
HELP PLEASE!


8 replies to this topic

#1 jahrim


Posted 03 June 2004 - 06:54 PM

I am new to this, and I was recommended to come here and check with you guys so hopefully you can help me.

So here's the problem:

Every time I go to google, yahoo etc. and type in the search bar, it freezes. The same thing happens when I try and type in username and passwords at websites. It also freezes when I click buttons. For example, when I hit the button to submit my password and username (which also froze when I put those in) it froze AGAIN. It took me 5 minutes to log in here!!!:eek:. I have my hijack log below. Hopefully you guys can help.

Thanks a bunch in advance


Here is the log:


Logfile of HijackThis v1.97.7
Scan saved at 7:54:48 PM, on 6/3/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MESSENGER PLUS! 2\MSGPLUS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\DIAMOND\INCONTROL TOOLS 99\DMHKEY.EXE
C:\PROGRAM FILES\XEROX\PAGIS\MONITOR.EXE
C:\PROGRAM FILES\XEROX\PAGIS\EREG\REMIND32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://i-lookup.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hispeed.rogers.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hispeed.rogers.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {6EF3AE25-5A7D-40C2-9B44-9ED0068621C0} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - Startup: InControl Desktop Manager.lnk = C:\Program Files\Diamond\InControl Tools 99\DMHKEY.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Pagis Scheduler.lnk = C:\Program Files\Xerox\Pagis\Monitor.exe
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\Xerox\Pagis\Ereg\REMIND32.EXE
O14 - IERESET.INF: START_PAGE_URL=http://hispeed.rogers.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: IEToolbarCab - http://www.animetool...ailyToolbar.CAB
O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://www.008i.com/...12802/msits.exe

#2 Starwaves


Posted 03 June 2004 - 09:08 PM

Hi,

Run your Hijack scan again and check all of the following entries, then click on 'FIX' ...

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://i-lookup.com/search.html

O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://www.008i.com/...12802/msits.exe

O3 - Toolbar: (no name) - {6EF3AE25-5A7D-40C2-9B44-9ED0068621C0} - (no file)

------>

Click on Start / Programs / Ms Dos Prompt

At the blinking cursor type the following commands and hit enter after each:
Deltree temp
Deltree tempor~1


You'll get a question from windows asking 'delete temporary internet files and all of its subdirectories?' .... y/n choose y for YES, for both of them,

Note: this character ~ to the left of numeral 1 on keyboard,

See if it works better and post back,

;)
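
The three entries picked out for fixing in the reply above, expressed as triage heuristics over HijackThis log lines. This is an added example, not part of the original thread or of HijackThis; the `triage` function, its three rules and the `trusted_hosts` allowlist are assumptions made here for illustration, and the sample lines are copied from the log in the first post.

```python
import re
from urllib.parse import urlparse

# Sample input: a few lines copied from the log in the first post.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://i-lookup.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hispeed.rogers.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {6EF3AE25-5A7D-40C2-9B44-9ED0068621C0} - (no file)
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://www.008i.com/...12802/msits.exe
"""

# "<section code> - <rest of entry>", e.g. "O16 - DPF: ..."
ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")

def triage(log_text, trusted_hosts):
    """Return (code, reason, line) for entries matching the three heuristics."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, running-process path or blank line
        code, body = m["code"], m["body"]
        if code in ("R0", "R1") and " = " in body:
            # IE start/search URL: flag hosts the analyst has not allowlisted.
            host = urlparse(body.split(" = ", 1)[1]).hostname
            if host and host not in trusted_hosts:
                findings.append((code, "IE URL points to untrusted host " + host, line))
        elif code == "O3" and body.endswith("(no file)"):
            findings.append((code, "toolbar registered but its file is missing", line))
        elif code == "O16":
            # Download source is the last " - " separated field of a DPF entry.
            source = body.rsplit(" - ", 1)[-1].lower()
            if not source.startswith(("http://", "https://")):
                findings.append((code, "ActiveX source is not a plain web URL", line))
            elif source.endswith(".exe"):
                findings.append((code, "ActiveX source is an .exe, not a .cab", line))
    return findings

if __name__ == "__main__":
    # Assumed allowlist: the ISP portal that appears as the start page in the log.
    for code, reason, line in triage(SAMPLE_LOG, {"hispeed.rogers.com"}):
        print(code, "|", reason, "|", line)
```

A hit only marks a line for a human to review against the rest of the log; it does not decide on its own that the entry should be fixed.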

#3 jahrim


Posted 04 June 2004 - 05:43 AM

Hey thanks starwaves for your help, but it didn't seem to work. The computer is still freezing when I hit buttons like "submit" or "add reply" etc. When I post this, it freezes.

Thanks again, and I hope we can find a solution.

#4 jahrim


Posted 04 June 2004 - 05:47 AM

Now it's only mainly doing it at a website I visit frequently called:

www.tournawiz.com

I run a tennis league, and it is vital for me to get into this website to create and post draws.

Thanks again for all your help...

#5 jahrim


Posted 04 June 2004 - 09:32 PM

OK... so it started doing it again. It keeps freezing whenever I have to press a button on a webpage... please help!

Thanks

#6 jahrim


Posted 07 June 2004 - 04:42 PM

I tried using both the spyware removal programs, it found some new stuff, and I fixed them, but the problem still occurs.

Any help is greatly appreciated!

#7 jahrim


Posted 10 June 2004 - 09:53 PM

Bump!

#8 BugabooBob


Posted 27 June 2004 - 10:02 AM

Jahrim,

I'm not sure if you're still having that problem or not, but here's some info for you that might help.

I run two separate PCs. One with virus protection and a firewall, the other without either. They both run with identical operating systems, Win-98 second edition. So logically, all of my windows and systems files should remain the same on both machines.

The reason I do this is to trouble-shoot problems such as you're having. I had similar problems, with my browser freezing up, my home-page constantly resetting to something other than what I had it set for, and endless pop-ups telling me that spyware had been detected on my PC, and it could be cured for $29.95. The problem is, the guy CAUSING these pop-ups was most likely the same guy who planted the bug in my machine.

To find out why this was happening, I did a fresh re-install of Win-98 in two machines - - protected one, but not the other.

What I found was that certain web pages (usually 'adult' in nature), were trying to download two application files into my PC. They are: MSITS.EXE and MSHTA.EXE.

In my protected machine, these files slipped right by my virus software, but WERE caught by my firewall. Hence, you need both in order to protect your PC.

In the un-protected PC, I never even knew that anything had been downloaded. I was on a page that simply seemed to be loading slow - but my hard drive was humming away, writing something. And then the problems started.

I found that MSHTA.EXE is basically a "timer" which works with your system clock. It seems to determine a specific date and time to activate the other file, MSITS.EXE. The command-string in the timer-file, MSHTA.EXE, has the potential to be set as a variable. Anywhere from 0 days and 1 minute, to several months, hours, and days.

But once MSITS was set off, it changed four critical Windows files that are essential for smooth operation: AUTOEXEC.BAT; CONFIG.SYS; COMMAND.COM; and SYSTEM.INI. These four files were changed in my infected machine at the exact same time MSITS.EXE was executed. And no back-ups were saved.

Once MSITS runs, there seems to be no way in hell to get rid of it without a fresh re-install of your OS. I believe it embeds itself in the Registry itself.

Here's my recommendation: First, download a free Registry Checker to run a diagnostics on your PC. There are quite a few of them out there that will diagnose your problems, but won't repair them unless you buy the software. But you don't want to buy it - - you just want to see if you have any Registry problems.

If you do, save all your user files to disks or CDs, and then do a complete re-install of your OS. Then, go to http://www.grisoft.com and download their free virus software. It works great and doesn't cost anything.

THEN, go to http://www.zonealarm.com and download their free version of Firewall.

My protected PC hasn't had a problem since, and I believe this will solve your problems as well.

Bob

#9 BugabooBob


Posted 27 June 2004 - 10:08 AM

Oh,,,,

And if you look at the very last line of your "HijackThis" log, you'll find that you do indeed have MSITS.EXE on your machine.



