IE Behaving Strangely


9 replies to this topic

#1 hijacked

hijacked

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 24 May 2004 - 04:34 PM

Recently, my IE 5.5 running on Win95 started to behave strangely.
The symptoms are:

1. It seems to take much longer than before to load.
2. After it's loaded, it seems to take much longer than
before to load web pages.
3. Sometimes, it hangs in the middle of loading.
4. Whenever #3 occurs, I have to use CTRL-ALT-DELETE to terminate
the suspended IE process. Then when I try to shutdown the
computer, it won't shut down normally, unless I power off the PC.

I've performed the following:

1. Ran TrendMicro's online virus scan (clean).
2. Ran Spybot (clean).
3. Ran Hijackthis (see logfile below).
4. Ran CWShredder (clean).

I have a feeling my IE somehow got corrupted, but I have no
idea what else to do.

Thank you for your help,

Peter

============================================

Logfile of HijackThis v1.97.7
Scan saved at 1:39:32 PM, on 5/24/2004
Platform: Windows 95 B (Win9x 4.00.1111)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\CPIEXE.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\DMI\SIA\BIN\CSERVICE.EXE
C:\DMI\sia\bin\os_ac.exe
C:\DMI\sia\bin\pnp_ac.exe
C:\AVSUITE\AS2\AS2TRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\DMI\sia\bin\swi_ac.exe
C:\WINDOWS\SYSTEM\HPHA1MON.EXE
C:\DMI\sia\bin\dmib_ac.exe
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\DMI\sia\bin\logic_ac.exe
C:\WINDOWS\WJVIEW.EXE
C:\WINDOWS\TEMP\MSBB.EXE
C:\DMI\sia\bin\sprof_ac.exe
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\DMI\win16\bin\WINSL.EXE
C:\OFFICE97\OFFICE\FINDFAST.EXE
C:\TOOLS_95\IMGICON.EXE
D:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NSCHED32.EXE
D:\PROGRAM FILES\ADOBE\ACROBAT 4.0\DISTILLR\ACROTRAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\WEBSAVINGSFROMEBATES\WEBSAVINGSFROMEBATES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
D:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MindSpring Enterprises
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: load=srsapp.exe
F1 - win.ini: run=cservice.exe hpfsched
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Program Files\Netscape\Users\peter\prefs.js)
O2 - BHO: (no name) - {297caf50-e4f7-11d1-a380-00600896eccc} - D:\PROGRA~1\SEGUE\SILKTEST\QAPHLPR.DLL
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\SYSTEM\MSHELPER.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [AtiKey] Atikey32.exe
O4 - HKLM\..\Run: [VoyetraAudioStation2] C:\AVSUITE\AS2\AS2TRAY.EXE
O4 - HKLM\..\Run: [NAPopup] C:\RealTime\Setup\naudiort\None\napopup.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PowerQuest Startup Utility] C:\Program Files\PowerQuest\PartitionMagic5\UTILITY\MMOVER32\PQINIT.EXE
O4 - HKLM\..\Run: [HPHA1MON] C:\WINDOWS\SYSTEM\HPHA1MON.EXE
O4 - HKLM\..\Run: [Norton eMail Protect] D:\Program Files\Norton SystemWorks\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin\bargains.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [msbb] c:\windows\temp\msbb.exe
O4 - HKLM\..\Run: [oneb] C:\WINDOWS\oneb.exe
O4 - HKLM\..\Run: [ajqt] C:\WINDOWS\ajqt.exe
O4 - HKLM\..\Run: [ixmbgh] C:\WINDOWS\ixmbgh.exe
O4 - HKLM\..\Run: [qvixiv] C:\WINDOWS\qvixiv.exe
O4 - HKLM\..\Run: [ber] C:\WINDOWS\ber.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Find Fast.lnk = C:\office97\Office\FINDFAST.EXE
O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE
O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O4 - Startup: Iomega Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
O4 - Startup: Norton Program Scheduler.lnk = D:\Program Files\Norton SystemWorks\Norton AntiVirus\NSCHED32.EXE
O4 - Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .mov: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPQTW32.DLL
O12 - Plugin for .WMV: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O13 - DefaultPrefix: c:\searchpage.html?page=
O13 - WWW Prefix: c:\searchpage.html?page=
O13 - WWW. Prefix: http://
O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#2 irelynnmisses

irelynnmisses

    Forum Goddess

  • Retired Staff - Helper
  • PipPipPipPip
  • 282 posts

Posted 25 May 2004 - 01:23 AM

Ok, can you run CWShredder in safe mode? But please make sure it's updated before you do. If I were this infected I would have ... Well.. I dunno but I would have something :p

Also, before booting in safe mode, please check and have hijackthis fix these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: load=srsapp.exe
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin\bargains.exe
O4 - HKLM\..\Run: [msbb] c:\windows\temp\msbb.exe
O4 - HKLM\..\Run: [oneb] C:\WINDOWS\oneb.exe
O4 - HKLM\..\Run: [ajqt] C:\WINDOWS\ajqt.exe
O4 - HKLM\..\Run: [ixmbgh] C:\WINDOWS\ixmbgh.exe
O4 - HKLM\..\Run: [qvixiv] C:\WINDOWS\qvixiv.exe
O4 - HKLM\..\Run: [ber] C:\WINDOWS\ber.exe
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O13 - DefaultPrefix: c:\searchpage.html?page=
O13 - WWW Prefix: c:\searchpage.html?page=
O13 - WWW. Prefix: http://
O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=

Now, please start in safe mode by tapping the F8 button several times as you are booting up....

Then search for and delete the following files or folders:
C:\WINDOWS\2_0_1browserhelper2.dll
C:\WINDOWS\SYSTEM\A.EXE
C:\Program Files\WebSavingsfromEbates
C:\Program Files\Bargain Buddy\bin\bargains.exe
c:\windows\temp\msbb.exe
C:\WINDOWS\oneb.exe
C:\WINDOWS\ajqt.exe
C:\WINDOWS\ixmbgh.exe
C:\WINDOWS\qvixiv.exe
C:\WINDOWS\ber.exe


While in safe mode, run cwshredder and adaware again.. Also, I recommend uninstalling your pop up blockers and internet optimizer ...I highly recommend toolbar.google.com - you get a great popup blocker as well as very convenient search.

Go to START > ALL PROGRAMS > ACCESSORIES > SYSTEM TOOLS > DISK CLEAN UP and clean everything... Especially TEMP folder.


Reboot.. then redo the online virus scans.. Also, I would check and see if there are any updates you might be missing.. Especially for your version of IE.. I don't know if WIN 95 would have any lol
HERE: http://v4.windowsupd.../en/default.asp


After This, Reboot and Post a Fresh HijackThis log.
And we'll take it from there =)

Edited by irelynnmisses, 25 May 2004 - 01:24 AM.

FireFox is recommended over IE: http://www.mozilla.o...oducts/firefox/

Misses Loves Kisses

Also, please don't PM me your hijack logs. I would rather you post them and PM me if you wish for me to look at them. A PM with a hijack log will get ignored!

#3 hijacked

hijacked

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 25 May 2004 - 09:44 PM

Hello irelynnmisses,

Thank you very much for taking the time to respond to my posting.

Per your instruction, I re-ran hijackthis to try to clean up the entries that you flagged. However, hijackthis ran through without reporting any errors and without cleaning up those entries.

That being the case, how should I proceed? Should I continue with CWShredder in safe mode? By the way, what's the difference between running CWShredder in safe mode and running it within Windows (which I've done already with no errors)?

Thank you very much,

Peter

#4 irelynnmisses

irelynnmisses

    Forum Goddess

  • Retired Staff - Helper
  • PipPipPipPip
  • 282 posts

Posted 25 May 2004 - 11:06 PM

While in safe mode only minimal stuff is loaded for you to run your PC.. sometimes it catches things that are not in use because you're in safe mode.. Once you perform all those fixes.. please post a fresh hijacklog so we can finish everything up.. there might be more to go :)

Edited by irelynnmisses, 25 May 2004 - 11:11 PM.


#5 hijacked

hijacked

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 26 May 2004 - 07:51 PM

Hello irelynnmisses,

I think you solved my problem! Please read below for the details.

Thanks very much for your clarification on the use of safe mode. I understand the logic behind it now.

I must apologize for not completely understanding what you meant by "please check and have hijackthis fix these entries." In the past, I would always run CWShredder immediately after running Hijackthis, without checking any of the boxes in Hijackthis. It finally dawned on me this morning that you were trying to tell me to check the appropriate boxes for those entries that you had flagged. I finally realized I was supposed to then click the "Fix Checked" button.

Anyway, I ran Hijackthis and cleaned up all the suspect entries. Then I booted up in safe mode to try to delete the files and folders you had flagged. That's when the system gave me a message that said my registry may be bad and asked me if I want to restore the old registry. Naturally, I clicked, yes, I want to restore the registry. However, upon booting up normally next time and running Hijackthis, most of the previously deleted entries reappeared. So, I proceeded to re-check the boxes for the suspect entries and again clicked, "Fix Checked."

This time I decided to boot up normally. While in Win95, I manually deleted those files and folders under C:\WINDOWS. After I re-booted, IE seems to behave normally. No more sluggishness and no more occasional hanging!

THANK YOU! THANK YOU! THANK YOU!

Again, I apologize for being a newbie and not understanding what you said the first time around. In the future in case I run into the same problem again, do you have any suggestions on how I can avoid the bad registry error message when I boot up in safe mode?

Again, many thanks for your help. I will post a fresh copy of the Hijackthis logfile soon.

Peter

#6 irelynnmisses

irelynnmisses

    Forum Goddess

  • Retired Staff - Helper
  • PipPipPipPip
  • 282 posts

Posted 26 May 2004 - 09:57 PM

I don't know why you would get the message.. but you shouldn't get it lol

Anyhow.. please post your new log when finished with the following steps:

Download and install-

SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacools...areblaster.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
http://www.staff.uiu...rce.htm#IESPYAD

Both are very small free programs that you run once, then again, you know this and then just occasionally to check for updates.
I highly recommend toolbar.google.com - you get a great popup blocker as well as very convenient search.


Is your Norton up to date? If not I can recommend a free anti-virus for you.

#7 hijacked

hijacked

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 27 May 2004 - 02:07 AM

irelynnmisses,

My PC seems to be back to normal now. IE is running very smoothly.
Here's the clean log file.

Thank you again for your generous help! I can :-) again.

Peter
============================================

Logfile of HijackThis v1.97.7
Scan saved at 10:39:19 PM, on 5/26/2004
Platform: Windows 95 B (Win9x 4.00.1111)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\CPIEXE.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\DMI\SIA\BIN\CSERVICE.EXE
C:\DMI\sia\bin\os_ac.exe
C:\DMI\sia\bin\pnp_ac.exe
C:\AVSUITE\AS2\AS2TRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\HPHA1MON.EXE
C:\DMI\sia\bin\swi_ac.exe
D:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POPROXY.EXE
C:\DMI\sia\bin\dmib_ac.exe
C:\DMI\sia\bin\logic_ac.exe
C:\DMI\sia\bin\sprof_ac.exe
C:\DMI\win16\bin\WINSL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\OFFICE97\OFFICE\FINDFAST.EXE
C:\TOOLS_95\IMGICON.EXE
D:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NSCHED32.EXE
D:\PROGRAM FILES\ADOBE\ACROBAT 4.0\DISTILLR\ACROTRAY.EXE
D:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MindSpring Enterprises
F1 - win.ini: run=cservice.exe hpfsched
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Program Files\Netscape\Users\peter\prefs.js)
O2 - BHO: (no name) - {297caf50-e4f7-11d1-a380-00600896eccc} - D:\PROGRA~1\SEGUE\SILKTEST\QAPHLPR.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [AtiKey] Atikey32.exe
O4 - HKLM\..\Run: [VoyetraAudioStation2] C:\AVSUITE\AS2\AS2TRAY.EXE
O4 - HKLM\..\Run: [NAPopup] C:\RealTime\Setup\naudiort\None\napopup.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PowerQuest Startup Utility] C:\Program Files\PowerQuest\PartitionMagic5\UTILITY\MMOVER32\PQINIT.EXE
O4 - HKLM\..\Run: [HPHA1MON] C:\WINDOWS\SYSTEM\HPHA1MON.EXE
O4 - HKLM\..\Run: [Norton eMail Protect] D:\Program Files\Norton SystemWorks\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [ubmzgj] C:\WINDOWS\ubmzgj.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Find Fast.lnk = C:\office97\Office\FINDFAST.EXE
O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE
O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O4 - Startup: Iomega Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
O4 - Startup: Norton Program Scheduler.lnk = D:\Program Files\Norton SystemWorks\Norton AntiVirus\NSCHED32.EXE
O4 - Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .mov: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPQTW32.DLL
O12 - Plugin for .WMV: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#8 irelynnmisses

irelynnmisses

    Forum Goddess

  • Retired Staff - Helper
  • PipPipPipPip
  • 282 posts

Posted 27 May 2004 - 02:54 PM

You should fix this one...
O4 - HKLM\..\Run: [ubmzgj] C:\WINDOWS\ubmzgj.exe


And your internet optimizer really isn't worth keeping but it's your decision.

Then reboot and delete this file or folder:

C:\WINDOWS\ubmzgj.exe

These are optional but would speed up your PC... You can still access them through your start menu.

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - Startup: Microsoft Find Fast.lnk = C:\office97\Office\FINDFAST.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl

Other than that.. I don't see anything else.. unless someone else does.. But You look clean to me :)
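An added example (not part of the original thread, and not code from HijackThis): a small Python script that compares two HijackThis logs against the list of entries a helper asked to have fixed, which is the check this thread performs by eye. The sample logs are short excerpts of the 24 May and 26 May logs above and of the fix list in reply #2; the function names are made up for this example.

```python
import re

# HijackThis entry lines have the form "<code> - <detail>", where the code is
# a section letter (R, F, N, O) followed by a number, e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")

# Excerpt of the 24 May log from this thread (trimmed).
BEFORE = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\EXPLORER.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MindSpring Enterprises
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\SYSTEM\MSHELPER.DLL
O4 - HKLM\..\Run: [AtiKey] Atikey32.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [msbb] c:\windows\temp\msbb.exe
O4 - HKLM\..\Run: [oneb] C:\WINDOWS\oneb.exe
"""

# Excerpt of the 26 May log from this thread (trimmed).
AFTER = r"""
Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MindSpring Enterprises
O4 - HKLM\..\Run: [AtiKey] Atikey32.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [ubmzgj] C:\WINDOWS\ubmzgj.exe
"""

# Excerpt of the entries flagged for fixing in reply #2 (trimmed).
FLAGGED = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = c:\searchpage.html
O4 - HKLM\..\Run: [msbb] c:\windows\temp\msbb.exe
O4 - HKLM\..\Run: [oneb] C:\WINDOWS\oneb.exe
"""


def parse_entries(log_text):
    """Map (code, case-folded detail) -> original line for every entry line.

    Header lines and the 'Running processes' list do not match ENTRY_RE and
    are skipped. Details are case-folded for comparison because Windows paths
    and registry names are case-insensitive.
    """
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[(m.group(1), m.group(2).casefold())] = line.strip()
    return entries


def compare_logs(before, after, flagged):
    """Classify entries across two scans relative to the flagged list."""
    b, a, f = (parse_entries(t) for t in (before, after, flagged))
    bk, ak, fk = set(b), set(a), set(f)

    def pick(keys, source):
        return [source[k] for k in sorted(keys)]

    return {
        "still_present": pick(fk & ak, a),          # flagged, but the fix did not stick
        "fixed": pick(fk - ak, f),                  # flagged and gone
        "new": pick(ak - bk, a),                    # appeared since the first scan
        "removed_unflagged": pick(bk - ak - fk, b), # gone, but nobody asked for it
    }


if __name__ == "__main__":
    for label, lines in compare_logs(BEFORE, AFTER, FLAGGED).items():
        print(f"{label}:")
        for entry in lines:
            print(f"  {entry}")
```

A non-empty `still_present` list is what the reappearing entries described in post #5 would look like, and `new` is where an entry such as `[ubmzgj]` shows up.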

#9 hijacked

hijacked

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 29 May 2004 - 03:30 AM

irelynnmisses,

Ok, I did everything you suggested. I think my PC is squeaky
clean now.

Many thanks for your help,

Peter


==============================================
Logfile of HijackThis v1.97.7
Scan saved at 12:31:23 AM, on 5/29/2004
Platform: Windows 95 B (Win9x 4.00.1111)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\CPIEXE.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\DMI\SIA\BIN\CSERVICE.EXE
C:\DMI\sia\bin\os_ac.exe
C:\DMI\sia\bin\pnp_ac.exe
C:\AVSUITE\AS2\AS2TRAY.EXE
C:\WINDOWS\SYSTEM\HPHA1MON.EXE
D:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POPROXY.EXE
C:\DMI\sia\bin\swi_ac.exe
C:\DMI\sia\bin\dmib_ac.exe
C:\DMI\sia\bin\logic_ac.exe
C:\TOOLS_95\IMGICON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\DMI\sia\bin\sprof_ac.exe
C:\DMI\win16\bin\WINSL.EXE
D:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NSCHED32.EXE
D:\PROGRAM FILES\ADOBE\ACROBAT 4.0\DISTILLR\ACROTRAY.EXE
D:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MindSpring Enterprises
F1 - win.ini: run=cservice.exe hpfsched
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Program Files\Netscape\Users\peter\prefs.js)
O2 - BHO: (no name) - {297caf50-e4f7-11d1-a380-00600896eccc} - D:\PROGRA~1\SEGUE\SILKTEST\QAPHLPR.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [AtiKey] Atikey32.exe
O4 - HKLM\..\Run: [VoyetraAudioStation2] C:\AVSUITE\AS2\AS2TRAY.EXE
O4 - HKLM\..\Run: [NAPopup] C:\RealTime\Setup\naudiort\None\napopup.exe
O4 - HKLM\..\Run: [PowerQuest Startup Utility] C:\Program Files\PowerQuest\PartitionMagic5\UTILITY\MMOVER32\PQINIT.EXE
O4 - HKLM\..\Run: [HPHA1MON] C:\WINDOWS\SYSTEM\HPHA1MON.EXE
O4 - HKLM\..\Run: [Norton eMail Protect] D:\Program Files\Norton SystemWorks\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE
O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O4 - Startup: Iomega Disk Icons.lnk = C:\Tools_95\IMGICON.EXE
O4 - Startup: Norton Program Scheduler.lnk = D:\Program Files\Norton SystemWorks\Norton AntiVirus\NSCHED32.EXE
O4 - Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .mov: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPQTW32.DLL
O12 - Plugin for .WMV: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#10 irelynnmisses

irelynnmisses

    Forum Goddess

  • Retired Staff - Helper
  • PipPipPipPip
  • 282 posts

Posted 30 May 2004 - 12:14 AM

You look fine to me.. I hope all is well :)



