Looks like my IE has been hijacked, could use some help

TEHM
Junior Member with 12 posts.
Join Date: Aug 2001
Location: New Jersey
14-Jul-2003, 04:16 AM #1
Looks like my IE has been hijacked, could use some help
Hello;

Looks like my Internet Explorer has been hijacked, could use some help getting rid of the stuff. That's what I get for letting someone else use my computer.

Here is the scan from HijackThis:

Logfile of HijackThis v1.95.0
Scan saved at 12:12:37 AM, on 5/13/03
Platform: Windows 95 B (Win9x 4.00.1212)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\MSINPUT\MOUSE\POINT32.EXE
C:\WINDOWS\RunDLL.EXE
C:\PROGRAM FILES\DIAMOND\INCONTROL TOOLS 95\DMHKEY.EXE
C:\PROGRAM FILES\AWORKS\SOLOTRAY.EXE
C:\TOOLS_95\IMGICON.EXE
C:\TOOLS_95\IOWATCH.EXE
C:\WINDOWS\RUNDLL16.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\tapiexe.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://sharempeg.com/find/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.lycos.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.sureseeker.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://sharempeg.com/find/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=
F0 - system.ini: Shell=Explorer.exe rundll16.exe
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFA4} - C:\WINDOWS\TEMP\DBLC.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SystemAgent] C:\WINDOWS\SYSTEM\SAGE.EXE
O4 - HKLM\..\Run: [POINTER] C:\MSINPUT\MOUSE\point32.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: InControl Desktop Manager.lnk = C:\Program Files\Diamond\InControl Tools 95\DMHKEY.EXE
O4 - Startup: Mixer Taskbar Icon.lnk = C:\Program Files\AWORKS\SOLOTRAY.EXE
O4 - Startup: Zip Disk Icons.lnk = C:\TOOLS_95\IMGICON.EXE
O4 - Startup: Iomega Startup Options.lnk = C:\TOOLS_95\IMGSTART.EXE
O4 - Startup: Iomega Watch.lnk = C:\TOOLS_95\IOWATCH.EXE
O4 - Startup: EZ-S.M.A.R.T..lnk = C:\Program Files\EZSMART\EZSMART.exe
O4 - Startup: EZ-S.M.A.R.T.lnk = C:\Program Files\NetMeeting\CB32.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .mov: C:\Progra~1\Netscape\Navigator\Program\PLUGINS\NPQTW32.DLL
O12 - Plugin for .wav: C:\Progra~1\Netscape\Navigator\Program\PLUGINS\NPAUDIO.DLL
O12 - Plugin for .avi: C:\Progra~1\Netscape\Navigator\Program\PLUGINS\npavi32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
tpb
Senior Member with 573 posts.
Join Date: Feb 2001
Location: U.S.A.
14-Jul-2003, 05:05 AM #2
First, as a precaution go here and download Exefix08.com.
http://home.earthlink.net/~rmbox/Ret...d/Only_IE.html

Run HT again and check the following items. Double-check so as to be sure not to miss one.
Next, close all browser windows, and have HT fix all checked.

You NEED to restart your computer when you're done.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.sureseeker.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://sharempeg.com/find/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=
F0 - system.ini: Shell=Explorer.exe rundll16.exe

All O1 - Hosts:

O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFA4} - C:\WINDOWS\TEMP\DBLC.DLL

After rebooting delete rundll16.exe. If you have any problems running .exe's run Exefix08.com. If not, just delete Exefix08.com.
TEHM
Junior Member with 12 posts.
Join Date: Aug 2001
Location: New Jersey
14-Jul-2003, 03:24 PM #3
TPB, Here's my new scan
TPB, thank you for your help!

Here is my "new" scan w/HijackThis. It looks like I still need to delete rundll16.exe. Is that right?

Logfile of HijackThis v1.95.0
Scan saved at 3:09:56 PM, on 5/14/03
Platform: Windows 95 B (Win9x 4.00.1212)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\MSINPUT\MOUSE\POINT32.EXE
C:\WINDOWS\RunDLL.EXE
C:\PROGRAM FILES\DIAMOND\INCONTROL TOOLS 95\DMHKEY.EXE
C:\PROGRAM FILES\AWORKS\SOLOTRAY.EXE
C:\TOOLS_95\IMGICON.EXE
C:\TOOLS_95\IOWATCH.EXE
C:\WINDOWS\RUNDLL16.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SystemAgent] C:\WINDOWS\SYSTEM\SAGE.EXE
O4 - HKLM\..\Run: [POINTER] C:\MSINPUT\MOUSE\point32.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: InControl Desktop Manager.lnk = C:\Program Files\Diamond\InControl Tools 95\DMHKEY.EXE
O4 - Startup: Mixer Taskbar Icon.lnk = C:\Program Files\AWORKS\SOLOTRAY.EXE
O4 - Startup: Zip Disk Icons.lnk = C:\TOOLS_95\IMGICON.EXE
O4 - Startup: Iomega Startup Options.lnk = C:\TOOLS_95\IMGSTART.EXE
O4 - Startup: Iomega Watch.lnk = C:\TOOLS_95\IOWATCH.EXE
O4 - Startup: EZ-S.M.A.R.T..lnk = C:\Program Files\EZSMART\EZSMART.exe
O4 - Startup: EZ-S.M.A.R.T.lnk = C:\Program Files\NetMeeting\CB32.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .mov: C:\Progra~1\Netscape\Navigator\Program\PLUGINS\NPQTW32.DLL
O12 - Plugin for .wav: C:\Progra~1\Netscape\Navigator\Program\PLUGINS\NPAUDIO.DLL
O12 - Plugin for .avi: C:\Progra~1\Netscape\Navigator\Program\PLUGINS\npavi32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

Again, thank you very much for your help. The next thing I need to do is figure out how to find "winsock2" in order to use "spybot". Spybot says that is what I need to run the software.

TEHM
TEHM
Junior Member with 12 posts.
Join Date: Aug 2001
Location: New Jersey
14-Jul-2003, 03:29 PM #4
TPB, Back again
TPB

At least now I am able to look things up on "google", whereas before I couldn't. I couldn't download anything from the net. My computer seems to be running much better now.

Thanks again;

TEHM
Flrman1
Distinguished Member with 46,429 posts.
Join Date: Jul 2002
Location: Thomasville NC
Experience: 100% Geek
14-Jul-2003, 03:56 PM #5
Yes, you still need to delete the rundll16.exe folder.
Flrman1
Distinguished Member with 46,429 posts.
Join Date: Jul 2002
Location: Thomasville NC
Experience: 100% Geek
14-Jul-2003, 03:59 PM #6
Look here http://www.microsoft.com/windows95/d...s2/Default.asp concerning the winsock2 error.
TEHM
Junior Member with 12 posts.
Join Date: Aug 2001
Location: New Jersey
14-Jul-2003, 11:27 PM #7
Flrman1
Hello Flrman1;

Just want to ask what is rundll16.exe? When I search files and folders it listed that plus about 10 other folders. The last one said that if I needed to reload IE 5.5 I would need that folder unless I deleted it, in which I would need to download it again from MS.

Just asking!

TEHM
tpb
Senior Member with 573 posts.
Join Date: Feb 2001
Location: U.S.A.
15-Jul-2003, 05:08 AM #8
Rundll16.exe is a virus. It is still listed as a running process. Did you reboot after fixing with HT?
TEHM
Junior Member with 12 posts.
Join Date: Aug 2001
Location: New Jersey
15-Jul-2003, 11:29 PM #9
TPB and Flrman1
Hey guys;

I went back over the thread posted to see what I missed, and I missed one or two things. So I ran another HJT scan and looked at what was there. Then I went into C:\windows and deleted rundll16.exe. Plus I ran the EXEfix08 just to be safe. Things seem to be running fine now. The only thing I don't seem to be sure of is doing the update on winsock2. It's damn confusing! But anyway, here is the "new" scan. If I get brave enough to do the winsock2 update I'll come back to see if you guys can help me.

Logfile of HijackThis v1.95.0
Scan saved at 11:24:17 PM, on 7/15/03
Platform: Windows 95 B (Win9x 4.00.1212)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\MSINPUT\MOUSE\POINT32.EXE
C:\WINDOWS\RunDLL.EXE
C:\PROGRAM FILES\DIAMOND\INCONTROL TOOLS 95\DMHKEY.EXE
C:\PROGRAM FILES\AWORKS\SOLOTRAY.EXE
C:\TOOLS_95\IMGICON.EXE
C:\TOOLS_95\IOWATCH.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.lycos.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SystemAgent] C:\WINDOWS\SYSTEM\SAGE.EXE
O4 - HKLM\..\Run: [POINTER] C:\MSINPUT\MOUSE\point32.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: InControl Desktop Manager.lnk = C:\Program Files\Diamond\InControl Tools 95\DMHKEY.EXE
O4 - Startup: Mixer Taskbar Icon.lnk = C:\Program Files\AWORKS\SOLOTRAY.EXE
O4 - Startup: Zip Disk Icons.lnk = C:\TOOLS_95\IMGICON.EXE
O4 - Startup: Iomega Startup Options.lnk = C:\TOOLS_95\IMGSTART.EXE
O4 - Startup: Iomega Watch.lnk = C:\TOOLS_95\IOWATCH.EXE
O4 - Startup: EZ-S.M.A.R.T..lnk = C:\Program Files\EZSMART\EZSMART.exe
O4 - Startup: EZ-S.M.A.R.T.lnk = C:\Program Files\NetMeeting\CB32.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .mov: C:\Progra~1\Netscape\Navigator\Program\PLUGINS\NPQTW32.DLL
O12 - Plugin for .wav: C:\Progra~1\Netscape\Navigator\Program\PLUGINS\NPAUDIO.DLL
O12 - Plugin for .avi: C:\Progra~1\Netscape\Navigator\Program\PLUGINS\npavi32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab


Thanks so very much you guys for the help and getting me running right.

TEHM
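
The two checks made by hand in this thread can be scripted. The following is an added example, not part of any post and not HijackThis's own code: it flags the main entry types selected for fixing above (R1 search redirects, O1 Hosts entries, an F0 `Shell=` line with a program after Explorer.exe, an O2 BHO loaded from TEMP), then compares a post-fix scan to see whether the program added to the shell line is still a running process. The sample scans, function names and triage rules are constructed for illustration.

```python
import re
# Constructed sample scans (placeholder domains, documentation IP, made-up CLSID);
# they mimic the HijackThis v1.95 layout seen in the thread, not its data.
BEFORE = r"""Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL16.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://search.example.invalid/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.example.com/
F0 - system.ini: Shell=Explorer.exe rundll16.exe
O1 - Hosts: 192.0.2.10 a.example.invalid
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\TEMP\SAMPLE.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
"""
AFTER = r"""Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL16.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.example.com/
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # e.g. "R1 - ...", "O16 - ..."

def parse(log):
    """Split a log into running-process basenames and (code, text) entries."""
    procs, entries = set(), []
    for line in map(str.strip, log.splitlines()):
        m = ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif not entries and re.match(r"[A-Za-z]:\\", line):
            procs.add(line.rsplit("\\", 1)[-1].lower())  # path before first entry
    return procs, entries

def shell_extras(text):
    """Programs appended after Explorer.exe on an F0 'Shell=' line."""
    m = re.search(r"Shell=(.*)", text, re.I)
    return [p.lower() for p in m.group(1).split()[1:]] if m else []

def flagged(code, text):
    """Triage heuristics mirroring the items picked for fixing in this thread."""
    return (code in ("R1", "O1")
            or (code == "F0" and bool(shell_extras(text)))
            or (code == "O2" and "\\temp\\" in text.lower()))

def verify(before, after):
    """Return (entries still flagged after the fix, shell extras still running)."""
    _, old = parse(before)
    procs, new = parse(after)
    extras = {p for c, t in old if c == "F0" for p in shell_extras(t)}
    return [e for e in new if flagged(*e)], sorted(extras & procs)
```

An empty first list with a non-empty second list is the state of the second scan in this thread: the entries are gone but the file is still loaded, so a reboot and file deletion are still pending.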