HijackThis log. Internet Explorer and Notepad not working.

Tomas · 11-14-2004, 05:44 AM

Hi,

If anyone would take the time to help me with this I would be greatful forever!

Windows 98, IE 6. Something bad has entered my computer and always shows worldtracker.biz in my internet browser no matter what URL I try to open. My Notepad.exe has been replaced. I have scanned for viruses with McAfee but this didn't help.

I restarted in safe mode and run Hijack This. This is the log:

Logfile of HijackThis v1.97.7
Scan saved at 13:55:08, on 2004-11-14
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gota.parbricole.se/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] C:\WINDOWS\IAU.EXE
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] C:\WINDOWS\IAU.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Certificate Mover.lnk = C:\Program Files\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O12 - Plugin for .exe: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: LEGO Stormrunner - http://mindstorms.lego.com/stormrunn...unner1-1-0.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...108.6290856482
O16 - DPF: {A42889C5-62E1-419A-90C2-C9E958D69990} (Genline Family Finder Component) - http://www.genline.se/GFFControl.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = AndreassonsVideo
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 212.181.52.2,212.181.52.3,212.181.54.2

As a clue, I know the following:

O4 - Startup: Certificate Mover.lnk = C:\Program Files\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
This stuff is from my internet bank.

O16 - DPF: {A42889C5-62E1-419A-90C2-C9E958D69990} (Genline Family Finder Component) - http://www.genline.se/GFFControl.cab
This is my genealogy account.

As I said, I will be very greatful if I get help with this!

Thanks in advance!

Best regards,
Tomas

**Horse** · 11-14-2004, 06:06 AM

Hello and welcome to TSF

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

I see that you are using an outdated version of Hijack This. Please download and install the latest version by going to this Site
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] C:\WINDOWS\IAU.EXE
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] C:\WINDOWS\IAU.EXE

Please remember to close all other windows, including browsers then click Fix checked.

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Reboot into Safe Mode (by tapping the F8 key until the menu appears). Delete the following File indicated in RED if it still exists.

C:\WINDOWS\IAU.EXE

Reboot your System in normal mode.

Run an online scan at Trend Micro or RAV Antivirus.
Please select the “autoclean” option when using Trend Micro.

Please post a fresh Hijack This log so that we can check if your system is clean.

CTSNKY · 11-14-2004, 06:08 AM

Here's a backup copy of Notepad to extract and put in your C:\Windows folder.

Tomas · 11-14-2004, 08:34 AM

Thanks!

First:
CTSNKY,
Notepad.exe didn't work. I get the error message "The NOTEPAD.EXE file is linked to missing export COMDLG32.DLL:PrintDlgExW. I'm using Windows 98 if that's a clue.

Second:
Horse,
I've followed your excellent instructions all the way down to "Run an online scan at Trend Micro or RAV Antivirus."
My internet explorer doesn't work at all now. It can't open anything. (I'm writing this on another computer.)

Here's a new Hijack This log:
Logfile of HijackThis v1.98.2
Scan saved at 17:18:41, on 2004-11-14
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\SMARTTRUST\SMARTTRUST PERSONAL\CSP\SMARTCERTMOVER.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\DOWNLOAD\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gota.parbricole.se/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Certificate Mover.lnk = C:\Program Files\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL
O12 - Plugin for .exe: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: LEGO Stormrunner - http://mindstorms.lego.com/stormrunn...unner1-1-0.cab
O16 - DPF: {A42889C5-62E1-419A-90C2-C9E958D69990} (Genline Family Finder Component) - http://www.genline.se/GFFControl.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = AndreassonsVideo
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 212.181.52.2,212.181.52.3,212.181.54.2

How about these lines:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

I don't think I use any proxy server?

Best regards,
Tomas

CTSNKY · 11-14-2004, 08:47 AM

Hi Tomas,

You can the replacement DLL for the one that's missing here. Unzip and put it into your C:\Windows\System32 folder.

Back to the log....

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = local
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Reboot into Normal Mode and post a new HijackThis log file so we can make sure it's clean.

If your connectivity problems persist, also download WinsockFix and unzip it. Then double-click on it to run it.

Tomas · 11-14-2004, 11:43 AM

My Internet Explorer seems to work fine now. I had to reset the start page but after that everything looks as it used to. (I'm writing this from the "bad" computer!

)

The notepad issue: I haven't replaced the dll yet. All my dll:s seems to be in the System catalog, not the System32 and comdlg32.dll is there.

Here's the latest Hijack This log:
Logfile of HijackThis v1.98.2
Scan saved at 19:24:14, on 2004-11-14
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\SMARTTRUST\SMARTTRUST PERSONAL\CSP\SMARTCERTMOVER.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\DOWNLOAD\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gota.parbricole.se/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Certificate Mover.lnk = C:\Program Files\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL
O12 - Plugin for .exe: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: LEGO Stormrunner - http://mindstorms.lego.com/stormrunn...unner1-1-0.cab
O16 - DPF: {A42889C5-62E1-419A-90C2-C9E958D69990} (Genline Family Finder Component) - http://www.genline.se/GFFControl.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = AndreassonsVideo
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 212.181.52.2,212.181.52.3,212.181.54.2

Thanks!!!
Tomas

CTSNKY · 11-14-2004, 12:42 PM

Glad to hear it's "cured". Post a new thread in the WinME forum, if you want more help with Notepad.

Your log is indeed clean. To help prevent future spyware installations/infections, please read the Anti-Spyware Section and use the tools provided.

11-14-2004, 05:44 AM	#1 (permalink)
Tomas Registered User Join Date: Nov 2004 Posts: 27 OS: Win98/Me/XP	HijackThis log. Internet Explorer and Notepad not working. Hi, If anyone would take the time to help me with this I would be greatful forever! Windows 98, IE 6. Something bad has entered my computer and always shows worldtracker.biz in my internet browser no matter what URL I try to open. My Notepad.exe has been replaced. I have scanned for viruses with McAfee but this didn't help. I restarted in safe mode and run Hijack This. This is the log: Logfile of HijackThis v1.97.7 Scan saved at 13:55:08, on 2004-11-14 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\EXPLORER.EXE C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gota.parbricole.se/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] C:\WINDOWS\IAU.EXE O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] C:\WINDOWS\IAU.EXE O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Startup: Certificate Mover.lnk = C:\Program Files\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O9 - Extra button: Create Mobile Favorite (HKLM) O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM) O12 - Plugin for .exe: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab O16 - DPF: LEGO Stormrunner - http://mindstorms.lego.com/stormrunn...unner1-1-0.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...108.6290856482 O16 - DPF: {A42889C5-62E1-419A-90C2-C9E958D69990} (Genline Family Finder Component) - http://www.genline.se/GFFControl.cab O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = AndreassonsVideo O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 212.181.52.2,212.181.52.3,212.181.54.2 As a clue, I know the following: O4 - Startup: Certificate Mover.lnk = C:\Program Files\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe This stuff is from my internet bank. O16 - DPF: {A42889C5-62E1-419A-90C2-C9E958D69990} (Genline Family Finder Component) - http://www.genline.se/GFFControl.cab This is my genealogy account. As I said, I will be very greatful if I get help with this! Thanks in advance! Best regards, Tomas

11-14-2004, 06:06 AM	#2 (permalink)
Horse General Manager (Administrator) Join Date: Oct 2003 Location: Durban South Africa Posts: 4,127 OS: WIN XP PRO My System Blog Entries: 1	Hello and welcome to TSF Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. I see that you are using an outdated version of Hijack This. Please download and install the latest version by going to this Site Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any) O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] C:\WINDOWS\IAU.EXE O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] C:\WINDOWS\IAU.EXE *Please remember to close all other windows, including browsers then click Fix checked.* Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option. Reboot into Safe Mode (by tapping the F8 key until the menu appears). Delete the following File indicated in RED if it still exists. C:\WINDOWS\IAU.EXE Reboot your System in normal mode. Run an online scan at Trend Micro or RAV Antivirus. Please select the “autoclean” option when using Trend Micro. Please post a fresh Hijack This log so that we can check if your system is clean. __________________ Please Read The 5 Step Process Before You post A Log Hijack This v2.02 :: Adaware SE :: Spybot Search & Destroy :: SpywareBlaster :: CWShredder To Donate :: Please Click Here :: PROUD MEMBER OF ASAP SINCE NOVEMBER 2004

11-14-2004, 08:47 AM	#5 (permalink)
CTSNKY Knower of all that is MS Join Date: Aug 2004 Posts: 10,755 OS: (multiple machines) 95, 98, 2K & XP Home & Pro	Hi Tomas, You can the replacement DLL for the one that's missing here. Unzip and put it into your C:\Windows\System32 folder. Back to the log.... Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = 127.0.0.1:8080 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = local O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm Reboot into Normal Mode and post a new HijackThis log file so we can make sure it's clean. If your connectivity problems persist, also download WinsockFix and unzip it. Then double-click on it to run it. __________________ GO BIG BLUE!!

11-14-2004, 12:42 PM	#7 (permalink)
CTSNKY Knower of all that is MS Join Date: Aug 2004 Posts: 10,755 OS: (multiple machines) 95, 98, 2K & XP Home & Pro	Glad to hear it's "cured". Post a new thread in the WinME forum, if you want more help with Notepad. Your log is indeed clean. To help prevent future spyware installations/infections, please read the Anti-Spyware Section and use the tools provided. __________________ GO BIG BLUE!!

11-14-2004, 08:34 AM	#4 (permalink)
Tomas Registered User Join Date: Nov 2004 Posts: 27 OS: Win98/Me/XP	Thanks! First: CTSNKY, Notepad.exe didn't work. I get the error message "The NOTEPAD.EXE file is linked to missing export COMDLG32.DLL:PrintDlgExW. I'm using Windows 98 if that's a clue. Second: Horse, I've followed your excellent instructions all the way down to "Run an online scan at Trend Micro or RAV Antivirus." My internet explorer doesn't work at all now. It can't open anything. (I'm writing this on another computer.) Here's a new Hijack This log: Logfile of HijackThis v1.98.2 Scan saved at 17:18:41, on 2004-11-14 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\QTTASK.EXE C:\PROGRAM FILES\SMARTTRUST\SMARTTRUST PERSONAL\CSP\SMARTCERTMOVER.EXE C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE C:\DOWNLOAD\HIJACKTHIS.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gota.parbricole.se/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Startup: Certificate Mover.lnk = C:\Program Files\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL O12 - Plugin for .exe: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll O16 - DPF: LEGO Stormrunner - http://mindstorms.lego.com/stormrunn...unner1-1-0.cab O16 - DPF: {A42889C5-62E1-419A-90C2-C9E958D69990} (Genline Family Finder Component) - http://www.genline.se/GFFControl.cab O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = AndreassonsVideo O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 212.181.52.2,212.181.52.3,212.181.54.2 How about these lines: R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local I don't think I use any proxy server? Best regards, Tomas

11-14-2004, 11:43 AM	#6 (permalink)
Tomas Registered User Join Date: Nov 2004 Posts: 27 OS: Win98/Me/XP	My Internet Explorer seems to work fine now. I had to reset the start page but after that everything looks as it used to. (I'm writing this from the "bad" computer! ) The notepad issue: I haven't replaced the dll yet. All my dll:s seems to be in the System catalog, not the System32 and comdlg32.dll is there. Here's the latest Hijack This log: Logfile of HijackThis v1.98.2 Scan saved at 19:24:14, on 2004-11-14 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE C:\WINDOWS\EXPLORER.EXE C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE C:\WINDOWS\SYSTEM\QTTASK.EXE C:\PROGRAM FILES\SMARTTRUST\SMARTTRUST PERSONAL\CSP\SMARTCERTMOVER.EXE C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\DOWNLOAD\HIJACKTHIS.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gota.parbricole.se/ O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Startup: Certificate Mover.lnk = C:\Program Files\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL O12 - Plugin for .exe: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll O16 - DPF: LEGO Stormrunner - http://mindstorms.lego.com/stormrunn...unner1-1-0.cab O16 - DPF: {A42889C5-62E1-419A-90C2-C9E958D69990} (Genline Family Finder Component) - http://www.genline.se/GFFControl.cab O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = AndreassonsVideo O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 212.181.52.2,212.181.52.3,212.181.54.2 Thanks!!! Tomas