance programs to run in the background while I'm on the net, or programs to run periodically, in order to keep crap like this off my computer in the future? There are so many anti-spyware programs that seem to target specific problems, but are there a few catch-all programs I can use for maintenance?

 

Thanks again for your help. Could NOT have done this without your direction.

Share this post


Link to post
Share on other sites