09-19-2004, 05:58 PM   #1 (permalink)
Registered User
Join Date: Sep 2004
Location: nyc
Posts: 4
OS: win98

I'm asking again nicely-PLEASE

--------------------------------------------------------------------------------

I don't know if this is proper, but no one replied, so I'm submitting again.

Windows 98 - seems like my browser was hijacked. Home page was changed to "on-search.com". But I don't have internet access anymore. DSL is working fine on other computer. I ran Ad-aware, CWShredder, anti-virus software - items were found, but still no access. Bazooka couldn't access internet to complete the job. I've spent hours in the registry deleting lines. I uninstalled IE6 and tools, IE5, reinstalled Win98 twice, still no access. I loaded AOL and got some entertainment pages, but when I tried to get on the web, I couldn't. The message mentioned Internet Explorer as a reason for no access. I tried to install Netscape, but it told me I have no access. Verizon's software seems ok - they told me nothing's wrong. As I mentioned earlier, their DSL modem works on my other system. Could there be a hardware problem? I've changed/reset my homepage so many times and it never takes. HijackThis hasn't made any difference so far. Any suggestions welcome. Thanks

Logfile of HijackThis v1.97.7
Scan saved at 2:31:03 PM, on 9/18/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v4.72 SP1 (4.72.3110.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\INETM\SERVICES.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MATROX MGA POWERDESK\COLOR\HGCCTL95.EXE
C:\ACS495\MIXGHOST.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\NZIGND.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\HPLAMPC.EXE
C:\AMERICA ONLINE 4.0\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://on-search.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.47:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\TV MEDIA\TVMBHO.DLL
F1 - win.ini: run=C:\WINDOWS\INETM\SERVICES.EXE
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inetm\1.01.05.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Colorific Control Panel] C:\Program Files\Matrox MGA PowerDesk\Color\hgcctl95.exe
O4 - HKLM\..\Run: [Mixghost] C:\ACS495\MixGhost.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [NVQuickTweak] RUNDLL32.EXE NVQTWK.DLL,NvTaskbarInit
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [a-winpoet-service] "c:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [pbviyiach] C:\WINDOWS\SYSTEM\nzignd.exe
O4 - HKLM\..\Run: [TV Media] C:\TV MEDIA\Tvm.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INETM\SERVICES.EXE
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [5-2-145-6] c:\program files\Webdialer\5-2-145-6.exe -m
O4 - HKCU\..\Run: [TV Media] C:\TV MEDIA\Tvm.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\INETM\SERVICES.EXE
O4 - Startup: America Online Tray Icon.lnk = C:\America Online 4.0\aoltray.exe
O4 - Global Startup: Verizon Online Dialer.lnk = C:\Program Files\Verizon Online\WinPoET\Verizon Online.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system\lsp.dll' missing
O11 - Options group: [TB] Toolbar
O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp
O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
Posted by: lovey

09-19-2004, 07:06 PM   #2 (permalink)
Cymru am byth
Join Date: Oct 2003
Location: Oregon
Posts: 5,377
OS: Windows XP Pro SP2

I think I see the culprit.

I'm sorry no one got to your post earlier. Please do not start another thread, as this forum is already bustling to the max, and you will get better help. Just post a message like "Bump" or "Putting this back to the top" in your thread. Please read the stickies at the top.

And now for the fixing...

I know you've run Ad-aware, but I don't know if you used these instructions:
Quote:
Download Adaware SE

Install the program and launch it.

Firstly, in the main window, look toward the bottom right corner and click on Check for updates now and download the latest reference files.

Now, we need to configure Ad-aware for a full scan.

Click on the Gear icon (second from the left at the top) to access the preferences/settings window

In the General window make sure the following are selected:

> Automatically save log-file
> Automatically quarantine objects prior to removal
> Safe Mode (always request confirmation)

Click on the Scanning button on the left and select:

> Scan Within Archives
> Scan Active Processes
> Scan Registry
> Deep Scan Registry
> Scan my IE favorites for banned URL’s
> Scan my Hosts file
> Under Click here to select drives + folders, choose:
> The hard drive(s) you want scanned

Click on the Advanced button on the left and select:

> Include additional process information
> Include additional file information
> Include environment information

Click the Tweak button and select:

Under the Scanning Engine:

> Unload recognized processes & modules during scan
> Include additional Ad-aware settings in logfile

Under the Cleaning Engine:

> Let Windows remove files in use at next reboot

Click on Proceed to save the settings.

Click Start and on the next screen choose Use Custom Scanning Options

Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

When finished, mark everything for removal. (Right-click the window and choose Select All from the drop down menu and click Next).

Reboot your computer.
Then download LSPFix
Run it, and press Finish. That should restore your internet access, I hope.

Then download HJT 1.8.x from my signature, as yours is out of date, and post a new log.
__________________

Living with Louie dog's the only way to stay sane
_____________________________________________

... and with those words so begins my lifetime of longing for the devil's warm embrace
Posted by: DumberDrummer

09-20-2004, 08:12 AM   #3 (permalink)
Registered User
Join Date: Sep 2004
Location: nyc
Posts: 4
OS: win98

thanks for help, but still hijacked

Sorry for second thread- I wasn't sure what to do. The ad-aware scan that you instructed ran fine, but showed no bugs. I ran LSPFix and internet access was restored (thank you). Now, I have an On-Search.Com toolbar that I can't get rid of. I tried to get on to techsupportforum.com but IE wants to close as the page is loading. Here is the HijackThis scan. Thanks again for your time and help.

Logfile of HijackThis v1.97.7
Scan saved at 9:41:37 AM, on 9/20/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v4.72 SP1 (4.72.3110.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\INETM\SERVICES.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MATROX MGA POWERDESK\COLOR\HGCCTL95.EXE
C:\ACS495\MIXGHOST.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\NZIGND.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\HPLAMPC.EXE
C:\AMERICA ONLINE 4.0\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\HIJACKTH.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://on-search.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.47:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\TV MEDIA\TVMBHO.DLL
F1 - win.ini: run=C:\WINDOWS\INETM\SERVICES.EXE
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inetm\1.01.05.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Colorific Control Panel] C:\Program Files\Matrox MGA PowerDesk\Color\hgcctl95.exe
O4 - HKLM\..\Run: [Mixghost] C:\ACS495\MixGhost.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [NVQuickTweak] RUNDLL32.EXE NVQTWK.DLL,NvTaskbarInit
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [a-winpoet-service] "c:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [pbviyiach] C:\WINDOWS\SYSTEM\nzignd.exe
O4 - HKLM\..\Run: [TV Media] C:\TV MEDIA\Tvm.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INETM\SERVICES.EXE
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [5-2-145-6] c:\program files\Webdialer\5-2-145-6.exe -m
O4 - HKCU\..\Run: [TV Media] C:\TV MEDIA\Tvm.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\INETM\SERVICES.EXE
O4 - Startup: America Online Tray Icon.lnk = C:\America Online 4.0\aoltray.exe
O4 - Global Startup: Verizon Online Dialer.lnk = C:\Program Files\Verizon Online\WinPoET\Verizon Online.exe
O11 - Options group: [TB] Toolbar
O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp
O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
Posted by: lovey

09-20-2004, 08:31 AM   #4 (permalink)
Analyst, Security Team
Join Date: Jul 2004
Location: New York
Posts: 14,327
OS: Windows 98 & Windows XP Home/Pro

You have an outdated version of HijackThis. Click here to get the latest version of HijackThis.

Make sure to update Windows and Internet Explorer at http://windowsupdate.microsoft.com.

Please print out or copy this page to Notepad. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also.

Reboot into Safe Mode (hit F8 key until menu shows up).

Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):


C:\WINDOWS\INETM\SERVICES.EXE
C:\WINDOWS\SYSTEM\NZIGND.EXE

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

TV Media

Check and fix the following in HijackThis if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://on-search.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\TV MEDIA\TVMBHO.DLL
F1 - win.ini: run=C:\WINDOWS\INETM\SERVICES.EXE
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inetm\1.01.05.dll
O4 - HKLM\..\Run: [pbviyiach] C:\WINDOWS\SYSTEM\nzignd.exe
O4 - HKLM\..\Run: [TV Media] C:\TV MEDIA\Tvm.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INETM\SERVICES.EXE
O4 - HKCU\..\Run: [5-2-145-6] c:\program files\Webdialer\5-2-145-6.exe -m
O4 - HKCU\..\Run: [TV Media] C:\TV MEDIA\Tvm.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\INETM\SERVICES.EXE
O11 - Options group: [TB] Toolbar
O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:


C:\WINDOWS\INETM\SERVICES.EXE
C:\TV MEDIA\
C:\WINDOWS\SYSTEM\nzignd.exe
c:\program files\Webdialer\


Reboot into Normal Mode and post a new HijackThis log file so we can make sure it's clean.

To help prevent future spyware installations/infections, please read the anti-spyware section and use the tools provided.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

Posted by: greyknight17

09-20-2004, 12:10 PM   #5 (permalink)
Registered User
Join Date: Sep 2004
Location: nyc
Posts: 4
OS: win98

My universe is safe once again

Thank you for all your time and help over the past few days. My system is up and running again. I intend to stop using IE and switch to another browser to reduce the chances of being hijacked in the future. Do you have any suggestions?

Again, thanks to all you folks who run this site.
Posted by: lovey

09-20-2004, 12:56 PM   #6 (permalink)
Cymru am byth
Join Date: Oct 2003
Location: Oregon
Posts: 5,377
OS: Windows XP Pro SP2

GK17 provided an excellent link to a spyware prevention site.

As for secure browsers, if you are really sick of IE, I would recommend Firefox or Mozilla, both distributed by Mozilla. The main difference is that Firefox is just a browser, but Mozilla has an HTML editor, an IRC client, a mail client, and a browser.

www.mozilla.org.

Though it has been my experience that usually the browser does not deter spyware from getting on your system as much as just watching what you download and install, and view online.
Posted by: DumberDrummer

09-21-2004, 12:04 PM   #7 (permalink)
Analyst, Security Team
Join Date: Jul 2004
Location: New York
Posts: 14,327
OS: Windows 98 & Windows XP Home/Pro

Make sure to post a new HijackThis log file. We need to verify that it's actually all cleaned up after that fix.
Posted by: greyknight17
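
The two scans in posts #1 and #3 and the request in posts #4 and #7 for a fresh log to confirm the fix can be checked mechanically. The Python below is an added example, not part of the thread or of HijackThis: it parses the section entries, diffs the two scans to show what changed after LSPFix, and checks a follow-up scan against the fix list. The scan excerpts are copied from the posts above; `FOLLOWUP` is a constructed scan (the thread never shows one), and all function names are this example's own.

```python
import re

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # section code, then detail

# Excerpts copied from the 9/18 and 9/20 scans ("Int ernet" wrap artifact kept on purpose).
SCAN_0918 = r"""
C:\WINDOWS\INETM\SERVICES.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://on-search.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = 192.168.1.47:8080
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INETM\SERVICES.EXE
O10 - Broken Internet access because of LSP provider 'c:\windows\system\lsp.dll' missing
"""
SCAN_0920 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://on-search.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.47:8080
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INETM\SERVICES.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
"""
# Two of the entries post #4 asks to fix.
FIX_LIST = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://on-search.com/
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INETM\SERVICES.EXE
"""
# Constructed follow-up scan (not from the thread): one fix-list entry survived.
FOLLOWUP = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.47:8080
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INETM\SERVICES.EXE
"""

def parse_log(text):
    """Map a normalized key to the original line for each section entry."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, running-process path or blank line
        # Ignore case and all whitespace so a forum line-wrap artifact
        # does not make an unchanged entry look different.
        key = (m.group(1), re.sub(r"\s+", "", m.group(2)).casefold())
        entries[key] = line.strip()
    return entries

def diff_scans(before, after):
    """Return (entries gone in the later scan, entries new in it)."""
    b, a = parse_log(before), parse_log(after)
    return [b[k] for k in b if k not in a], [a[k] for k in a if k not in b]

def still_present(fix_list, scan):
    """Entries from the fix list that the scan still reports."""
    wanted, found = parse_log(fix_list), parse_log(scan)
    return [found[k] for k in wanted if k in found]

if __name__ == "__main__":
    gone, new = diff_scans(SCAN_0918, SCAN_0920)
    print("gone since 9/18:", gone)
    print("new on 9/20:", new)
    print("fix-list entries still present:", still_present(FIX_LIST, FOLLOWUP))
```

An empty result from `still_present` only means the listed entries are gone; the remaining lines of the new scan still need to be read for anything the fix list did not cover.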
 

