heckerh

IE6 browser hijack

13 posts in this topic

My browser IE6.1 has been hijacked, similar to the information given on website: http://tomcoyote.com.

 

I have updated the latest patches to IE6 and all other security patches for Windows 98. Pop-up screens continue to occur while on IE6. The default screen is about:blank, not what was placed into the tools block.

 

I have used Ad-Aware and Spybot (w/newest updates). I have not found any *.hta or *.js files that look like familiar spyware.

 

Here is the Hijack file.

 

Logfile of HijackThis v1.97.7

Scan saved at 11:43:10 PM, on 6/7/04

Platform: Windows 98 Gold (Win9x 4.10.1998)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\WEBSVR\SYSTEM\INETSW95.EXE

C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE

C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE

F:\COMPUSERVE\CS3\CS3.EXE

C:\WINDOWS\SYSTEM\LEXBCES.EXE

E:\PROGRAM FILES\OFFICE\OFFICE\FINDFAST.EXE

C:\WINDOWS\SYSTEM\RPCSS.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

D:\COMPUSERVE\WBIN\FCSERV32.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

F:\COMPUSERVE\DOWNLOAD\HIJACKTHIS\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\PFB.DLL/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\PFB.DLL/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\PFB.DLL/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\PFB.DLL/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\PFB.DLL/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\PFB.DLL/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\PROGRAM FILES\ADOBE\ACROBAT READER\READER\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: (no name) - {08351226-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE026.DLL

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll

O2 - BHO: (no name) - {20CA34FC-A40A-44FF-B24C-9042D1ADAF6E} - C:\WINDOWS\SYSTEM\PFB.DLL

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [LexStart] Lexstart.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~2\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [Microsoft WebServer] C:\Program Files\WebSvr\System\svctrl /init

O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~2\SNDMON.EXE

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [Microsoft WebServer] C:\Program Files\WebSvr\System\inetsw95 -w3svc

O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe

O4 - HKLM\..\RunServices: [symTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"

O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - Startup: Quicken Scheduled Updates.lnk = E:\Program Files\QuickenW\bagent.exe

O4 - Startup: Quicken Startup.lnk = E:\Program Files\QuickenW\QWDLLS.EXE

O4 - Startup: Microsoft Find Fast.lnk = E:\Program Files\OFFICE\Office\FINDFAST.EXE

O4 - Startup: Billminder.lnk = E:\Program Files\QuickenW\billmind.exe

O8 - Extra context menu item: Download with Go!Zilla - file://E:\PROGRAM FILES\GO!ZILLA\download-with-gozilla.html

O8 - Extra context menu item: &Download with &DAP - E:\PROGRA~1\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - E:\PROGRA~1\DAP\dapextie2.htm

O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsearch.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsimilar.html

O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmbacklinks.html

O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmtrans.html

O9 - Extra button: SideStep (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\NPQTPL~1.DLL

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7888.7340162037

O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Template...nloads/outc.cab

O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} (SideStep IE Inst) - http://download.sidestep.com/get/k00719/sb026.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab

O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab

O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/crack.CAB

O16 - DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} (InforbitHelper Class) - http://download.infotriever.com/bin/ifhelper.cab

 

 

 

Thanks in advance for help in cleaning up this mess.

H.D. Hecker


Click here to download and install Registrar Lite. Install, run, copy and paste this line to reglite's address bar:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

 

and hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.

 

Download 'Dllfix.exe' from here. It is a self-extracting archive; double click on it. Open the DLLFIX folder and double click on Start.bat.

 

At the main menu, press '1' (Run Find-All by FreeAtLast) and enter. Let the program run. When finished, press 'E' to exit. Open the DLLFix folder. Post the contents of Output.txt in this thread.


Neither Registrar Lite nor Dllfix.exe worked. I failed to mention that I am using Windows 98.

 

When I ran Registrar Lite, I could not find the Appinit_Dll value on the screen. When I ran Dllfix.exe, it expected Windows 2000 or XP.

 

Thanks.

 

H.D. Hecker


:oops: and I failed to notice

 

Download StartDreck from here. Unzip to its own folder and start the program:

 

Press 'Config'

Press 'Unmark All'

 

Check the following boxes only:

Registry -> Run Keys

System/Drivers -> Running processes

 

Press 'Ok'. Press 'Save' and select the location to save the log file (default is the same folder as the application). Post the log in this thread.


Here is the log file after running StartDreck. Since last week, Adaware has posted 2 definition updates which appeared to only temporarily clear up the problem.

 

StartDreck (build 2.1.5 public BETA) - 2004-06-15 @ 22:46:11

Platform: Windows 98 (Win 4.10.1998 )

 

»Registry

»Run Keys

»Current User

»Run

»RunOnce

»Default User

»Run

»RunOnce

»Local Machine

»Run

*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun

*TaskMonitor=C:\WINDOWS\taskmon.exe

*SystemTray=SysTray.Exe

*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

*LexStart=Lexstart.exe

*EM_EXEC=C:\PROGRA~1\LOGITECH\MOUSEW~2\SYSTEM\EM_EXEC.EXE

*AdaptecDirectCD="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

*Microsoft WebServer=C:\Program Files\WebSvr\System\svctrl /init

*NPROTECT=C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe

*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

*ccRegVfy="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

*Advanced Tools Check=C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE

*Symantec NetDriver Monitor=C:\PROGRA~1\SYMANTEC\LIVEUP~2\SNDMON.EXE

»RunOnce

»RunServices

*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

*SchedulingAgent=mstask.exe

*Microsoft WebServer=C:\Program Files\WebSvr\System\inetsw95 -w3svc

*NPROTECT=C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe

*SymTray - Norton SystemWorks=C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"

*ccEvtMgr="C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

*ScriptBlocking="C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

»RunServicesOnce

**tafn=rundll32 C:\WINDOWS\SYSTEM\RESCALB.DLL,StreamingDeviceSetup

»RunOnceEx

»RunServicesOnceEx

»File Associations (CR)

*.bat

*batfile="%1" %*

*.com

*comfile="%1" %*

*.disabled

*SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" %1

*.exe

*exefile="%1" %*

*.hta

*htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*

*.htm

*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome

*.html

*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome

*.js

*JSFile=C:\WINDOWS\WScript.exe "%1" %*

*.pif

*piffile="%1" %*

*.scr

*scrfile="%1" /S

*.txt

*txtfile=C:\WINDOWS\NOTEPAD.EXE %1

*.vbs

*VBSFile=C:\WINDOWS\WScript.exe "%1" %*

*.wsh

*WSHFile=C:\WINDOWS\WScript.exe "%1" %*

*.lnk

`lnkfile= [key or value does not exist]

»Browser Helper Objects (LM)

*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

`InprocServer32=E:\PROGRAM FILES\ADOBE\ACROBAT READER\READER\READER\ACTIVEX\ACROIEHELPER.OCX

*SideStep Browser Helper/{08351226-6472-43BD-8A40-D9221FF1C4CE}

`InprocServer32=C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE026.DLL

*Google Toolbar Helper/{AA58ED58-01DD-4d91-8333-CF10577473F7}

`InprocServer32=c:\windows\googletoolbar2.dll

*Navbho.CNavExtBho.1/{BDF3E430-B101-42AD-A544-FADC6B084872}

`InprocServer32=C:\Program Files\Norton AntiVirus\NavShExt.dll

*{247B5394-DB9B-462F-B9D1-B44A431BCB49}

`InprocServer32=C:\WINDOWS\SYSTEM\LPOLF.DLL

»Files

»Autostart Folders

»Current User

*C:\WINDOWS\Start Menu\Programs\StartUp\Quicken Scheduled Updates.lnk

*C:\WINDOWS\Start Menu\Programs\StartUp\Quicken Startup.lnk

*C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Find Fast.lnk

*C:\WINDOWS\Start Menu\Programs\StartUp\Billminder.lnk

»Default User

*C:\WINDOWS\Start Menu\Programs\StartUp\Quicken Scheduled Updates.lnk

*C:\WINDOWS\Start Menu\Programs\StartUp\Quicken Startup.lnk

*C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Find Fast.lnk

*C:\WINDOWS\Start Menu\Programs\StartUp\Billminder.lnk

»Local Machine

»INI-Files

»WIN.INI\[windows]

*LOAD=

*RUN=

»SYSTEM.INI\[boot]

*SHELL=Explorer.exe

»Text Files

*C:\msdos.sys

*C:\config.sys

*C:\autoexec.bat

*C:\WINDOWS\dosstart.bat

*C:\WINDOWS\wininit.ini

*C:\WINDOWS\wininit.bak

»System/Drivers

»Running Processes

*FFEF64A7=C:\WINDOWS\SYSTEM\KERNEL32.DLL

*FFFF13C3=C:\WINDOWS\SYSTEM\MSGSRV32.EXE

*FFFF2473=C:\WINDOWS\SYSTEM\MPREXE.EXE

*FFFF3DB3=C:\WINDOWS\SYSTEM\mmtask.tsk

*FFFF904B=C:\WINDOWS\SYSTEM\MSTASK.EXE

*FFFFA3EB=C:\PROGRAM FILES\WEBSVR\SYSTEM\INETSW95.EXE

*FFFFAD3F=C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE

*FFFE1DD7=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE

*FFFE36C7=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE

*FFFE7E8F=C:\WINDOWS\EXPLORER.EXE

*FFFEDA4B=C:\WINDOWS\RUNDLL32.EXE

*FFFC1A53=C:\WINDOWS\TASKMON.EXE

*FFFC2C67=C:\WINDOWS\SYSTEM\SYSTRAY.EXE

*FFFBC99B=C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE

*FFFBBAB3=C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE

*FFFA39E7=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE

*FFF92043=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

*FFF7B637=E:\PROGRAM FILES\OFFICE\OFFICE\FINDFAST.EXE

*FFFABFCB=C:\WINDOWS\SYSTEM\LEXBCES.EXE

*FFF94CEB=C:\WINDOWS\SYSTEM\RPCSS.EXE

*FFFB356F=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

*FFFCEA0F=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

*FFFBE7EF=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

*FFFDCEE3=F:\COMPUSERVE\CS3\CS3.EXE

*FFF5679B=C:\WINDOWS\SYSTEM\RNAAPP.EXE

*FFF5507B=C:\WINDOWS\SYSTEM\TAPISRV.EXE

*FFFBFABB=D:\COMPUSERVE\WBIN\FCSERV32.EXE

*FFF7302F=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

*FFF5C9DB=C:\WINDOWS\SYSTEM\DDHELP.EXE

*FFF6A62F=C:\WINDOWS\SYSTEM\SPOOL32.EXE

*FFF68ECF=E:\PROGRAM FILES\DAP\DAP.EXE

*FFFBF5D7=F:\COMPUSERVE\DOWNLOAD\HIJACKTHIS\STARTDRECK\STARTDRE.EXE

»NT Services

»Application specific

 

 

Thanks.

H.D. Hecker


Reboot your computer into DOS. Change Directory ('cd') to the C:\Windows\System folder. Delete ('del') the RESCALB.DLL file.

 

Boot back into Windows. Rescan with HJT and post a new log when done.


Performed operations per last e-mail and deleted rescalb.dll file. On boot up, had rundll error where it could not find the file.

 

Here is latest HijackThis log file.

 

Thank you.

H.D. Hecker

 

Logfile of HijackThis v1.97.7

Scan saved at 6:57:03 PM, on 6/16/04

Platform: Windows 98 Gold (Win9x 4.10.1998)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\PROGRAM FILES\WEBSVR\SYSTEM\INETSW95.EXE

C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE

C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCREGVFY.EXE

C:\WINDOWS\SYSTEM\LEXBCES.EXE

C:\WINDOWS\SYSTEM\RPCSS.EXE

E:\PROGRAM FILES\OFFICE\OFFICE\FINDFAST.EXE

F:\COMPUSERVE\DOWNLOAD\HIJACKTHIS\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\PROGRAM FILES\ADOBE\ACROBAT READER\READER\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: (no name) - {08351226-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE026.DLL

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {247B5394-DB9B-462F-B9D1-B44A431BCB49} - C:\WINDOWS\SYSTEM\LPOLF.DLL (file missing)

O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [LexStart] Lexstart.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~2\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [Microsoft WebServer] C:\Program Files\WebSvr\System\svctrl /init

O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~2\SNDMON.EXE

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [Microsoft WebServer] C:\Program Files\WebSvr\System\inetsw95 -w3svc

O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe

O4 - HKLM\..\RunServices: [symTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"

O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - Startup: Quicken Scheduled Updates.lnk = E:\Program Files\QuickenW\bagent.exe

O4 - Startup: Quicken Startup.lnk = E:\Program Files\QuickenW\QWDLLS.EXE

O4 - Startup: Microsoft Find Fast.lnk = E:\Program Files\OFFICE\Office\FINDFAST.EXE

O4 - Startup: Billminder.lnk = E:\Program Files\QuickenW\billmind.exe

O8 - Extra context menu item: Download with Go!Zilla - file://E:\PROGRAM FILES\GO!ZILLA\download-with-gozilla.html

O8 - Extra context menu item: &Download with &DAP - E:\PROGRA~1\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - E:\PROGRA~1\DAP\dapextie2.htm

O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsearch.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsimilar.html

O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmbacklinks.html

O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmtrans.html

O9 - Extra button: SideStep (HKLM)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\NPQTPL~1.DLL

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7888.7340162037

O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Template...nloads/outc.cab

O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} (SideStep IE Inst) - http://download.sidestep.com/get/k00719/sb026.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab

O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab

O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/crack.CAB

O16 - DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} (InforbitHelper Class) - http://download.infotriever.com/bin/ifhelper.cab


That won't happen next time.

 

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'Fix checked':

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {247B5394-DB9B-462F-B9D1-B44A431BCB49} - C:\WINDOWS\SYSTEM\LPOLF.DLL (file missing)

O2 - BHO: (no name) - {08351226-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE026.DLL

O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)

O9 - Extra button: SideStep (HKLM)

O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} (SideStep IE Inst) - http://download.sidestep.com/get/k00719/sb026.cab

O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/crack.CAB

 

Reboot when done, rescan with HJT and post a new log here for a final check over.

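The by-eye triage of the HijackThis logs in this thread can be sketched as code. This is an added example, not part of the original posts or of HijackThis; the heuristics and function names are assumptions, and the sample lines are excerpts from the 6/7/04 and 6/16/04 logs above. It only surfaces candidates for review and does not reproduce the full fix list given in the post above.

```python
import re

# Excerpts from the two HijackThis logs posted in this thread.
SCAN_1 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\PFB.DLL/sp.html (obfuscated)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: (no name) - {20CA34FC-A40A-44FF-B24C-9042D1ADAF6E} - C:\WINDOWS\SYSTEM\PFB.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
"""
SCAN_2 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {247B5394-DB9B-462F-B9D1-B44A431BCB49} - C:\WINDOWS\SYSTEM\LPOLF.DLL (file missing)
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
"""

ENTRY = re.compile(r"^([RO]\d+) - (.*)$")
BHO = re.compile(
    r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*?)(?: \((?:file missing|no file)\))?$")
SYSTEM_DLL = re.compile(r"^c:\\windows\\system\\[^\\]+\.dll$", re.I)


def parse(log):
    """Return (code, body) pairs for R*/O* lines; headers and process lists are skipped."""
    matches = (ENTRY.match(line.strip()) for line in log.splitlines())
    return [m.groups() for m in matches if m]


def reasons(code, body):
    """Heuristic (assumed) reasons an entry deserves a manual look."""
    out, low = [], body.lower()
    if code in ("R0", "R1"):
        if "(obfuscated)" in low:
            out.append("obfuscated value")
        if re.search(r"= res://.*\.dll/", low):
            out.append("search page served from a DLL resource")
        if re.search(r"= file://.*\\temp\\", low):
            out.append("search page is a local file in TEMP")
    if "(no file)" in low or "(file missing)" in low:
        out.append("registered component has no file on disk")
    m = BHO.match(body) if code == "O2" else None
    if m and m.group(1) == "(no name)" and SYSTEM_DLL.match(m.group(3)):
        out.append("unnamed BHO loaded from WINDOWS\\SYSTEM")
    return out


def triage(log):
    """Return [(line, reasons)] for every entry with at least one reason."""
    return [(f"{c} - {b}", r) for c, b in parse(log) if (r := reasons(c, b))]


def bhos(log):
    """Map CLSID -> DLL path for every O2 entry in a scan."""
    found = {}
    for code, body in parse(log):
        m = BHO.match(body) if code == "O2" else None
        if m:
            found[m.group(2).upper()] = m.group(3)
    return found


def new_bhos(before, after):
    """BHOs present in the later scan but absent from the earlier one."""
    old = bhos(before)
    return {c: p for c, p in bhos(after).items() if c not in old}


if __name__ == "__main__":
    for label, scan in (("6/7/04", SCAN_1), ("6/16/04", SCAN_2)):
        print(f"--- scan of {label}")
        for line, why in triage(scan):
            print(f"{line}\n    -> {'; '.join(why)}")
    print("--- BHOs that appeared between scans")
    for clsid, path in new_bhos(SCAN_1, SCAN_2).items():
        print(clsid, path)
```

Comparing scans matters here because the unnamed BHO in WINDOWS\SYSTEM shows up under a different file name and CLSID in the later log, so matching on a single DLL name would miss it.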

Below is latest HijackThis file after performing delete operations.

 

Logfile of HijackThis v1.97.7

Scan saved at 7:05:55 PM, on 6/17/04

Platform: Windows 98 Gold (Win9x 4.10.1998)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\WEBSVR\SYSTEM\INETSW95.EXE

C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE

C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCREGVFY.EXE

E:\PROGRAM FILES\OFFICE\OFFICE\FINDFAST.EXE

C:\WINDOWS\SYSTEM\LEXBCES.EXE

C:\WINDOWS\SYSTEM\RPCSS.EXE

F:\COMPUSERVE\DOWNLOAD\HIJACKTHIS\HIJACKTHIS.EXE

 

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\PROGRAM FILES\ADOBE\ACROBAT READER\READER\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [LexStart] Lexstart.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~2\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [Microsoft WebServer] C:\Program Files\WebSvr\System\svctrl /init

O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~2\SNDMON.EXE

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [Microsoft WebServer] C:\Program Files\WebSvr\System\inetsw95 -w3svc

O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe

O4 - HKLM\..\RunServices: [symTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"

O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - Startup: Quicken Scheduled Updates.lnk = E:\Program Files\QuickenW\bagent.exe

O4 - Startup: Quicken Startup.lnk = E:\Program Files\QuickenW\QWDLLS.EXE

O4 - Startup: Microsoft Find Fast.lnk = E:\Program Files\OFFICE\Office\FINDFAST.EXE

O4 - Startup: Billminder.lnk = E:\Program Files\QuickenW\billmind.exe

O8 - Extra context menu item: Download with Go!Zilla - file://E:\PROGRAM FILES\GO!ZILLA\download-with-gozilla.html

O8 - Extra context menu item: &Download with &DAP - E:\PROGRA~1\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - E:\PROGRA~1\DAP\dapextie2.htm

O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsearch.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsimilar.html

O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmbacklinks.html

O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmtrans.html

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\NPQTPL~1.DLL

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7888.7340162037

O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Template...nloads/outc.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potd_x.cab

O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab

O16 - DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} (InforbitHelper Class) - http://download.infotriever.com/bin/ifhelper.cab

 

Thank you.

H.D. Hecker


All programs now seem to be running. Thank you very much for your assistance. A contribution to maintain your website, by mail, will be forthcoming.

 

H.D. Hecker


You're welcome - glad to help :D and thanks for your support.

 

As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.
