hijackthislog

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

shaz2004

Thread Starter
Joined
Sep 17, 2004
Messages
8
Background info: Win98 OS, Internet Explorer 6.

Error message on screen: 'This program has performed an illegal operation and will be shut down'. The details are:

'EXPLORER caused an invalid page fault in
module EXPLORER.EXE at 0167:0040dcf7.
Registers:
EAX=00000000 CS=0167 EIP=0040dcf7 EFLGS=00010246
EBX=00000000 SS=016f ESP=0093fe90 EBP=0093feb4
ECX=0093ffbc DS=016f ESI=00000000 FS=3ccf
EDX=0043003c ES=016f EDI=00000000 GS=0000
Bytes at CS:EIP:
8b 38 85 ff 7e 19 56 ff 35 70 50 41 00 ff 15 00
Stack dump:
00000000 00530478 0040dd5f 00000000 00530478 00530478
00000102 0093fec8 6680e03b 0093fef8 0040b5fc 00000344
00435f14 00435450 00000001 50003f2f'

I am still able to open Internet Explorer, but if I choose 'Close' on the error message it closes all opened pages and folders that are open at the time, shuts down the firewall and anti-virus, and the message reappears within seconds. I have run up-to-date antivirus software with nothing found. Tried 'Ctrl-Alt-Del' to end the Explorer program but it won't close. The Windows Start button on the toolbar has also been frozen since about the same time; is this connected? I have downloaded the latest versions of Spybot (53 problems fixed) and Ad-Aware (54 problems fixed) and CWShredder (no problems), and then HijackThis, and the log is below. Any help with the log would be gratefully accepted.



Logfile of HijackThis v1.98.2
Scan saved at 19:47:46, on 16/09/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OUTPOST.EXE
C:\WINDOWS\SYSTEM\R_SERVER.EXE
C:\PROGRAM FILES\AVG\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AVG\AVGCC32.EXE
C:\WINDOWS\SYSTEM\HKCMD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\APPLICATION DATA\BAER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM/left.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Unison
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OUTPOST.EXE /waitservice
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\AVG\avgcc32.exe /startup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [SH] c:\program files\seti\setihide.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [update32] C:\windows\configs.exe
O4 - HKLM\..\Run: [cmd32] C:\configs.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\outpost.exe /service
O4 - HKLM\..\RunServices: [r_server] C:\WINDOWS\SYSTEM\R_SERVER.EXE /service
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\AVG\Avgserv9.exe
O4 - HKLM\..\RunServices: [SH] c:\program files\seti\setihide.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Mtes] C:\WINDOWS\Application Data\baer.exe
O4 - Startup: Office.lnk = C:\Program Files\Office\Office\OSA.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Ulster Bank AnyTime - https://anytime3.ulsterbank.com/asp/AnyTime.cab
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/05beabd85dc...xIE601.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - its:mhtml:file://c:\MAIN.MHT!http://213.159.117.237:4000/buka.chm::/x.exe
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:9000/Java/cfs31229.cab
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://weba.directwebsearch.net/winsearchie32.chm::/winsearchie32.exe
O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - C:\WINDOWS\SYSTEM\MSXWORD.DLL (file missing)
O21 - SSODL: System - {382D1340-BAFD-11D8-ACDD-0080AD00E7B5} - C:\WINDOWS\system32\system32.dll


Paddyirishman!! :)
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi shaz2004- Do you still need help with this problem?

There are some people who could help with this...
Don't know why it was overlooked but I do know things have been awful busy lately!

There is usually a solution for this hijack, which may just solve the Explorer error messages you have. The step by step method must be followed however in one pass, and it may be run from Safe Mode. You cannot open Internet Explorer during the process, and should do it all in one sitting, which may take some time. Plan accordingly, if indeed you still need help...

You will not be able to view the forum thread with directions- you can choose to print them out using the "Thread Tools> Printable Version" button at the top of this page, which will print all the posts in this thread, unless you tell the printer to print only the last page or two...or, you highlight the text of the post with your directions...and print that. Sometimes that will not work from Internet Explorer but you can try it.

One other thing to do, is copy the posting with the directions to a blank Notepad file, name it TSGhelp.txt or something...and place it on the desktop or save it to a floppy disk.
 

shaz2004

Thread Starter
Joined
Sep 17, 2004
Messages
8
Byteman,
Still need help if you have a solution to the problem. No problem with printing a solution.
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, OK, I will be getting some help for you pretty soon, but I do want to make it plain to you that with the error you are seeing, there is a chance that you will end up in a no-boot situation. You may need a startup floppy disk; make one immediately, however you need one that is virus-free. If you have another PC to use to read this thread, hold off on using the bad one as much as possible, OK?


You make a bootdisk by going to Add/Remove Programs> Startup Disk and place a floppy disk in drive A: follow the prompts to make the disk. Better ones are available by download:

www.bootdisk.com

Get the file downloaded to your DESKTOP, not the floppy, and run the file; it will prompt you to put in a disk, etc. Use the download for Win98. You can make the bootdisk on another PC. Write-protect it by pulling the lock tab on the back to the lock position.

The type of hijack you have may need some special attention, I am going to ask someone to have a look at the log, hang on and as soon as they reply get to work!
I would assume you have saved anything important to disk, CD etc....
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,645
Before you proceed with those instructions, please move Hijack This into its own folder in program files or my documents but not in the temporary files or on the desktop, so it can create proper back-ups and restore them if necessary.

Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click “fix checked”.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM/left.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>

O4 - HKLM\..\Run: [SH] c:\program files\seti\setihide.exe

O4 - HKLM\..\Run: [update32] C:\windows\configs.exe

O4 - HKLM\..\Run: [cmd32] C:\configs.exe

O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe

O4 - HKLM\..\RunServices: [SH] c:\program files\seti\setihide.exe

O4 - HKCU\..\Run: [Mtes] C:\WINDOWS\Application Data\baer.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/05beabd85dc...xIE601.cab

O16 - DPF: {10003000-1000-0000-1000-000000000000} - its:mhtml:file://c:\MAIN.MHT!http://213.159.117.237:4000/buka.chm::/x.exe

O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -

O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://weba.directwebsearch.net/win...nsearchie32.exe

O18 - Protocol: start - {53B95211-7D77-11D2-9F81-00104B107C96} - C:\WINDOWS\SYSTEM\MSXWORD.DLL (file missing)

O21 - SSODL: System - {382D1340-BAFD-11D8-ACDD-0080AD00E7B5} - C:\WINDOWS\system32\system32.dll


Then boot to safe mode (see how below), locate and delete these files and/or folders:

c:\program files\seti - folder
C:\windows\configs.exe - file
C:\WINDOWS\realtime.exe - file
C:\WINDOWS\Application Data\baer.exe - file
C:\WINDOWS\SYSTEM\MSXWORD.DLL - file
C:\WINDOWS\system32\system32.dll - file

How to restart to safe mode:
http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

These files may be hidden so please do this:

Open My Computer.
Select the View menu and click Folder Options.
Select the View Tab.
In the Hidden files section select “show all files”
Click OK

Then reboot and post another log please.
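A defender's triage of log entries like the ones marked above, added here as an example (not HijackThis's own code and not something the helper posted): each rule matches one category of entry this thread marks for removal (local res:// or file:// search pages, CHM/mhtml-based DPF installers and DPF entries with no location, text/* MIME filters, SSODL entries, handlers whose DLL is missing), and the watch-list of file names is constructed from this thread's fix list, not a general malware reference.

```python
"""Triage HijackThis log entries for the hijack pattern seen in this thread.

Added example; not HijackThis code. The rules are derived from the entries the
helper marked for removal above, and WATCHLIST is a constructed list of the file
names from that fix list (not a general reference).
"""
import re

ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
LOCAL_RESOURCE = re.compile(r"=\s*(res|file)://", re.IGNORECASE)
CHM_LOADER = re.compile(r"\b(ms-)?its:|mhtml:", re.IGNORECASE)
DPF = re.compile(r"DPF:\s*(.*?)\s+-\s*(.*)$")

# File names from the entries flagged in this thread (constructed watch-list).
WATCHLIST = ("baer.exe", "configs.exe", "gond.dll", "msxword.dll",
             "realtime.exe", "setihide.exe", "system32.dll")


def reasons_for(kind, body):
    """Return the reasons an entry deserves a second look (empty list if none)."""
    reasons = []
    if kind in ("R0", "R1"):
        if LOCAL_RESOURCE.search(body):
            reasons.append("search/start page points at a local res:// or file:// resource")
        if body.endswith("(obfuscated)"):
            reasons.append("HijackThis reports the registry value as obfuscated")
    elif kind == "O2" and body.endswith("(file missing)"):
        reasons.append("BHO is registered but its DLL is gone; a leftover worth removing")
    elif kind == "O16":
        m = DPF.match(body)
        target = m.group(2) if m else ""
        if not target:
            reasons.append("Downloaded Program File with no download location")
        elif CHM_LOADER.search(target):
            reasons.append("DPF loads an executable through a CHM/mhtml container")
    elif kind == "O18":
        if body.startswith("Filter: text/"):
            reasons.append("MIME filter on text/html or text/plain rewrites page content")
        if body.endswith("(file missing)"):
            reasons.append("protocol handler registered but its DLL is gone")
    elif kind == "O21":
        reasons.append("ShellServiceObjectDelayLoad entry; rarely added legitimately")
    lowered = body.lower()
    hits = [name for name in WATCHLIST if name in lowered]
    if hits:
        reasons.append("references watch-listed file(s): " + ", ".join(hits))
    return reasons


def triage(log_text):
    """Return [(line_no, entry, reasons)] for every flagged entry in a HijackThis log."""
    flagged = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header line, process list or blank line
        reasons = reasons_for(m.group(1), m.group(2))
        if reasons:
            flagged.append((line_no, raw.strip(), reasons))
    return flagged


# Sample: a subset of the entries from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\GOND.DLL/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
O2 - BHO: (no name) - {7FB1AA65-0994-11D9-ACDD-0080D656B6C2} - C:\WINDOWS\SYSTEM\GOND.DLL (file missing)
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\AVG\avgcc32.exe /startup
O4 - HKLM\..\Run: [update32] C:\windows\configs.exe
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - its:mhtml:file://c:\MAIN.MHT!http://213.159.117.237:4000/buka.chm::/x.exe
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -
O18 - Filter: text/html - {7FB1AA64-0994-11D9-ACDD-0080B91A1359} - C:\WINDOWS\SYSTEM\GOND.DLL
O21 - SSODL: System - {382D1340-BAFD-11D8-ACDD-0080AD00E7B5} - C:\WINDOWS\system32\system32.dll
"""

if __name__ == "__main__":
    for line_no, entry, reasons in triage(SAMPLE_LOG):
        print(entry)
        for reason in reasons:
            print("    ->", reason)
```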
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,645
This hijack is known to alter the hosts files as well.

Navigate to the C:\Windows\System32\drivers\etc folder. Locate the HOSTS file. Open the HOSTS file in notepad by clicking on it to open it. It will ask you what program you want to use to open it. Tick "Select the program from a list" and click OK. In the menu of programs that opens find and select notepad and click OK. The HOSTS file will open in notepad. Look for a list like this:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com

Delete all those lines leaving only this one:

127.0.0.1 localhost

Now close the file and answer Yes to confirm the changes.
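As an added example (not part of the original post), a script that applies the check above to a HOSTS file: it reports every security-vendor name the file overrides and writes back only the untouched lines, keeping the localhost entry. The vendor list and the sample file are constructed from the domains quoted above and are not a complete reference.

```python
"""Detect and strip HOSTS-file entries that sinkhole security-vendor domains.

Added example for this thread. SECURITY_VENDOR_DOMAINS is a constructed subset of
the domains quoted in the post above; SAMPLE_HOSTS is constructed, not a capture.
"""
import ipaddress

SECURITY_VENDOR_DOMAINS = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "avp.com",
    "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com",
)


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for every non-blank, non-comment line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        yield line_no, fields[0], fields[1:]


def is_vendor_host(name):
    """True if name is one of the vendor domains or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in SECURITY_VENDOR_DOMAINS)


def describe_address(address):
    """Loopback or unspecified addresses sinkhole the name; anything else pins it."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return "unparseable address"
    if addr.is_loopback or addr.is_unspecified:
        return "sinkholed to loopback"
    return "pinned to " + address


def find_hijacked_entries(text):
    """Return (line_no, hostname, verdict) for every vendor domain the file overrides.

    A legitimate HOSTS file has no reason to pin an antivirus vendor's update or
    download hosts at all, so every such mapping is reported, not only 127.0.0.1.
    """
    found = []
    for line_no, address, names in parse_hosts(text):
        for name in names:
            if is_vendor_host(name):
                found.append((line_no, name, describe_address(address)))
    return found


def clean_hosts(text):
    """Return the HOSTS text with flagged lines removed; all other lines kept verbatim."""
    flagged = {line_no for line_no, _, _ in find_hijacked_entries(text)}
    kept = [raw for i, raw in enumerate(text.splitlines(), start=1) if i not in flagged]
    return "\n".join(kept) + "\n"


# Constructed sample modelled on the list quoted in the post (not a real capture).
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1 localhost
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.sophos.com
127.0.0.1 download.mcafee.com
192.168.1.10 intranet.example.local   # unrelated local pin, must survive
"""

if __name__ == "__main__":
    for line_no, name, verdict in find_hijacked_entries(SAMPLE_HOSTS):
        print("line %d: %s %s" % (line_no, name, verdict))
    print(clean_hosts(SAMPLE_HOSTS))
```

On Windows 98 the HOSTS file is %WinDir%\HOSTS (normally C:\WINDOWS\HOSTS) rather than under System32\drivers\etc, so run the script against whichever copy the machine actually has.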
 

shaz2004

Thread Starter
Joined
Sep 17, 2004
Messages
8
The following happened: these were not on the HijackThis file,
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM/left.html
O4 - HKLM\..\Run: [update32] C:\windows\configs.exe
O4 - HKLM\..\Run: [cmd32] C:\configs.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -

I deleted the rest.
In safe mode, the following files were not there to delete:

C:\windows\configs.exe - file
C:\WINDOWS\realtime.exe - file
C:\WINDOWS\SYSTEM\MSXWORD.DLL - file
I had selected show all files.
Could not locate HOSTS file to alter.
Problems still are the same. I have included the HijackThis latest file.
THANKS FOR THE HELP SO FAR.
Logfile of HijackThis v1.98.2
Scan saved at 21:03:14, on 19/09/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OUTPOST.EXE
C:\WINDOWS\SYSTEM\R_SERVER.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\AVG\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AVG\AVGCC32.EXE
C:\WINDOWS\SYSTEM\HKCMD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\GOND.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\GOND.DLL/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\GOND.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\GOND.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\GOND.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\GOND.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Unison
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7FB1AA65-0994-11D9-ACDD-0080D656B6C2} - C:\WINDOWS\SYSTEM\GOND.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OUTPOST.EXE /waitservice
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\AVG\avgcc32.exe /startup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\outpost.exe /service
O4 - HKLM\..\RunServices: [r_server] C:\WINDOWS\SYSTEM\R_SERVER.EXE /service
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\AVG\Avgserv9.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Office.lnk = C:\Program Files\Office\Office\OSA.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Ulster Bank AnyTime - https://anytime3.ulsterbank.com/asp/AnyTime.cab
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - its:mhtml:file://c:\MAIN.MHT!http://213.159.117.237:4000/buka.chm::/x.exe
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:9000/Java/cfs31229.cab
O18 - Filter: text/html - {7FB1AA64-0994-11D9-ACDD-0080B91A1359} - C:\WINDOWS\SYSTEM\GOND.DLL
O18 - Filter: text/plain - {7FB1AA64-0994-11D9-ACDD-0080B91A1359} - C:\WINDOWS\SYSTEM\GOND.DLL
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,645
Download StartDreck from: http://www.niksoft.at/_data/startdreck.zip

Unzip the startdreck.zip file first. Double-click 'StartDreck.exe'.

First click on the config button.
Now click the Unmark all button

Put a check by these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >OK.

Now click the Save button to save that log.

Copy and paste the contents of that log back here and await further instructions
 

shaz2004

Thread Starter
Joined
Sep 17, 2004
Messages
8
StartDreck (build 2.1.7 public stable) - 2004-09-20 @ 18:54:11 (GMT +01:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as User at SHANAHAN

»Registry
»Run Keys
»Current User
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
»RunOnce
»Default User
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*Outpost Firewall=C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OUTPOST.EXE /waitservice
*AVG_CC=C:\PROGRAM FILES\AVG\avgcc32.exe /startup
*IgfxTray=C:\WINDOWS\SYSTEM\igfxtray.exe
*HotKeysCmds=C:\WINDOWS\SYSTEM\hkcmd.exe
*CriticalUpdate=C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*Outpost Firewall=C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\outpost.exe /service
*r_server=C:\WINDOWS\SYSTEM\R_SERVER.EXE /service
*Avgserv9.exe=C:\PROGRA~1\AVG\Avgserv9.exe
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
*{7FB1AA65-0994-11D9-ACDD-0080D656B6C2}
`InprocServer32=C:\WINDOWS\SYSTEM\GOND.DLL
»Files
»System/Drivers
»Running Processes
+FF0F2979=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF6DC5=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFF65ED=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFFF4A3D=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFFD595=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFFC58D=C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OUTPOST.EXE
+FFFE3539=C:\WINDOWS\SYSTEM\R_SERVER.EXE
+FFFE2F65=C:\PROGRAM FILES\AVG\AVGSERV9.EXE
+FFFD549D=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFD4461=C:\WINDOWS\EXPLORER.EXE
+FFFDEF71=C:\WINDOWS\TASKMON.EXE
+FFFDE305=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFC1491=C:\PROGRAM FILES\AVG\AVGCC32.EXE
+FFFC4BED=C:\WINDOWS\SYSTEM\HKCMD.EXE
+FFFC98D5=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFFCFD59=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
+FFFCE20D=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFFCD50D=C:\WINDOWS\RunDLL.exe
+FFFB3D45=C:\PROGRAM FILES\OFFICE\OFFICE\OSA.EXE
+FFFBA341=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFF23359=C:\MY DOCUMENTS\SEAN\STARTDRECK\STARTDRECK.EXE
»Application specific
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,645
First restart your computer and then scan again with Hijack This and post the fresh log.

Please do this. Click here http://forums.techguy.org/attachment.php?attachmentid=38105 to download getservice.zip and unzip it to your desktop. Open the Getservice folder and click on the getservice.bat file. A notepad will open up with a long list of services. Please save that notepad file and attach it to your next reply to this thread. It will be easier to attach it rather than copy and paste because it will be too long to paste in one post.
 

shaz2004

Thread Starter
Joined
Sep 17, 2004
Messages
8
Logfile of HijackThis v1.98.2
Scan saved at 02:24:02, on 21/09/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OUTPOST.EXE
C:\WINDOWS\SYSTEM\R_SERVER.EXE
C:\PROGRAM FILES\AVG\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AVG\AVGCC32.EXE
C:\WINDOWS\SYSTEM\HKCMD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\GOND.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\GOND.DLL/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\GOND.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\GOND.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\GOND.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\GOND.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Unison
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7FB1AA65-0994-11D9-ACDD-0080D656B6C2} - C:\WINDOWS\SYSTEM\GOND.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OUTPOST.EXE /waitservice
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\AVG\avgcc32.exe /startup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\outpost.exe /service
O4 - HKLM\..\RunServices: [r_server] C:\WINDOWS\SYSTEM\R_SERVER.EXE /service
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\AVG\Avgserv9.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Office.lnk = C:\Program Files\Office\Office\OSA.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Ulster Bank AnyTime - https://anytime3.ulsterbank.com/asp/AnyTime.cab
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - its:mhtml:file://c:\MAIN.MHT!http://213.159.117.237:4000/buka.chm::/x.exe
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:9000/Java/cfs31229.cab
O18 - Filter: text/html - {7FB1AA64-0994-11D9-ACDD-0080B91A1359} - C:\WINDOWS\SYSTEM\GOND.DLL
O18 - Filter: text/plain - {7FB1AA64-0994-11D9-ACDD-0080B91A1359} - C:\WINDOWS\SYSTEM\GOND.DLL

Downloaded getservice and got an error message running it: the PSSERVICE.EXE file is linked to missing export NETAPI32.DLL:NetServerEnum.
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,645
Please download this tool called AboutBuster from:
http://www.downloads.subratam.org/AboutBuster.zip

Created by RubberDucky

Unzip it to your desktop but don't run it yet.

Now start Hijackthis and tick the boxes next to these items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\GOND.DLL/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\GOND.DLL/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\GOND.DLL/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\GOND.DLL/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\GOND.DLL/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\GOND.DLL/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {7FB1AA65-0994-11D9-ACDD-0080D656B6C2} - C:\WINDOWS\SYSTEM\GOND.DLL (file missing)

O16 - DPF: Ulster Bank AnyTime - https://anytime3.ulsterbank.com/asp/AnyTime.cab

O16 - DPF: {10003000-1000-0000-1000-000000000000} - its:mhtml:file://c:\MAIN.MHT!http://213.159.117.237:4000/buka.chm::/x.exe

O18 - Filter: text/html - {7FB1AA64-0994-11D9-ACDD-0080B91A1359} - C:\WINDOWS\SYSTEM\GOND.DLL

O18 - Filter: text/plain - {7FB1AA64-0994-11D9-ACDD-0080B91A1359} - C:\WINDOWS\SYSTEM\GOND.DLL


Now close ALL Internet Explorer windows and hit fix checked.
Do not open Internet explorer to come back here until after running the tool.

Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

Once the tool is done scanning, copy the log and paste it into your thread with a new Hijack this log.
 

shaz2004

Thread Starter
Joined
Sep 17, 2004
Messages
8
Scanned at: 03:10:36 on: 21/09/04


-- Scan 1 ---------------------------
About:Buster Version 3.0
Reference List : 15


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 3.0
Reference List : 15


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!


Logfile of HijackThis v1.98.2
Scan saved at 03:12:51, on 21/09/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OUTPOST.EXE
C:\WINDOWS\SYSTEM\R_SERVER.EXE
C:\PROGRAM FILES\AVG\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AVG\AVGCC32.EXE
C:\WINDOWS\SYSTEM\HKCMD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Unison
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\OUTPOST.EXE /waitservice
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\AVG\avgcc32.exe /startup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL\outpost.exe /service
O4 - HKLM\..\RunServices: [r_server] C:\WINDOWS\SYSTEM\R_SERVER.EXE /service
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\AVG\Avgserv9.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Office.lnk = C:\Program Files\Office\Office\OSA.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:9000/Java/cfs31229.cab
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,645
The log looks good now. How's everything running?
 

shaz2004

Thread Starter
Joined
Sep 17, 2004
Messages
8
Explorer message still there: 'program performed an illegal operation and will shut down, EXPLORER caused an invalid page fault in
module EXPLORER.EXE at 0167:0040dcf7.
Registers:
EAX=00000000 CS=0167 EIP=0040dcf7 EFLGS=00010246
EBX=00000000 SS=016f ESP=0093fe90 EBP=0093feb4
ECX=0093ffbc DS=016f ESI=00000000 FS=304f
EDX=00435404 ES=016f EDI=00000000 GS=0000
Bytes at CS:EIP:
8b 38 85 ff 7e 19 56 ff 35 70 50 41 00 ff 15 00
Stack dump:
00000000 00436e7c 0040dd5f 00000000 00436e7c 00436e7c
00000102 0093fec8 6680e03b 0093fef8 0040b5fc 00000344
00437000 00434fbc 00000001 50003f2f'

The Start button on the toolbar is also not working, no reaction from it at all. If I close down the Explorer message it ends all opened windows and folders and shuts down my firewall and my antivirus software. Thanks for your help so far, I have deleted a lot of crap. Is there a site where all these Explorer messages are explained? Thanks again.
 